Update to 2021-12-01 19:13

2025-07-27 00:05:44 +02:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/graylog/defaults/main.yml
+++ b/roles/graylog/defaults/main.yml
@@ -0,0 +1,73 @@
+---
+
+graylog_version: 4.1.6
+graylog_archive_url: https://downloads.graylog.org/releases/graylog/graylog-{{ graylog_version }}.tgz
+graylog_archive_sha1: 7701118689798cb68cda2181e2a1c56a67792495
+graylog_root_dir: /opt/graylog
+graylog_manage_upgrade: True
+
+graylog_is_master: True
+
+graylog_plugins:
+  graylog-output-syslog:
+    version: 3.3.0
+    sha1: e18bc112cd3b5d5b07b69ed5e5c2e146dfd67677
+    url: https://github.com/wizecore/graylog2-output-syslog/releases/download/3.3.0/graylog-output-syslog-3.3.0.jar
+
+# Plugins bundled, which should not be removed
+graylog_plugins_core:
+  - aws
+  - collector
+  - threatintel
+graylog_plugins_to_install: []
+
+# A random one will be created is not defined
+# graylog_pass_secret:
+# graylog_admin_pass: 
+
+# 9000 is for the web interface and api, 12201 is the default for gelf HTTP inputs
+graylog_api_port: 9000
+graylog_listeners_http_ports: [12201]
+graylog_http_ports: "{{ [graylog_api_port] + graylog_listeners_http_ports }}"
+graylog_http_src_ip: []
+
+# Must match your inputs (eg, syslog/raw)
+# used to open ports in the firewall
+graylog_listeners_udp_ports: [514]
+graylog_listeners_tcp_ports: [514]
+graylog_listeners_src_ip: [0.0.0.0/0]
+
+# graylog_external_uri: https://logs.domain.tld/
+
+graylog_es_hosts:
+  - http://localhost:9200
+graylog_es_cluster_name: elasticsearch
+
+graylog_mongo_user: graylog
+# A random one will be created if not set. To make anonymous connections, set it to False
+# If you use more than 1 mongo URL, then no password will be created, mongo user must be created manually
+# and configured in the url
+#graylog_mongo_pass: S3cRet.
+# Note: if graylog_mongo_pass is defined, it'll be used with graylog_mongo_user to connect, even if not indicated in graylog_mongo_url
+# Else, anonymous connection is made. By default, if you do not set graylog_mongo_pass, a random one will be created
+# If you insist on using anonymous connections, you should set graylog_mongo_pass to False
+graylog_mongo_url:
+  - mongodb://localhost/graylog
+
+# Max size of Graylog journal, in GB
+graylog_journal_max_size: 5
+
+# If you want to obtain a cert with dehydrated
+# it'll be deployed as {{ graylog_root_dir }}/ssl/cert.pem and {{ graylog_root_dir }}/ssl/key.pem
+# graylog_letsencrypt_cert: graylog.domain.tls
+
+# If set, will populate enabled_tls_protocols
+# on el7, TLSv1.3 seems to break filebeat connections, so, just enable TLSv1.2
+graylog_tls_versions:
+  - TLSv1.2
+
+# Mem to allocate to the JVM (Xmx / Xms)
+graylog_jvm_mem: 2g
+
+# Version of the Elasticsearch server
+# graylog_es_version: 6
--- a/roles/graylog/handlers/main.yml
+++ b/roles/graylog/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+
+- name: restart graylog-server
+  service: name=graylog-server state=restarted
+  when: not graylog_started.changed
--- a/roles/graylog/meta/main.yml
+++ b/roles/graylog/meta/main.yml
@@ -0,0 +1,6 @@
+---
+
+dependencies:
+  - role: mkdir
+  - role: repo_mongodb
+  - role: geoipupdate
--- a/roles/graylog/tasks/archive_post.yml
+++ b/roles/graylog/tasks/archive_post.yml
@@ -0,0 +1,7 @@
+---
+
+- import_tasks: ../includes/webapps_compress_archive.yml
+  vars:
+    - root_dir: "{{ graylog_root_dir }}"
+    - version: "{{ graylog_current_version }}"
+  tags: graylog
--- a/roles/graylog/tasks/archive_pre.yml
+++ b/roles/graylog/tasks/archive_pre.yml
@@ -0,0 +1,27 @@
+---
+
+- name: Create archive dir
+  file: path={{ graylog_root_dir }}/archives/{{ graylog_current_version }}/mongo state=directory
+  tags: graylog
+
+- name: Archive current version
+  synchronize:
+    src: "{{ graylog_root_dir }}/app"
+    dest: "{{ graylog_root_dir }}/archives/{{ graylog_current_version }}/"
+    recursive: True
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  tags: graylog
+
+- name: Archive mongo database
+  shell: |
+    mongodump --quiet \
+      --out {{ graylog_root_dir }}/archives/{{ graylog_current_version }}/mongo \
+      --uri \
+      {% if  graylog_mongo_pass is defined and graylog_mongo_pass != False and graylog_mongo_url | length == 1 %}
+      {% set url = graylog_mongo_url[0] %}
+      {{ url | urlsplit('scheme') }}://{{ graylog_mongo_user }}:{{ graylog_mongo_pass | urlencode | regex_replace('/','%2F') }}@{{ url | urlsplit('hostname') }}{% if url | urlsplit('port') %}:{{ url | urlsplit('port') }}{% endif %}{{ url | urlsplit('path') }}?{{ url | urlsplit('query') }}
+      {% else %}
+      {{ graylog_mongo_url[0] }}
+      {% endif %}
+  tags: graylog
--- a/roles/graylog/tasks/cleanup.yml
+++ b/roles/graylog/tasks/cleanup.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ graylog_root_dir }}/tmp/graylog-{{ graylog_version }}.tgz"
+    - "{{ graylog_root_dir }}/tmp/graylog-{{ graylog_version }}"
+  tags: graylog
--- a/roles/graylog/tasks/conf.yml
+++ b/roles/graylog/tasks/conf.yml
@@ -0,0 +1,33 @@
+---
+
+- name: Deploy configuration
+  template: src={{ item }}.j2 dest={{ graylog_root_dir }}/etc/{{ item }} group=graylog mode=640
+  loop:
+    - server.conf
+    - log4j2.xml
+  notify: restart graylog-server
+  tags: graylog
+
+- name: Create the mongodb user
+  mongodb_user:
+    database: "{{ item | urlsplit('path') | regex_replace('^\\/', '') }}"
+    name: "{{ graylog_mongo_user }}"
+    password: "{{ graylog_mongo_pass }}"
+    login_database: admin
+    login_host: "{{ item | urlsplit('hostname') }}"
+    login_port: "{{ item | urlsplit('port') | ternary(item | urlsplit('port'),omit) }}"
+    login_user: mongoadmin
+    login_password: "{{ mongo_admin_pass }}"
+    roles:
+      - readWrite
+  loop: "{{ graylog_mongo_url }}"
+  changed_when: False # the module is buggy and indicates a change even if there were none
+  when:
+    - graylog_mongo_url | length == 1
+    - graylog_mongo_pass is defined
+    - graylog_mongo_pass != False
+  tags: graylog
+
+- name: Deploy logrotate configuration
+  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/graylog
+  tags: graylog
--- a/roles/graylog/tasks/directories.yml
+++ b/roles/graylog/tasks/directories.yml
@@ -0,0 +1,39 @@
+---
+
+- name: Create dir
+  file:
+    path: "{{ graylog_root_dir }}/{{ item.dir }}"
+    state: directory
+    owner: "{{ item.owner | default(omit) }}"
+    group: "{{ item.group | default(omit) }}"
+    mode: "{{ item.mode | default(omit) }}"
+  loop:
+    - dir: /
+    - dir: etc
+      owner: root
+      group: graylog
+      mode: 750
+    - dir: app
+    - dir: state
+      owner: graylog
+      group: graylog
+    - dir: data/journal
+      owner: graylog
+      group: graylog
+      mode: 700
+    - dir: meta
+      mode: 700
+    - dir: ssl
+      owner: root
+      group: graylog
+      mode: 750
+    - dir: archives
+      mode: 700
+    - dir: tmp
+    - dir: logs
+      owner: graylog
+      group: graylog
+      mode: 700
+    - dir: backup
+      mode: 700
+  tags: graylog
--- a/roles/graylog/tasks/facts.yml
+++ b/roles/graylog/tasks/facts.yml
@@ -0,0 +1,82 @@
+---
+
+# Detect if already installed, and if an upgrade is needed
+- import_tasks: ../includes/webapps_set_install_mode.yml
+  vars:
+    - root_dir: "{{ graylog_root_dir }}"
+    - version: "{{ graylog_version }}"
+  tags: graylog
+- set_fact: graylog_install_mode={{ (install_mode == 'upgrade' and not graylog_manage_upgrade) | ternary('none',install_mode) }}
+  tags: graylog
+- set_fact: graylog_current_version={{ current_version | default('') }}
+  tags: graylog
+
+# Try to read mongo admin pass
+- name: Check if mongo pass file exists
+  stat: path=/root/.mongo.pw
+  register: graylog_mongo_pw
+  tags: graylog
+- when: graylog_mongo_pw.stat.exists and mongo_admin_pass is not defined
+  block:
+    - slurp: src=/root/.mongo.pw
+      register: graylog_mongo_admin_pass
+    - set_fact: mongo_admin_pass={{ graylog_mongo_admin_pass.content | b64decode | trim }}
+  tags: graylog
+- fail: msg='mongo_admin_pass must be provided'
+  when: not graylog_mongo_pw.stat.exists and mongo_admin_pass is not defined
+  tags: graylog
+
+- name: Remove randomly generated admin password
+  file: path={{ graylog_root_dir }}/meta/admin_pass state=absent
+  when: graylog_admin_pass is defined
+  tags: graylog
+
+- name: Remove randomly generated password secret
+  file: path={{ graylog_root_dir }}/meta/pass_secret state=absent
+  when: graylog_pass_secret is defined
+  tags: graylog
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ graylog_root_dir }}/meta/pass_secret"
+  when: graylog_pass_secret is not defined
+  tags: graylog
+- set_fact: graylog_pass_secret={{ rand_pass }}
+  when: graylog_pass_secret is not defined
+  tags: graylog
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ graylog_root_dir }}/meta/admin_pass"
+  when: graylog_admin_pass is not defined
+  tags: graylog
+- set_fact: graylog_admin_pass={{ rand_pass }}
+  when: graylog_admin_pass is not defined
+  tags: graylog
+
+# If only one mongo url is given and graylog_mongo_pass is not defined,
+# parse the password from the url, or generate one
+- debug:
+    msg: |
+      graylog_mongo_url is '{{ graylog_mongo_url }}'
+      parsed pass is "{{ graylog_mongo_url[0] | urlsplit('password') }}"
+  tags: graylog
+
+- name: Parse password from the first mongo URL
+  set_fact: graylog_mongo_pass={{ graylog_mongo_url[0] | urlsplit('password') | urldecode }}
+  when:
+    - graylog_mongo_url | length == 1
+    - graylog_mongo_pass is not defined
+    - graylog_mongo_url[0] | urlsplit('password') is string
+  tags: mongo
+
+# Create a random password for mongo
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ graylog_root_dir }}/meta/mongo_pass"
+    - set_fact: graylog_mongo_pass={{ rand_pass }}
+  when:
+    - graylog_mongo_url | length == 1
+    - graylog_mongo_pass is not defined
+  tags: graylog
--- a/roles/graylog/tasks/filebeat.yml
+++ b/roles/graylog/tasks/filebeat.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Deploy filebeat configuration
+  template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_inputs.d/graylog.yml
+  tags: graylog,log
--- a/roles/graylog/tasks/install.yml
+++ b/roles/graylog/tasks/install.yml
@@ -0,0 +1,100 @@
+---
+
+- name: Uninstall RPM
+  yum:
+    name:
+      - graylog-server
+    state: absent
+  tags: graylog
+
+- name: Install packages
+  yum:
+    name:
+      - java-1.8.0-openjdk
+      - mongodb-org-tools
+  tags: graylog
+
+- name: Download graylog archive
+  get_url:
+    url: "{{ graylog_archive_url }}"
+    dest: "{{ graylog_root_dir }}/tmp/"
+    checksum: sha1:{{ graylog_archive_sha1 }}
+  when: graylog_install_mode != 'none'
+  tags: graylog
+
+- name: Extract graylog archive
+  unarchive:
+    src: "{{ graylog_root_dir }}/tmp/graylog-{{ graylog_version }}.tgz"
+    dest: "{{ graylog_root_dir }}/tmp"
+    remote_src: True
+  when: graylog_install_mode != 'none'
+  tags: graylog
+
+- name: Deploy graylog app
+  synchronize:
+    src: "{{ graylog_root_dir }}/tmp/graylog-{{ graylog_version }}/"
+    dest: "{{ graylog_root_dir }}/app/"
+    recursive: True
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  when: graylog_install_mode != 'none'
+  notify: restart graylog-server
+  tags: graylog
+
+- name: Install plugins
+  get_url:
+    url: "{{ graylog_plugins[item].url }}"
+    dest: "{{ graylog_root_dir }}/app/plugin"
+    checksum: sha1:{{ graylog_plugins[item].sha1 }}
+  when: item in graylog_plugins_to_install
+  loop: "{{ graylog_plugins.keys() | list }}"
+  notify: restart graylog-server
+  tags: graylog
+
+- name: Remove old plugins
+  shell: find {{ graylog_root_dir }}/app/plugin -name graylog-plugin-{{ item }}\* -a \! -name \*{{ graylog_plugins[item].version }}.jar -exec rm -f "{}" \;
+  when: graylog_plugins[item] is defined
+  changed_when: False
+  loop: "{{ graylog_plugins_to_install }}"
+  tags: graylog
+
+- name: List installed plugins
+  shell: find {{ graylog_root_dir }}/app/plugin/ -type f -name graylog-plugin-\*.jar
+  register: graylog_plugins_installed
+  changed_when: False
+  tags: graylog
+
+- name: Remove unwanted plugins
+  file: path={{ item }} state=absent
+  when: item | basename | regex_replace('graylog\-plugin\-(.+)\-\d(\.\d+)+\.jar','\\1') not in graylog_plugins_core + graylog_plugins_to_install
+  notify: restart graylog-server
+  loop: "{{ graylog_plugins_installed.stdout_lines }}"
+  tags: graylog
+
+- name: Deploy systemd service unit
+  template: src=graylog-server.service.j2 dest=/etc/systemd/system/graylog-server.service
+  register: graylog_unit
+  notify: restart graylog-server
+  tags: graylog
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: graylog_unit.changed
+  tags: graylog
+
+- name: Deploy pre/post backup scripts
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/graylog mode=750
+  loop:
+    - pre
+    - post
+  tags: graylog
+
+- name: Deploy dehydrated hook
+  template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/graylog mode=755
+  when: graylog_letsencrypt_cert is defined
+  tags: graylog
+
+- name: Remove dehydrated hook
+  file: path=/etc/dehydrated/hooks_deploy_cert.d/graylog state=absent
+  when: graylog_letsencrypt_cert is not defined
+  tags: graylog
--- a/roles/graylog/tasks/iptables.yml
+++ b/roles/graylog/tasks/iptables.yml
@@ -0,0 +1,20 @@
+---
+
+- name: Handle graylog ports
+  iptables_raw:
+    name: "{{ item.name }}"
+    state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p {{ item.proto | default('tcp') }} -m multiport --dports {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  loop:
+    - port: "{{ graylog_http_ports | join(',') }}"
+      name: graylog_http_ports
+      src_ip: "{{ graylog_http_src_ip }}"
+    - port: "{{ graylog_listeners_tcp_ports | join(',') }}"
+      name: graylog_listeners_tcp_ports
+      src_ip: "{{ graylog_listeners_src_ip }}"
+    - port: "{{ graylog_listeners_udp_ports | join(',') }}"
+      proto: udp
+      name: graylog_listeners_udp_ports
+      src_ip: "{{ graylog_listeners_src_ip }}"
+  tags: firewall,graylog
--- a/roles/graylog/tasks/main.yml
+++ b/roles/graylog/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+- include: facts.yml
+- include: user.yml
+- include: directories.yml
+- include: archive_pre.yml
+  when: graylog_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+- include: service.yml
+- include: write_version.yml
+- include: cleanup.yml
+- include: archive_post.yml
+  when: graylog_install_mode == 'upgrade'
+- include: filebeat.yml
--- a/roles/graylog/tasks/service.yml
+++ b/roles/graylog/tasks/service.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable the service
+  service: name=graylog-server state=started enabled=True
+  register: graylog_started
+  tags: graylog
--- a/roles/graylog/tasks/user.yml
+++ b/roles/graylog/tasks/user.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Create a system account to run graylog
+  user:
+    name: graylog
+    comment: "Graylog system account"
+    system: True
+    shell: /sbin/nologin
+  tags: graylog
--- a/roles/graylog/tasks/write_version.yml
+++ b/roles/graylog/tasks/write_version.yml
@@ -0,0 +1,5 @@
+---
+
+- name: Write version
+  copy: content={{ graylog_version }} dest={{ graylog_root_dir }}/meta/ansible_version
+  tags: graylog
--- a/roles/graylog/templates/dehydrated_deploy_hook.j2
+++ b/roles/graylog/templates/dehydrated_deploy_hook.j2
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+{% if graylog_letsencrypt_cert is defined %}
+if [ $1 == "{{ graylog_letsencrypt_cert }}" ]; then
+  cat /var/lib/dehydrated/certificates/certs/{{ graylog_letsencrypt_cert }}/privkey.pem > {{ graylog_root_dir }}/ssl/key.pem
+  cat /var/lib/dehydrated/certificates/certs/{{ graylog_letsencrypt_cert }}/fullchain.pem > {{ graylog_root_dir }}/ssl/cert.pem
+  chown root:graylog {{ graylog_root_dir }}/ssl/*
+  chmod 644 {{ graylog_root_dir }}/ssl/cert.pem
+  chmod 640 {{ graylog_root_dir }}/ssl/key.pem
+  /bin/systemctl restart graylog-server
+fi
+{% endif %}
--- a/roles/graylog/templates/filebeat.yml.j2
+++ b/roles/graylog/templates/filebeat.yml.j2
@@ -0,0 +1,4 @@
+- type: log
+  enabled: True
+  paths:
+    - {{ graylog_root_dir }}/logs/server.log
--- a/roles/graylog/templates/graylog-server.j2
+++ b/roles/graylog/templates/graylog-server.j2
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -e
+
+# For Debian/Ubuntu based systems.
+if [ -f "/etc/default/graylog-server" ]; then
+    . "/etc/default/graylog-server"
+fi
+
+# For RedHat/Fedora based systems.
+if [ -f "/etc/sysconfig/graylog-server" ]; then
+    . "/etc/sysconfig/graylog-server"
+fi
+
+if [ -f "/usr/share/graylog-server/installation-source.sh" ]; then
+    . "/usr/share/graylog-server/installation-source.sh"
+fi
+
+# Java versions > 8 don't support UseParNewGC
+if ${JAVA:=/usr/bin/java} -XX:+PrintFlagsFinal 2>&1 | grep -q UseParNewGC; then
+        GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -XX:+UseParNewGC"
+fi
+
+$GRAYLOG_COMMAND_WRAPPER ${JAVA:=/usr/bin/java} $GRAYLOG_SERVER_JAVA_OPTS \
+    -cp /usr/share/graylog-server/graylog.jar{% if graylog_libs.keys() | list | length > 0 %}:{% for lib in graylog_libs.keys() | list %}:{{ graylog_root_dir }}/libs/{{ lib }}-{{ graylog_libs[lib].version }}.jar{% endfor %} {% endif %} -Dlog4j.configurationFile=file://{{ graylog_root_dir }}/etc/log4j2.xml \
+    -Djava.library.path=/usr/share/graylog-server/lib/sigar \
+    -Dgraylog2.installation_source=${GRAYLOG_INSTALLATION_SOURCE:=unknown} \
+    org.graylog2.bootstrap.Main server -f {{ graylog_root_dir }}/etc/server.conf -np \
+    $GRAYLOG_SERVER_ARGS
--- a/roles/graylog/templates/graylog-server.service.j2
+++ b/roles/graylog/templates/graylog-server.service.j2
@@ -0,0 +1,37 @@
+[Unit]
+Description=Graylog server
+Documentation=http://docs.graylog.org/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=10
+User=graylog
+Group=graylog
+LimitNOFILE=64000
+ExecStart=/usr/bin/java \
+            -Xms{{ graylog_jvm_mem }} -Xmx{{ graylog_jvm_mem }} -Djdk.tls.acknowledgeCloseNotify=true \
+            -XX:NewRatio=1 -server -XX:+ResizeTLAB \
+            -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled \
+            -XX:+CMSClassUnloadingEnabled -XX:-OmitStackTraceInFastThrow \
+            -Dlog4j.configurationFile=file://{{ graylog_root_dir }}/etc/log4j2.xml \
+            -Djava.library.path={{ graylog_root_dir }}/app/lib/sigar \
+            -jar {{ graylog_root_dir }}/app/graylog.jar server -f {{ graylog_root_dir }}/etc/server.conf -np
+
+# When a JVM receives a SIGTERM signal it exits with 143.
+SuccessExitStatus=143
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+SyslogIdentifier=graylog-server
+
+# Allow binding on privileged ports
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/graylog/templates/log4j2.xml.j2
+++ b/roles/graylog/templates/log4j2.xml.j2
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
+    <Appenders>
+	    <RollingFile name="rolling-file" fileName="{{ graylog_root_dir }}/logs/server.log" filePattern="{{ graylog_root_dir }}/server.log.%i.gz">
+            <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
+            <Policies>
+                <SizeBasedTriggeringPolicy size="50MB"/>
+            </Policies>
+            <DefaultRolloverStrategy max="10" fileIndex="min"/>
+        </RollingFile>
+
+        <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
+        <Memory name="graylog-internal-logs" bufferSize="500"/>
+    </Appenders>
+    <Loggers>
+        <!-- Application Loggers -->
+        <Logger name="org.graylog2" level="info"/>
+        <Logger name="com.github.joschi.jadconfig" level="warn"/>
+        <!-- Prevent DEBUG message about Lucene Expressions not found. -->
+        <Logger name="org.elasticsearch.script" level="warn"/>
+        <!-- Disable messages from the version check -->
+        <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
+        <!-- Silence chatty natty -->
+        <Logger name="com.joestelmach.natty.Parser" level="warn"/>
+        <!-- Silence Kafka log chatter -->
+        <Logger name="kafka.log.Log" level="warn"/>
+        <Logger name="kafka.log.OffsetIndex" level="warn"/>
+        <Logger name="org.apache.kafka.clients.consumer.ConsumerConfig" level="warn"/>
+        <!-- Silence useless session validation messages -->
+        <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
+        <Root level="warn">
+            <AppenderRef ref="rolling-file"/>
+            <AppenderRef ref="graylog-internal-logs"/>
+        </Root>
+    </Loggers>
+</Configuration>
--- a/roles/graylog/templates/logrotate.conf.j2
+++ b/roles/graylog/templates/logrotate.conf.j2
@@ -0,0 +1,8 @@
+{{ graylog_root_dir }}/logs/*.log {
+  daily
+  rotate 180
+  compress
+  notifempty
+  missingok
+  copytruncate
+}
--- a/roles/graylog/templates/post-backup.j2
+++ b/roles/graylog/templates/post-backup.j2
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -rf {{ graylog_root_dir }}/backup/{mongo,es}/*
--- a/roles/graylog/templates/pre-backup.j2
+++ b/roles/graylog/templates/pre-backup.j2
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -eo pipefail
+
+mongodump \
+{% if graylog_mongo_url | length == 1 and graylog_mongo_pass is defined and graylog_mongo_pass != False %}
+{% set graylog_mongo = graylog_mongo_url[0] | urlsplit %}
+  --uri {{ graylog_mongo['scheme'] }}://{{ graylog_mongo_user }}:{{ graylog_mongo_pass | urlencode | regex_replace('/','%2F') }}@{{ graylog_mongo['hostname'] }}{% if graylog_mongo['port'] %}:{{ graylog_mongo['port'] }}{% endif %}{{ graylog_mongo['path'] }}?{{ graylog_mongo['query'] }} \
+{% else %}
+  --uri {{ graylog_mongo_url[0] }} \
+{% endif %}
+  --quiet --out {{ graylog_root_dir }}/backup/mongo
--- a/roles/graylog/templates/server.conf.j2
+++ b/roles/graylog/templates/server.conf.j2
@@ -0,0 +1,60 @@
+is_master = {{ graylog_is_master | ternary('true','false') }}
+node_id_file = {{ graylog_root_dir }}/state/node-id
+password_secret = {{ graylog_pass_secret }}
+root_password_sha2 = {{ graylog_admin_pass | hash('sha256') }}
+root_email = {{ system_admin_email | default('""') }}
+root_timezone = {{ system_tz | default('UTC') }}
+http_bind_address = 0.0.0.0:{{ graylog_api_port }}
+{% if graylog_external_uri is defined %}
+http_external_uri = {{ graylog_external_uri }}{% if not graylog_external_uri is search('/$') %}/{% endif %}
+
+{% endif %}
+http_enable_gzip = false
+{% if graylog_http_src_ip | length > 0 and '0.0.0.0/0' not in graylog_http_src_ip %}
+trusted_proxies = {% for host in graylog_http_src_ip %}{{ host }}{% if not host is search('/\d+$') %}/32{% endif %}{% if not loop.last %},{% else %}{% endif %}{% endfor %}
+
+{% endif %}
+elasticsearch_hosts = {{ graylog_es_hosts | join(',') }}
+elasticsearch_cluster_name = {{ graylog_es_cluster_name | default('elasticsearch') }}
+{% if graylog_mongo_pass is defined and graylog_mongo_pass != False and graylog_mongo_url | length == 1 %}
+mongodb_uri = {% for url in graylog_mongo_url %}{{ url | urlsplit('scheme') }}://{{ graylog_mongo_user }}:{{ graylog_mongo_pass | urlencode | regex_replace('/','%2F') }}@{{ url | urlsplit('hostname') }}{% if url | urlsplit('port') %}:{{ url | urlsplit('port') }}{% endif %}{{ url | urlsplit('path') }}?{{ url | urlsplit('query') }}{% if not loop.last %},{% endif %}
+{% endfor %}
+{% else %}
+mongodb_uri = {{ graylog_mongo_url | join(',') }}
+{% endif %}
+
+message_journal_enabled = true
+
+transport_email_enabled = true
+transport_email_hostname = localhost
+transport_email_port = 25
+transport_email_use_auth = false
+transport_email_from_email = graylog@{{ ansible_domain }}
+{% if graylog_external_uri is defined %}
+transport_email_web_interface_url = {{ graylog_external_uri }}
+{% endif %}
+
+{% if system_proxy is defined and system_proxy != '' %}
+http_proxy_uri = {{ system_proxy }}
+http_non_proxy_hosts = {{ (system_proxy_no_proxy | default([]) + ansible_all_ipv4_addresses) | join(',') }}
+{% endif %}
+
+bin_dir = {{ graylog_root_dir }}/app/bin
+data_dir = {{ graylog_root_dir }}/data
+plugin_dir = {{ graylog_root_dir }}/app/plugin
+message_journal_dir = {{ graylog_root_dir }}/data/journal
+message_journal_max_size = {{ graylog_journal_max_size }}gb
+
+allow_leading_wildcard_searches = true
+
+{% if 'dnsresolver' in graylog_plugins_to_install %}
+dns_resolver_enabled = true
+{% endif %}
+
+{% if graylog_tls_versions | length > 0 %}
+enabled_tls_protocols = {{ graylog_tls_versions | join(',') }}
+{% endif %}
+
+{% if graylog_es_version is defined %}
+elasticsearch_version = {{ graylog_es_version }}
+{% endif %}