Version: 2.2.3+7adc951, codename Stiegl
So I'm wanting to add a couple of servers to my single Graylog server setup and wanted some input on what the right way to approach it would be.
This is the picture:
(new) Graylog server on the DMZ receiving logs from hosts outside our premises.
It would retain logs for maybe an hour. Main thing is it would have GELF outputs to our main server.
(current) Main server receiving all logs. Retaining for about two weeks.
(new) Long term server. We would determine what streams on the main server need a longer retention period, say file auditing for example. We would have GELF outputs for those pointing to this one. This server will retain for 6 months to a year, depending on compliance requirements.
Would this be considered a multi-node cluster or just 3 servers talking to each other (I haven't messed with Graylog clusters before)? What would be the best approach to this? Is this approach even a good idea? Thoughts?
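The three-tier layout described in the post (DMZ collector forwarding everything, main server keeping two weeks, long-term server receiving only selected streams) is built entirely on GELF outputs, so it helps to see what one of those hops actually carries on the wire. The following is an added example and not code from the post or from the Graylog project: it builds GELF 1.1 messages, frames them for GELF-over-TCP (one JSON document per message, terminated by a NUL byte), pushes them through a local listener the way a DMZ tier would push to the main tier, and applies a main-tier routing rule that only forwards a chosen stream onward. The `_stream` field, the `file_audit` stream name and the retention figures are constructed assumptions for illustration; in Graylog itself stream selection is configured in the UI, not in a field like this.

```python
"""GELF forwarding between tiers, modelled in plain Python.

Added example (not from the forum post or the Graylog project). Assumes the
GELF 1.1 payload format (JSON with "version", "host", "short_message",
optional "timestamp"/"level", additional fields prefixed with "_") and
GELF-over-TCP framing (JSON document followed by a single NUL byte).
The `_stream` field name, the `file_audit` stream and the retention values
are constructed for illustration.
"""
import json
import socket
import threading
import time

GELF_VERSION = "1.1"

# Retention per tier in seconds, mirroring the post (constructed values).
RETENTION = {"dmz": 3600, "main": 14 * 86400, "longterm": 365 * 86400}

# Streams the main tier forwards on to the long-term tier (constructed).
LONG_TERM_STREAMS = {"file_audit"}


def make_gelf(host, short_message, level=6, **extra):
    """Build a GELF 1.1 message; extra fields get the mandatory '_' prefix."""
    msg = {
        "version": GELF_VERSION,
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),
        "level": level,
    }
    for key, value in extra.items():
        name = key if key.startswith("_") else "_" + key
        if name == "_id":  # reserved by the GELF spec, must not be sent
            raise ValueError("_id is not allowed as an additional field")
        msg[name] = value
    return msg


def encode_tcp(msg):
    """GELF-over-TCP framing: the JSON document plus one NUL terminator."""
    return json.dumps(msg).encode("utf-8") + b"\x00"


def decode_tcp_stream(buf):
    """Split a raw TCP buffer into complete messages; keep any partial tail."""
    parts = buf.split(b"\x00")
    remainder = parts.pop()  # incomplete trailing message, or b""
    return [json.loads(p) for p in parts if p], remainder


def route_from_main(msg):
    """Tiers that keep a message arriving at the main server."""
    tiers = ["main"]
    if msg.get("_stream") in LONG_TERM_STREAMS:
        tiers.append("longterm")  # the hop the post wants for audit data
    return tiers


def forward_over_tcp(msgs):
    """Send messages to a local GELF TCP listener; return what it decoded."""
    received = []

    def listener(srv):
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # sender closed: nothing more to read
                    break
                buf += chunk
                got, buf = decode_tcp_stream(buf)
                received.extend(got)

    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port, no fixed value assumed
    srv.listen(1)
    port = srv.getsockname()[1]
    worker = threading.Thread(target=listener, args=(srv,))
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as client:
        for m in msgs:
            client.sendall(encode_tcp(m))
    worker.join()
    srv.close()
    return received


if __name__ == "__main__":
    batch = [
        make_gelf("edge1", "file opened", stream="file_audit"),
        make_gelf("edge2", "heartbeat"),
    ]
    for m in forward_over_tcp(batch):
        print(m["host"], m["short_message"], "->", route_from_main(m))
```

The point the routing rule makes is that a GELF output only ever forwards; it does not replicate indexes or retention settings, so each of the three boxes in the post is an independent Graylog instance with its own retention, which is the "3 servers talking to each other" reading rather than a cluster. The partial-tail handling in `decode_tcp_stream` matters because a forwarder may split one message across TCP segments, and dropping the tail would silently lose events on the hop.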