Ansible Playbook to provision a Graylog 2.2 server with Nginx and Let's Encrypt.
Tested on Ubuntu 14.04 x64 with a $5/month DigitalOcean VPS (1 vCPU, 512MB of RAM). Graylog's memory requirement is at least 4GB of RAM; however, it is possible to run it on a smaller box if you give it a big enough swap file. The playbook will allocate a 4GB swap by default (you can change the setting in roles/base/defaults/main.yml).
This playbook will configure a single-node Graylog master server. The web management is behind an Nginx proxy with SSL enabled using Let's Encrypt. Let's Encrypt is also configured to automatically renew the SSL cert.
A UFW firewall is enabled by default, allowing only the following ports to be accessed from the outside for added security:
You will want to create separate rules that only allow certain clients to send log messages. For instance, if you're using GELF UDP, you'd want to create a rule that allows access to port 12201 only from certain IP addresses/networks.
- Graylog 2.2
- ElasticSearch 2.x
- Let's Encrypt
Settings/Variables You Should Change
In roles/graylog/defaults/main.yml, change the values of the following vars:
graylog_password_secret (you can use pwgen to generate a random password, e.g. pwgen -N 1 -s 96)
graylog_root_password_sha2 (this is the password for the default admin user, which you can use to log in to the web interface and configure Graylog. Just pick a password and get its sha2 hash, e.g. echo -n yourpassword | shasum -a 256). The default password is
certbot_admin_email (change this value in roles/certbot/defaults/main.yml; Let's Encrypt will use this email address to notify the admin of issues with the SSL cert)
Also, in the production inventory file, enter your own server/host.
Running the Playbook
ansible-playbook -i production graylogserver.yml
Adding UFW rules
Allow access to UDP port 12201 from IP address 18.104.22.168
sudo ufw allow proto udp from 18.104.22.168 to any port 12201
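The same restriction can be managed by Ansible instead of by hand, so it survives a rebuild of the box. This is an added example, not a task from this playbook's roles; it uses Ansible's ufw module and assumes a variable named graylog_gelf_clients, which you would define yourself (the networks listed are constructed sample values):

```yaml
# Added example (not part of the original playbook): open UDP/12201 (GELF UDP)
# only to listed log shippers. The playbook already enables UFW with a default
# deny policy, so this only adds the per-client allow rules.
- name: Restrict the GELF UDP input to known clients
  hosts: graylog
  become: true
  vars:
    graylog_gelf_clients:      # assumed variable name; constructed sample values
      - 10.0.1.0/24
      - 203.0.113.25
  tasks:
    - name: Allow UDP 12201 from each allowed client network
      ufw:
        rule: allow
        proto: udp
        port: "12201"
        from_ip: "{{ item }}"
      with_items: "{{ graylog_gelf_clients }}"
```

Run it the same way as the main playbook (ansible-playbook -i production <this file>); hosts not in the list still get no response on 12201.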
Deleting UFW rules
Get the rule number to delete:
sudo ufw status numbered
Delete the rule based on the rule number:
sudo ufw delete rule_number
Once you're logged in to the Graylog web admin, go to System / Indices -> Indices settings and adjust the index rotation and retention strategies so the server does not run out of disk space in the future.