I found out why my second Graylog VM was seeing a different Elastic index,
so problem solved there.
Still hoping for feedback on the whole strategy though.
How do I make the secondary graylog-server/web stop warning me there are no
configured inputs?
How should these be set on the primary and secondary graylog VMs:
# we don't want the graylog2 server to store any data, or be master node
elasticsearch_node_master = false
elasticsearch_node_data = false
On Monday, March 30, 2015 at 12:15:39 PM UTC-7, Mark Moorcroft wrote:
>
> Initially I set up 2 completely separate Graylog VMs with one access
> limited and one not. This was only necessary because of the perplexing way
> Graylog requires me to use Streams to limit access, which I found totally
> unapproachable. This demanded all senders to send streams to both VMs and
> it doubles the storage requirements. It occurred to me last week that I
> should be able to have both VMs using the same elastic storage. It seemed
> I could have the protected VM store all the data, and just have the admin
> access VM parse it for search. I presume I can't just run graylog-web on
> the second VM because that must use different authentication/access lists.
> But I'm having some trouble figuring out how to get the secondary graylog
> VM to share the search data. I have it connecting and I see the Index name
> from the other VM under indices, but the numbers don't correlate at all.
> And I don't see any events unless I collect them locally, so I presume the
> second VM would store its own collected events just fine, but they are not
> sharing them (the whole point). So I'm clearly missing an obvious large
> piece of the puzzle to close the loop. That or I'm barking up the wrong
> tree entirely. Actually, at the end of the day, the protected VM that
> collects that data doesn't even need graylog-web at all. It just needs to
> be a data collector. Which I guess means it needs elastic collecting data.
> But of course the inputs are created using graylog-web. I'm still not
> totally wrapping my head around how the graylog-server and elasticsearch
> pieces fit together.
>
> I'm hoping someone has done something similar that can offer some insight.
>