1. Situation: I have a multi-node Graylog cluster with about 25 nodes that ingests around 23–24TB of logs per day. As our environment grows and new services are added, the volume of logs keeps increasing, which forces us to scale up resources continuously.
To better handle the load, I’m considering splitting our setup into 3–4 separate Graylog clusters, each with its own dedicated OpenSearch cluster, so the workload is distributed more evenly.
- Package Version: GrayLog 5/6 Open Source
4. My main questions are:
- Is it possible to have a single unified Graylog web interface that can sit on top of and manage multiple Graylog clusters?
- Alternatively, can I create a small central Graylog cluster that provides a single web interface for the different backend clusters?
Has anyone implemented something similar, or is this use case supported/recommended?