############################# GRAYLOG CONFIGURATION FILE####################

1. ############################
2. # GRAYLOG CONFIGURATION FILE
3. ############################
4. # If you are running more than one instances of Graylog server you have to select one of these
5. # instances as master. The master will perform some periodical tasks that non-masters won't perform.
6. is_master = true
7.  
8. # The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
9. # to use an absolute file path here if you are starting Graylog server from init scripts or similar.
10. node_id_file = /etc/graylog/server/node-id
11.  
12. # You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
13. # Generate one by using for example: pwgen -N 1 -s 96
14. password_secret = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
15.  
16. # The default root user is named 'admin'
17. #root_username = admin
18.  
19. # You MUST specify a hash password for the root user (which you only need to initially set up the
20. # system and in case you lose connectivity to your authentication backend)
21. # This password cannot be changed using the API or via the web interface. If you need to change it,
22. # modify it in this file.
23. # Create one by using for example: echo -n yourpassword | shasum -a 256
24. # and put the resulting hash value into the following line
25. root_password_sha2 = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
26.  
27. # The email address of the root user.
28. # Default is empty
29. root_email = "myuser@mycompany.com"
30.  
31. # The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
32. # Default is UTC
33. root_timezone = EST5EDT
34.  
35. # Set plugin directory here (relative or absolute)
36. plugin_dir = /usr/share/graylog-server/plugin
37.  
38. # REST API listen URI. Must be reachable by other Graylog server nodes if you run a cluster.
39. # When using Graylog Collectors, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
40. rest_listen_uri = https://graylog1.mycompany.com:9000/api/
41.  
42. # REST API transport address. Defaults to the value of rest_listen_uri. Exception: If rest_listen_uri
43. # is set to a wildcard IP address (0.0.0.0) the first non-loopback IPv4 system address is used.
44. # If set, this will be promoted in the cluster discovery APIs, so other nodes may try to connect on
45. # this address and it is used to generate URLs addressing entities in the REST API. (see rest_listen_uri)
46. # You will need to define this, if your Graylog server is running behind a HTTP proxy that is rewriting
47. # the scheme, host name or URI.
48. # This must not contain a wildcard address (0.0.0.0).
49. #rest_transport_uri = http://192.168.1.1:9000/api/
50.  
51. # Enable CORS headers for REST API. This is necessary for JS-clients accessing the server directly.
52. # If these are disabled, modern browsers will not be able to retrieve resources from the server.
53. # This is enabled by default. Uncomment the next line to disable it.
54. #rest_enable_cors = false
55.  
56. # Enable GZIP support for REST API. This compresses API responses and therefore helps to reduce
57. # overall round trip times. This is enabled by default. Uncomment the next line to disable it.
58. #rest_enable_gzip = false
59.  
60. # Enable HTTPS support for the REST API. This secures the communication with the REST API with
61. # TLS to prevent request forgery and eavesdropping. This is disabled by default. Uncomment the
62. # next line to enable it.
63. rest_enable_tls = true
64.  
65. # The X.509 certificate chain file in PEM format to use for securing the REST API.
66. rest_tls_cert_file = /etc/ssl/certs/graylog_cert.pem
67.  
68. # The PKCS#8 private key file in PEM format to use for securing the REST API.
69. rest_tls_key_file = /etc/ssl/certs/graylog_key.pem
70.  
71. # The password to unlock the private key used for securing the REST API.
72. #rest_tls_key_password = secret
73.  
74. # The maximum size of the HTTP request headers in bytes.
75. #rest_max_header_size = 8192
76.  
77. # The maximal length of the initial HTTP/1.1 line in bytes.
78. #rest_max_initial_line_length = 4096
79.  
80. # The size of the thread pool used exclusively for serving the REST API.
81. #rest_thread_pool_size = 16
82.  
83. # Comma separated list of trusted proxies that are allowed to set the client address with X-Forwarded-For
84. # header. May be subnets, or hosts.
85. #trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128
86.  
87. # Enable the embedded Graylog web interface.
88. # Default: true
89. web_enable = true
90.  
91. # Web interface listen URI.
92. # Configuring a path for the URI here effectively prefixes all URIs in the web interface. This is a replacement
93. # for the application.context configuration parameter in pre-2.0 versions of the Graylog web interface.
94. web_listen_uri = https://graylog1.mycompany.com:9000/
95.  
96. # Web interface endpoint URI. This setting can be overriden on a per-request basis with the X-Graylog-Server-URL header.
97. # Default: $rest_transport_uri
98. web_endpoint_uri = https://graylog.mycompany.com:443/
99.  
100. # Enable CORS headers for the web interface. This is necessary for JS-clients accessing the server directly.
101. # If these are disabled, modern browsers will not be able to retrieve resources from the server.
102. #web_enable_cors = false
103.  
104. # Enable/disable GZIP support for the web interface. This compresses HTTP responses and therefore helps to reduce
105. # overall round trip times. This is enabled by default. Uncomment the next line to disable it.
106. #web_enable_gzip = false
107.  
108. # Enable HTTPS support for the web interface. This secures the communication of the web browser with the web interface
109. # using TLS to prevent request forgery and eavesdropping.
110. # This is disabled by default. Uncomment the next line to enable it and see the other related configuration settings.
111. web_enable_tls = true
112.  
113. # The X.509 certificate chain file in PEM format to use for securing the web interface.
114. web_tls_cert_file = /etc/ssl/certs/graylog_cert.pem
115.  
116. # The PKCS#8 private key file in PEM format to use for securing the web interface.
117. web_tls_key_file = /etc/ssl/certs/graylog_key.pem
118.  
119. # The password to unlock the private key used for securing the web interface.
120. #web_tls_key_password = secret
121.  
122. # The maximum size of the HTTP request headers in bytes.
123. #web_max_header_size = 8192
124.  
125. # The maximal length of the initial HTTP/1.1 line in bytes.
126. #web_max_initial_line_length = 4096
127.  
128. # The size of the thread pool used exclusively for serving the web interface.
129. #web_thread_pool_size = 16
130.  
131. # List of Elasticsearch hosts Graylog should connect to.
132. # Need to be specified as a comma-separated list of valid URIs for the http ports of your elasticsearch nodes.
133. # If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that
134. # requires authentication.
135. #
136. # Default: http://127.0.0.1:9200
137. elasticsearch_hosts = http://elastic1:9200,http://elastic2:9200,http://elastic3:9200
138.  
139. # Maximum amount of time to wait for successfull connection to Elasticsearch HTTP port.
140. #
141. # Default: 10 Seconds
142. #elasticsearch_connect_timeout = 10s
143.  
144. # Maximum amount of time to wait for reading back a response from an Elasticsearch server.
145. #
146. # Default: 60 seconds
147. #elasticsearch_socket_timeout = 60s
148.  
149. # Maximum idle time for an Elasticsearch connection. If this is exceeded, this connection will
150. # be tore down.
151. #
152. # Default: inf
153. #elasticsearch_idle_timeout = -1s
154.  
155. # Maximum number of total connections to Elasticsearch.
156. #
157. # Default: 20
158. #elasticsearch_max_total_connections = 20
159.  
160. # Maximum number of total connections per Elasticsearch route (normally this means per
161. # elasticsearch server).
162. #
163. # Default: 2
164. #elasticsearch_max_total_connections_per_route = 2
165.  
166. # Maximum number of times Graylog will retry failed requests to Elasticsearch.
167. #
168. # Default: 2
169. #elasticsearch_max_retries = 2
170.  
171. # Enable automatic Elasticsearch node discovery through Nodes Info,
172. # see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster-nodes-info.html
173. #
174. # WARNING: Automatic node discovery does not work if Elasticsearch requires authentication, e. g. with Shield.
175. #
176. # Default: false
177. elasticsearch_discovery_enabled = true
178.  
179. # Filter for including/excluding Elasticsearch nodes in discovery according to their custom attributes,
180. # see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster.html#cluster-nodes
181. #
182. # Default: empty
183. #elasticsearch_discovery_filter = rack:42
184.  
185. # Frequency of the Elasticsearch node discovery.
186. #
187. # Default: 30s
188. # elasticsearch_discovery_frequency = 30s
189.  
190. # Enable payload compression for Elasticsearch requests.
191. #
192. # Default: false
193. #elasticsearch_compression_enabled = true
194.  
195. # Graylog will use multiple indices to store documents in. You can configured the strategy it uses to determine
196. # when to rotate the currently active write index.
197. # It supports multiple rotation strategies:
198. # - "count" of messages per index, use elasticsearch_max_docs_per_index below to configure
199. # - "size" per index, use elasticsearch_max_size_per_index below to configure
200. # valid values are "count", "size" and "time", default is "count"
201. #
202. # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
203. # to your previous 1.x settings so they will be migrated to the database!
204. rotation_strategy = count
205.  
206. # (Approximate) maximum number of documents in an Elasticsearch index before a new index
207. # is being created, also see no_retention and elasticsearch_max_number_of_indices.
208. # Configure this if you used 'rotation_strategy = count' above.
209. #
210. # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
211. # to your previous 1.x settings so they will be migrated to the database!
212. elasticsearch_max_docs_per_index = 20000000
213.  
214. # (Approximate) maximum size in bytes per Elasticsearch index on disk before a new index is being created, also see
215. # no_retention and elasticsearch_max_number_of_indices. Default is 1GB.
216. # Configure this if you used 'rotation_strategy = size' above.
217. #
218. # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
219. # to your previous 1.x settings so they will be migrated to the database!
220. #elasticsearch_max_size_per_index = 1073741824
221.  
222. # (Approximate) maximum time before a new Elasticsearch index is being created, also see
223. # no_retention and elasticsearch_max_number_of_indices. Default is 1 day.
224. # Configure this if you used 'rotation_strategy = time' above.
225. # Please note that this rotation period does not look at the time specified in the received messages, but is
226. # using the real clock value to decide when to rotate the index!
227. # Specify the time using a duration and a suffix indicating which unit you want:
228. # 1w = 1 week
229. # 1d = 1 day
230. # 12h = 12 hours
231. # Permitted suffixes are: d for day, h for hour, m for minute, s for second.
232. #
233. # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
234. # to your previous 1.x settings so they will be migrated to the database!
235. #elasticsearch_max_time_per_index = 1d
236.  
237. # Disable checking the version of Elasticsearch for being compatible with this Graylog release.
238. # WARNING: Using Graylog with unsupported and untested versions of Elasticsearch may lead to data loss!
239. #elasticsearch_disable_version_check = true
240.  
241. # Disable message retention on this node, i. e. disable Elasticsearch index rotation.
242. #no_retention = false
243.  
244. # How many indices do you want to keep?
245. #
246. # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
247. # to your previous 1.x settings so they will be migrated to the database!
248. elasticsearch_max_number_of_indices = 20
249.  
250. # Decide what happens with the oldest indices when the maximum number of indices is reached.
251. # The following strategies are availble:
252. # - delete # Deletes the index completely (Default)
253. # - close # Closes the index and hides it from the system. Can be re-opened later.
254. #
255. # ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
256. # to your previous 1.x settings so they will be migrated to the database!
257. retention_strategy = delete
258.  
259. # How many Elasticsearch shards and replicas should be used per index? Note that this only applies to newly created indices.
260. # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
261. # to your previous settings so they will be migrated to the database!
262. elasticsearch_shards = 4
263. elasticsearch_replicas = 0
264.  
265. # Prefix for all Elasticsearch indices and index aliases managed by Graylog.
266. #
267. # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
268. # to your previous settings so they will be migrated to the database!
269. elasticsearch_index_prefix = graylog
270.  
271. # Name of the Elasticsearch index template used by Graylog to apply the mandatory index mapping.
272. # Default: graylog-internal
273. #
274. # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
275. # to your previous settings so they will be migrated to the database!
276. #elasticsearch_template_name = graylog-internal
277.  
278. # Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only
279. # be enabled with care. See also: http://docs.graylog.org/en/2.1/pages/queries.html
280. allow_leading_wildcard_searches = true
281.  
282. # Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and
283. # should only be enabled after making sure your Elasticsearch cluster has enough memory.
284. allow_highlighting = false
285.  
286. # Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea.
287. # All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom
288. # Elasticsearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/2.3/analysis.html
289. # Note that this setting only takes effect on newly created indices.
290. #
291. # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
292. # to your previous settings so they will be migrated to the database!
293. elasticsearch_analyzer = standard
294.  
295. # Global request timeout for Elasticsearch requests (e. g. during search, index creation, or index time-range
296. # calculations) based on a best-effort to restrict the runtime of Elasticsearch operations.
297. # Default: 1m
298. #elasticsearch_request_timeout = 1m
299.  
300. # Global timeout for index optimization (force merge) requests.
301. # Default: 1h
302. #elasticsearch_index_optimization_timeout = 1h
303.  
304. # Maximum number of concurrently running index optimization (force merge) jobs.
305. # If you are using lots of different index sets, you might want to increase that number.
306. # Default: 20
307. #elasticsearch_index_optimization_jobs = 20
308.  
309. # Time interval for index range information cleanups. This setting defines how often stale index range information
310. # is being purged from the database.
311. # Default: 1h
312. #index_ranges_cleanup_interval = 1h
313.  
314. # Batch size for the Elasticsearch output. This is the maximum (!) number of messages the Elasticsearch output
315. # module will get at once and write to Elasticsearch in a batch call. If the configured batch size has not been
316. # reached within output_flush_interval seconds, everything that is available will be flushed at once. Remember
317. # that every outputbuffer processor manages its own batch and performs its own batch write calls.
318. # ("outputbuffer_processors" variable)
319. output_batch_size = 500
320.  
321. # Flush interval (in seconds) for the Elasticsearch output. This is the maximum amount of time between two
322. # batches of messages written to Elasticsearch. It is only effective at all if your minimum number of messages
323. # for this time period is less than output_batch_size * outputbuffer_processors.
324. output_flush_interval = 1
325.  
326. # As stream outputs are loaded only on demand, an output which is failing to initialize will be tried over and
327. # over again. To prevent this, the following configuration options define after how many faults an output will
328. # not be tried again for an also configurable amount of seconds.
329. output_fault_count_threshold = 5
330. output_fault_penalty_seconds = 30
331.  
332. # The number of parallel running processors.
333. # Raise this number if your buffers are filling up.
334. processbuffer_processors = 5
335. outputbuffer_processors = 3
336.  
337. #outputbuffer_processor_keep_alive_time = 5000
338. #outputbuffer_processor_threads_core_pool_size = 3
339. #outputbuffer_processor_threads_max_pool_size = 30
340.  
341. # UDP receive buffer size for all message inputs (e. g. SyslogUDPInput).
342. #udp_recvbuffer_sizes = 1048576
343.  
344. # Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping)
345. # Possible types:
346. # - yielding
347. # Compromise between performance and CPU usage.
348. # - sleeping
349. # Compromise between performance and CPU usage. Latency spikes can occur after quiet periods.
350. # - blocking
351. # High throughput, low latency, higher CPU usage.
352. # - busy_spinning
353. # Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores.
354. processor_wait_strategy = blocking
355.  
356. # Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore.
357. # For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache.
358. # Must be a power of 2. (512, 1024, 2048, ...)
359. ring_size = 65536
360.  
361. inputbuffer_ring_size = 65536
362. inputbuffer_processors = 2
363. inputbuffer_wait_strategy = blocking
364.  
365. # Enable the disk based message journal.
366. message_journal_enabled = true
367.  
368. # The directory which will be used to store the message journal. The directory must me exclusively used by Graylog and
369. # must not contain any other files than the ones created by Graylog itself.
370. #
371. # ATTENTION:
372. # If you create a seperate partition for the journal files and use a file system creating directories like 'lost+found'
373. # in the root directory, you need to create a sub directory for your journal.
374. # Otherwise Graylog will log an error message that the journal is corrupt and Graylog will not start.
375. message_journal_dir = /var/lib/graylog-server/journal
376.  
377. # Journal hold messages before they could be written to Elasticsearch.
378. # For a maximum of 12 hours or 5 GB whichever happens first.
379. # During normal operation the journal will be smaller.
380. #message_journal_max_age = 12h
381. #message_journal_max_size = 5gb
382.  
383. #message_journal_flush_age = 1m
384. #message_journal_flush_interval = 1000000
385. #message_journal_segment_age = 1h
386. #message_journal_segment_size = 100mb
387.  
388. # Number of threads used exclusively for dispatching internal events. Default is 2.
389. #async_eventbus_processors = 2
390.  
391. # How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual
392. # shutdown process. Set to 0 if you have no status checking load balancers in front.
393. lb_recognition_period_seconds = 3
394.  
395. # Journal usage percentage that triggers requesting throttling for this server node from load balancers. The feature is
396. # disabled if not set.
397. #lb_throttle_threshold_percentage = 95
398.  
399. # Every message is matched against the configured streams and it can happen that a stream contains rules which
400. # take an unusual amount of time to run, for example if its using regular expressions that perform excessive backtracking.
401. # This will impact the processing of the entire server. To keep such misbehaving stream rules from impacting other
402. # streams, Graylog limits the execution time for each stream.
403. # The default values are noted below, the timeout is in milliseconds.
404. # If the stream matching for one stream took longer than the timeout value, and this happened more than "max_faults" times
405. # that stream is disabled and a notification is shown in the web interface.
406. #stream_processing_timeout = 2000
407. #stream_processing_max_faults = 3
408.  
409. # Length of the interval in seconds in which the alert conditions for all streams should be checked
410. # and alarms are being sent.
411. #alert_check_interval = 60
412.  
413. # Since 0.21 the Graylog server supports pluggable output modules. This means a single message can be written to multiple
414. # outputs. The next setting defines the timeout for a single output module, including the default output module where all
415. # messages end up.
416. #
417. # Time in milliseconds to wait for all message outputs to finish writing a single message.
418. #output_module_timeout = 10000
419.  
420. # Time in milliseconds after which a detected stale master node is being rechecked on startup.
421. #stale_master_timeout = 2000
422.  
423. # Time in milliseconds which Graylog is waiting for all threads to stop on shutdown.
424. #shutdown_timeout = 30000
425.  
426. # MongoDB connection string
427. # See https://docs.mongodb.com/manual/reference/connection-string/ for details
428. #mongodb_uri = mongodb://localhost/graylog
429.  
430. # Authenticate against the MongoDB server
431. #mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog
432.  
433. # Use a replica set instead of a single host
434. mongodb_uri = mongodb://graylog:mypassword@graylog1:27017,graylog2:27017,graylog3:27017/graylog
435.  
436. # Increase this value according to the maximum connections your MongoDB server can handle from a single client
437. # if you encounter MongoDB connection problems.
438. mongodb_max_connections = 1000
439.  
440. # Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5
441. # If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5,
442. # then 500 threads can block. More than that and an exception will be thrown.
443. # http://api.mongodb.com/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
444. mongodb_threads_allowed_to_block_multiplier = 5
445.  
446. # Drools Rule File (Use to rewrite incoming log messages)
447. # See: http://docs.graylog.org/en/2.1/pages/drools.html
448. #rules_file = /etc/graylog/server/rules.drl
449.  
450. # Email transport
451. transport_email_enabled = true
452. transport_email_hostname = mail.mycompany.com
453. transport_email_port = 25
454. transport_email_use_auth = false
455. transport_email_use_tls = false
456. transport_email_use_ssl = false
457. #transport_email_auth_username = you@example.com
458. #transport_email_auth_password = secret
459. transport_email_subject_prefix = [graylog]
460. transport_email_from_email = graylog@mycompany.com
461.  
462. # Specify and uncomment this if you want to include links to the stream in your stream alert mails.
463. # This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users.
464. transport_email_web_interface_url = https://graylog.mycompany.com
465.  
466. # The default connect timeout for outgoing HTTP connections.
467. # Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
468. # Default: 5s
469. #http_connect_timeout = 5s
470.  
471. # The default read timeout for outgoing HTTP connections.
472. # Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
473. # Default: 10s
474. #http_read_timeout = 10s
475.  
476. # The default write timeout for outgoing HTTP connections.
477. # Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
478. # Default: 10s
479. #http_write_timeout = 10s
480.  
481. # HTTP proxy for outgoing HTTP connections
482. #http_proxy_uri =
483.  
484. # Disable the optimization of Elasticsearch indices after index cycling. This may take some load from Elasticsearch
485. # on heavily used systems with large indices, but it will decrease search performance. The default is to optimize
486. # cycled indices.
487. #
488. # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
489. # to your previous settings so they will be migrated to the database!
490. #disable_index_optimization = true
491.  
492. # Optimize the index down to <= index_optimization_max_num_segments. A higher number may take some load from Elasticsearch
493. # on heavily used systems with large indices, but it will decrease search performance. The default is 1.
494. #
495. # ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
496. # to your previous settings so they will be migrated to the database!
497. #index_optimization_max_num_segments = 1
498.  
499. # The threshold of the garbage collection runs. If GC runs take longer than this threshold, a system notification
500. # will be generated to warn the administrator about possible problems with the system. Default is 1 second.
501. #gc_warning_threshold = 1s
502.  
503. # Connection timeout for a configured LDAP server (e. g. ActiveDirectory) in milliseconds.
504. #ldap_connection_timeout = 2000
505.  
506. # Disable the use of SIGAR for collecting system stats
507. #disable_sigar = false
508.  
509. # The default cache time for dashboard widgets. (Default: 10 seconds, minimum: 1 second)
510. #dashboard_widget_default_cache_time = 10s
511.  
512. # Automatically load content packs in "content_packs_dir" on the first start of Graylog.
513. #content_packs_loader_enabled = true
514.  
515. # The directory which contains content packs which should be loaded on the first start of Graylog.
516. content_packs_dir = /usr/share/graylog-server/contentpacks
517.  
518. # A comma-separated list of content packs (files in "content_packs_dir") which should be applied on
519. # the first start of Graylog.
520. # Default: empty
521. content_packs_auto_load = grok-patterns.json
522.  
523. # For some cluster-related REST requests, the node must query all other nodes in the cluster. This is the maximum number
524. # of threads available for this. Increase it, if '/cluster/*' requests take long to complete.
525. # Should be rest_thread_pool_size * average_cluster_size if you have a high number of concurrent users.
526. proxied_requests_thread_pool_size = 32