Multiple Datacenter Setup

lli · 2017-06-26 18:11:27 UTC

Hi, on this FAQ page for multi-datacenter setup: http://docs.graylog.org/en/2.2/pages/faq.html.

"I have datacenters across the world and do not want logs forwarding from everywhere to a central location due to bandwidth, etc. How do I handle this?"
Answer: “You can have multiple graylog-server instances in a federated structure, and forward select messages to a centralized GL server.”

Can someone provide the documentation for a federated structure setup?

For smaller datacenters, will you still recommend a full production architecture, or will a minimum setup be sufficient?
(http://docs.graylog.org/en/2.2/pages/architecture.html)

jochen · 2017-06-27 06:48:51 UTC

This refers to the possibility to create a GELF output in Graylog and send the messages of all streams (or of the “All messages” stream) to another Graylog node, see System / Outputs in the Graylog web interface.

What is a “small” datacenter? How many clients, how many events per second (on average and in peak), and how big are the messages?

lli · 2017-07-07 18:11:03 UTC

There are about 50 clients. On average there’s 1 event per second per node. So there are 50 events per second on average.

I do not have a good estimation of the peak but assume that’s double the size (100 events per second).

Each message is about 4KB.

lli · 2017-07-07 20:40:10 UTC

Average: 10,000KB/s
Peak: 20,000KB/s

jochen · 2017-07-10 07:04:08 UTC

This is a load that a very small single node Graylog installation can handle (if you don’t care for high availability).

You could install the OVA on a machine with a few CPU cores and 4 GB of memory and it could handle the load.

What are these specifications for? That doesn’t match the 50 events per second (50 eps * 4 KB == 200 KB/s).

lli · 2017-07-10 07:16:21 UTC

Thanks. At what number of clients/events per second would you recommend a full production setup (at least 2 graylog nodes with a load balancer, and at least 3 elasticsearch nodes)?

Please ignore the 2 values I provided earlier. Thanks.

jochen · 2017-07-10 07:39:31 UTC

That’s hard to say without all details and I’d rather not generalize this.

system · 2017-07-24 07:39:33 UTC

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.