Install Graylog 2 with Puppet

1. Informations

Graylog is a very good syslog server for Linux. It collecting, indexing, and analyzing a lot of data and can send notifications via mail.

Note:I only tested this installation on Debian !

2. Extra modules

First you need some extra modules

puppet module install elasticsearch-elasticsearch
puppet module install puppetlabs-mongodb
puppet module install ehazlett-graylog2

For more informations the the module descriptions:


2. Puppet Config

  class { 'elasticsearch':
    ensure => 'present',
    config => { ''           => 'graylog2',
                ''           => '',
                'script.disable_dynamic' => True,
    package_url => ''
  elasticsearch::instance { 'graylog2':
    config => { '' => 'graylog2-server'}

  class { '::mongodb::server':
    bind_ip => ['']

  class { 'graylog2::repo':
    version => '1.0'
  class {'graylog2::server':
    password_secret                                    => 'aa8poojook1oaphaic2iesa4ahLoo4xohW3EiNaQuugh4Uthaedeeb8Aimahj7tho',
    root_password_sha2                                 => '5ea632ef78c3e6d64653087d3f810972f97691ae93e064b08e6dbca4a671cb8d',
    elasticsearch_cluster_name                         => 'graylog2',
    elasticsearch_node_name                            => 'graylog2-server',
    elasticsearch_network_host                         => '',
    elasticsearch_discovery_zen_ping_multicast_enabled => false,
    elasticsearch_discovery_zen_ping_unicast_hosts     => '',
    gc_warning_threshold                               => '15s',
  class {'graylog2::web':
    application_secret => 'aa8poojook1oaphaic2iesa4ahLoo4xohW3EiNaQuugh4Uthaedeeb8Aimahj7tho',


1. Create the value for “password_secret” and “application_secret” with:

pwgen 65

2. Create the value for “root_password_sha2” with:

echo -n YOUR_PASSWORD | sha256sum

3. Port 514

In this setup Graylog doesn’t run as root. By this way Graylog is not allowed to open a Port below 1024. (privileged port). But you can create a Input ( System -> Inputs -> Add ) above 1024 (for example 1514) and use this port for syslogs. If you like you can add a firewall rule with redirects 514 to 1514:

Here is an iptables example:

iptables -A PREROUTING -t nat -i eth0 -p udp --dport 514 -j REDIRECT --to-port 1514

You have to configure your firewall (of course with puppet) for this rule if you need syslogs on port 514.

4. Mails

The above configuration has no mail setup. This depends on your favorite mailserver. Just add a puppet config that allows outgoing Mails.

3. Login

After the puppet run has completed you can start using Graylog2. Just visit http://your_server:9000 and login with “admin” and the root password you had defined with sha2.

4. Clients

Small example for client setup with still make local logs:

# Syslog Server
    log_local             => true,
    server                => 'YOUR_SERVER',
    port                  => '1514',
    remote_type           => 'udp',
    remote_forward_format => 'GRAYLOGRFC5424',
    log_templates         => [
      name      => 'GRAYLOGRFC5424',
      template  => '<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n',

I used rsyslog because it is the default logger on debian.

To use this Puppet Module you may need to install it first:

puppet module install saz-rsyslog


This Post Has One Comment

  1. Loved this guide, very clear use on the puppet modules and just about the easiest step-by-step guide for running Graylog2!

    Much appreciated!

Schreibe einen Kommentar

eMail-Benachrichtigung bei weiteren Kommentaren.
Auch möglich: Abo ohne Kommentar.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.