I’m planning on creating a new Graylog production architecture with OpenSearch on a Debian-based OS. But I’m no OpenSearch expert. From my understanding, one should use OpenSearch the same way as ElasticSearch. Meaning you declare them this way in the server.conf
This explains node/role types and how to configure them. My understanding of the recommendation for OpenSearch nodes is that unless you are sending a lot of log data (>550GB/day) and you have several OpenSearch nodes, you won’t need dedicated masters, and shouldn’t need to explicitly define server roles.
So, to use this kind of production setup for less than 550GB/day.
Create three OpenSearch nodes
Make each node master-eligible
Declare them in server.conf the same way as you would declare elasticsearch_hosts.
Enjoy?
What confused me was that in Creating a cluster - OpenSearch documentation, they showcase a 4-node architecture, with a cluster manager node, a coordinating node and data ingesting nodes. I was not sure how to make this fit with a Graylog production setup.
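
The three-node layout discussed in this thread, written out as a configuration sketch. This is an added example, not taken from any of the posts or from the Graylog or OpenSearch projects; the cluster name, node names and `example.internal` hostnames are constructed placeholders, and it assumes OpenSearch 2.x setting names.

```yaml
# opensearch.yml on os-node1. Repeat on os-node2 and os-node3, changing only
# node.name and network.host. All names below are constructed placeholders.
cluster.name: graylog
node.name: os-node1

# node.roles is deliberately left unset: with no explicit roles, each node keeps
# the default role set, which includes cluster_manager (master-eligible) and data.
# That matches "no dedicated masters, no explicitly defined roles" for this size.

# Bind to the node's cluster-facing address rather than all interfaces, so the
# REST (9200) and transport (9300) ports are not exposed on other networks.
network.host: os-node1.example.internal

# Every node lists all three peers so any of them can find the cluster.
discovery.seed_hosts:
  - os-node1.example.internal
  - os-node2.example.internal
  - os-node3.example.internal

# Used only for the very first bootstrap of the cluster. Three eligible nodes
# give a quorum of two, so the cluster survives the loss of one node.
cluster.initial_cluster_manager_nodes:
  - os-node1
  - os-node2
  - os-node3

# Graylog creates and rotates its own indices; stop OpenSearch from creating
# indices implicitly on first write.
action.auto_create_index: false

# Matching line in Graylog's server.conf (properties syntax, not YAML).
# Listing all three nodes lets Graylog keep working if one is down.
# Assumption: TLS is enabled on the OpenSearch HTTP layer; if the security
# plugin also enforces authentication, a service account is needed as well.
#
# elasticsearch_hosts = https://os-node1.example.internal:9200,https://os-node2.example.internal:9200,https://os-node3.example.internal:9200
```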