Secure Graylog
To secure your Graylog setup, build your own installation where you understand each component and secure the environment by design. Expose only the services that are needed, and secure them wherever possible with TLS/SSL and some form of authentication.
When using Amazon Web Services, never open all ports in the security group. Do not expose the server to the internet: access Graylog only from within your VPC, and enable encryption for the communication.
Default Ports
All parts of one Graylog installation communicate over network sockets. Depending on your setup and number of nodes, these sockets might be exposed or can be bound to localhost. The SELinux configuration is covered in our step-by-step guide.
| Component | Port |
|---|---|
| Graylog (web interface / API) | 9000 (tcp) |
| Graylog to search backend | 9200 (tcp) |
| search backend node communication | 9300 (tcp) |
| MongoDB | 27017 (tcp) |
Each setup is unique in its requirements, and ports might be changed by configuration, but you should limit who is able to connect to which service. The architecture description shows which components need to be exposed and which need to communicate with each other.
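As an added check (not part of the Graylog documentation or project code), the following script audits the default ports from the table above against the output of `ss -ltn` on a Linux host and reports which of them are bound to a non-loopback address. The sample `ss` output embedded in it is constructed, not captured from a real host.

```python
"""Report which Graylog default ports are reachable from outside the host."""

# Default ports from the table above (port -> component).
GRAYLOG_DEFAULT_PORTS = {
    9000: "Graylog web interface / API",
    9200: "Graylog to search backend",
    9300: "search backend node communication",
    27017: "MongoDB",
}

# Local addresses that are only reachable from the host itself.
LOOPBACK = ("127.0.0.1", "[::1]", "::1")


def parse_ss_listeners(ss_output):
    """Return (address, port) tuples from `ss -ltn` text.

    Column 4 of each data line is the local socket, e.g. `127.0.0.1:27017`,
    `*:9000`, `0.0.0.0:9200` or `[::]:9300`; splitting on the last colon
    keeps bracketed IPv6 addresses intact.
    """
    listeners = []
    for line in ss_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def exposed_graylog_ports(ss_output):
    """Map each Graylog default port bound to a non-loopback address to its
    component name. Ports that are not listening at all are omitted."""
    exposed = {}
    for addr, port in parse_ss_listeners(ss_output):
        if port in GRAYLOG_DEFAULT_PORTS and addr not in LOOPBACK:
            exposed[port] = GRAYLOG_DEFAULT_PORTS[port]
    return exposed


# Constructed sample of `ss -ltn` output (not from a real host).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:27017    0.0.0.0:*
LISTEN 0      4096   0.0.0.0:9000       0.0.0.0:*
LISTEN 0      4096   [::]:9200          [::]:*
LISTEN 0      4096   127.0.0.1:9300     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
"""

if __name__ == "__main__":
    for port, name in sorted(exposed_graylog_ports(SAMPLE_SS).items()):
        print(f"port {port} ({name}) is bound to a non-loopback address")
```

On a live host, feed it the real output with `ss -ltn` and compare the result against the components the architecture description says must be reachable from other machines.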
Configuring TLS Ciphers
When running Graylog in untrusted environments such as the Internet, we strongly recommend using SSL/TLS for all connections. All TLS-enabled services are configured to support TLS 1.2 or greater by default. If you need to support legacy software, you can change the default TLS protocols with the `enabled_tls_protocols` setting.
When using nginx or Apache httpd for SSL termination, the Mozilla SSL Configuration Generator will help you create a reasonably secure configuration for them.