diff --git a/CHANGELOG.md b/CHANGELOG.md
index 51ce155e..0a307be6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Added +* graylog: new role + ### Changed * apt: with Debian 12, backports are installed but disabled by default
diff --git a/graylog/README.md b/graylog/README.md
new file mode 100644
index 00000000..1ad4e712
--- /dev/null
+++ b/graylog/README.md
@@ -0,0 +1,18 @@
+# Graylog
+
+Installation and basic configuration of Graylog.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+Main variables are :
+
+* `graylog_version`: the Graylog version to install (default: `5.0`),
+* `graylog_listen_ip`: the listen IP for Graylog (default: `"127.0.0.1"`),
+* `graylog_listen_port`: the listen port for Graylog (default: `9000`),
+* `graylog_custom_datadir`: the Graylog data directory (default: `""`, the empty string).
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
diff --git a/graylog/defaults/main.yml b/graylog/defaults/main.yml
new file mode 100644
index 00000000..26ed02ea
--- /dev/null
+++ b/graylog/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+graylog_version: "5.0"
+graylog_listen_ip: "127.0.0.1"
+graylog_listen_port: 9000
+graylog_custom_datadir: ""
diff --git a/graylog/tasks/main.yml b/graylog/tasks/main.yml
new file mode 100644
index 00000000..66e1b5c3
--- /dev/null
+++ b/graylog/tasks/main.yml
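Review bot: `graylog_root_password_sha2` is consumed by `tasks/main.yml` (the `root_password_sha2` task runs only when it is defined) but has no entry in this defaults file and is not listed in the README, so a user reading `defaults/main.yml` alone cannot discover it. A commented placeholder such as `# graylog_root_password_sha2: ""  # SHA-2 digest of the admin password; set it in inventory or a vault` and a matching README bullet would close that gap. Leaving it undefined keeps `root_password_sha2 =` empty in `server.conf` while the service is still started and enabled later in the role, so the consequence of omitting it should be stated next to the variable.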
@@ -0,0 +1,100 @@
+---
+
+- name: Dependencies are installed
+ ansible.builtin.apt:
+ name:
+ - apt-transport-https
+ - openjdk-11-jre-headless
+ - uuid-runtime
+ - pwgen
+ - dirmngr
+ - gnupg
+ - wget
+ update_cache: yes
+
+- name: Elasticsearch is configured
+ ansible.builtin.lineinfile:
+ dest: '/etc/elasticsearch/elasticsearch.yml'
+ line: 'action.auto_create_index: false'
+ register: es_config
+
+- name: Elasticsearch is restarted
+ ansible.builtin.systemd:
+ name: elasticsearch
+ state: restarted
+ when: es_config is changed
+
+- name: Graylog repository is installed
+ ansible.builtin.apt:
+ deb: 'https://packages.graylog2.org/repo/packages/graylog-{{ graylog_version }}-repository_latest.deb'
+
+- name: Graylog is installed
+ ansible.builtin.apt:
+ name:
+ - graylog-server
+ update_cache: yes
+
+- name: Graylog password_secret is set
+ ansible.builtin.replace:
+ dest: '/etc/graylog/server/server.conf'
+ regexp: '^(password_secret =)$'
+ replace: '\1 {{ lookup("ansible.builtin.password", "/dev/null chars=ascii_lowercase,digits length=96") }}'
+
+- name: Graylog root_password_sha2 is set
+ ansible.builtin.replace:
+ dest: '/etc/graylog/server/server.conf'
+ regexp: '^(root_password_sha2 =)$'
+ replace: '\1 {{ graylog_root_password_sha2 }}'
+ when: graylog_root_password_sha2 is defined
+
+- name: Graylog http_bind_address is set
+ ansible.builtin.lineinfile:
+ dest: '/etc/graylog/server/server.conf'
+ line: 'http_bind_address = {{ graylog_listen_ip }}:{{ graylog_listen_port }}'
+
+- block:
+ - name: "Is {{ graylog_custom_datadir }} present ?"
+ ansible.builtin.stat:
+ path: "{{ graylog_custom_datadir }}"
+ check_mode: no
+ register: graylog_custom_datadir_test
+
+ - name: "read the real datadir"
+ ansible.builtin.command:
+ cmd: readlink -f /var/lib/graylog-server
+ changed_when: False
+ check_mode: no
+ register: graylog_current_real_datadir_test
+ when: graylog_custom_datadir is defined and graylog_custom_datadir | length > 0
+
+- block:
+ - name: Graylog is stopped
+ ansible.builtin.service:
+ name: graylog-server
+ state: stopped
+
+ - name: Move Graylog datadir to {{ graylog_custom_datadir }}
+ ansible.builtin.command:
+ cmd: mv {{ graylog_current_real_datadir_test.stdout }} {{ graylog_custom_datadir }}
+ args:
+ creates: "{{ graylog_custom_datadir }}"
+
+ - name: Symlink {{ graylog_custom_datadir }} to /var/lib/graylog-server
+ ansible.builtin.file:
+ src: "{{ graylog_custom_datadir }}"
+ dest: '/var/lib/graylog-server'
+ state: link
+ when:
+ - graylog_custom_datadir | length > 0
+ - graylog_custom_datadir != graylog_current_real_datadir_test.stdout
+ - not graylog_custom_datadir_test.stat.exists
+
+- name: Graylog is started
+ ansible.builtin.service:
+ name: graylog-server
+ state: started
+
+- name: Graylog is enabled
+ ansible.builtin.service:
+ name: graylog-server
+ enabled: yes
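Review bot: The `password_secret` and `root_password_sha2` replace tasks write secrets into `server.conf` without `no_log: true`, so the generated secret and the supplied password hash can appear in controller output, callback plugins and the task diff when the play runs with `--diff`; add `no_log: true` to both tasks. The `http_bind_address` lineinfile has no `regexp`, so a later change of `graylog_listen_ip` or `graylog_listen_port` appends a second `http_bind_address` line instead of replacing the first; `regexp: '^#?http_bind_address ='` makes the task converge. The repository bootstrap `.deb` fetched from packages.graylog2.org is installed through `apt: deb:` with no checksum, so only TLS protects that download; fetching it with `get_url` and a `checksum:` recorded for the pinned `graylog_version` (value to be filled in by the maintainer) before installing would pin it. The `mv` command interpolates `graylog_current_real_datadir_test.stdout` and `graylog_custom_datadir` unquoted into `cmd`, so a path containing whitespace is split into extra arguments — passing them through `argv` avoids that, and the `readlink` result it depends on is only registered when the first block runs, which the second block's first `when` condition does guard. The truthy spellings `update_cache: yes`, `check_mode: no`, `changed_when: False` and `enabled: yes` are flagged by yamllint's truthy rule; `true`/`false` keeps the file consistent with `defaults/main.yml`.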