I am creating a logging infrastructure for a company with 2 unrelated services. Is it better to have:

  • a single Graylog instance that routes the logs from the two services to different Elasticsearch databases
  • or rather have two separate Graylog instances running in 2 Docker containers with their own Elasticsearch clusters

I only have 1 server available for the logging stuff, and there is not a huge volume of logs from either source.

I am not super experienced with server admin so I'm looking for advice on which might cause more headaches - having to deal with more complicated routing, certificates and port stuff or having all log files running through the same place and having to strictly separate them.

1 Answer

I'd recommend setting up one OpenSearch cluster (because OpenSearch is recommended by Graylog) and one Graylog instance. Then, you can route the logs to different streams and grant permissions accordingly.

By doing so, you'll only have to configure/update one Graylog and one OpenSearch cluster.

Swisstone