We have multiple datacenters, each with its own Graylog and Elasticsearch clusters to handle logs within. Has anyone come up with a good solution for keeping things like GROK patterns and pipeline rules synchronized?
We tried using content packs, but the fact that you need to uninstall the existing content pack when you update a pipeline rule makes that process quite tedious. I’ve been investigating the REST API, but I’m stumbling over the fact that each cluster has its own unique ID for each rule and pattern, so there’s no way to find the endpoint without downloading a full list from each cluster and iterating over each list separately.
My ideal solution would somehow integrate with Ansible, but that mostly deals with configuration files and Graylog doesn’t seem to have many options for changing things through the filesystem.
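One way to work around the per-cluster IDs described above, as an added example that is not part of the original post: match pipeline rules by title instead of ID, compute a create/update plan, and push it using the target cluster's own IDs. The rule lists are constructed sample data; the endpoint paths and token authentication style are assumptions about the Graylog REST API, not taken from the post.

```python
import base64
import json
import urllib.request

# Constructed sample data: the same rule exists on both clusters under
# different IDs, and the source also carries a rule the target lacks.
SOURCE_RULES = [
    {"id": "aaa111", "title": "drop-debug", "description": "drop syslog debug",
     "source": 'rule "drop-debug"\nwhen to_string($message.level) == "7"\nthen drop_message();\nend'},
    {"id": "aaa222", "title": "tag-ssh", "description": "",
     "source": 'rule "tag-ssh"\nwhen has_field("sshd_pid")\nthen set_field("service", "ssh");\nend'},
]
TARGET_RULES = [
    {"id": "bbb999", "title": "drop-debug", "description": "drop syslog debug",
     "source": 'rule "drop-debug"\nwhen false\nthen drop_message();\nend'},
]

def plan_sync(source, target):
    """Return (to_create, to_update). Matching is by title, which is stable
    across clusters; to_update pairs the target cluster's own rule ID with
    the body to PUT, so the source cluster's ID is never needed."""
    by_title = {r["title"]: r for r in target}
    to_create, to_update = [], []
    for rule in source:
        body = {k: rule[k] for k in ("title", "description", "source")}
        existing = by_title.get(rule["title"])
        if existing is None:
            to_create.append(body)
        elif any(existing[k] != body[k] for k in ("description", "source")):
            to_update.append((existing["id"], body))
    return to_create, to_update

def apply_plan(base_url, token, to_create, to_update):
    """Push the plan to one target cluster. Assumed endpoints: POST and PUT on
    /api/system/pipelines/rule. Assumed auth: access token as basic-auth user
    with the literal password 'token', plus the X-Requested-By header."""
    auth = base64.b64encode(f"{token}:token".encode()).decode()
    headers = {"Authorization": f"Basic {auth}", "X-Requested-By": "rule-sync",
               "Content-Type": "application/json"}
    for body in to_create:
        req = urllib.request.Request(f"{base_url}/api/system/pipelines/rule",
                                     data=json.dumps(body).encode(), headers=headers, method="POST")
        urllib.request.urlopen(req).close()
    for rule_id, body in to_update:
        req = urllib.request.Request(f"{base_url}/api/system/pipelines/rule/{rule_id}",
                                     data=json.dumps(body).encode(), headers=headers, method="PUT")
        urllib.request.urlopen(req).close()
```

Running `plan_sync` against each datacenter's rule list and then `apply_plan` per cluster fits naturally into an Ansible task that calls the script once per target URL.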