Which Elasticsearch Node Roles should be connected to Graylog?

Hi : ),

I am creating a new multi-node installation which looks as follows:

  • 3 Graylog Nodes
  • 3 Elasticsearch Master Nodes
  • 1 Elasticsearch Data Node (I am planning to add more data nodes in the future)

Could you please tell me which Elasticsearch hosts I should include in the Graylog configuration file?
Shall I add only the Elasticsearch master nodes, or should I add all nodes (master + data nodes)?

Thank you in advance.

  • OS Information: The Graylog/Elasticsearch nodes are running Ubuntu Server 22.04
  • Package Version:
    Graylog 4.3
    Elasticsearch 7.10.2


Hi @mobk

welcome to the Community! :slight_smile:

I haven’t found any documentation about that while I was setting up our 3x nodes OpenSearch (OS) cluster. With that said, our Graylog cluster points to all OS members (master and data roles), and everything works fine.

HTH

Hello && Welcome @mobk

In the documentation here
Basically, this is what I did with a 6-node cluster: 3 ES & 3 GL/Mongo.
This was configured on each Graylog node.

elasticsearch_hosts = http://10.10.10.10:9200, http://10.10.10.20:9200, http://10.10.10.30:9200

Depending on how the cluster is set up, you could use something like this:

http://node1:9200,http://user:password@node2:19200,http://user:password@node3:19200

This was only done for ES master nodes since they ingest from Graylog's journal.

Probably a better way would be a load balancer, if you are expanding to larger than three nodes. It would make this task much easier down the road.
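
Added example, not part of the thread and not Graylog's own code: a small check that reads the `elasticsearch_hosts` line from a Graylog `server.conf`, masks any embedded password for logging, and flags entries such as `http://user:password@node2:19200` where the credentials would travel over cleartext HTTP. The sample config is constructed, the function names are hypothetical, and hosts are assumed to be names or IPv4 addresses.

```python
from urllib.parse import urlsplit

# Constructed excerpt of a Graylog server.conf, using the URL forms quoted in
# the thread; node3 is switched to https here (assumption) to show the contrast.
SAMPLE_CONF = """\
# elasticsearch_hosts = http://old-node:9200
elasticsearch_hosts = http://node1:9200, http://user:password@node2:19200, https://user:password@node3:19200
"""


def parse_hosts(conf_text, key="elasticsearch_hosts"):
    """Return the URLs from the last uncommented `key = ...` line."""
    urls = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip() == key:
            urls = [u.strip() for u in value.split(",") if u.strip()]
    return urls


def audit_host(url):
    """Return the URL with its password masked, plus any findings."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme not in ("http", "https"):
        findings.append("unexpected scheme")
    has_creds = parts.username is not None
    if has_creds and parts.scheme != "https":
        findings.append("credentials sent over cleartext HTTP")
    # Rebuild the URL without the password so it is safe to log.
    host = parts.hostname or ""
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    if has_creds:
        host = f"{parts.username}:***@{host}"
    return {"url": f"{parts.scheme}://{host}", "findings": findings}


def audit_conf(conf_text):
    """Audit every host listed in the config text."""
    return [audit_host(u) for u in parse_hosts(conf_text)]


if __name__ == "__main__":
    for entry in audit_conf(SAMPLE_CONF):
        print(entry["url"], "->", entry["findings"] or "ok")
```
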