Ansible Playbook to provision a Graylog 2.2 server with Nginx and Let's Encrypt.
Tested on Ubuntu 14.04 x64 with a $5/month DigitalOcean VPS (1 vCPU, 512MB of RAM). Graylog's memory requirement is at least 4GB of RAM; it is, however, possible to run it on a smaller box if you give it a big enough swap file. The playbook allocates a 4GB swap file by default (you can change the setting in roles/base/defaults/main.yml).
This playbook will configure a single-node Graylog master server. The web management is behind an Nginx proxy with SSL enabled using Let's Encrypt. Let's Encrypt is also configured to automatically renew the SSL cert.
A UFW firewall is enabled by default, allowing only the following ports to be accessed from the outside for added security:
- 22
- 80
- 443
You will want to create separate rules to only allow certain clients to send log messages. For instance, if you're using GELF UDP, you'd want to create a rule to allow access to port 12201 only from certain IP addresses/networks.
The playbook installs the following components:
- Graylog 2.2
- ElasticSearch 2.x
- MongoDB
- Nginx
- Let's Encrypt
In roles/graylog/defaults/main.yml, change the values of the following vars:
- `graylog_password_secret` (you can use `pwgen` to generate a random password, e.g. `pwgen -N 1 -s 96`)
- `graylog_root_password_sha2` (this is the password for the default `admin` user, which you can use to log in to the web interface and configure Graylog. Just pick a password and get its sha2 hash, e.g. `echo -n yourpassword | shasum -a 256`. The default password is `password`.)
- `certbot_admin_email` (change this value in roles/certbot/defaults/main.yml; Let's Encrypt will use this email address to notify the admin of issues with the SSL cert)
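The two Graylog values above can be produced with a small helper script. The one below is an added example, not part of the playbook: `sha256_of` hashes the admin password with `printf '%s'` rather than `echo -n`, because some `/bin/sh` implementations ignore `-n` and would hash `yourpassword` plus a trailing newline, after which the real password is rejected at login; `gen_password_secret` mirrors the `pwgen -N 1 -s 96` call and falls back to `/dev/urandom` when `pwgen` is not installed. The script name and the fallback behaviour are assumptions.

```shell
#!/bin/sh
# Added example (not part of the playbook): derive the two Graylog secrets
# expected in roles/graylog/defaults/main.yml. Needs one of
# sha256sum / shasum / openssl, plus pwgen or /dev/urandom.

# SHA-256 of a password, as expected for graylog_root_password_sha2.
# printf '%s' never appends a newline, unlike some shells' echo -n.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 256 | awk '{print $1}'
    else
        printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'
    fi
}

# Random 96-character secret for graylog_password_secret, matching the
# README's pwgen example; /dev/urandom fallback when pwgen is missing.
gen_password_secret() {
    if command -v pwgen >/dev/null 2>&1; then
        pwgen -N 1 -s 96
    else
        LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
        echo
    fi
}

# Usage (script name assumed): ./graylog-secrets.sh 'your admin password'
# Prints both variables in the form used by roles/graylog/defaults/main.yml.
if [ -n "$1" ]; then
    echo "graylog_password_secret: \"$(gen_password_secret)\""
    echo "graylog_root_password_sha2: \"$(sha256_of "$1")\""
fi
```

Paste the two printed lines into roles/graylog/defaults/main.yml, then rerun the playbook; do not keep the default `password` hash on a server reachable from the Internet.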
Also, in the production inventory file, enter your own server/host. Then run the playbook:
`ansible-playbook -i production graylogserver.yml`
See https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands for more examples.
To allow GELF UDP (port 12201) from a single client address, for example:
`sudo ufw allow proto udp from 1.2.3.4 to any port 12201`
Get the rule number to delete:
`ufw status numbered`
Delete the rule based on the rule number:
`ufw delete rule_number`
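When several networks are allowed to ship logs, the allow rules are easier to review if they are generated from one list rather than typed one by one. The script below is an added example, not part of the playbook: it validates each source as an IPv4 address or CIDR network, prints the `ufw allow` commands in the same form as the README's example, and only executes them when invoked with `apply`. It relies on UFW's default incoming policy being deny (which is what the playbook configures), so nothing else can reach port 12201; the script name and the sample networks are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the playbook): restrict the GELF UDP input
# on port 12201 to a list of trusted source networks. Assumes UFW's
# default incoming policy is deny, so the allow rules are the only way in.

GELF_PORT=12201

# Accept only a bare IPv4 address or an IPv4 CIDR (/0 to /32), so a typo
# such as "10.0.0.0/8x" is rejected instead of becoming a wrong rule.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Print one "ufw allow" command per trusted source, in the README's form.
# Returns 1 (printing nothing further) on the first invalid source.
gelf_allow_rules() {
    for src in "$@"; do
        if ! is_ipv4_or_cidr "$src"; then
            echo "invalid source: $src" >&2
            return 1
        fi
        echo "ufw allow proto udp from $src to any port $GELF_PORT"
    done
}

# Usage (script name assumed), run as root or via sudo:
#   ./gelf-allow.sh 10.0.0.0/8 192.0.2.10        # print the rules only
#   ./gelf-allow.sh apply 10.0.0.0/8 192.0.2.10  # print and execute them
case "$1" in
    "")    ;;
    apply) shift; gelf_allow_rules "$@" | sh -e ;;
    *)     gelf_allow_rules "$@" ;;
esac
```

Review the printed commands, then run with `apply`; afterwards `ufw status numbered` shows the new rules with their numbers, which is what `ufw delete` takes when a source must be removed again.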
Once you're logged in to the Graylog web admin, go to System / Indices -> Indices settings and make sure you adjust the index rotation and retention strategies so you don't run out of disk space on the server in the future.