To secure your Graylog setup create your own unique installation where you understand each component and secure the environment by design. Expose only the services that are needed and secure them whenever possible with TLS/SSL and some kind of authentication.

When using Amazon Web Services, never open all ports in the security group. Do not expose the server to the internet. Access Graylog only from within your VPC. Enable encryption for the communication.

Default Ports

All parts of one Graylog installation will communicate over network sockets. Depending on your setup and number of nodes this might be exposed or can be bound to localhost. The SELinux configuration is already covered in our step-by-step guide for CentOS Linux.

Default Network Communication Ports

Component	Port
Graylog (web interface / API)	9000 (tcp)
Graylog to Elasticsearch	9200 (tcp)
Elasticsearch node communication	9300 (tcp)
MongoDB	27017 (tcp)

Each setup is unique in the requirements and ports might be changed by configuration, but you should limit who is able to connect to which service. In the architecture description you can see what components need to be exposed and communicate with each other.

Configuring TLS Ciphers

When running Graylog in untrusted environments such as the Internet, we strongly recommend to use SSL/TLS for all connections. All TLS enabled services are configured to support TLS 1.2 or greater by default. In case you need to support legacy software, you can change the default TLS protocols with the enabled_tls_protocols setting.

When using nginx or Apache httpsd for SSL termination the Mozilla SSL Configuration Generator will help to create a reasonably secure configuration for them.

Security Related Topics

• Generating Graylog certificates and keys with Microsoft AD CS
• Secured Graylog and Beats input
• Logging user activity
• Using ModSecurity
• The URL Whitelist