Merge branch 'graylog' into master

2020-08-31 20:17:12 -05:00 · 2020-08-31 20:17:12 -05:00 · 44404950c1
parent 451df9042c e25b9a2e8e
commit 44404950c1
22 changed files with 1235 additions and 0 deletions
--- a/graylog.yml
+++ b/graylog.yml
@ -0,0 +1,32 @@
 - hosts: graylog
  name: setup mongodb
  roles:
  - mongodb
  tasks:
  - name: ensure mongodb is running
    service:
      name=mongod
      state=started
 - hosts: graylog
  name: setup elasticsearch
  roles:
  - elasticsearch
  tasks:
  - name: ensure elasticsearch is running
    service:
      name=elasticsearch
      state=started
 - hosts: graylog
  name: setup graylog
  vars_files:
    vault/graylog/{{ inventory_hostname }}
  roles:
  - apache
  - graylog
  tasks:
  - name: ensure graylog is running
    service:
      name=graylog-server
      state=started
--- a/group_vars/pyrocufflink-dhcp.yml
+++ b/group_vars/pyrocufflink-dhcp.yml
@ -132,6 +132,9 @@ dhcp_reservations:
 - host: serial0.pyrocufflink.blue
  ip_addr: 172.30.0.16
  mac_addr: b8:27:eb:c4:34:be
 - host: logs0.pyrocufflink.blue
  ip_addr: 172.30.0.17
  mac_addr: 52:54:00:b1:84:98
 # Management
 - host: unifi0
--- a/host_vars/logs0.pyrocufflink.blue.yml
+++ b/host_vars/logs0.pyrocufflink.blue.yml
@ -0,0 +1 @@
 graylog_server_host: graylog.pyrocufflink.blue
--- a/4
+++ b/4
@ -41,6 +41,9 @@ file0.pyrocufflink.blue
 [gitea]
 git0.pyrocufflink.blue
 [graylog]
 logs0.pyrocufflink.blue
 [hassdb]
 hassdb0.pyrocufflink.blue
@ -96,6 +99,7 @@ hass1.pyrocufflink.blue
 hassdb0.pyrocufflink.blue
 jenkins0.pyrocufflink.blue
 koji0.pyrocufflink.blue
 logs0.pyrocufflink.blue
 smtp1.pyrocufflink.blue
 vpn0.pyrocufflink.blue
 web0.pyrocufflink.blue
--- a/roles/elasticsearch/defaults/main.yml
+++ b/roles/elasticsearch/defaults/main.yml
@ -0,0 +1,5 @@
 elasticsearch_version: '6'
 es_xmx: 1g
 es_xms: '{{ es_xmx }}'
 es_enable_gc_logging: false
 es_log_size: 128M
--- a/roles/elasticsearch/handlers/main.yml
+++ b/roles/elasticsearch/handlers/main.yml
@ -0,0 +1,4 @@
 - name: restart elasticsearch
  service:
    name=elasticsearch
    state=restarted
--- a/roles/elasticsearch/tasks/main.yml
+++ b/roles/elasticsearch/tasks/main.yml
@ -0,0 +1,41 @@
 - name: ensure java is installed
  package:
    name=java-1.8.0-openjdk-headless
    state=present
  tags:
  - install
 - name: ensure elasticsearch package repository is available
  template:
    src=elasticsearch.repo.j2
    dest=/etc/yum.repos.d/elasticsearch.repo
    mode=0644
  tags:
  - install
 - name: Ensure elasticsearch is installed
  package:
    name: 'elasticsearch'
    state: present
  tags:
  - install
 - name: ensure elasticsearch logging is configured
  template:
    src=log4j2.properties.j2
    dest=/etc/elasticsearch/log4j2.properties
    mode=0640
    owner=root
    group=elasticsearch
 - name: ensure elasticsearch jvm options are set
  template:
    src=jvm.options.j2
    dest=/etc/elasticsearch/jvm.options
    mode=0644
  notify: restart elasticsearch
 - name: ensure elasticsearch server starts at boot
  service:
    name=elasticsearch
    enabled=yes
--- a/roles/elasticsearch/templates/elasticsearch.repo.j2
+++ b/roles/elasticsearch/templates/elasticsearch.repo.j2
@ -0,0 +1,6 @@
 [elasticsearch-{{ elasticsearch_version }}.x]
 name=Elasticsearch repository for {{ elasticsearch_version }}.x packages
 baseurl=https://artifacts.elastic.co/packages/{{ elasticsearch_version }}.x/yum
 gpgcheck=1
 gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
 enabled=1
--- a/roles/elasticsearch/templates/jvm.options.j2
+++ b/roles/elasticsearch/templates/jvm.options.j2
@ -0,0 +1,109 @@
 ## JVM configuration
 ################################################################
 ## IMPORTANT: JVM heap size
 ################################################################
 ##
 ## You should always set the min and max JVM heap
 ## size to the same value. For example, to set
 ## the heap to 4 GB, set:
 ##
 ## -Xms4g
 ## -Xmx4g
 ##
 ## See https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html
 ## for more information
 ##
 ################################################################
 # Xms represents the initial size of total heap space
 # Xmx represents the maximum size of total heap space
 -Xms{{ es_xms }}
 -Xmx{{ es_xmx }}
 ################################################################
 ## Expert settings
 ################################################################
 ##
 ## All settings below this section are considered
 ## expert settings. Don't tamper with them unless
 ## you understand what you are doing
 ##
 ################################################################
 ## GC configuration
 -XX:+UseConcMarkSweepGC
 -XX:CMSInitiatingOccupancyFraction=75
 -XX:+UseCMSInitiatingOccupancyOnly
 ## optimizations
 # pre-touch memory pages used by the JVM during initialization
 -XX:+AlwaysPreTouch
 ## basic
 # explicitly set the stack size
 -Xss1m
 # set to headless, just in case
 -Djava.awt.headless=true
 # ensure UTF-8 encoding by default (e.g. filenames)
 -Dfile.encoding=UTF-8
 # use our provided JNA always versus the system one
 -Djna.nosys=true
 # turn off a JDK optimization that throws away stack traces for common
 # exceptions because stack traces are important for debugging
 -XX:-OmitStackTraceInFastThrow
 # flags to configure Netty
 -Dio.netty.noUnsafe=true
 -Dio.netty.noKeySetOptimization=true
 -Dio.netty.recycler.maxCapacityPerThread=0
 # log4j 2
 -Dlog4j.shutdownHookEnabled=false
 -Dlog4j2.disable.jmx=true
 {% if es_tmpdir is defined %}
 -Djava.io.tmpdir={{ es_tmpdir }}
 {% endif %}
 ## heap dumps
 # generate a heap dump when an allocation from the Java heap fails
 # heap dumps are created in the working directory of the JVM
 -XX:+HeapDumpOnOutOfMemoryError
 # specify an alternative path for heap dumps; ensure the directory exists and
 # has sufficient space
 -XX:HeapDumpPath=/var/lib/elasticsearch
 # specify an alternative path for JVM fatal error logs
 -XX:ErrorFile=/var/log/elasticsearch/hs_err_pid%p.log
 {% if es_enable_gc_logging|bool %}
 ## JDK 8 GC logging
 8:-XX:+PrintGCDetails
 8:-XX:+PrintGCDateStamps
 8:-XX:+PrintTenuringDistribution
 8:-XX:+PrintGCApplicationStoppedTime
 8:-Xloggc:/var/log/elasticsearch/gc.log
 8:-XX:+UseGCLogFileRotation
 8:-XX:NumberOfGCLogFiles=32
 8:-XX:GCLogFileSize=64m
 # JDK 9+ GC logging
 9-:-Xlog:gc*,gc+age=trace,safepoint:file=/var/log/elasticsearch/gc.log:utctime,pid,tags:filecount=32,filesize=64m
 # due to internationalization enhancements in JDK 9 Elasticsearch need to set the provider to COMPAT otherwise
 # time/date parsing will break in an incompatible way for some date patterns and locals
 9-:-Djava.locale.providers=COMPAT
 # temporary workaround for C2 bug with JDK 10 on hardware with AVX-512
 10-:-XX:UseAVX=2
 {% endif %}
--- a/roles/elasticsearch/templates/log4j2.properties.j2
+++ b/roles/elasticsearch/templates/log4j2.properties.j2
@ -0,0 +1,182 @@
 status = error
 # log action execution errors for easier debugging
 logger.action.name = org.elasticsearch.action
 logger.action.level = debug
 appender.console.type = Console
 appender.console.name = console
 appender.console.layout.type = PatternLayout
 appender.console.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %m%n
 appender.rolling.type = RollingFile
 appender.rolling.name = rolling
 appender.rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}.log
 appender.rolling.layout.type = PatternLayout
 appender.rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %.-10000m%n
 appender.rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}-%d{yyyy-MM-dd}-%i.log.gz
 appender.rolling.policies.type = Policies
 appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
 appender.rolling.policies.size.size = {{ es_log_size }}
 appender.rolling.strategy.type = DefaultRolloverStrategy
 appender.rolling.strategy.max = 4
 appender.rolling.strategy.fileIndex = nomax
 appender.rolling.strategy.action.type = Delete
 appender.rolling.strategy.action.basepath = ${sys:es.logs.base_path}
 appender.rolling.strategy.action.condition.type = IfFileName
 appender.rolling.strategy.action.condition.glob = ${sys:es.logs.cluster_name}-*
 appender.rolling.strategy.action.condition.nested_condition.type = IfAccumulatedFileSize
 appender.rolling.strategy.action.condition.nested_condition.exceeds = 2GB
 rootLogger.level = info
 rootLogger.appenderRef.console.ref = console
 rootLogger.appenderRef.rolling.ref = rolling
 appender.deprecation_rolling.type = RollingFile
 appender.deprecation_rolling.name = deprecation_rolling
 appender.deprecation_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation.log
 appender.deprecation_rolling.layout.type = PatternLayout
 appender.deprecation_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c{1.}] [%node_name]%marker %.-10000m%n
 appender.deprecation_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_deprecation-%i.log.gz
 appender.deprecation_rolling.policies.type = Policies
 appender.deprecation_rolling.policies.size.type = SizeBasedTriggeringPolicy
 appender.deprecation_rolling.policies.size.size = {{ es_log_size }}
 appender.deprecation_rolling.strategy.type = DefaultRolloverStrategy
 appender.deprecation_rolling.strategy.max = 4
 logger.deprecation.name = org.elasticsearch.deprecation
 logger.deprecation.level = warn
 logger.deprecation.appenderRef.deprecation_rolling.ref = deprecation_rolling
 logger.deprecation.additivity = false
 appender.index_search_slowlog_rolling.type = RollingFile
 appender.index_search_slowlog_rolling.name = index_search_slowlog_rolling
 appender.index_search_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog.log
 appender.index_search_slowlog_rolling.layout.type = PatternLayout
 appender.index_search_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] [%node_name]%marker %.-10000m%n
 appender.index_search_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_search_slowlog-%i.log
 appender.index_search_slowlog_rolling.policies.type = Policies
 appender.index_search_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy
 appender.index_search_slowlog_rolling.policies.size.size = {{ es_log_size }}
 appender.index_search_slowlog_rolling.strategy.type = DefaultRolloverStrategy
 appender.index_search_slowlog_rolling.strategy.max = 4
 logger.index_search_slowlog_rolling.name = index.search.slowlog
 logger.index_search_slowlog_rolling.level = trace
 logger.index_search_slowlog_rolling.appenderRef.index_search_slowlog_rolling.ref = index_search_slowlog_rolling
 logger.index_search_slowlog_rolling.additivity = false
 appender.index_indexing_slowlog_rolling.type = RollingFile
 appender.index_indexing_slowlog_rolling.name = index_indexing_slowlog_rolling
 appender.index_indexing_slowlog_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog.log
 appender.index_indexing_slowlog_rolling.layout.type = PatternLayout
 appender.index_indexing_slowlog_rolling.layout.pattern = [%d{ISO8601}][%-5p][%-25c] [%node_name]%marker %.-10000m%n
 appender.index_indexing_slowlog_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_index_indexing_slowlog-%i.log
 appender.index_indexing_slowlog_rolling.policies.type = Policies
 appender.index_indexing_slowlog_rolling.policies.size.type = SizeBasedTriggeringPolicy
 appender.index_indexing_slowlog_rolling.policies.size.size = {{ es_log_size }}
 appender.index_indexing_slowlog_rolling.strategy.type = DefaultRolloverStrategy
 appender.index_indexing_slowlog_rolling.strategy.max = 4
 logger.index_indexing_slowlog.name = index.indexing.slowlog.index
 logger.index_indexing_slowlog.level = trace
 logger.index_indexing_slowlog.appenderRef.index_indexing_slowlog_rolling.ref = index_indexing_slowlog_rolling
 logger.index_indexing_slowlog.additivity = false
 appender.audit_rolling.type = RollingFile
 appender.audit_rolling.name = audit_rolling
 appender.audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit.log
 appender.audit_rolling.layout.type = PatternLayout
 appender.audit_rolling.layout.pattern = {\
                "@timestamp":"%d{ISO8601}"\
                %varsNotEmpty{, "node.name":"%enc{{ '{%' }}map{node.name}}{JSON}"}\
                %varsNotEmpty{, "node.id":"%enc{{ '{%' }}map{node.id}}{JSON}"}\
                %varsNotEmpty{, "host.name":"%enc{{ '{%' }}map{host.name}}{JSON}"}\
                %varsNotEmpty{, "host.ip":"%enc{{ '{%' }}map{host.ip}}{JSON}"}\
                %varsNotEmpty{, "event.type":"%enc{{ '{%' }}map{event.type}}{JSON}"}\
                %varsNotEmpty{, "event.action":"%enc{{ '{%' }}map{event.action}}{JSON}"}\
                %varsNotEmpty{, "user.name":"%enc{{ '{%' }}map{user.name}}{JSON}"}\
                %varsNotEmpty{, "user.run_by.name":"%enc{{ '{%' }}map{user.run_by.name}}{JSON}"}\
                %varsNotEmpty{, "user.run_as.name":"%enc{{ '{%' }}map{user.run_as.name}}{JSON}"}\
                %varsNotEmpty{, "user.realm":"%enc{{ '{%' }}map{user.realm}}{JSON}"}\
                %varsNotEmpty{, "user.run_by.realm":"%enc{{ '{%' }}map{user.run_by.realm}}{JSON}"}\
                %varsNotEmpty{, "user.run_as.realm":"%enc{{ '{%' }}map{user.run_as.realm}}{JSON}"}\
                %varsNotEmpty{, "user.roles":%map{user.roles}}\
                %varsNotEmpty{, "origin.type":"%enc{{ '{%' }}map{origin.type}}{JSON}"}\
                %varsNotEmpty{, "origin.address":"%enc{{ '{%' }}map{origin.address}}{JSON}"}\
                %varsNotEmpty{, "realm":"%enc{{ '{%' }}map{realm}}{JSON}"}\
                %varsNotEmpty{, "url.path":"%enc{{ '{%' }}map{url.path}}{JSON}"}\
                %varsNotEmpty{, "url.query":"%enc{{ '{%' }}map{url.query}}{JSON}"}\
                %varsNotEmpty{, "request.body":"%enc{{ '{%' }}map{request.body}}{JSON}"}\
                %varsNotEmpty{, "action":"%enc{{ '{%' }}map{action}}{JSON}"}\
                %varsNotEmpty{, "request.name":"%enc{{ '{%' }}map{request.name}}{JSON}"}\
                %varsNotEmpty{, "indices":%map{indices}}\
                %varsNotEmpty{, "opaque_id":"%enc{{ '{%' }}map{opaque_id}}{JSON}"}\
                %varsNotEmpty{, "transport.profile":"%enc{{ '{%' }}map{transport.profile}}{JSON}"}\
                %varsNotEmpty{, "rule":"%enc{{ '{%' }}map{rule}}{JSON}"}\
                %varsNotEmpty{, "event.category":"%enc{{ '{%' }}map{event.category}}{JSON}"}\
                }%n
 # "node.name" node name from the `elasticsearch.yml` settings
 # "node.id" node id which should not change between cluster restarts
 # "host.name" unresolved hostname of the local node
 # "host.ip" the local bound ip (i.e. the ip listening for connections)
 # "event.type" a received REST request is translated into one or more transport requests. This indicates which processing layer generated the event "rest" or "transport" (internal)
 # "event.action" the name of the audited event, eg. "authentication_failed", "access_granted", "run_as_granted", etc.
 # "user.name" the subject name as authenticated by a realm
 # "user.run_by.name" the original authenticated subject name that is impersonating another one.
 # "user.run_as.name" if this "event.action" is of a run_as type, this is the subject name to be impersonated as.
 # "user.realm" the name of the realm that authenticated "user.name"
 # "user.run_by.realm" the realm name of the impersonating subject ("user.run_by.name")
 # "user.run_as.realm" if this "event.action" is of a run_as type, this is the realm name the impersonated user is looked up from
 # "user.roles" the roles array of the user; these are the roles that are granting privileges
 # "origin.type" it is "rest" if the event is originating (is in relation to) a REST request; possible other values are "transport" and "ip_filter"
 # "origin.address" the remote address and port of the first network hop, i.e. a REST proxy or another cluster node
 # "realm" name of a realm that has generated an "authentication_failed" or an "authentication_successful"; the subject is not yet authenticated
 # "url.path" the URI component between the port and the query string; it is percent (URL) encoded
 # "url.query" the URI component after the path and before the fragment; it is percent (URL) encoded
 # "request.body" the content of the request body entity, JSON escaped
 # "action" an action is the most granular operation that is authorized and this identifies it in a namespaced way (internal)
 # "request.name" if the event is in connection to a transport message this is the name of the request class, similar to how rest requests are identified by the url path (internal)
 # "indices" the array of indices that the "action" is acting upon
 # "opaque_id" opaque value conveyed by the "X-Opaque-Id" request header
 # "transport.profile" name of the transport profile in case this is a "connection_granted" or "connection_denied" event
 # "rule" name of the applied rulee if the "origin.type" is "ip_filter"
 # "event.category" fixed value "elasticsearch-audit"
 appender.audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_audit-%d{yyyy-MM-dd}.log
 appender.audit_rolling.policies.type = Policies
 appender.audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
 appender.audit_rolling.policies.time.interval = 1
 appender.audit_rolling.policies.time.modulate = true
 appender.deprecated_audit_rolling.type = RollingFile
 appender.deprecated_audit_rolling.name = deprecated_audit_rolling
 appender.deprecated_audit_rolling.fileName = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access.log
 appender.deprecated_audit_rolling.layout.type = PatternLayout
 appender.deprecated_audit_rolling.layout.pattern = [%d{ISO8601}] %m%n
 appender.deprecated_audit_rolling.filePattern = ${sys:es.logs.base_path}${sys:file.separator}${sys:es.logs.cluster_name}_access-%d{yyyy-MM-dd}.log
 appender.deprecated_audit_rolling.policies.type = Policies
 appender.deprecated_audit_rolling.policies.time.type = TimeBasedTriggeringPolicy
 appender.deprecated_audit_rolling.policies.time.interval = 1
 appender.deprecated_audit_rolling.policies.time.modulate = true
 logger.xpack_security_audit_logfile.name = org.elasticsearch.xpack.security.audit.logfile.LoggingAuditTrail
 logger.xpack_security_audit_logfile.level = info
 logger.xpack_security_audit_logfile.appenderRef.audit_rolling.ref = audit_rolling
 logger.xpack_security_audit_logfile.additivity = false
 logger.xpack_security_audit_deprecated_logfile.name = org.elasticsearch.xpack.security.audit.logfile.DeprecatedLoggingAuditTrail
 # set this to "off" instead of "info" to disable the deprecated appender
 # in the 6.x releases both the new and the previous appenders are enabled
 # for the logfile auditing
 logger.xpack_security_audit_deprecated_logfile.level = info
 logger.xpack_security_audit_deprecated_logfile.appenderRef.deprecated_audit_rolling.ref = deprecated_audit_rolling
 logger.xpack_security_audit_deprecated_logfile.additivity = false
 logger.xmlsig.name = org.apache.xml.security.signature.XMLSignature
 logger.xmlsig.level = error
 logger.samlxml_decrypt.name = org.opensaml.xmlsec.encryption.support.Decrypter
 logger.samlxml_decrypt.level = fatal
 logger.saml2_decrypt.name = org.opensaml.saml.saml2.encryption.Decrypter
 logger.saml2_decrypt.level = fatal
--- a/roles/graylog/defaults/main.yml
+++ b/roles/graylog/defaults/main.yml
@ -0,0 +1,6 @@
 graylog_server_host: '{{ ansible_fqdn }}'
 graylog_server_url: https://{{ graylog_server_host }}/
 graylog_memory: 1g
 graylog_email_from: graylog@{{ ansible_domain }}
 graylog_use_syslog: true
 graylog_use_syslog_tls: true
--- a/roles/graylog/files/graylog-server-capabilities.systemd.conf
+++ b/roles/graylog/files/graylog-server-capabilities.systemd.conf
@ -0,0 +1,3 @@
 [Service]
 # Allow graylog-server to bind to the privileged Syslog UDP port
 AmbientCapabilities=CAP_NET_BIND_SERVICE
--- a/roles/graylog/handlers/main.yml
+++ b/roles/graylog/handlers/main.yml
@ -0,0 +1,12 @@
 - name: save firewalld configuration
  command: firewall-cmd --runtime-to-permanent
 - name: reload systemd
  command: systemctl daemon-reload
 - name: restart graylog
  service:
    name=graylog-server
    state=restarted
 - name: reload httpd
  service:
    name=httpd
    state=reloaded
--- a/roles/graylog/tasks/main.yml
+++ b/roles/graylog/tasks/main.yml
@ -0,0 +1,101 @@
 - name: ensure graylog repository is available
  package:
    name=https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
    state=present
  tags:
  - install
 - name: ensure graylog is installed
  package:
    name:
    - java-1.8.0-openjdk-headless
    - graylog-server
    state: present
  tags:
  - install
 - name: ensure graylog-server systemd unit drop-in directory is present
  file:
    path: /etc/systemd/system/graylog-server.service.d
    mode: '0755'
    state: directory
 - name: ensure graylog-server systemd unit capabilities are configured
  copy:
    src: graylog-server-capabilities.systemd.conf
    dest: /etc/systemd/system/graylog-server.service.d/capabilities.conf
    mode: '0644'
  notify:
  - reload systemd
  - restart graylog
 - name: ensure graylog service is configured
  template:
    src=graylog-server.sysconfig.j2
    dest=/etc/sysconfig/graylog-server
    mode=0644
  notify: restart graylog
 - name: ensure graylog server is configured
  template:
    src=server.conf.j2
    dest=/etc/graylog/server/server.conf
    owner=root
    group=graylog
    mode=640
  notify: restart graylog
 - name: ensure syslog tls server certificate is installed
  copy:
    src={{ item }}
    dest=/etc/graylog/syslog-tls.cer
    owner=root
    group=graylog
    mode=0640
  with_fileglob: files/{{ inventory_hostname }}.cer
 # The private key file must be in PKCS#8 format, not the more common PKCS#1
 - name: ensure syslog tls server private key is installed
  copy:
    src={{ item }}
    dest=/etc/graylog/syslog-tls.key
    owner=root
    group=graylog
    mode=0640
  with_fileglob: files/{{ inventory_hostname }}.key
 - name: ensure syslog tls ca certificate is installed
  copy:
    src={{ item }}
    dest=/etc/graylog/syslog-tls-ca.crt
    owner=root
    group=graylog
    mode=0640
  with_fileglob: files/{{ inventory_hostname }}_ca.crt
 - name: ensure firewall is configured for syslog
  firewalld:
    service: '{{ item.service }}'
    permanent: false
    immediate: true
    state: '{{ item.state }}'
  notify: save firewalld configuration
  with_items:
  - service: syslog
    state: '{{ "enabled" if graylog_use_syslog else "disabled" }}'
  - service: syslog-tls
    state: '{{ "enabled" if graylog_use_syslog_tls else "disabled" }}'
 - name: ensure apache is allowed to proxy
  seboolean:
    name=httpd_can_network_connect
    persistent=yes
    state=yes
 - name: ensure apache is configured to proxy for graylog
  template:
    src=graylog.httpd.conf.j2
    dest=/etc/httpd/conf.d/graylog.conf
    mode=0644
  notify: reload httpd
 - name: ensure graylog starts at boot
  service:
    name=graylog-server
    enabled=yes
--- a/roles/graylog/templates/graylog-server.sysconfig.j2
+++ b/roles/graylog/templates/graylog-server.sysconfig.j2
@ -0,0 +1,12 @@
 # Path to the java executable.
 JAVA=/usr/bin/java
 # Default Java options for heap and garbage collection.
 GRAYLOG_SERVER_JAVA_OPTS="-Xms{{ graylog_memory }} -Xmx{{graylog_memory }} -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -Djavax.net.ssl.trustStore=/etc/pki/ca-trust/extracted/java/cacerts"
 # Pass some extra args to graylog-server. (i.e. "-d" to enable debug mode)
 GRAYLOG_SERVER_ARGS=""
 # Program that will be used to wrap the graylog-server command. Useful to
 # support programs like authbind.
 GRAYLOG_COMMAND_WRAPPER=""
--- a/roles/graylog/templates/graylog.httpd.conf.j2
+++ b/roles/graylog/templates/graylog.httpd.conf.j2
@ -0,0 +1,15 @@
 # vim: set ft=apache :
 RewriteEngine On
 RewriteCond %{HTTPS} !on
 RewriteRule /.* https://%{SERVER_NAME}$0 [R=301,L]
 ProxyRequests Off
 ProxyPass / http://localhost:9000/ nocanon
 ProxyPassReverse / http://localhost:9000/
 RequestHeader set X-Graylog-Server-URL {{ graylog_server_url }}
 <Location />
 	Require all granted
 </Location>
--- a/roles/graylog/templates/server.conf.j2
+++ b/roles/graylog/templates/server.conf.j2
@ -0,0 +1,651 @@
 ############################
 # GRAYLOG CONFIGURATION FILE
 ############################
 #
 # This is the Graylog configuration file. The file has to use ISO 8859-1/Latin-1 character encoding.
 # Characters that cannot be directly represented in this encoding can be written using Unicode escapes
 # as defined in https://docs.oracle.com/javase/specs/jls/se8/html/jls-3.html#jls-3.3, using the \u prefix.
 # For example, \u002c.
 #
 # * Entries are generally expected to be a single line of the form, one of the following:
 #
 # propertyName=propertyValue
 # propertyName:propertyValue
 #
 # * White space that appears between the property name and property value is ignored,
 #   so the following are equivalent:
 #
 # name=Stephen
 # name = Stephen
 #
 # * White space at the beginning of the line is also ignored.
 #
 # * Lines that start with the comment characters ! or # are ignored. Blank lines are also ignored.
 #
 # * The property value is generally terminated by the end of the line. White space following the
 #   property value is not ignored, and is treated as part of the property value.
 #
 # * A property value can span several lines if each line is terminated by a backslash (‘\’) character.
 #   For example:
 #
 # targetCities=\
 #         Detroit,\
 #         Chicago,\
 #         Los Angeles
 #
 #   This is equivalent to targetCities=Detroit,Chicago,Los Angeles (white space at the beginning of lines is ignored).
 #
 # * The characters newline, carriage return, and tab can be inserted with characters \n, \r, and \t, respectively.
 #
 # * The backslash character must be escaped as a double backslash. For example:
 #
 # path=c:\\docs\\doc1
 #
 # If you are running more than one instances of Graylog server you have to select one of these
 # instances as master. The master will perform some periodical tasks that non-masters won't perform.
 is_master = true
 # The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
 # to use an absolute file path here if you are starting Graylog server from init scripts or similar.
 node_id_file = /etc/graylog/server/node-id
 # You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
 # Generate one by using for example: pwgen -N 1 -s 96
 password_secret = {{ graylog_password_secret }}
 # The default root user is named 'admin'
 #root_username = admin
 # You MUST specify a hash password for the root user (which you only need to initially set up the
 # system and in case you lose connectivity to your authentication backend)
 # This password cannot be changed using the API or via the web interface. If you need to change it,
 # modify it in this file.
 # Create one by using for example: echo -n yourpassword | shasum -a 256
 # and put the resulting hash value into the following line
 root_password_sha2 = {{ graylog_root_password }}
 # The email address of the root user.
 # Default is empty
 #root_email = ""
 # The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
 # Default is UTC
 #root_timezone = UTC
 # Set the bin directory here (relative or absolute)
 # This directory contains binaries that are used by the Graylog server.
 # Default: bin
 bin_dir = /usr/share/graylog-server/bin
 # Set the data directory here (relative or absolute)
 # This directory is used to store Graylog server state.
 # Default: data
 data_dir = /var/lib/graylog-server
 # Set plugin directory here (relative or absolute)
 plugin_dir = /usr/share/graylog-server/plugin
 ###############
 # HTTP settings
 ###############
 #### HTTP bind address
 #
 # The network interface used by the Graylog HTTP interface.
 #
 # This network interface must be accessible by all Graylog nodes in the cluster and by all clients
 # using the Graylog web interface.
 #
 # If the port is omitted, Graylog will use port 9000 by default.
 #
 # Default: 127.0.0.1:9000
 http_bind_address = 127.0.0.1:9000
 #http_bind_address = [2001:db8::1]:9000
 #### HTTP publish URI
 #
 # The HTTP URI of this Graylog node which is used to communicate with the other Graylog nodes in the cluster and by all
 # clients using the Graylog web interface.
 #
 # The URI will be published in the cluster discovery APIs, so that other Graylog nodes will be able to find and connect to this Graylog node.
 #
 # This configuration setting has to be used if this Graylog node is available on another network interface than $http_bind_address,
 # for example if the machine has multiple network interfaces or is behind a NAT gateway.
 #
 # If $http_bind_address contains a wildcard IPv4 address (0.0.0.0), the first non-loopback IPv4 address of this machine will be used.
 # This configuration setting *must not* contain a wildcard address!
 #
 # Default: http://$http_bind_address/
 #http_publish_uri = http://192.168.1.1:9000/
 #### External Graylog URI
 #
 # The public URI of Graylog which will be used by the Graylog web interface to communicate with the Graylog REST API.
 #
 # The external Graylog URI usually has to be specified, if Graylog is running behind a reverse proxy or load-balancer
 # and it will be used to generate URLs addressing entities in the Graylog REST API (see $http_bind_address).
 #
 # When using Graylog Collector, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
 #
 # This setting can be overriden on a per-request basis with the "X-Graylog-Server-URL" HTTP request header.
 #
 # Default: $http_publish_uri
 #http_external_uri =
 #### Enable CORS headers for HTTP interface
 #
 # This is necessary for JS-clients accessing the server directly.
 # If these are disabled, modern browsers will not be able to retrieve resources from the server.
 # This is enabled by default. Uncomment the next line to disable it.
 #http_enable_cors = false
 #### Enable GZIP support for HTTP interface
 #
 # This compresses API responses and therefore helps to reduce
 # overall round trip times. This is enabled by default. Uncomment the next line to disable it.
 #http_enable_gzip = false
 # The maximum size of the HTTP request headers in bytes.
 #http_max_header_size = 8192
 # The size of the thread pool used exclusively for serving the HTTP interface.
 #http_thread_pool_size = 16
 ################
 # HTTPS settings
 ################
 #### Enable HTTPS support for the HTTP interface
 #
 # This secures the communication with the HTTP interface with TLS to prevent request forgery and eavesdropping.
 #
 # Default: false
 #http_enable_tls = true
 # The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
 #http_tls_cert_file = /path/to/graylog.crt
 # The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
 #http_tls_key_file = /path/to/graylog.key
 # The password to unlock the private key used for securing the HTTP interface.
 #http_tls_key_password = secret
 # Comma separated list of trusted proxies that are allowed to set the client address with X-Forwarded-For
 # header. May be subnets, or hosts.
 trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128
 # List of Elasticsearch hosts Graylog should connect to.
 # Need to be specified as a comma-separated list of valid URIs for the http ports of your elasticsearch nodes.
 # If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that
 # requires authentication.
 #
 # Default: http://127.0.0.1:9200
 #elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200
 # Maximum amount of time to wait for successfull connection to Elasticsearch HTTP port.
 #
 # Default: 10 Seconds
 #elasticsearch_connect_timeout = 10s
 # Maximum amount of time to wait for reading back a response from an Elasticsearch server.
 #
 # Default: 60 seconds
 #elasticsearch_socket_timeout = 60s
 # Maximum idle time for an Elasticsearch connection. If this is exceeded, this connection will
 # be tore down.
 #
 # Default: inf
 #elasticsearch_idle_timeout = -1s
 # Maximum number of total connections to Elasticsearch.
 #
 # Default: 20
 #elasticsearch_max_total_connections = 20
 # Maximum number of total connections per Elasticsearch route (normally this means per
 # elasticsearch server).
 #
 # Default: 2
 #elasticsearch_max_total_connections_per_route = 2
 # Maximum number of times Graylog will retry failed requests to Elasticsearch.
 #
 # Default: 2
 #elasticsearch_max_retries = 2
 # Enable automatic Elasticsearch node discovery through Nodes Info,
 # see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster-nodes-info.html
 #
 # WARNING: Automatic node discovery does not work if Elasticsearch requires authentication, e. g. with Shield.
 #
 # Default: false
 #elasticsearch_discovery_enabled = true
 # Filter for including/excluding Elasticsearch nodes in discovery according to their custom attributes,
 # see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster.html#cluster-nodes
 #
 # Default: empty
 #elasticsearch_discovery_filter = rack:42
 # Frequency of the Elasticsearch node discovery.
 #
 # Default: 30s
 # elasticsearch_discovery_frequency = 30s
 # Enable payload compression for Elasticsearch requests.
 #
 # Default: false
 #elasticsearch_compression_enabled = true
 # Graylog will use multiple indices to store documents in. You can configured the strategy it uses to determine
 # when to rotate the currently active write index.
 # It supports multiple rotation strategies:
 #   - "count" of messages per index, use elasticsearch_max_docs_per_index below to configure
 #   - "size" per index, use elasticsearch_max_size_per_index below to configure
 # valid values are "count", "size" and "time", default is "count"
 #
 # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
 #            to your previous 1.x settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 rotation_strategy = count
 # (Approximate) maximum number of documents in an Elasticsearch index before a new index
 # is being created, also see no_retention and elasticsearch_max_number_of_indices.
 # Configure this if you used 'rotation_strategy = count' above.
 #
 # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
 #            to your previous 1.x settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 elasticsearch_max_docs_per_index = 20000000
 # (Approximate) maximum size in bytes per Elasticsearch index on disk before a new index is being created, also see
 # no_retention and elasticsearch_max_number_of_indices. Default is 1GB.
 # Configure this if you used 'rotation_strategy = size' above.
 #
 # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
 #            to your previous 1.x settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 #elasticsearch_max_size_per_index = 1073741824
 # (Approximate) maximum time before a new Elasticsearch index is being created, also see
 # no_retention and elasticsearch_max_number_of_indices. Default is 1 day.
 # Configure this if you used 'rotation_strategy = time' above.
 # Please note that this rotation period does not look at the time specified in the received messages, but is
 # using the real clock value to decide when to rotate the index!
 # Specify the time using a duration and a suffix indicating which unit you want:
 #  1w  = 1 week
 #  1d  = 1 day
 #  12h = 12 hours
 # Permitted suffixes are: d for day, h for hour, m for minute, s for second.
 #
 # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
 #            to your previous 1.x settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 #elasticsearch_max_time_per_index = 1d
 # Disable checking the version of Elasticsearch for being compatible with this Graylog release.
 # WARNING: Using Graylog with unsupported and untested versions of Elasticsearch may lead to data loss!
 #elasticsearch_disable_version_check = true
 # Disable message retention on this node, i. e. disable Elasticsearch index rotation.
 #no_retention = false
 # How many indices do you want to keep?
 #
 # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
 #            to your previous 1.x settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 elasticsearch_max_number_of_indices = 20
 # Decide what happens with the oldest indices when the maximum number of indices is reached.
 # The following strategies are availble:
 #   - delete # Deletes the index completely (Default)
 #   - close # Closes the index and hides it from the system. Can be re-opened later.
 #
 # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
 #            to your previous 1.x settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 retention_strategy = delete
 # How many Elasticsearch shards and replicas should be used per index? Note that this only applies to newly created indices.
 # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
 #            to your previous settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 elasticsearch_shards = 4
 elasticsearch_replicas = 0
 # Prefix for all Elasticsearch indices and index aliases managed by Graylog.
 #
 # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
 #            to your previous settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 elasticsearch_index_prefix = graylog
 # Name of the Elasticsearch index template used by Graylog to apply the mandatory index mapping.
 # Default: graylog-internal
 #
 # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
 #            to your previous settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 #elasticsearch_template_name = graylog-internal
 # Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only
 # be enabled with care. See also: http://docs.graylog.org/en/2.1/pages/queries.html
 allow_leading_wildcard_searches = false
 # Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and
 # should only be enabled after making sure your Elasticsearch cluster has enough memory.
 allow_highlighting = false
 # Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea.
 # All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom
 # Elasticsearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/2.3/analysis.html
 # Note that this setting only takes effect on newly created indices.
 #
 # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
 #            to your previous settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 elasticsearch_analyzer = standard
 # Global request timeout for Elasticsearch requests (e. g. during search, index creation, or index time-range
 # calculations) based on a best-effort to restrict the runtime of Elasticsearch operations.
 # Default: 1m
 #elasticsearch_request_timeout = 1m
 # Global timeout for index optimization (force merge) requests.
 # Default: 1h
 #elasticsearch_index_optimization_timeout = 1h
 # Maximum number of concurrently running index optimization (force merge) jobs.
 # If you are using lots of different index sets, you might want to increase that number.
 # Default: 20
 #elasticsearch_index_optimization_jobs = 20
 # Time interval for index range information cleanups. This setting defines how often stale index range information
 # is being purged from the database.
 # Default: 1h
 #index_ranges_cleanup_interval = 1h
 # Time interval for the job that runs index field type maintenance tasks like cleaning up stale entries. This doesn't
 # need to run very often.
 # Default: 1h
 #index_field_type_periodical_interval = 1h
 # Batch size for the Elasticsearch output. This is the maximum (!) number of messages the Elasticsearch output
 # module will get at once and write to Elasticsearch in a batch call. If the configured batch size has not been
 # reached within output_flush_interval seconds, everything that is available will be flushed at once. Remember
 # that every outputbuffer processor manages its own batch and performs its own batch write calls.
 # ("outputbuffer_processors" variable)
 output_batch_size = 500
 # Flush interval (in seconds) for the Elasticsearch output. This is the maximum amount of time between two
 # batches of messages written to Elasticsearch. It is only effective at all if your minimum number of messages
 # for this time period is less than output_batch_size * outputbuffer_processors.
 output_flush_interval = 1
 # As stream outputs are loaded only on demand, an output which is failing to initialize will be tried over and
 # over again. To prevent this, the following configuration options define after how many faults an output will
 # not be tried again for an also configurable amount of seconds.
 output_fault_count_threshold = 5
 output_fault_penalty_seconds = 30
 # The number of parallel running processors.
 # Raise this number if your buffers are filling up.
 processbuffer_processors = 5
 outputbuffer_processors = 3
 # The following settings (outputbuffer_processor_*) configure the thread pools backing each output buffer processor.
 # See https://docs.oracle.com/javase/8/docs/api/java/util/concurrent/ThreadPoolExecutor.html for technical details
 # When the number of threads is greater than the core (see outputbuffer_processor_threads_core_pool_size),
 # this is the maximum time in milliseconds that excess idle threads will wait for new tasks before terminating.
 # Default: 5000
 #outputbuffer_processor_keep_alive_time = 5000
 # The number of threads to keep in the pool, even if they are idle, unless allowCoreThreadTimeOut is set
 # Default: 3
 #outputbuffer_processor_threads_core_pool_size = 3
 # The maximum number of threads to allow in the pool
 # Default: 30
 #outputbuffer_processor_threads_max_pool_size = 30
 # UDP receive buffer size for all message inputs (e. g. SyslogUDPInput).
 #udp_recvbuffer_sizes = 1048576
 # Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping)
 # Possible types:
 #  - yielding
 #     Compromise between performance and CPU usage.
 #  - sleeping
 #     Compromise between performance and CPU usage. Latency spikes can occur after quiet periods.
 #  - blocking
 #     High throughput, low latency, higher CPU usage.
 #  - busy_spinning
 #     Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores.
 processor_wait_strategy = blocking
 # Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore.
 # For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache.
 # Must be a power of 2. (512, 1024, 2048, ...)
 ring_size = 65536
 inputbuffer_ring_size = 65536
 inputbuffer_processors = 2
 inputbuffer_wait_strategy = blocking
 # Enable the disk based message journal.
 message_journal_enabled = true
 # The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and
 # must not contain any other files than the ones created by Graylog itself.
 #
 # ATTENTION:
 #   If you create a seperate partition for the journal files and use a file system creating directories like 'lost+found'
 #   in the root directory, you need to create a sub directory for your journal.
 #   Otherwise Graylog will log an error message that the journal is corrupt and Graylog will not start.
 message_journal_dir = /var/lib/graylog-server/journal
 # Journal hold messages before they could be written to Elasticsearch.
 # For a maximum of 12 hours or 5 GB whichever happens first.
 # During normal operation the journal will be smaller.
 #message_journal_max_age = 12h
 #message_journal_max_size = 5gb
 #message_journal_flush_age = 1m
 #message_journal_flush_interval = 1000000
 #message_journal_segment_age = 1h
 #message_journal_segment_size = 100mb
 # Number of threads used exclusively for dispatching internal events. Default is 2.
 #async_eventbus_processors = 2
 # How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual
 # shutdown process. Set to 0 if you have no status checking load balancers in front.
 lb_recognition_period_seconds = 3
 # Journal usage percentage that triggers requesting throttling for this server node from load balancers. The feature is
 # disabled if not set.
 #lb_throttle_threshold_percentage = 95
 # Every message is matched against the configured streams and it can happen that a stream contains rules which
 # take an unusual amount of time to run, for example if its using regular expressions that perform excessive backtracking.
 # This will impact the processing of the entire server. To keep such misbehaving stream rules from impacting other
 # streams, Graylog limits the execution time for each stream.
 # The default values are noted below, the timeout is in milliseconds.
 # If the stream matching for one stream took longer than the timeout value, and this happened more than "max_faults" times
 # that stream is disabled and a notification is shown in the web interface.
 #stream_processing_timeout = 2000
 #stream_processing_max_faults = 3
 # Since 0.21 the Graylog server supports pluggable output modules. This means a single message can be written to multiple
 # outputs. The next setting defines the timeout for a single output module, including the default output module where all
 # messages end up.
 #
 # Time in milliseconds to wait for all message outputs to finish writing a single message.
 #output_module_timeout = 10000
 # Time in milliseconds after which a detected stale master node is being rechecked on startup.
 #stale_master_timeout = 2000
 # Time in milliseconds which Graylog is waiting for all threads to stop on shutdown.
 #shutdown_timeout = 30000
 # MongoDB connection string
 # See https://docs.mongodb.com/manual/reference/connection-string/ for details
 mongodb_uri = mongodb://localhost/graylog
 # Authenticate against the MongoDB server
 # '+'-signs in the username or password need to be replaced by '%2B'
 #mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog
 # Use a replica set instead of a single host
 #mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog
 # Increase this value according to the maximum connections your MongoDB server can handle from a single client
 # if you encounter MongoDB connection problems.
 mongodb_max_connections = 1000
 # Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5
 # If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5,
 # then 500 threads can block. More than that and an exception will be thrown.
 # http://api.mongodb.com/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
 mongodb_threads_allowed_to_block_multiplier = 5
 # Email transport
 transport_email_enabled = true
 transport_email_hostname = localhost
 #transport_email_port = 587
 transport_email_use_auth = false
 #transport_email_auth_username = you@example.com
 #transport_email_auth_password = secret
 #transport_email_subject_prefix = [graylog]
 transport_email_from_email = {{ graylog_email_from }}
 # Encryption settings
 #
 # ATTENTION:
 #    Using SMTP with STARTTLS *and* SMTPS at the same time is *not* possible.
 # Use SMTP with STARTTLS, see https://en.wikipedia.org/wiki/Opportunistic_TLS
 transport_email_use_tls = false
 # Use SMTP over SSL (SMTPS), see https://en.wikipedia.org/wiki/SMTPS
 # This is deprecated on most SMTP services!
 transport_email_use_ssl = false
 # Specify and uncomment this if you want to include links to the stream in your stream alert mails.
 # This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users.
 #transport_email_web_interface_url = https://graylog.example.com
 # The default connect timeout for outgoing HTTP connections.
 # Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
 # Default: 5s
 #http_connect_timeout = 5s
 # The default read timeout for outgoing HTTP connections.
 # Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
 # Default: 10s
 #http_read_timeout = 10s
 # The default write timeout for outgoing HTTP connections.
 # Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
 # Default: 10s
 #http_write_timeout = 10s
 # HTTP proxy for outgoing HTTP connections
 # ATTENTION: If you configure a proxy, make sure to also configure the "http_non_proxy_hosts" option so internal
 #            HTTP connections with other nodes does not go through the proxy.
 # Examples:
 #   - http://proxy.example.com:8123
 #   - http://username:password@proxy.example.com:8123
 #http_proxy_uri =
 # A list of hosts that should be reached directly, bypassing the configured proxy server.
 # This is a list of patterns separated by ",". The patterns may start or end with a "*" for wildcards.
 # Any host matching one of these patterns will be reached through a direct connection instead of through a proxy.
 # Examples:
 #   - localhost,127.0.0.1
 #   - 10.0.*,*.example.com
 #http_non_proxy_hosts =
 # Disable the optimization of Elasticsearch indices after index cycling. This may take some load from Elasticsearch
 # on heavily used systems with large indices, but it will decrease search performance. The default is to optimize
 # cycled indices.
 #
 # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
 #            to your previous settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 #disable_index_optimization = true
 # Optimize the index down to <= index_optimization_max_num_segments. A higher number may take some load from Elasticsearch
 # on heavily used systems with large indices, but it will decrease search performance. The default is 1.
 #
 # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
 #            to your previous settings so they will be migrated to the database!
 #            This configuration setting is only used on the first start of Graylog. After that,
 #            index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
 #            Also see http://docs.graylog.org/en/2.3/pages/configuration/index_model.html#index-set-configuration.
 #index_optimization_max_num_segments = 1
 # The threshold of the garbage collection runs. If GC runs take longer than this threshold, a system notification
 # will be generated to warn the administrator about possible problems with the system. Default is 1 second.
 #gc_warning_threshold = 1s
 # Connection timeout for a configured LDAP server (e. g. ActiveDirectory) in milliseconds.
 #ldap_connection_timeout = 2000
 # Disable the use of SIGAR for collecting system stats
 #disable_sigar = false
 # The default cache time for dashboard widgets. (Default: 10 seconds, minimum: 1 second)
 #dashboard_widget_default_cache_time = 10s
 # For some cluster-related REST requests, the node must query all other nodes in the cluster. This is the maximum number
 # of threads available for this. Increase it, if '/cluster/*' requests take long to complete.
 # Should be http_thread_pool_size * average_cluster_size if you have a high number of concurrent users.
 proxied_requests_thread_pool_size = 32
 # The server is writing processing status information to the database on a regular basis. This setting controls how
 # often the data is written to the database.
 # Default: 1s (cannot be less than 1s)
 #processing_status_persist_interval = 1s
 # Configures the threshold for detecting outdated processing status records. Any records that haven't been updated
 # in the configured threshold will be ignored.
 # Default: 1m (one minute)
 #processing_status_update_threshold = 1m
 # Configures the journal write rate threshold for selecting processing status records. Any records that have a lower
 # one minute rate than the configured value might be ignored. (dependent on number of messages in the journal)
 # Default: 1
 #processing_status_journal_write_rate_threshold = 1
--- a/roles/mongodb/defaults/main.yml
+++ b/roles/mongodb/defaults/main.yml
@ -0,0 +1 @@
 mongodb_version: '4.0'
--- a/roles/mongodb/tasks/main.yml
+++ b/roles/mongodb/tasks/main.yml
@ -0,0 +1,18 @@
 - name: ensure mongodb package repository is available
  template:
    src=mongodb.repo.j2
    dest=/etc/yum.repos.d/mongodb.repo
    mode=0644
  tags:
  - install
 - name: ensure mongodb is installed
  package:
    name: mongodb-org-server
    state: present
  tags:
  - install
 - name: ensure mongodb server starts at boot
  service:
    name=mongod
    enabled=yes
--- a/roles/mongodb/templates/mongodb.repo.j2
+++ b/roles/mongodb/templates/mongodb.repo.j2
@ -0,0 +1,6 @@
 [mongodb-org-{{ mongodb_version }}]
 name=MongoDB Repository
 baseurl=https://repo.mongodb.org/yum/redhat/7/mongodb-org/{{ mongodb_version }}/x86_64/
 gpgcheck=1
 enabled=1
 gpgkey=https://www.mongodb.org/static/pgp/server-{{ mongodb_version }}.asc
--- a/roles/ssh-hostkeys/files/ssh_known_hosts
+++ b/roles/ssh-hostkeys/files/ssh_known_hosts
@ -61,6 +61,9 @@ jenkins0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDibSJk2uGXl+Xtv
 koji0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL2YIKDjrfYF72nzcsa++Y06lKSwiFijW1c0qhErh2vRE45wex2XhUCJ9q753ambrJPNIGJ6jxxdSpWdPJyxvrA=
 koji0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHsxeHFHrDxfPSrX0xFyB+8QeFz/BwrMQYR0cj2UADsC
 koji0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDz6WcIvSuGrvDZU38FZi5B3uTlh6N6Y90cDu8mBoBx7yZlW/g9Hf/3OsPE54FpstnsZoQ0PD4sq4ZYhY00sLtj/jl/MtmeHua1azzXGhgaU0vCnZtNdJ4LZiUzCJiNwYByqbLVzChpYNDaFSHTkyMlrdA5MpEsZFCr+DWP53Jvz+dOw0qxDhOQkHzr8ePgPKwyUTMQAgW1yk+YDllzZSnLbvMlu568EsuBr3dcv3KHF439OVVxWVPciWRhWFxgpXnKdVn0ApE21lX37p5qGvav13yRh0+FeW06vO736NtUD2dJPQHmEk8vQ0VC3Ev0a4HkiLEO/Y1eKSUrGfX5rHoH
 logs0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI44nMZrVNHCRbkofKb20d6zk8Kemznedlt7ztsevODeF7nVryLthNSeQETNQhzKgguUYAs6bAP4Lbs3P1liLO8=
 logs0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUGTwxui3nq1UD4ypNBbgITW3J97hlGIKM3tT/Ul2sq
 logs0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC4dsVIKnNy/7N29wmogDTyOLS0VzB2rmQV8rU7EFdYvvmJ2xiv+FyfXsluGeLJdV/lJ8sPPQ012LgtFE5+NkzXxBY20PMU3feDet3+vdn3qmwE+wi3jw4SNl2V05reTdgvfkqJCdDRquvZGRZtBiuGR6wMH4lFwju+ZXn0MN3enK0kEjNNmNOB8diL7Ndlyg6yQUt/NAtHIajj2nkiwc0SkPTdWhHOvrD5syW7dHuj1Ek9vC+XUb3niuLfGJSI7ZtYR2I6Kj9kzz9D3UGTr/quUa5/zvDUKT66Omz+aoy0zCGmtJ6w8dyHdVS8alSqRFFOwM0Ua4Irw/9NS1+NwHTJkT8tCMX6wXBRZxIhaeIiilBRnAhIaeV/kqRQgp8j4BGG8xn0Pb2S/wpZhVfuixct0nJV7XRnP9yJknJtHt+LnaBL7FlnxcwCms7FJmHxSA08S4hGmYLQ4CaMIuAYLAqMz6EF+wJYOIhUw+n+lpyxgDhsJJtReQdPkOFLI7EdESM=
 proxy0.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJYHAPVZ/doCszO1GL6nMTvdJO5ASv38eyRUIwhxhIhJJgbkFI5bbGdg9Kr10u0wWU5jEjhNiT4fg6QFFZAOLVM=
 proxy0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICfsGYZVyo0LHLYiXt28FGmcRSA9RGWG63+xPzIrdFDI
 proxy0.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNv1c4zTK1ccZr/P7CSMJCryGqoDwehGRPQLJOj07WA5lEPUWtpLRYxFUv7WrMkgIbphjiaOmZdC48tOoPUo4h89qWc8Qkv0NBbFqYsfpYSZGwuTCdR0mYB5c3D+O2E4kA80iw/Ba6mQZGOkmQ1W55tB0VC0w+zf2Z+4bsbHqn7/fYcYyyzNPRtl5etwrQ0XtVjOPdphv6fEypPbZMgpHhHlH24rLfs8lEnQNzU6eGuBoeSG2TQmC3cqp2zOH04s5XPbHgBVCJpTBwfWfKLN4t52YfI7WBpBpjzbhfeX13/9Ji3lY2HfMCq3jYQgoEVVTlg044vMM3azpFMAMjT9+R
--- a/vault/graylog/logs0.pyrocufflink.blue
+++ b/vault/graylog/logs0.pyrocufflink.blue
@ -0,0 +1,20 @@
 $ANSIBLE_VAULT;1.1;AES256
 35613333363132333336316539303631643239336335643739383337626431356635636232346537
 3531386139646134366666313334633531326664666537330a663865663266396538373332613061
 38313861366634313464383663663238666365383661663639363738363963393564343862323438
 3565383738363966650a663834633531323330343233373239356565303436333131363634626165
 61366665303836633832373761326366383763616132623262333730623533326136303162613637
 37323966353566656635646361633234383762323535663862346565383539316437363435353661
 39363131656462393735663035323663356638303061623532383238353138613135636338326261
 33333661646230323239363536616131386232383233643063613264306365386539313637313663
 61343338373164656131656535333031656534643265616132303163333935613434343932303739
 64353233353662303432306437333965373765396262343165303032373164366461386434343863
 32386438386233653564366532643931626639386264653365386537396239316266353738636435
 37616236303961313935663961613731366132643535393263336264313133306364333937363539
 35333830633830393361343230643638333431303330656465633232343538396661653636343238
 65643532313030653764303939353832373364303138626166653263386665376666323563663331
 31626330636638326531666262356135633563356561616538333637613837326262366662653564
 36383032643139343233323632653431376239303830306130623530386565613030333436393439
 31363639386265613330333735343733633030613137306239623132336330336162626163323138
 31306435303334626563393061343037643231383033373562646363343837663264356334666538
 396565653632313663323665383063353863
		`@ -0,0 +1 @@`
							`graylog_server_host: graylog.pyrocufflink.blue`