The *graylog* role installs Graylog from the *graylog2.org* Yum repository and manages basic server configuration. It augments the default systemd unit with a drop-in that grants the `CAP_NET_BIND_SERVICE` capability to the Graylog server process via ambient capabilities, so the server can bind the privileged (below 1024) Syslog UDP port without running as root.
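# Bootstrap the vendor repository from its repo-definition RPM. The RPM is
# fetched by URL over HTTPS; by default yum/dnf do not GPG-verify a package
# installed from a URL (localpkg_gpgcheck is off), so TLS is the only integrity
# check on this step. Import the Graylog signing key with rpm_key and confirm
# the installed .repo file carries gpgcheck=1 before trusting packages from it.
# The Graylog major/minor version is pinned in the URL.
- name: ensure graylog repository is available
  package:
    name: https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
    state: present
  tags:
    - install
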
# Install the server package together with the JRE it runs on. The headless
# OpenJDK build is used so no X11/audio dependencies land on the server.
- name: ensure graylog is installed
  tags:
    - install
  package:
    state: present
    name:
      - java-1.8.0-openjdk-headless
      - graylog-server

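# Drop-in directory for overriding parts of the packaged graylog-server unit
# without editing the vendor unit file (which an upgrade would overwrite).
# Ownership is pinned to root:root explicitly so the override location is
# never left writable by the service account.
- name: ensure graylog-server systemd unit drop-in directory is present
  file:
    path: /etc/systemd/system/graylog-server.service.d
    state: directory
    owner: root
    group: root
    mode: '0755'
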
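# The drop-in grants CAP_NET_BIND_SERVICE as an ambient capability so the
# unprivileged service user can bind the Syslog port (<1024) instead of the
# daemon running as root. root:root so only an administrator can widen it.
# Handlers run in the order they are *defined* in handlers/main.yml, not the
# order they are notified here: 'reload systemd' must be defined before
# 'restart graylog', otherwise the restart still uses the stale unit.
- name: ensure graylog-server systemd unit capabilities are configured
  copy:
    src: graylog-server-capabilities.systemd.conf
    dest: /etc/systemd/system/graylog-server.service.d/capabilities.conf
    owner: root
    group: root
    mode: '0644'
  notify:
    - reload systemd
    - restart graylog
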
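# Service environment file under /etc/sysconfig (JVM options and the like).
# It is world-readable (0644), so nothing secret belongs in this template.
- name: ensure graylog service is configured
  template:
    src: graylog-server.sysconfig.j2
    dest: /etc/sysconfig/graylog-server
    owner: root
    group: root
    mode: '0644'
  notify: restart graylog
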
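# Main server configuration. Kept root:graylog 0640: the daemon only needs to
# read it, and a Graylog server.conf is expected to carry secrets
# (password_secret, root_password_sha2) — source those from vaulted variables,
# never from plain-text role defaults. The mode is written as the quoted
# octal string '0640' rather than the bare 640 used before, matching the
# other file tasks in this role.
- name: ensure graylog server is configured
  template:
    src: server.conf.j2
    dest: /etc/graylog/server/server.conf
    owner: root
    group: graylog
    mode: '0640'
  notify: restart graylog
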
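# Per-host TLS certificate for the syslog-tls input, looked up in files/ by
# inventory_hostname. with_fileglob yields nothing when no file matches, so a
# host without a certificate is silently skipped rather than failed; if TLS is
# mandatory (graylog_use_syslog_tls), assert the file exists before this task.
- name: ensure syslog tls server certificate is installed
  copy:
    src: '{{ item }}'
    dest: /etc/graylog/syslog-tls.cer
    owner: root
    group: graylog
    mode: '0640'
  with_fileglob: 'files/{{ inventory_hostname }}.cer'
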
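# The private key file must be in PKCS#8 format, not the more common PKCS#1.
# The key is read from the controller's files/ directory: keep it
# vault-encrypted there (copy decrypts a vaulted src transparently, decrypt
# defaults to yes) and never commit it in the clear. On the host it is
# root:graylog 0640 so only root and the daemon can read it. no_log keeps the
# key out of play output and --diff listings. Same with_fileglob caveat as the
# certificate: a missing key file skips the task silently.
- name: ensure syslog tls server private key is installed
  copy:
    src: '{{ item }}'
    dest: /etc/graylog/syslog-tls.key
    owner: root
    group: graylog
    mode: '0640'
  with_fileglob: 'files/{{ inventory_hostname }}.key'
  no_log: true
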
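# CA certificate for the syslog-tls input, again selected per host from
# files/. Public material, but kept at the same 0640 root:graylog as the rest
# of the TLS files for consistency. As with the other fileglob tasks, no
# matching file means the task is skipped, not failed.
- name: ensure syslog tls ca certificate is installed
  copy:
    src: '{{ item }}'
    dest: /etc/graylog/syslog-tls-ca.crt
    owner: root
    group: graylog
    mode: '0640'
  with_fileglob: 'files/{{ inventory_hostname }}_ca.crt'
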
# Open or close the two syslog firewalld services to mirror which inputs the
# role enables. Rules are applied to the runtime configuration only; the
# 'save firewalld configuration' handler is what makes them permanent, so if
# the play dies before handlers run the permanent ruleset is untouched.
# Plain 'syslog' is unauthenticated and unencrypted: enable it only on a
# trusted network segment and prefer syslog-tls where clients support it.
- name: ensure firewall is configured for syslog
  firewalld:
    service: "{{ item.service }}"
    state: "{{ item.state }}"
    immediate: true
    permanent: false
  with_items:
    - service: syslog
      state: "{{ 'enabled' if graylog_use_syslog else 'disabled' }}"
    - service: syslog-tls
      state: "{{ 'enabled' if graylog_use_syslog_tls else 'disabled' }}"
  notify: save firewalld configuration

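# httpd_can_network_connect lets httpd initiate connections to *any* port,
# which is broader than a reverse proxy to a single backend needs. If the
# Graylog HTTP listener is on a port labelled http_port_t (check with
# `semanage port -l | grep http_port_t`), the narrower
# httpd_can_network_relay boolean is sufficient and should be preferred.
- name: ensure apache is allowed to proxy
  seboolean:
    name: httpd_can_network_connect
    state: true
    persistent: true
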
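# Reverse-proxy vhost in front of the Graylog web/API listener. Any TLS
# termination or access restriction for the web UI belongs in this template.
# Reload rather than restart so existing connections are not dropped.
- name: ensure apache is configured to proxy for graylog
  template:
    src: graylog.httpd.conf.j2
    dest: /etc/httpd/conf.d/graylog.conf
    owner: root
    group: root
    mode: '0644'
  notify: reload httpd
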
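# Enable only: this task does not start the service. A running state is only
# reached through the 'restart graylog' handler when a configuration task
# changes; on a run where nothing changed and the service is down, nothing in
# this role starts it. Add `state: started` if the role must also guarantee
# the service is running.
- name: ensure graylog starts at boot
  service:
    name: graylog-server
    enabled: true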