Is it best practice to put Elasticsearch behind a LB in graylog.conf?

Currently, i use Graylog in Production stage with ~2TB in a day. In my configuration server.conf, i put settings like this elasticsearch_hosts = http://10.199.255.25:9200

10.199.255.25 is a TCP LoadBalancer. And then behind that LB, there are 7 Elasticsearch servers.

Is it best practice to put all of my Elasticsearch servers behind LB in the graylog.conf ? or should i put the config like this
elasticsearch_hosts = http://10.8.1.1:9200,http://10.8.1.2:9200,http://10.8.1.3:9200,....http://10.8.1.7:9200 ?

I am affraid config elasticsearch_max_total_connections_per_route, or elasticsearch_socket_timeout, etc will not be useful because the elasticsearch to be hit as LB not real Elasticsearch.

I use Graylog v3.2.4, Elasticsearch v6.8.
Thank you for your time and help

Elasticsearch performs its own load-balancing. Generally you would want to use these native capabilities instead of adding a separate LB.
So to answer your question: list all the individual nodes in the elasticsearch_hosts setting.

2 Likes

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.