24 hours of logs on a separate server

I would like to set up a secondary Elasticsearch server where I can keep only 24 hours of logs and discard all others.
I can't figure out how to transfer logs / indices from one server to the other while they are both on the same network.
I want to transfer the logs in real time.
Please help me with this.

Best way is probably to index into both clusters concurrently.

Thanks for your reply, but how can they both work together? I don't want the first Elasticsearch server to share all of its data with the other, just one day of logs.

If you have any way that can help me here, that would be great.

If you want to keep data for just one day on one of the clusters, you will just need to delete indices earlier there. I am not sure I understand the problem.
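The retention step described in the reply above, as an added example that is not part of the original thread or of the Wazuh/Elastic projects: a small script that lists the daily `wazuh-alerts-YYYY.MM.DD` indices on the secondary cluster and deletes the ones older than the retention window. The secondary cluster address `SECONDARY_ES`, the index naming pattern and the one-day window are assumptions; the deletion decision is a pure function so it can be checked without a cluster, and anything that does not match the exact daily-index pattern (wildcards, `_all`, system indices) is never deleted.

```python
"""Delete daily Wazuh indices older than the retention window on a secondary cluster.

Added example, not code from the original thread. Assumes daily indices named
wazuh-alerts-YYYY.MM.DD (the usual Wazuh/Logstash naming) and a secondary
Elasticsearch HTTP endpoint; SECONDARY_ES below is a hypothetical address.
"""
import datetime as dt
import json
import re
import urllib.request

SECONDARY_ES = "http://10.0.0.20:9200"  # hypothetical secondary cluster
INDEX_RE = re.compile(r"^wazuh-alerts-(\d{4})\.(\d{2})\.(\d{2})$")


def indices_to_delete(index_names, today, retain_days=1):
    """Return the daily indices dated before `today - retain_days`.

    `today` may be a datetime.date or an ISO string "YYYY-MM-DD".
    retain_days=1 keeps today's and yesterday's index, so the cluster always
    holds at least a full 24-hour window no matter when the job runs.
    Names that do not match the exact pattern are ignored, never deleted.
    """
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    cutoff = today - dt.timedelta(days=retain_days)
    doomed = []
    for name in index_names:
        m = INDEX_RE.match(name)
        if not m:
            continue  # wildcards, _all, .kibana etc. never qualify
        try:
            day = dt.date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
        except ValueError:
            continue  # malformed date such as 2024.13.40: leave it alone
        if day < cutoff:
            doomed.append(name)
    return sorted(doomed)


def list_indices(base_url):
    """Names of all wazuh-alerts-* indices via the _cat API (JSON output)."""
    with urllib.request.urlopen(f"{base_url}/_cat/indices/wazuh-alerts-*?format=json") as resp:
        return [row["index"] for row in json.load(resp)]


def delete_index(base_url, name):
    """DELETE one concrete index; refuses anything that is not a daily index name."""
    if not INDEX_RE.match(name):
        raise ValueError(f"refusing to delete non-daily index name: {name!r}")
    req = urllib.request.Request(f"{base_url}/{name}", method="DELETE")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # Intended to run from cron on the secondary host, e.g. once an hour.
    for idx in indices_to_delete(list_indices(SECONDARY_ES), dt.date.today()):
        print("deleting", idx, delete_index(SECONDARY_ES, idx))
```

If the secondary cluster is new enough to support index lifecycle management, an ILM policy with a short `delete` phase does the same job without an external job; on older stacks Elasticsearch Curator is the usual tool for this. Either way, the point of the reply stands: the secondary cluster receives everything and simply drops it sooner.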

OK, let me try to put it this way.

I have one server (Wazuh, Logstash, Elasticsearch), which is the primary, but I want to create another server just for Logstash and Elasticsearch, where I will show 24 hours of logs from Wazuh.

I have now tried sharing the logs via rsyslog, but it is failing.

Have the first Logstash instance capture all the logs and then send them to both the local Elasticsearch instance and to Elasticsearch/Logstash on the other host. This means that you index the data into both clusters in parallel.
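The dual-output pipeline described in the reply above, as an added example that is not part of the original thread or of the Wazuh/Elastic projects. The Wazuh alerts file path, the two cluster addresses, the CA path and the credentials are assumptions; the `elasticsearch` output options used (`hosts`, `index`, `ssl`, `cacert`, `user`, `password`) are standard Logstash options.

```conf
# Added example: one Logstash pipeline, two Elasticsearch destinations.
input {
  # Wazuh writes alerts as one JSON object per line; path is an assumption.
  file {
    path  => "/var/ossec/logs/alerts/alerts.json"
    codec => "json"
  }
}

output {
  # Primary cluster on the same host: keeps the full history.
  elasticsearch {
    hosts => ["http://127.0.0.1:9200"]
    index => "wazuh-alerts-%{+YYYY.MM.dd}"
  }

  # Secondary cluster on the other host (hypothetical address): receives the
  # same events; retention to 24 hours is enforced there, not in Logstash.
  # The traffic leaves the box, so use TLS and a dedicated low-privilege
  # user that may only write to wazuh-alerts-* rather than plain HTTP.
  elasticsearch {
    hosts    => ["https://10.0.0.20:9200"]
    index    => "wazuh-alerts-%{+YYYY.MM.dd}"
    ssl      => true
    cacert   => "/etc/logstash/certs/secondary-ca.pem"
    user     => "logstash_writer"
    password => "${SECONDARY_ES_PASSWORD}"
  }
}
```

Two outputs in the same pipeline share one event flow: if the secondary cluster becomes unreachable, the Elasticsearch output retries and the whole pipeline stalls, so the primary stops receiving alerts as well. If that matters, split the destinations into two pipelines fed by the pipeline-to-pipeline output (with a persistent queue on each), or run a second Logstash on the other host as the reply also suggests, so that one cluster being down does not hold up the other.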
