diff --git a/intern/docker_graylog/tasks/main.yml b/intern/docker_graylog/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..38e57a0bf8d8bd82454a1fc32046d49d3ecb3fef
--- /dev/null
+++ b/intern/docker_graylog/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+
+- name: "create folder struct for {{ servicename }}"
+  file: 
+    path: "{{ basedir }}" 
+    state: "directory"
+
+- name: "create folder struct for {{ servicename }}"
+  file: 
+    path: "{{ basedir }}/{{ item }}" 
+    state: "directory"
+    owner: 508
+    group: 508
+  with_items:
+    - "data"
+    - "logs"
+
+- name: "create config files for {{ servicename }}"
+  template: 
+    src: "{{ item }}"
+    dest: "{{ basedir }}/{{ item }}"
+  with_items:
+    - docker-compose.yml 
+
+- name: "start {{ servicename }} docker"
+  docker_compose:
+    project_src: "{{ basedir }}"
+    state: present
+
diff --git a/intern/docker_graylog/templates/docker-compose.yml b/intern/docker_graylog/templates/docker-compose.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2661974ac738183670e1a0e531525bf27fe0325f
--- /dev/null
+++ b/intern/docker_graylog/templates/docker-compose.yml
@@ -0,0 +1,48 @@
+version: "3"
+
+services:
+  mongodb:
+    image: "mongo:5.0"
+    restart: "on-failure"
+
+  opensearch:
+    image: "opensearchproject/opensearch:2.4.1"
+    environment:
+      - "TZ=Europe/Berlin"
+      - "OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g"
+      - "bootstrap.memory_lock=true"
+      - "discovery.type=single-node"
+      - "action.auto_create_index=false"
+      - "plugins.security.ssl.http.enabled=false"
+      - "plugins.security.disabled=true"
+    restart: "on-failure"
+
+  graylog:
+    hostname: "server"
+    image: "graylog/graylog:5.0"
+    entrypoint: "/usr/bin/tini -- wait-for-it opensearch:9200 --  /docker-entrypoint.sh"
+    environment:
+      TZ: "Europe/Berlin"
+      GRAYLOG_NODE_ID_FILE: "/usr/share/graylog/data/config/node-id"
+      GRAYLOG_PASSWORD_SECRET: "warpzonewarpzone"
+      GRAYLOG_ROOT_PASSWORD_SHA2: "26230bc6e5e044e6e3cef7c76a2800fdf2d3952ef03e85c83491b99eef149c40"
+      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9000"
+      GRAYLOG_HTTP_EXTERNAL_URI: "http://graylog.warpzone.lan/"
+      GRAYLOG_ELASTICSEARCH_HOSTS: "http://opensearch:9200"
+      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
+    ports:
+      - "514:5140/udp"   # Syslog
+      - "514:5140/tcp"   # Syslog
+    restart: "on-failure"
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.{{ servicename }}.rule=Host(`{{ domain }}`)
+      - traefik.http.routers.{{ servicename }}.entrypoints=websecure
+      - traefik.http.services.{{ servicename }}.loadbalancer.server.port=9000
+    networks:
+      - web
+      - default
+
+networks:
+  web:
+    external: true
diff --git a/site.yml b/site.yml
index ab66e1c244b5dad630f0e2765cc6151597a8d6c2..eba9ad06ce1854813c9258ee0f73be37712115bb 100644
--- a/site.yml
+++ b/site.yml
@@ -95,7 +95,13 @@
         domain: "omada.warpzone.lan",
         certFile: "/srv/traefik/warpzone+internal+services.pem",
         keyFile: "/srv/traefik/warpzone+internal+services.key"
-      }  
+      }
+    - {
+        role: intern/docker_graylog, tags: graylog,
+        servicename: graylog,
+        basedir: /srv/graylog,
+        domain: "graylog.warpzone.lan"
+      }
 
 
 - hosts: webserver