Ansible Role graylog_server
This role installs and configures a Graylog server. Optionally, it allows the creation of a cluster setup.
Currently supported versions:
5.0
You can choose between opensearch (default) and elasticsearch for the search engine. If you choose to use opensearch, Graylog Server 4.3+ is required.
Additionally, this role creates default „System Inputs“ and a Linuxfabrik default „index set“.
Note that this role does NOT let you specify a particular Graylog Server version. It simply installs the latest available Graylog Server version from the repos configured in the system. If you want or need to install a specific Graylog Server version, use the linuxfabrik.lfops.repo_graylog_server beforehand.
Mandatory Requirements
Sizing of disks:
/: at least 4 GB free disk space (create an 8+ GB partition).
/var: at least 15 GB free disk space (create a 20+ GB partition).
If you use the „Setup Graylog Server“ Playbook, the following is automatically done for you:
Install Java. This can be done using the linuxfabrik.lfops.apps role.
Install MongoDB. This can be done using the linuxfabrik.lfops.mongodb role.
Install Opensearch (recommended) or Elasticsearch as a search engine. This can be done using the linuxfabrik.lfops.opensearch or linuxfabrik.lfops.elasticsearch_oss role.
Enable the official Graylog repository. This can be done using the linuxfabrik.lfops.repo_graylog role.
Mandatory Role Variables
Variable | Description |
---|---|
graylog_server__admin_user | The main user account for the graylog administrator. Subkeys: |
graylog_server__password_secret | You MUST set a secret that is used for password encryption and salting. The server refuses to start if this value is not set. The minimum length for |
Example:
# mandatory
# main administrator account
graylog_server__admin_user:
  username: 'graylog-admin'
  password: 'linuxfabrik'
  email: 'webmaster@example.com'
# secret used for password encryption and salting
graylog_server__password_secret: 'linuxfabrik'
Optional Role Variables
Variable | Description | Default Value |
---|---|---|
graylog_server__cacerts_imports__host_var | List of dictionaries. CA certificates that should be imported into the Graylog keystore. Subkeys: | |
graylog_server__elasticsearch_hosts | List of Elasticsearch host URLs Graylog should connect to. | |
graylog_server__http_bind_address | The network interface used by the Graylog HTTP interface. | |
graylog_server__http_bind_port | The port used by the Graylog HTTP interface. | |
graylog_server__mongodb_uri | MongoDB connection string. See https://docs.mongodb.com/manual/reference/connection-string/ for details. | |
graylog_server__opts | The Java options, such as heap size, used by Graylog. | |
graylog_server__plugins | A list of available plugins which can be installed additionally. Possible options: | |
graylog_server__service_enabled | Enables or disables the Systemd unit. | |
graylog_server__stale_leader_timeout_ms | Time in milliseconds after which a detected stale leader node is being rechecked on startup. Try increasing this if | |
graylog_server__system_default_index_set | Creates a default index set. Subkeys: | One index per day; 365 indices max |
graylog_server__system_inputs | Creates system inputs. Subkeys: | Gelf (12201/TCP), Gelf (12201/UDP), Syslog (1514/UDP) |
graylog_server__timezone | The time zone setting of the root user. See joda.org for a list of valid time zones. | |
Example:
# optional
graylog_server__cacerts_imports__host_var:
  - name: 'central-ca'
    file: '/etc/pki/tls/certs/central-ca-chain.crt'
    state: 'present'
  - name: 'opensearch-root-ca'
    state: 'absent'
graylog_server__elasticsearch_hosts:
  - 'http://graylog1.example.com:9200'
  - 'http://username:password@graylog2.example.com:9200'
  - 'http://graylog3.example.com:9200'
graylog_server__http_bind_address: '192.0.2.1'
graylog_server__http_bind_port: 8080
graylog_server__mongodb_uri: 'mongodb://graylog01.example.com:27017,username:password@graylog02.example.com:27017,graylog03.example.com:27017/graylog?replicaSet=rs01'
graylog_server__opts: '-Xms2g -Xmx2g -server -XX:+UseG1GC -XX:-OmitStackTraceInFastThrow'
graylog_server__plugins:
  - 'graylog-enterprise-plugins'
  - 'graylog-integrations-plugins'
  - 'graylog-enterprise-integrations-plugins'
graylog_server__service_enabled: false
graylog_server__stale_leader_timeout_ms: 10000
graylog_server__system_default_index_set:
  can_be_default: true
  creation_date: '{{ ansible_date_time.iso8601 }}'
  description: 'One index per day; 365 indices max'
  field_type_refresh_interval: 5000
  index_analyzer: 'standard'
  index_optimization_max_num_segments: 1
  index_optimization_disabled: false
  index_prefix: 'lfops-default'
  replicas: 0
  retention_strategy_class: 'org.graylog2.indexer.retention.strategies.DeletionRetentionStrategy'
  retention_strategy:
    max_number_of_indices: 365
    type: 'org.graylog2.indexer.retention.strategies.DeletionRetentionStrategyConfig'
  rotation_strategy_class: 'org.graylog2.indexer.rotation.strategies.TimeBasedRotationStrategy'
  rotation_strategy:
    rotation_period: 'P1D'
    rotate_empty_index_set: false
    type: 'org.graylog2.indexer.rotation.strategies.TimeBasedRotationStrategyConfig'
  shards: 4
  title: 'Linuxfabrik Index Set'
  writable: true
graylog_server__system_inputs:
  # GELF over TCP
  - configuration:
      bind_address: '0.0.0.0'
      decompress_size_limit: 8388608
      max_message_size: 2097152
      number_worker_threads: 2
      override_source: ''
      port: 12201
      recv_buffer_size: 1048576
      tcp_keepalive: true
      tls_cert_file: ''
      tls_client_auth: 'disabled'
      tls_client_auth_cert_file: ''
      tls_enable: false
      tls_key_file: ''
      tls_key_password: ''
      use_null_delimiter: true
    global: true
    title: 'Gelf (12201/TCP)'
    type: 'org.graylog2.inputs.gelf.tcp.GELFTCPInput'
  # GELF over UDP
  - configuration:
      bind_address: '0.0.0.0'
      decompress_size_limit: 8388608
      number_worker_threads: 2
      override_source: ''
      port: 12201
      recv_buffer_size: 1048576
    global: true
    title: 'Gelf (12201/UDP)'
    type: 'org.graylog2.inputs.gelf.udp.GELFUDPInput'
  # Syslog over UDP
  - configuration:
      allow_override_date: true
      bind_address: '0.0.0.0'
      decompress_size_limit: 8388608
      expand_structured_data: false
      force_rdns: false
      number_worker_threads: 2
      override_source: ''
      port: 1514
      recv_buffer_size: 1048576
      store_full_message: false
    global: true
    title: 'Syslog (1514/UDP)'
    type: 'org.graylog2.inputs.syslog.udp.SyslogUDPInput'
graylog_server__timezone: 'Europe/Zurich'
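A pre-flight lint for the variables shown in the two examples above, added here as an illustration and not part of the role: it flags a too-short password secret, an admin password that reuses it, credentials embedded in connection URLs, plain http:// search-engine hosts, and TLS-capable inputs listening on 0.0.0.0 with TLS off. The function name lint_graylog_vars, the SAMPLE dict and the 16-character minimum (Graylog's own startup check, not a value stated on this page) are assumptions.

```python
import re
from urllib.parse import urlsplit

MIN_SECRET_LEN = 16  # assumption: Graylog's minimum length for password_secret
# user:password@ directly after "//" or "," (covers multi-host MongoDB URIs)
USERINFO = re.compile(r"(?<=[/,])[^/,:@\s]+:[^/,@\s]+@")

def lint_graylog_vars(v):
    """Return (variable, issue) findings for a dict of graylog_server__* variables."""
    out = []
    secret = v.get("graylog_server__password_secret", "")
    admin = v.get("graylog_server__admin_user", {})
    if len(secret) < MIN_SECRET_LEN:
        out.append(("graylog_server__password_secret", f"shorter than {MIN_SECRET_LEN} characters"))
    if secret and secret == admin.get("password"):
        out.append(("graylog_server__admin_user", "password reuses password_secret"))
    for url in v.get("graylog_server__elasticsearch_hosts", []):
        u = urlsplit(url)
        if u.scheme != "https":
            out.append(("graylog_server__elasticsearch_hosts", f"no TLS to {u.hostname}"))
        if USERINFO.search(url):  # finding never echoes the credential itself
            out.append(("graylog_server__elasticsearch_hosts", "inline credentials"))
    if USERINFO.search(v.get("graylog_server__mongodb_uri", "")):
        out.append(("graylog_server__mongodb_uri", "inline credentials"))
    for inp in v.get("graylog_server__system_inputs", []):
        cfg = inp.get("configuration", {})
        # Only inputs that expose a TLS switch (the GELF TCP input on this page)
        if cfg.get("tls_enable") is False and cfg.get("bind_address") == "0.0.0.0":
            out.append(("graylog_server__system_inputs", f"TLS off on 0.0.0.0: {inp.get('title')}"))
    return out

# Constructed sample: values from the README examples, trimmed to the checked keys
SAMPLE = {
    "graylog_server__admin_user": {"username": "graylog-admin", "password": "linuxfabrik"},
    "graylog_server__password_secret": "linuxfabrik",
    "graylog_server__elasticsearch_hosts": [
        "http://graylog1.example.com:9200",
        "http://username:password@graylog2.example.com:9200",
    ],
    "graylog_server__mongodb_uri": "mongodb://graylog01.example.com:27017,"
        "username:password@graylog02.example.com:27017/graylog?replicaSet=rs01",
    "graylog_server__system_inputs": [
        {"title": "Gelf (12201/TCP)", "configuration": {"bind_address": "0.0.0.0", "tls_enable": False}},
        {"title": "Gelf (12201/UDP)", "configuration": {"bind_address": "0.0.0.0"}},
    ],
}

if __name__ == "__main__":
    for var, issue in lint_graylog_vars(SAMPLE):
        print(f"{var}: {issue}")
```

Findings on the two secret variables are a cue to move those values into Ansible Vault rather than plain-text host or group vars.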
Multi-node Setup
To use a multi-node setup, you should specify a leader (see graylog_server__is_leader below) and make sure all Graylog servers can reach each other (by setting graylog_server__http_bind_address accordingly). It is also recommended to use an Elasticsearch / Opensearch and MongoDB cluster in combination with multi-node Graylog. This can be done by adjusting graylog_server__elasticsearch_hosts and graylog_server__mongodb_uri.
Variable | Description | Default Value |
---|---|---|
graylog_server__is_leader | This should be set to | |
Example:
# multi-node setup
graylog_server__is_leader: false
Troubleshooting
/bin/sh: /opt/python-venv/pymongo/bin/python3: No such file or directory
You either have to run the whole playbook, or python_venv directly: ansible-playbook --inventory myinv linuxfabrik.lfops.setup_graylog_server --tags python_venv