Hi Mark, I think the easiest setup for your requirements would be to forward the messages processed by the locked down Graylog2 server to the "user-facing" Graylog2 server via the GELF output. This way you could filter messages or run extractors in exactly one place and just forward the final messages to the instance users can run searches on.
If you were sending the log messages to both Graylog2 instances directly, you would need to set up filters and extractors on both of them and keep them in sync. Cheers, Jochen Am Mittwoch, 12. November 2014 22:06:48 UTC+1 schrieb Mark Moorcroft: > > > Question for the room: > > If I have a need to provide a LOCKED down graylog server for compliance, > and second one that someone can actually use to do searches and monitor our > systems. Is it considered a best practice to mirror the outputs from all of > the systems to two nearly identical VM's? We currently use fluentd to push > the logs. Or is it better to have one graylog server push (rebroadcast) all > of it's data to a second one. This is not for failover, but mostly because > the current graylog authentication setup so severely limits what a "read > only" user can do unless someone sets up Streams, which I'm virtually > certain nobody here will take the time to do. I hope this isn't an RTFM > situation. If so I apologize in advance. It doesn't appear to me that Radio > has anything to do with this need. > -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
