Graylog2-server: Graylog federation / multi home

Tribe node support? I have a use case where I want a GL server in different data centers, but because of latency, these servers cannot be in the same ES cluster. The current GL architecture means I have 3 different servers deployed. As your idea suggests, we can have a central server that can query the remote servers and then roll-up the results and present a singular view to the user.

@billmurrin The Elasticsearch tribe node is on its way out (see Tribe Nodes & Cross-Cluster Search: The Future of Federated Search in Elasticsearch), so we won't use that for implementing any sort of federation or Multi-DC support. 😉

BTW @joschi that was a great article. Thanks for sharing.

This would be a very useful feature for us as well. We have multiple DC locations, each with their own ES and GL instance. We also have one 'parent' DC in which it would be useful to be able to display the information of all other DC's. Right now our ops team needs to connect to different web interfaces to find the correct information.

ES tribe node is indeed on its way out, but it's replaced by Cross-Cluster Search. This seems like the feature needed in ES to be able to implement it.

are there any plans in supporting cross-cluster search ?

+1 for cross-cluster search support

This would be something extremely useful and would put Graylog in a place to contend with Splunk's Search Peers - Distributed Search. Can someone please provide an update on if / when this functionality might be implemented, as it is a key factor in my decision to migrate to Graylog or remain on Splunk, as it minimizes the 'normal' data congestion across the wire for our large scale, very wide-spread PCI environment.

If I understand this correctly then there is nothing to do from the graylog side:
https://www.elastic.co/blog/tribe-nodes-and-cross-cluster-search-the-future-of-federated-search-in-elasticsearch
"From a search execution perspective, there is no difference between local indices and indices that belong to remote clusters as long as the coordinating node can reach some nodes belonging to the remote clusters. Finally, the hits returned as part of the search response which belong to remote clusters have their index name prefixed with their cluster alias.
"
Your ES Cluster dictates where to search and returns the data
This should be pretty easy to test with an extra ES Cluster

zez3-

Not convinced it’s that simple with Graylog. Pretty sure I’d tried before, and the inability is because of the way Graylog does it’s indexing under the covers. If you test and find I’m incorrect, I’m all ears. ;-)

You CAN do cross-index searches with Kibana against multiple Elasticsearch clusters, even those with Graylog data. So there are options.

I was just unable to do it natively, from within Graylog, where I’d prefer to use some plugins and correlations I already have defined.

(Again, all of this assumes Graylog free, not Enterprise)

I’ll do some testing again tomorrow, but I’d also spoken directly to Graylog’s team and they’d said it doesn’t work, currently, although it’s somewhere down the line on their roadmap.