Network Connectivity and Firewall Requirements

Graylog can be deployed in highly restricted and air-gapped environments, but doing so requires a clear understanding of which network connections are required, optional, or unavailable in locked-down scenarios. This topic consolidates Graylog firewall, port, and outbound connectivity requirements into a single reference for security and network teams.

Hint: This article focuses on network connectivity only. See the documentation for installation, default ports, and permissions management for additional information.

Deployment Connectivity Model

Graylog connectivity requirements fall into two categories:

  • Server-side connectivity: outbound connections initiated by Graylog server components
  • Browser-side connectivity: connections initiated by the user’s browser while accessing the Graylog interface

In mixed environments, browser-side features may still work if the user workstation has internet access even when Graylog servers do not.

Server-to-Server Network Ports

These ports are used for communication between Graylog components. If blocked, core functionality may be impacted. For a full list of default network ports used by Graylog, see Default Ports.

| Source | Destination | Default Port | Protocol | Purpose |
|---|---|---|---|---|
| Graylog Server | Graylog Data Node / OpenSearch | 9200 | TCP | Search and indexing operations |
| Graylog Server | Graylog Data Node | 8999 | TCP | Data Node management, coordination, and health |
| Graylog Server | MongoDB | 27017 | TCP | Metadata and configuration storage |
| User’s Browser | Graylog Server | 9000 | TCP | Web interface and REST API |

Hint: Exact ports may vary based on your configuration and deployment design. See Configuration Settings for more information.

Outbound Connectivity from Graylog Server

These endpoints are contacted by the Graylog server. Blocking them disables or limits the associated functionality.

| Feature | Destination URL | Behavior if Blocked |
|---|---|---|
| Illuminate content installation | https://contenthub.graylog.cloud/, https://glc-illuminate-hub.s3.amazonaws.com/ | Illuminate packs must be delivered and uploaded manually |
| Version checks | https://versioncheck.graylog.com/check | The UI will not show update notifications |
| Remote license verification | https://api.graylog.com | Standard licenses with remote checks enabled eventually become invalid without periodic verification |
| Package installation and upgrades | https://packages.graylog2.org/ | OS-level installs and upgrades via package manager are unavailable |
| Manual downloads | https://downloads.graylog.org/ | Manual retrieval of Graylog artifacts from the public site is unavailable |

Hint: Some endpoints are served via CloudFront. You may also need access to *.cloudfront.net.
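
The script below is an added example, not part of the Graylog documentation: a preflight check, run from a Graylog server, that attempts a TCP connection for each internal port and outbound endpoint listed above and reports the documented impact of every blocked flow. The internal hostnames are placeholders, and the CORE/FEATURE labels and function names are this example's own.

```python
import socket
from urllib.parse import urlsplit

# Server-to-server flows: hostnames are placeholders (assumptions), ports are the page's defaults.
INTERNAL = [
    ("datanode.example.internal", 9200, "Search and indexing operations"),
    ("datanode.example.internal", 8999, "Data Node management, coordination, and health"),
    ("mongodb.example.internal", 27017, "Metadata and configuration storage"),
]
# Server-side outbound endpoints with the page's stated behavior when blocked.
OUTBOUND = [
    ("https://contenthub.graylog.cloud/", "Illuminate packs must be delivered and uploaded manually"),
    ("https://glc-illuminate-hub.s3.amazonaws.com/", "Illuminate packs must be delivered and uploaded manually"),
    ("https://versioncheck.graylog.com/check", "The UI will not show update notifications"),
    ("https://api.graylog.com", "Standard licenses with remote checks eventually become invalid"),
    ("https://packages.graylog2.org/", "Package manager installs and upgrades are unavailable"),
    ("https://downloads.graylog.org/", "Manual retrieval of Graylog artifacts is unavailable"),
]

def tcp_reachable(host, port, timeout=3.0):
    """Try a TCP connect; return (ok, detail) separating rejects from silent drops."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except ConnectionRefusedError:
        return False, "refused (nothing listening, or a firewall reject rule)"
    except socket.timeout:
        return False, "timeout (likely dropped by a firewall)"
    except OSError as exc:  # includes DNS failures, common on air-gapped hosts
        return False, f"error: {exc}"

def endpoint(url):  # (host, port) that an egress rule has to allow for this URL
    parts = urlsplit(url)
    return parts.hostname, parts.port or 443

def preflight(internal=INTERNAL, outbound=OUTBOUND, probe=tcp_reachable):
    """Return (kind, target, impact, detail) for every flow that cannot connect."""
    flows = [("CORE", host, port, why) for host, port, why in internal]
    flows += [("FEATURE", *endpoint(url), effect) for url, effect in outbound]
    findings = []
    for kind, host, port, impact in flows:
        ok, detail = probe(host, port)
        if not ok:
            findings.append((kind, f"{host}:{port}", impact, detail))
    return findings

if __name__ == "__main__":
    for finding in preflight():
        print(" | ".join(finding))
```

A successful connect only shows that the TCP path is open; where outbound traffic has to go through an HTTP proxy, a direct connect fails even though the feature may still work via the proxy.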

Licensing Considerations in Air-Gapped Environments

Standard Graylog licenses require periodic validation. For fully air-gapped environments, contact your Customer Success Manager to request a license designed for offline use.

Browser-Based Connectivity

These endpoints are accessed directly from the user’s browser while interacting with the Graylog interface.

| Feature | Destination URL | Behavior if Blocked |
|---|---|---|
| Homepage news feed | https://graylog.org/post/tag | Feed fails silently |
| Map widget tiles | https://*.tile.openstreetmap.org | The map loads but background tiles are blank |
| Anonymized telemetry submission | https://telemetry.graylog.cloud | Telemetry cannot be submitted |

Telemetry Control

Telemetry can be disabled globally by setting telemetry_enabled = false in server.conf. See Configuration Settings for more information.

Graylog Security External Lookups

Graylog Security provides convenience links from value menus for contextual lookups. These links open in your browser and do not require server-side connectivity.

IP Address Lookups

When viewing IP address values in Graylog Security, the value menu may include links to external threat intelligence services to provide reputation and infrastructure context. These links help analysts determine whether an IP is associated with scanning activity, abuse, or known malicious behavior.

Hash Lookups

For file hash values, Graylog provides links to external malware intelligence and analysis platforms. These services allow analysts to quickly assess whether a hash is associated with known malware or suspicious files.

If browser internet access is restricted, these links will be unavailable without impacting core Graylog functionality.

External Lookup Tables

If Graylog is configured to use external lookup tables, the node performing the lookup must have outbound access to the external data source. Requirements vary based on the lookup implementation.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: