Moving one Graylog node from on-prem to cloud

We have a Graylog 4.3.3 setup running on linux VMs on-premises. Our setup consists of four cluster nodes running on CentOS, behind a load balancer VIP. Our elastic back-end is located in AWS… We send data from network devices and in-house applications to Graylog via the LB VIP.

We are in the process of doing a migration of various VMware VMs from on-premises to VMware on GCP and have VPN connectivity between on-prem and GCP, on-prem and AWS, and also GCP and AWS. Future state will be to have some VMs running on-prem and some running in VMware on GCP.

I’m trying to figure out the best way to extend our Graylog setup to GCP. I feel like I ought to be able to move a Graylog node from on-prem to GCP and put it behind a GCP load balancer. In my mind the GCP node could still communicate with the other nodes on prem and the elastic back end and also accept syslog data from our GCP-based VMs and network devices.

Has anyone had any experience with extending a Graylog cluster across on-prem/cloud? Looking for advice and support for/against the idea of moving an existing cluster node…

Thanks in advance!

What are you trying to accomplish by doing it would be my first question, it’s technically possible, but depending on why it may not be the best solution.

Hi @vbenkert, @Joel_Duffield is right. It sounds like a simple question, but there is a lot to consider.

If we knew more about what your goals are that led you to consider nodes in each location, we could offer better advice.

The limiting factor will likely be latency. Graylog nodes don’t perform well over high latency connections.


To address both of your questions, we eventually want to move our Graylog cluster from on-prem to GCP. But for a bit (~1 year) we’ll need to forward logs to Graylog from both on-prem and GCP. So I guess I had in mind to move a node from on-prem to GCP, to facilitate sending logs to it (vs over our VPN connection). I am concerned about Chris’ comment about latency. I assume that you’re referring to node-to-node communications?



The biggest issue with latency will actually be graylog node to opensearch, the nodes dont talk to each other that much. I would either just sent the messages over the vpn, or setup a second cluster and have it output messages back to the main cluster is needed.

I dont see any benifits to extending the cluster in this way from a graylog perspective, and lots of possible issues.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.