
Ansible role for graylog sidecars

Ansible role to install and configure graylog sidecars on Debian / Ubuntu / RedHat.

Default variables

# Unique node id. Default uses '/etc/machine-id'
graylog_sidecar_node_id: 'file:/etc/machine-id'

# Sidecar repository urls based on OS family
sidecar_repo_urls:
  "RedHat": "https://github.com/Graylog2/collector-sidecar/releases/download/{{ sidecar_version }}/graylog-sidecar-{{ sidecar_version }}-1.x86_64.rpm"
  "Debian": "https://github.com/Graylog2/collector-sidecar/releases/download/{{ sidecar_version }}/graylog-sidecar_{{ sidecar_version }}-1_amd64.deb"

Variables required by the user

# API URL for graylog server
graylog_sidecar_server_url:

# SECRET: token to be used for sidecars
graylog_sidecar_server_api_token:

Auto fetch configs

You can specify a list of tags that the sidecar uses to auto fetch configs from the Graylog server. To do so, add the config_tags variable and provide the list of tags for which the sidecar should pull configs.

Node Certificates

For node certificates to be generated, you need to create an additional host group named sidecar-ca with a single host (if there are several, only the first is used) that stores the CA certificate used for client certificate generation.

In addition, the CA certificate that was used to create the certificates for the Graylog nodes themselves must also be available for distribution, because it is required for TLS communication, for example by Filebeat. Therefore, make the Graylog nodes available via a host group called graylog-nodes.

You may also use a completely separate host to store the CA files for Graylog and the Sidecar service. If this is the case, you need to set the use_central_ca_host variable to true and provide a host group called ca-store. The other groups mentioned earlier need to be omitted.

The log node CA file must be available at: /etc/graylog/graylog-ca.pem
The sidecar CA file must be available at: /etc/graylog/sidecar/sidecar-ca.pem
The sidecar CA file's key must be available at: /etc/graylog/sidecar/sidecar-ca.key

The location of the files can be configured via variables. The file names, however, must be exactly as specified. The following variables are available for the node certificates.

# Whether to generate node certificates (default: true)
generate_node_certs: true

# Whether to use a central host to obtain the required certificates from (default: false)
use_central_ca_host: false

# The path where the CA certificate of the graylog nodes should be
# fetched from the remote machine specified in the 'graylog-nodes' host group
gl_node_ca_path: "/etc/graylog/"

# The path where the CA certificate and key should be fetched from
# the remote machine specified in the 'sidecar-ca' host group
gl_sidecar_ca_path: "/etc/graylog/sidecar"

# The directory where client certs should be stored
sidecar_cert_dir: "/etc/graylog/sidecar"

# The time in days the client certificates will be valid
cert_valid_days: 1095

# The passphrase used for the CA file
sidecar_ca_passphrase:

SAN config

To configure the SANs that will be added to the node certificates, the following options are available. The FQDN and short name of the node will always be added. The settings below only apply to IP SAN entries.

# Control the IP family to use
use_ipv4: true
use_ipv6: true

# If set to true, the IP of the default route interface will be used
use_default: true

# If set to true, the IP of the provided interface name will be used
use_interface_ip: false
iface_name: ""
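
An example inventory for the default (non-central) CA layout described under "Node Certificates", added here and not taken from the role's repository. Host names, the sidecar_hosts group, the vault_* variable names and all values are constructed placeholders; the two secrets are assumed to live in an Ansible Vault encrypted vars file.

```yaml
# Added example inventory (YAML format). Host names, the 'sidecar_hosts' group,
# the vault_* variable names and all values are constructed placeholders.
all:
  children:
    sidecar_hosts:               # hosts the role is applied to (hypothetical name)
      hosts:
        app01.example.test:
        app02.example.test:
      vars:
        graylog_sidecar_server_url: "https://graylog.example.test/api/"
        # Secrets are referenced from an Ansible Vault encrypted vars file
        # instead of being written in clear text in the inventory.
        graylog_sidecar_server_api_token: "{{ vault_graylog_sidecar_server_api_token }}"
        sidecar_ca_passphrase: "{{ vault_sidecar_ca_passphrase }}"
        config_tags:
          - linux
          - nginx
        generate_node_certs: true
        use_central_ca_host: false
        cert_valid_days: 365     # shorter than the 1095-day value shown above
        # IP SAN: IPv4 address of a named interface instead of the
        # default route interface.
        use_ipv4: true
        use_ipv6: false
        use_default: false
        use_interface_ip: true
        iface_name: "eth1"
    # Stores sidecar-ca.pem and sidecar-ca.key under gl_sidecar_ca_path.
    # Only the first host of this group is used.
    sidecar-ca:
      hosts:
        ca01.example.test:
    # Stores graylog-ca.pem under gl_node_ca_path.
    graylog-nodes:
      hosts:
        graylog01.example.test:
    # Central CA variant: set use_central_ca_host: true, define the group
    # below with a host that stores all three files, and omit the
    # 'sidecar-ca' and 'graylog-nodes' groups.
    # ca-store:
    #   hosts:
    #     castore01.example.test:
```

Recent Ansible releases print a warning for group names that contain "-"; the group names are kept exactly as this README requires them.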