# If you are running more than one instances of graylog2-server you have to sele

1. # If you are running more than one instances of graylog2-server you have to select one of these
2. # instances as master. The master will perform some periodical tasks that non-masters won't perform.
3. is_master = true
4.  
5. # The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
6. # to use an absolute file path here if you are starting graylog2-server from init scripts or similar.
7. node_id_file = /etc/graylog2-server-node-id
8.  
9. # You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
10. # Generate one by using for example: pwgen -s 96
11. password_secret = SECRET=$(pwgen -s 96 1)
12. sudo -E sed -i -e 's/password_secret =.*/password_secret = '$SECRET'/' /etc/graylog2.conf
13. # the default root user is named 'admin'
14. # root_username = admin
15. # You MUST specify a hash password for the root user (which you only need to initially set up the
16. # system and in case you lose connectivity to your authentication backend)
17. # This password cannot be changed using the API or via the web interface. If you need to change it,
18. # modify it in this file.
19. # Create one by using for example: echo -n yourpassword | shasum -a 256
20. # and put the resulting hash value into the following line
21. root_password_sha2 = PASSWORD=$(echo -n #0danicri0# | shasum -a 256 | awk '{print $1}')
22. sudo -E sed -i -e 's/root_password_sha2 =.*/root_password_sha2 = '$PASSWORD'/' /etc/graylog2.conf
23.  
24. # Set plugin directory here (relative or absolute)
25. plugin_dir = plugin
26.  
27. # REST API listen URI. Must be reachable by other graylog2-server nodes if you run a cluster.
28. rest_listen_uri = http://127.0.0.1:12900/
29. # REST API transport address. Defaults to first non-loopback IPv4 system address and port 12900.
30. # This will be promoted in the cluster discovery APIs and other nodes may try to connect on this
31. # address. (see rest_listen_uri)
32. #rest_transport_uri = http://127.0.0.1:12900/
33.  
34. # Enable CORS headers for REST api. This is necessary for JS-clients accessing the server directly.
35. # If these are disabled, modern browsers will not be able to retrieve resources from the server.
36. # This is disabled by default. Uncomment the next line to enable it.
37. #rest_enable_cors = true
38.  
39. # Enable GZIP support for REST api. This compresses API responses and therefore helps to reduce
40. # overall round trip times. This is disabled by default. Uncomment the next line to enable it.
41. #rest_enable_gzip = true
42.  
43. # Embedded elasticsearch configuration file
44. # pay attention to the working directory of the server, maybe use an absolute path here
45. elasticsearch_config_file = /etc/elasticsearch/elasticsearch.yml
46.  
47. elasticsearch_max_docs_per_index = 20000000
48.  
49. # How many indices do you want to keep?
50. # elasticsearch_max_number_of_indices*elasticsearch_max_docs_per_index=total number of messages in your setup
51. elasticsearch_max_number_of_indices = 20
52. # Decide what happens with the oldest indices when the maximum number of indices is reached.
53. # The following strategies are availble:
54. # - delete # Deletes the index completely (Default)
55. # - close # Closes the index and hides it from the system. Can be re-opened later.
56. retention_strategy = delete
57.  
58. # How many ElasticSearch shards and replicas should be used per index? Note that this only applies to newly created indices.
59. elasticsearch_shards = 1
60. elasticsearch_replicas = 0
61.  
62. elasticsearch_index_prefix = graylog2
63.  
64. # Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only
65. # be enabled with care. See also: http://support.torch.sh/help/kb/graylog2-web-interface/the-search-bar-explained
66. allow_leading_wildcard_searches = false
67.  
68. # Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and
69. # should only be enabled after making sure your elasticsearch cluster has enough memory.
70. # settings to be passed to elasticsearch's client (overriding those in the provided elasticsearch_config_file)
71. # all these
72. # this must be the same as for your elasticsearch cluster
73. elasticsearch_cluster_name = graylog-production
74.  
75. # you could also leave this out, but makes it easier to identify the graylog2 client instance
76. elasticsearch_node_name = graylog2-server
77.  
78. # we don't want the graylog2 server to store any data, or be master node
79. elasticsearch_node_master = true
80. elasticsearch_node_data = true
81.  
82. # use a different port if you run multiple elasticsearch nodes on one machine
83. elasticsearch_transport_tcp_port = 9200
84. # we don't need to run the embedded HTTP server here
85. elasticsearch_http_enabled = true
86.  
87. elasticsearch_discovery_zen_ping_multicast_enabled = true
88. elasticsearch_discovery_zen_ping_unicast_hosts = 192.168.217.67:9300
89.  
90. # the following settings allow to change the bind addresses for the elasticsearch client in graylog2
91. # these settings are empty by default, letting elasticsearch choose automatically,
92. # override them here or in the 'elasticsearch_config_file' if you need to bind to a special address
93. # refer to http://www.elasticsearch.org/guide/en/elasticsearch/reference/0.90/modules-network.html for special values here
94. # elasticsearch_network_host =
95. # elasticsearch_network_bind_host =
96. # elasticsearch_network_publish_host =
97.  
98. # Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea.
99. # All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom
100. # ElasticSearch documentation: http://www.elasticsearch.org/guide/reference/index-modules/analysis/
101. # Note that this setting only takes effect on newly created indices.
102. elasticsearch_analyzer = standard
103.  
104. # Batch size for all outputs. This is the maximum (!) number of messages an output module will get at once.
105. # For example, if this is set to 5000 (default), the ElasticSearch Output will not index more than 5000 messages
106. # at once. After that index operation is performed, the next batch will be indexed. If there is only 1 message
107. # waiting, it will only index that single message. It is important to raise this parameter if you send in so
108. # many messages that it is not enough to index 5000 messages at once. (Only at *really* high message rates)
109. output_batch_size = 5000
110.  
111. # The number of parallel running processors.
112. # Raise this number if your buffers are filling up.
113. processbuffer_processors = 5
114. outputbuffer_processors = 5
115.  
116. # Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping)
117. # Possible types:
118. # - yielding
119. # Compromise between performance and CPU usage.
120. # - sleeping
121. # Compromise between performance and CPU usage. Latency spikes can occur after quiet periods.
122. # - blocking
123. # High throughput, low latency, higher CPU usage.
124. # - busy_spinning
125. # Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores.
126. processor_wait_strategy = blocking
127.  
128. # Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore.
129. # For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache.
130. # Start server with --statistics flag to see buffer utilization.
131. # Must be a power of 2. (512, 1024, 2048, ...)
132. ring_size = 1024
133.  
134. # EXPERIMENTAL: Dead Letters
135. # Every failed indexing attempt is logged by default and made visible in the web-interface. You can enable
136. # the experimental dead letters feature to write every message that was not successfully indexed into the
137. # MongoDB "dead_letters" collection to make sure that you never lose a message. The actual writing of dead
138. # letter should work fine already but it is not heavily tested yet and will get more features in future
139. # releases.
140. dead_letters_enabled = false
141.  
142. # How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual
143. # shutdown process. Set to 0 if you have no status checking load balancers in front.
144. lb_recognition_period_seconds = 3
145.  
146. # MongoDB Configuration
147. mongodb_useauth = false
148. #mongodb_user = grayloguser
149. #mongodb_password = 123
150. mongodb_host = 127.0.0.1
151. #mongodb_replica_set = localhost:27017,localhost:27018,localhost:27019
152. mongodb_database = graylog2
153. mongodb_port = 27017
154.  
155. # Raise this according to the maximum connections your MongoDB server can handle if you encounter MongoDB connection problems.
156. mongodb_max_connections = 100
157. # Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5
158. # If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5, then 500 threads can block. More than t$
159. # http://api.mongodb.org/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
160. mongodb_threads_allowed_to_block_multiplier = 5
161.  
162. # Drools Rule File (Use to rewrite incoming log messages)
163. # See: http://support.torch.sh/help/kb/graylog2-server/custom-message-rewritingprocessing
164. # rules_file = /etc/graylog2.drl
165.  
166. # Email transport
167. transport_email_enabled = false
168. transport_email_hostname = mail.example.com
169. transport_email_port = 587
170. transport_email_use_auth = true
171. transport_email_use_tls = true
172. transport_email_use_ssl = true
173. transport_email_auth_username = you@example.com
174. transport_email_auth_password = secret
175. transport_email_subject_prefix = [graylog2]
176. transport_email_from_email = graylog2@example.com
177.  
178. # Specify and uncomment this if you want to include links to the stream in your stream alert mails.
179. # This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users.
180. #
181. # transport_email_web_interface_url = https://graylog2.example.com
182.  
183. # HTTP proxy for outgoing HTTP calls
184. #http_proxy_uri =