Update to 2021-12-01 19:13

2025-07-27 00:05:44 +02:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/graylog/templates/dehydrated_deploy_hook.j2
+++ b/roles/graylog/templates/dehydrated_deploy_hook.j2
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+{% if graylog_letsencrypt_cert is defined %}
+if [ $1 == "{{ graylog_letsencrypt_cert }}" ]; then
+  cat /var/lib/dehydrated/certificates/certs/{{ graylog_letsencrypt_cert }}/privkey.pem > {{ graylog_root_dir }}/ssl/key.pem
+  cat /var/lib/dehydrated/certificates/certs/{{ graylog_letsencrypt_cert }}/fullchain.pem > {{ graylog_root_dir }}/ssl/cert.pem
+  chown root:graylog {{ graylog_root_dir }}/ssl/*
+  chmod 644 {{ graylog_root_dir }}/ssl/cert.pem
+  chmod 640 {{ graylog_root_dir }}/ssl/key.pem
+  /bin/systemctl restart graylog-server
+fi
+{% endif %}
--- a/roles/graylog/templates/filebeat.yml.j2
+++ b/roles/graylog/templates/filebeat.yml.j2
@@ -0,0 +1,4 @@
+- type: log
+  enabled: True
+  paths:
+    - {{ graylog_root_dir }}/logs/server.log
--- a/roles/graylog/templates/graylog-server.j2
+++ b/roles/graylog/templates/graylog-server.j2
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -e
+
+# For Debian/Ubuntu based systems.
+if [ -f "/etc/default/graylog-server" ]; then
+    . "/etc/default/graylog-server"
+fi
+
+# For RedHat/Fedora based systems.
+if [ -f "/etc/sysconfig/graylog-server" ]; then
+    . "/etc/sysconfig/graylog-server"
+fi
+
+if [ -f "/usr/share/graylog-server/installation-source.sh" ]; then
+    . "/usr/share/graylog-server/installation-source.sh"
+fi
+
+# Java versions > 8 don't support UseParNewGC
+if ${JAVA:=/usr/bin/java} -XX:+PrintFlagsFinal 2>&1 | grep -q UseParNewGC; then
+        GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -XX:+UseParNewGC"
+fi
+
+$GRAYLOG_COMMAND_WRAPPER ${JAVA:=/usr/bin/java} $GRAYLOG_SERVER_JAVA_OPTS \
+    -cp /usr/share/graylog-server/graylog.jar{% if graylog_libs.keys() | list | length > 0 %}:{% for lib in graylog_libs.keys() | list %}:{{ graylog_root_dir }}/libs/{{ lib }}-{{ graylog_libs[lib].version }}.jar{% endfor %} {% endif %} -Dlog4j.configurationFile=file://{{ graylog_root_dir }}/etc/log4j2.xml \
+    -Djava.library.path=/usr/share/graylog-server/lib/sigar \
+    -Dgraylog2.installation_source=${GRAYLOG_INSTALLATION_SOURCE:=unknown} \
+    org.graylog2.bootstrap.Main server -f {{ graylog_root_dir }}/etc/server.conf -np \
+    $GRAYLOG_SERVER_ARGS
--- a/roles/graylog/templates/graylog-server.service.j2
+++ b/roles/graylog/templates/graylog-server.service.j2
@@ -0,0 +1,37 @@
+[Unit]
+Description=Graylog server
+Documentation=http://docs.graylog.org/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=10
+User=graylog
+Group=graylog
+LimitNOFILE=64000
+ExecStart=/usr/bin/java \
+            -Xms{{ graylog_jvm_mem }} -Xmx{{ graylog_jvm_mem }} -Djdk.tls.acknowledgeCloseNotify=true \
+            -XX:NewRatio=1 -server -XX:+ResizeTLAB \
+            -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled \
+            -XX:+CMSClassUnloadingEnabled -XX:-OmitStackTraceInFastThrow \
+            -Dlog4j.configurationFile=file://{{ graylog_root_dir }}/etc/log4j2.xml \
+            -Djava.library.path={{ graylog_root_dir }}/app/lib/sigar \
+            -jar {{ graylog_root_dir }}/app/graylog.jar server -f {{ graylog_root_dir }}/etc/server.conf -np
+
+# When a JVM receives a SIGTERM signal it exits with 143.
+SuccessExitStatus=143
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
+NoNewPrivileges=yes
+SyslogIdentifier=graylog-server
+
+# Allow binding on privileged ports
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/graylog/templates/log4j2.xml.j2
+++ b/roles/graylog/templates/log4j2.xml.j2
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
+    <Appenders>
+	    <RollingFile name="rolling-file" fileName="{{ graylog_root_dir }}/logs/server.log" filePattern="{{ graylog_root_dir }}/server.log.%i.gz">
+            <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
+            <Policies>
+                <SizeBasedTriggeringPolicy size="50MB"/>
+            </Policies>
+            <DefaultRolloverStrategy max="10" fileIndex="min"/>
+        </RollingFile>
+
+        <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
+        <Memory name="graylog-internal-logs" bufferSize="500"/>
+    </Appenders>
+    <Loggers>
+        <!-- Application Loggers -->
+        <Logger name="org.graylog2" level="info"/>
+        <Logger name="com.github.joschi.jadconfig" level="warn"/>
+        <!-- Prevent DEBUG message about Lucene Expressions not found. -->
+        <Logger name="org.elasticsearch.script" level="warn"/>
+        <!-- Disable messages from the version check -->
+        <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
+        <!-- Silence chatty natty -->
+        <Logger name="com.joestelmach.natty.Parser" level="warn"/>
+        <!-- Silence Kafka log chatter -->
+        <Logger name="kafka.log.Log" level="warn"/>
+        <Logger name="kafka.log.OffsetIndex" level="warn"/>
+        <Logger name="org.apache.kafka.clients.consumer.ConsumerConfig" level="warn"/>
+        <!-- Silence useless session validation messages -->
+        <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
+        <Root level="warn">
+            <AppenderRef ref="rolling-file"/>
+            <AppenderRef ref="graylog-internal-logs"/>
+        </Root>
+    </Loggers>
+</Configuration>
--- a/roles/graylog/templates/logrotate.conf.j2
+++ b/roles/graylog/templates/logrotate.conf.j2
@@ -0,0 +1,8 @@
+{{ graylog_root_dir }}/logs/*.log {
+  daily
+  rotate 180
+  compress
+  notifempty
+  missingok
+  copytruncate
+}
--- a/roles/graylog/templates/post-backup.j2
+++ b/roles/graylog/templates/post-backup.j2
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+
+rm -rf {{ graylog_root_dir }}/backup/{mongo,es}/*
--- a/roles/graylog/templates/pre-backup.j2
+++ b/roles/graylog/templates/pre-backup.j2
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -eo pipefail
+
+mongodump \
+{% if graylog_mongo_url | length == 1 and graylog_mongo_pass is defined and graylog_mongo_pass != False %}
+{% set graylog_mongo = graylog_mongo_url[0] | urlsplit %}
+  --uri {{ graylog_mongo['scheme'] }}://{{ graylog_mongo_user }}:{{ graylog_mongo_pass | urlencode | regex_replace('/','%2F') }}@{{ graylog_mongo['hostname'] }}{% if graylog_mongo['port'] %}:{{ graylog_mongo['port'] }}{% endif %}{{ graylog_mongo['path'] }}?{{ graylog_mongo['query'] }} \
+{% else %}
+  --uri {{ graylog_mongo_url[0] }} \
+{% endif %}
+  --quiet --out {{ graylog_root_dir }}/backup/mongo
--- a/roles/graylog/templates/server.conf.j2
+++ b/roles/graylog/templates/server.conf.j2
@@ -0,0 +1,60 @@
+is_master = {{ graylog_is_master | ternary('true','false') }}
+node_id_file = {{ graylog_root_dir }}/state/node-id
+password_secret = {{ graylog_pass_secret }}
+root_password_sha2 = {{ graylog_admin_pass | hash('sha256') }}
+root_email = {{ system_admin_email | default('""') }}
+root_timezone = {{ system_tz | default('UTC') }}
+http_bind_address = 0.0.0.0:{{ graylog_api_port }}
+{% if graylog_external_uri is defined %}
+http_external_uri = {{ graylog_external_uri }}{% if not graylog_external_uri is search('/$') %}/{% endif %}
+
+{% endif %}
+http_enable_gzip = false
+{% if graylog_http_src_ip | length > 0 and '0.0.0.0/0' not in graylog_http_src_ip %}
+trusted_proxies = {% for host in graylog_http_src_ip %}{{ host }}{% if not host is search('/\d+$') %}/32{% endif %}{% if not loop.last %},{% else %}{% endif %}{% endfor %}
+
+{% endif %}
+elasticsearch_hosts = {{ graylog_es_hosts | join(',') }}
+elasticsearch_cluster_name = {{ graylog_es_cluster_name | default('elasticsearch') }}
+{% if graylog_mongo_pass is defined and graylog_mongo_pass != False and graylog_mongo_url | length == 1 %}
+mongodb_uri = {% for url in graylog_mongo_url %}{{ url | urlsplit('scheme') }}://{{ graylog_mongo_user }}:{{ graylog_mongo_pass | urlencode | regex_replace('/','%2F') }}@{{ url | urlsplit('hostname') }}{% if url | urlsplit('port') %}:{{ url | urlsplit('port') }}{% endif %}{{ url | urlsplit('path') }}?{{ url | urlsplit('query') }}{% if not loop.last %},{% endif %}
+{% endfor %}
+{% else %}
+mongodb_uri = {{ graylog_mongo_url | join(',') }}
+{% endif %}
+
+message_journal_enabled = true
+
+transport_email_enabled = true
+transport_email_hostname = localhost
+transport_email_port = 25
+transport_email_use_auth = false
+transport_email_from_email = graylog@{{ ansible_domain }}
+{% if graylog_external_uri is defined %}
+transport_email_web_interface_url = {{ graylog_external_uri }}
+{% endif %}
+
+{% if system_proxy is defined and system_proxy != '' %}
+http_proxy_uri = {{ system_proxy }}
+http_non_proxy_hosts = {{ (system_proxy_no_proxy | default([]) + ansible_all_ipv4_addresses) | join(',') }}
+{% endif %}
+
+bin_dir = {{ graylog_root_dir }}/app/bin
+data_dir = {{ graylog_root_dir }}/data
+plugin_dir = {{ graylog_root_dir }}/app/plugin
+message_journal_dir = {{ graylog_root_dir }}/data/journal
+message_journal_max_size = {{ graylog_journal_max_size }}gb
+
+allow_leading_wildcard_searches = true
+
+{% if 'dnsresolver' in graylog_plugins_to_install %}
+dns_resolver_enabled = true
+{% endif %}
+
+{% if graylog_tls_versions | length > 0 %}
+enabled_tls_protocols = {{ graylog_tls_versions | join(',') }}
+{% endif %}
+
+{% if graylog_es_version is defined %}
+elasticsearch_version = {{ graylog_es_version }}
+{% endif %}