Cluster-to-Cluster Forwarder

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

The Cluster-to-Cluster Forwarder forwards messages from one Graylog cluster to another over HTTP/2. Cluster-to-Cluster Forwarder logs messages from multiple distributed Graylog source clusters into one centralized destination cluster, which enables centralized alerting, reporting, and oversight.

Two Graylog clusters are required to use the Cluster-to-Cluster Forwarder: a Graylog source cluster (Forwarder Output) and a Graylog destination cluster (Cluster-to-Cluster Forwarder Input). The Graylog source cluster forwards messages, and the Graylog destination cluster receives the messages being forwarded.

Forwarder Output

The Forwarder Output (Graylog source cluster) is responsible for forwarding messages to the Graylog destination cluster. The Forwarder Output writes the messages to an on-disk journal in the Graylog source cluster (Forwarder Output). Messages stay in the on-disk journal until the Graylog destination cluster is available to receive messages.

Messages are only forwarded until they are fully processed through the pipeline of the Graylog source cluster, but simultaneously as they are written to Elasticsearch.

Forwarder Journal

The Forwarder is equipped with a disk journal. The disk journal immediately persists messages received from the Graylog Output system to the disk before attempting to send them to the remote Graylog destination cluster. This allows the Forwarder to receive and reliably queue messages, even if the remote Graylog destination cluster is temporarily unavailable due to network issues. The disk journal has many configuration options, such as Maximum Journal Size, as described below.

Forwarder Output Options

The Graylog Forwarder can forward messages at high throughput rates. Many hardware factors affect throughput rates, such as CPU clock speed, number of CPU cores, available memory, and network bandwidth. Several Forwarder Output configuration options are available to help tune performance for throughput requirements and environments.

Cluster-to-Cluster Forwarder Input

The Input (Graylog destination cluster) is responsible for receiving messages that have been forwarded from the Graylog cluster source.

When the Graylog destination cluster (Cluster-to-Cluster Forwarder Input) receives the forwarded messages, the following relevant fields are added to help track which Graylog cluster and node the messages originated from:

  • gl2_source_cluster_id

    The id of the source Graylog cluster.

  • gl2_source_node_id

    The id of the source Graylog node.

Cluster-to-Cluster Forwarder Input Options

SSL/TLS

TLS encryption ensures the secure transport of forwarded messages. To enable it, check the Enable TLS check box on both the input and output. The Input requires that both the certificate and key locations be specified. The Forwarder Output only requires the certification location to be specified.

Hint: Only X.509 certificates and keys in PEM format are supported. TLS Authentication is not currently supported.

Load Balancing

The Forwarder uses HTTP/2 (gRPC) for transport. Load balancing is not supported if only one Concurrent Network Sender is used. However, if more than one Concurrent Network Sender is used, then load balancing is supported, which allows each of these sender connections to be distributed to the destination host. For more information, see Load Balancing gRPC.