When I initially set out to replace free Splunk with Graylog, the requirements were as follows:

Create a central log collector with write access granted to only one person (a non-tech manager) for compliance and forensics. The collected data includes about 8 CentOS boxes sending auditd and syslog, and 2 Windows servers sending Windows logs via NXlog. Grant read access (i.e. search) to the sysadmin staff.

Initially I set up 2 completely separate Graylog VMs, one access-limited and one not. This was only necessary because of the perplexing way Graylog requires me to use Streams to limit access, which I found totally unapproachable. This demanded that all senders send to both VMs, and it doubles the storage requirements.

It occurred to me last week that I should be able to have both VMs using the same Elasticsearch storage. It seemed I could have the protected VM store all the data and just have the admin-access VM parse it for search. I presume I can't just run graylog-web on the second VM, because that must use different authentication/access lists. But I'm having some trouble figuring out how to get the secondary Graylog VM to share the search data. I have it connecting, and I see the index name from the other VM under Indices, but the numbers don't correlate at all. And I don't see any events unless I collect them locally, so I presume the second VM would store its own collected events just fine, but they are not sharing them (the whole point). So I'm clearly missing an obvious large piece of the puzzle to close the loop. That, or I'm barking up the wrong tree entirely.

Actually, at the end of the day, the protected VM that collects the data doesn't even need graylog-web at all. It just needs to be a data collector. Which I guess means it needs Elasticsearch collecting data. But of course the inputs are created using graylog-web. I'm still not totally wrapping my head around how the graylog-server and Elasticsearch pieces fit together. I'm hoping someone has done something similar and can offer some insight.