High availability

Hello to the community,
I’m coming to you to get answers regarding Graylog’s high availability.
I wanted to know if it is possible to put in place a completely compartmentalized infrastructure of high availability internet with only 2 servers in front.
Here is a diagram of the solution I had in mind.

Both clusters are geographically remote but communicate by fiber.
In addition, the cluster will be in the same network as the hosts where we collect the logs.

For the most part, Graylog’s HA deployments are only limited to its underlying technologies, namely MongoDB and Elasticsearch. Since MongoDB is the database that houses the configuration for Graylog, and Elasticsearch is the repository/indexer for the log files themselves, if you can configure Elasticsearch and MongoDB to work in your HA plan, then Graylog should work. I’m sure I’m overgeneralizing it. Also, be aware of the versions of the various pieces, as Graylog does not support Elasticsearch 7.x, and I’ve seen various issues reported with MongoDB 4.2. You’ll want to make sure you thoroughly test your design.

Thank you for your clear and quick answer. Last question: can I install the 3 services, namely MongoDB, Elasticsearch, and Graylog, on the same server? This would give me a redundant log monitoring infrastructure of 3 servers in order to reduce costs.

Yes, you can, but I wouldn’t recommend it, especially if you start getting to higher volumes of ingest.

MongoDB needs an odd number of servers.
If you use 2 and you lose one, the “live” mongo goes to the secondary role and it won’t be writeable.
GL will continue to work temporarily, but it won’t be accessible (e.g. no user database…).
You have to test it many times.
An arbiter role mongo is enough for the 3rd server (no data stored).

Yes, thank you so much for your answers. So I will install 3 servers, each with a Graylog, a MongoDB and an Elasticsearch. I’m going to do a Mongo and Elastic cluster; I do not need to create a Graylog cluster, I mean the only one I’m going to use is “interviewing Elastic”?
Am I right?
Thanks

No, no, no.
You have to have a Graylog cluster also, because every cluster has ONE master, which does some tasks for the cluster (e.g. index rotation…). So if you use an Elastic cluster, you will have a lot of phantom errors.
And one other point: if you use a cluster, you can configure everything at once; you don’t need to configure everything on every server.

If I understand correctly, I must have 3 servers with the same configurations: one cluster of Elastic, one of Mongo and another of Graylog. But when you say that each cluster must have a master, in my case I will have a master and two other Graylog servers in my cluster, is that it?
Thank you for your quick answers again

No.
Mongo needs only 3 servers.
ES, GL are happy with two.
So imagine in site A and B 1-1 server with mongo, GL, ES.
And 1 node somewhere else (always a good idea, 3 sites…) with mongo as an arbiter.
Or if you put it in your office (e.g.…) you can also put a GL on it, to use it as a mgmt/search node (no log processing, just web access to the cluster), but it’s an option. With the load balancer you can send the messages to site A and B’s GLs.

But all the time you have to do it in cluster config. (Of course, only if you don’t want to debug phantom errors…)

Only GL needs a master role set manually (server.cfg, master parameter); ES and mongo will vote for one, so you don’t need to take care of it.
Be our guest for a (good) doc. :)
https://docs.graylog.org/en/3.1/pages/configuration/multinode_setup.html

All right, I understand better; here is the finished diagram.
To make it simple, I have two servers on my site A, with an EL, GL and MB server and one server hosting only MB. On the second site, more than 300 km away but connected directly by fiber, I have a server with EL, GL and MB.

Is this a good configuration?


Hello, just to be clear - Elasticsearch won’t be happy with a 2-node setup. This is not a recommended setup because of a split-brain scenario. A 3-node cluster is a minimum, with all 3 being master: true nodes.

Yes, you are correct, it’s not a happy situation, but it’s working. But if you lose 1 node from 2, it will stop (yes, it is also OK).

Our set up consists of 3 nodes:

  • iron graylog0 - graylog master; ES data-node; MongoDB replica
  • iron graylog1 - graylog slave; ES data-node; MongoDB replica
  • VM graylog2 - no graylog; ES setting node.data: false; MongoDB replica

Two are real iron (hardware) and one is a VM for the 3rd MongoDB replica and as an Elasticsearch node without data, due to the setting node.data: false.
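
The quorum arithmetic behind the replies above, as an added example that is not from any poster in the thread: it checks whether a set of voting nodes (MongoDB replica-set members including arbiters, or master-eligible Elasticsearch nodes) keeps a strict majority when a node or a whole site is lost. Node names, site names and the three layouts are constructed for illustration.

```python
from collections import Counter


def quorum(total_voters: int) -> int:
    """Strict majority: floor(n/2) + 1. MongoDB elections need this many
    voting members; it is also the value Elasticsearch 6.x documents for
    discovery.zen.minimum_master_nodes."""
    return total_voters // 2 + 1


def tolerated_failures(total_voters: int) -> int:
    """How many voters can be lost while a primary/master can still be elected."""
    return total_voters - quorum(total_voters)


def site_failure_report(voters: dict) -> dict:
    """voters maps node name -> site name. For each site, report whether the
    surviving voters still reach quorum if that entire site goes down."""
    total = len(voters)
    per_site = Counter(voters.values())
    return {site: (total - lost) >= quorum(total)
            for site, lost in per_site.items()}


# Constructed layouts (names are assumptions, not taken from the thread).
TWO_NODES = {"node-a": "A", "node-b": "B"}
THIRD_VOTER_AT_SITE_A = {"node-a": "A", "arbiter": "A", "node-b": "B"}
THIRD_VOTER_AT_SITE_C = {"node-a": "A", "node-b": "B", "arbiter": "C"}


if __name__ == "__main__":
    # An even voter count buys nothing: 4 voters tolerate as many losses as 3.
    for n in (2, 3, 4, 5):
        print(f"{n} voters: quorum={quorum(n)}, tolerated={tolerated_failures(n)}")
    layouts = {
        "two nodes": TWO_NODES,
        "third voter at site A": THIRD_VOTER_AT_SITE_A,
        "third voter at site C": THIRD_VOTER_AT_SITE_C,
    }
    for name, layout in layouts.items():
        # True means the cluster still elects a primary/master after that site is lost.
        print(name, site_failure_report(layout))
```

With the third voter placed at one of the two main sites, losing that site leaves the other side with one vote out of three, so only a third location keeps quorum through the loss of either site.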