This is the third in a multi-part series where I explore the process of transforming an existing Graylog install into a resilient and scalable multi-site installation. Start here for Part 1.
Previously we built our servers and reconfigured ElasticSearch. Next up is to build out the new Graylog2 and Graylog2-Web servers themselves.
Graylog2 Server Build
Software Install
Since I sized and installed the OS instance at the same time as the ElasticSearch nodes I can jump straight to the software install. In my example I'm using Ubuntu Server 14.10 LTS [1]. Since the last time I set this stuff up Torch has started hosting their own software repos, which makes me happy. We can manually set up and install the software by running:
Or, if you want to use their repo package:
Graylog2 Cluster Join
Actually joining the Graylog2 instances to the cluster is pretty brain-dead easy, as cluster membership happens using the MongoDB instance. However, unlike ElasticSearch there are a lot of changes we need to make to the configuration file. The settings I've listed below are the minimums. Please don't entirely replace your /etc/graylog2.conf with this. You need to read through the file and make at least these changes [2].
The most important things to notice here are:
- is_master: Unlike ElasticSearch this explicitly sets who is the master and, like The Game, "There can be only one."
- rest_listen_uri: By default this is set to localhost; in order for the non-local graylog2-web instances to work this has to be externally reachable.
- elasticsearch_cluster_discovery_timeout: I made this number big since trans-continental links are relatively high latency.
- mongodb_host: Points at the MongoDB master, currently the legacy server.
At this point we can start the graylog2-server service and it should be pretty automagic. It will auto-join the graylog2-server cluster based on data in the MongoDB instance. It will also join the ElasticSearch cluster as a client node.
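Because the master flag and the REST bind address are set per node, it is easy to end up with two masters or a node still bound to localhost once there are several config files to keep in sync. The script below is an added pre-flight check, not part of the original post or of the Graylog2 software: it reads each node's graylog2.conf, confirms that exactly one file has is_master = true, that no rest_listen_uri is still bound to localhost or 127.0.0.1, and that every file sets mongodb_host. It assumes the file uses "key = value" lines with '#' comments, and the URI and host values in the sample configs are constructed placeholders, not real addresses.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check of the minimum
# graylog2.conf settings discussed above, run over every node's config file.
# Assumes "key = value" syntax with '#' comments; the rest_listen_uri format
# (http://host:port/) used in the samples is an assumption.

# Print the value of key $2 from config file $1. The last occurrence wins;
# nothing is printed when the key is absent.
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# Check a set of node configs. Returns 0 only when:
#   - exactly one file has is_master = true,
#   - no rest_listen_uri is empty or bound to localhost / 127.0.0.1,
#   - every file sets mongodb_host.
check_cluster() {
    masters=0
    rc=0
    for f in "$@"; do
        [ "$(get_setting "$f" is_master)" = "true" ] && masters=$((masters + 1))

        uri=$(get_setting "$f" rest_listen_uri)
        case "$uri" in
            ""|*://localhost*|*://127.0.0.1*)
                echo "$f: rest_listen_uri '$uri' is not reachable from the web nodes"
                rc=1 ;;
        esac

        [ -n "$(get_setting "$f" mongodb_host)" ] \
            || { echo "$f: mongodb_host is not set"; rc=1; }
    done
    [ "$masters" -eq 1 ] \
        || { echo "expected exactly one is_master = true, found $masters"; rc=1; }
    return "$rc"
}

# Demo on constructed sample configs (placeholder addresses, no real hosts).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'is_master = true' \
        'rest_listen_uri = http://10.0.0.11:12900/' \
        'mongodb_host = 10.0.0.10' > "$d/node1.conf"
    printf '%s\n' 'is_master = false' \
        '# still on the default bind address, will be flagged' \
        'rest_listen_uri = http://127.0.0.1:12900/' \
        'mongodb_host = 10.0.0.10' > "$d/node2.conf"
    if check_cluster "$d/node1.conf" "$d/node2.conf"; then
        echo "cluster config looks consistent"
    else
        echo "fix the settings above before starting graylog2-server"
    fi
    rm -rf "$d"
}

demo
```

Run it with the real paths (for example after copying each node's /etc/graylog2.conf to one admin host) before starting the services. Opening rest_listen_uri to other hosts means the server's REST API, which carries user accounts and everything the web interface shows, is no longer local-only, so the host firewall on each server should admit that port only from the graylog2-web nodes.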
Graylog2 Web Setup
The Graylog2 Web config file is significantly shorter, and easier to deal with, than the Server itself. Edit the file /etc/graylog2/web/graylog2-web-interface.conf and make sure the following are set:
Now start up the graylog2-web service and we should be good to go. Note that we don't actually point the web service at either the ElasticSearch cluster or the Mongo database. All of the information shown in the web interface comes through Graylog2 Server, including user accounts. The data is still stored in the Mongo database; it's just not directly accessed by the web app.
Now we have our new server and web interfaces up. Huzzah! At this point nothing is actually using the Graylog2 Servers, though, since all of the logs are still being shipped to the legacy system. None of that will happen until after we retire the legacy server and start migrating hosts.
[1] Because DevOps.
[2] The point of this blog is for me to document my process and to hope that others can learn from my mistakes and can start their project with at least more information than I did when I started mine. The ability to copy/paste is not a substitute for a basic understanding of what the fuck is going on.