Hi Jochen,

I just realized that I was investigating Fluentd before, and I forgot to disable the td-agent that sends data to ElasticSearch. I guess the additional indexes were generated for this reason. I have now disabled it and hope to see that the additional indexes will not be generated.

As for the re-indexing option, I would like to get more information on how to do it properly since there is no out-of-box solution from Graylog, and it is a common concern due to addition or change of data/index mapping. So in order to re-index, I need to install Logstash and configure the input as the Elasticsearch instance and the output as the Graylog instance. In the case where I install Elasticsearch and Graylog on the same machine, the graylog-x is basically the Elasticsearch index. If I install Logstash and configure Elasticsearch as input and Graylog as the log server to receive input, isn't this an endless loop because the input and destination are the same search index?

Thanks,
Wayne

On Friday, October 21, 2016 at 9:02:12 AM UTC-4, Jochen Schalanda wrote:
>
> Hi Wayne,
>
> On Friday, 21 October 2016 14:51:55 UTC+2, Wayne wrote:
>>
>> I only installed Graylog2 server, Elasticsearch, Mongodb based on the
>> latest Graylog2 document. The daily logstash-yyyy.MM.dd was generated, but
>> I did not install Logstash. Is this normal?
>>
>
> No, at least that index definitely hasn't been created or touched in any
> way by Graylog.
>
>
>> As far as the option of re-indexing you mentioned, are you saying I can
>> use the ElasticSearch instance as input, and use log shipper such as
>> graylog collector sidecar to push the index to graylog server? My concern
>> is that would duplicate the data. In addition, can graylog collector
>> sidecar be log shipper in this scenario, or I need to install logstash to
>> do the job?
>>
>
> Yes, it would naturally duplicate the data and yes, you need Logstash (or
> any other program being able to read from Elasticsearch and send output to
> Graylog via GELF) for that. It's not possible to do this with the Graylog
> Collector Sidecar.
>
>
> Cheers,
> Jochen
>
