Sebastian Mogilowskis Blog

Just another blog about administration, linux and other stuff

Install Graylog 2 with Puppet

1. Informations

Graylog is a very good syslog server for Linux. It collecting, indexing, and analyzing a lot of data and can send notifications via mail.

Note:I only tested this installation on Debian !

2. Extra modules

First you need some extra modules

puppet module install elasticsearch-elasticsearch
puppet module install puppetlabs-mongodb
puppet module install ehazlett-graylog2

For more informations the the module descriptions:


2. Puppet Config

  class { 'elasticsearch':
    ensure => 'present',
    config => { ''           => 'graylog2',
                ''           => '',
                'script.disable_dynamic' => True,
    package_url => ''
  elasticsearch::instance { 'graylog2':
    config => { '' => 'graylog2-server'}

  class { '::mongodb::server':
    bind_ip => ['']

  class { 'graylog2::repo':
    version => '1.0'
  class {'graylog2::server':
    password_secret                                    => 'aa8poojook1oaphaic2iesa4ahLoo4xohW3EiNaQuugh4Uthaedeeb8Aimahj7tho',
    root_password_sha2                                 => '5ea632ef78c3e6d64653087d3f810972f97691ae93e064b08e6dbca4a671cb8d',
    elasticsearch_cluster_name                         => 'graylog2',
    elasticsearch_node_name                            => 'graylog2-server',
    elasticsearch_network_host                         => '',
    elasticsearch_discovery_zen_ping_multicast_enabled => false,
    elasticsearch_discovery_zen_ping_unicast_hosts     => '',
    gc_warning_threshold                               => '15s',
  class {'graylog2::web':
    application_secret => 'aa8poojook1oaphaic2iesa4ahLoo4xohW3EiNaQuugh4Uthaedeeb8Aimahj7tho',


1. Create the value for “password_secret” and “application_secret” with:

pwgen 65

2. Create the value for “root_password_sha2” with:

echo -n YOUR_PASSWORD | sha256sum

3. Port 514

In this setup Graylog doesn’t run as root. By this way Graylog is not allowed to open a Port below 1024. (privileged port). But you can create a Input ( System -> Inputs -> Add ) above 1024 (for example 1514) and use this port for syslogs. If you like you can add a firewall rule with redirects 514 to 1514:

Here is an iptables example:

iptables -A PREROUTING -t nat -i eth0 -p udp --dport 514 -j REDIRECT --to-port 1514

You have to configure your firewall (of course with puppet) for this rule if you need syslogs on port 514.

4. Mails

The above configuration has no mail setup. This depends on your favorite mailserver. Just add a puppet config that allows outgoing Mails.

3. Login

After the puppet run has completed you can start using Graylog2. Just visit http://your_server:9000 and login with “admin” and the root password you had defined with sha2.

4. Clients

Small example for client setup with still make local logs:

# Syslog Server
    log_local             => true,
    server                => 'YOUR_SERVER',
    port                  => '1514',
    remote_type           => 'udp',
    remote_forward_format => 'GRAYLOGRFC5424',
    log_templates         => [
      name      => 'GRAYLOGRFC5424',
      template  => '<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n',

I used rsyslog because it is the default logger on debian.

To use this Puppet Module you may need to install it first:

puppet module install saz-rsyslog


One thought on “Install Graylog 2 with Puppet

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.