Welcome to the Graylog documentation

NOTE: There are multiple options for reading this documentation. See link to the lower left.

Graylog

• Architectural considerations
  • Minimum setup
  • Bigger production setup
  • Graylog Architecture Deep Dive
• Getting Started
  • Planning Your Log Collection
    • Strategies
    • Use Cases
    • Event Log Sources
    • Collection method
    • Users
    • Retention
  • Download & Install Graylog
    • Operating System Packages
    • Configuration Management
    • Containers
    • Virtual Appliances
  • Initial Configuration
    • server.conf
    • elasticsearch.yml
  • Connect to the Web Console
  • Explore Graylog
    • Streams
    • Searches
    • Dashboards
    • Alerts
    • System
  • Collect Messages
    • Content packs
    • Create an Input
    • Verify Messages Are Being Collected
• Installing Graylog
  • Virtual Machine Appliances
    • Pre-Considerations
    • Download
    • Run the image
    • Logging in
    • Configuration
    • VMWare ESXi
    • Update OVA to latest Version
    • Production readiness
  • Operating System Packages
    • Prerequisites
    • Step by Step Guides
    • DEB / APT
    • RPM / YUM / DNF
    • Step-by-step guides
    • Feedback
  • Chef, Puppet, Ansible
  • Docker
    • Requirements
    • Quick start
    • Configuration
    • Persisting data
    • Plugins
    • Kubernetes automatic master selection
    • Nomad automatic master selection
    • Troubleshooting
    • Testing a beta version
  • Amazon Web Services
    • AMIs
    • Usage
    • Networking
    • HTTPS
    • Basic configuration
    • Production readiness
  • Manual Setup
    • Graylog server on Linux
  • System requirements
• Upgrading Graylog
  • Upgrading to Graylog 2.0.x
    • Elasticsearch 2.x
    • MongoDB
    • Log4j 2 migration
    • Dead Letters feature removed
    • Removed configuration settings
    • Changed configuration defaults
    • Changed prefixes for configuration override
    • REST API Changes
    • Web Interface Config Changes
  • Upgrading to Graylog 2.1.x
    • HTTPS Setup
    • Web Interface Listener
    • Internal Metrics to MongoDB
    • Configuration file changes
    • Graylog REST API
    • For Plugin Authors
    • Changed Elasticsearch Cluster Status Behavior
    • Changes in message field values trimming
  • Upgrading to Graylog 2.2.x
    • Email Alarm Callback
    • Alert Notifications (previously known as Alarm Callbacks)
    • Default stream/Index Sets
    • RotationStrategy & RetentionStrategy Interfaces
    • Changes in Exposed Configuration
    • Changes in Split & Count Converter
    • Graylog REST API
  • Upgrading to Graylog 2.3.x
    • Graylog switches to Elasticsearch HTTP client
    • Graylog REST API
  • Upgrading to Graylog 2.4.x
    • More plugins shipped by default
  • Upgrading to Graylog 2.5.x
    • Protecting against CSRF, HTTP header required
    • Elasticsearch 6 changes
  • Upgrading to Graylog 3.0.x
    • Elasticsearch Version Requirements
    • Simplified HTTP interface configuration
    • Plugins merged into the Graylog server
    • New “bin_dir” and “data_dir” configuration parameters
    • Removed support for Drools-based filters
    • Changed metrics name for stream rules
    • Email alarm callback default settings
    • Collector Sidecar is deprecated
    • Legacy Content Packs
    • Elasticsearch 6 changes
  • Upgrading to Graylog 3.1.x
    • Views & Extended Search
    • Alerts
  • Upgrading to Graylog 3.2.x
    • Migrating Dashboards
    • Changed Default TLS Protocols
    • Indexing Requests use HTTP Expect: 100-Continue Header
    • Accounted Message Size Field
    • Known Bugs and Limitations
  • Upgrading to Graylog 3.3.x
    • [BREAKING] Fixing certificate validation for LDAP servers used for authentication
    • Deprecating legacy Aggregation API endpoints
    • API Access Token Encryption
    • Dashboards API
    • Saved Searches API
    • CSV Export API
    • Enterprise Audit Log
    • Notes for plugin authors
  • Upgrading to Graylog 4.0.x
    • Breaking Changes
    • API Endpoint Deprecations
    • API Endpoint Removals
  • Upgrading Graylog Originally Installed from Image
  • Upgrading Graylog Originally Installed from Package
  • Upgrading Elasticsearch
    • Elasticsearch Reindexing Notes
    • Elasticsearch 6 Upgrade Notes
    • Elasticsearch 7 Upgrade Notes
    • Elasticsearch Rolling Upgrade Notes
• Configuring Graylog
  • server.conf
    • Properties
  • Web interface
    • Overview
    • Configuration Options
    • How does the web interface connect to the Graylog server?
    • Browser Compatibility
    • Making the web interface work with load balancers/proxies
  • Load balancer integration
    • Load balancer state
    • Graceful shutdown
    • Web Interface
  • Using HTTPS
    • Things to consider
    • Certificate/Key file format
    • Creating a self-signed private key/certificate
    • Converting a PKCS #12 (PFX) file to private key and certificate pair
    • Converting an existing Java Keystore to private key/certificate pair
    • Sample files
    • Adding a self-signed certificate to the JVM trust store
  • Multi-node Setup
    • Prerequisites
    • MongoDB replica set
    • Elasticsearch cluster
    • Graylog Multi-node
    • Scaling
    • Troubleshooting
  • Elasticsearch
    • Elasticsearch versions
    • Configuration
    • Avoiding split-brain and shard shuffling
    • Custom index mappings
    • Cluster Status explained
  • Index model
    • Overview
    • Index Set Configuration
    • Maintenance
  • Backup
    • Disaster recovery
  • Default file locations
    • DEB package
    • RPM package
  • Graylog REST API
    • Using the API browser
    • Interacting with the Graylog REST API
• Securing Graylog
  • Default ports
  • Configuring TLS ciphers
  • Security related topics
    • Generating Graylog certificates and keys with Microsoft AD CS
    • Secured Graylog and Beats input
    • Logging user activity
    • Using ModSecurity
    • The URL Whitelist
• Sending in log data
  • What are Graylog message inputs?
  • Log sources
    • Ingest syslog
    • Ingest journald
    • Ingest Windows eventlog
    • Ingest CEF
    • Ingest Raw/Plaintext
    • Ingest GELF
    • Ingest from files
    • Ingest JSON path from HTTP API
    • Ingest Application Data
  • Individual Inputs
    • Beats
    • AWS Kinesis/CloudWatch Input
    • IPFIX Input
    • Okta Log Events Input
    • Palo Alto Networks Input
  • Using Apache Kafka as transport queue
  • Using RabbitMQ (AMQP) as transport queue
  • Input Throttling
    • Graylog Inputs that support throttling
    • Enabling throttling
    • Throttling criteria
• Graylog Sidecar
  • Installation
    • Install the Sidecar
    • Install collectors
  • Sidecar Configuration
    • sidecar.yml Reference
    • First start
    • Mode of Operation
    • Sidecar Status
  • Step-by-step guide
  • Creating a new Log Collector
  • Using Configuration Variables
    • Runtime Variables
  • Secure Sidecar Communication
    • Certificate based client authentication
  • Run Sidecar as non-root user
  • Upgrading from the Collector Sidecar
    • 1. Install New Sidecar
    • 2. Migrate configuration
    • 3. Adopt configuration to Graylog 3.0
    • 4. Switch over to the new Sidecar
    • Sidecar Configuration Migrator
  • Sidecar Glossary
    • Configuration
    • Inputs
  • Debug
  • Uninstall
  • Known Problems
• Searching
  • Search query language
    • Syntax
    • Escaping
  • Time frame selector
    • Relative time frame selector
    • Absolute time frame selector
    • Keyword time frame selector
  • Saved Searches
  • Widgets
    • Creating a widget
    • Aggregation
    • Message Table
    • Repositioning and Resizing
  • Decorators
    • List active decorators
    • Syslog severity mapper
    • Format string
    • Pipeline Decorator
    • Further functionality
  • Parameters
    • Declaring a parameter
    • Default values
  • Export results as CSV
    • Exporting Message Tables on a Dashboard
    • Decorator Support
    • Exporting the full message
    • Troubleshooting
  • Search result highlighting
    • Enabling/Disabling search result highlighting
  • Search configuration
    • Query time range limit
    • Relative time ranges
• Streams
  • What are streams?
    • What’s the difference to saved searches?
  • How do I create a stream?
  • Index Sets
    • Storage requirements
  • Outputs
  • Use cases
  • How are streams processed internally?
  • Stream Processing Runtime Limits
    • How to configure the timeout values if the defaults do not match
    • What could cause it?
    • Summary: How do I solve it?
  • Programmatic access via the REST API
    • Checking for currently active alert/triggered conditions
    • List of already triggered stream alerts
  • FAQs
    • Using regular expressions for stream matching
    • Can I add messages to a stream after they were processed and stored?
    • Can I write own outputs, alert conditions or notifications?
• Alerts
  • Alerts & Events
  • Defining an Event
    • Priority
  • Filter
    • Filter with dynamic lists (Enterprise feature)
  • Aggregation
  • Fields
  • Notifications
    • Data available to notifications
    • Email alert notification
    • HTTP alert notification
    • PagerDuty alert notification
    • Slack alert notification
    • Script alert notification [Enterprise]
    • Legacy Script alert callback
  • Event Summary
• Dashboards
  • Why dashboards matter
  • How to use dashboards
    • Creating an empty dashboard
    • Adding and configuring widgets
  • Widget specific search criteria
  • Examples
  • Result
  • Export a search as a dashboard
  • Widget cache times
  • Dashboard permissions
    • That’s it!
• Extractors
  • The problem explained
  • Graylog extractors explained
  • Import extractors
  • Using regular expressions to extract data
  • Using Grok patterns to extract data
  • Using the JSON extractor
  • Automatically extract all key=value pairs
  • Normalization
    • The standard date converter
    • The flexible date converter
• Processing Pipelines
  • Pipelines
    • Overview
    • Pipeline structure
  • Rules
    • Overview
    • Rule Structure
    • Data Types
    • Conditions
    • Actions
  • Stream connections
    • Overview
    • The All messages stream
    • The importance of message processor ordering
  • Functions
    • Overview
    • Function Index
  • Usage
    • Overview
    • Configuration
    • Manage rules
    • Managing pipelines
    • Connect pipelines to streams
    • Simulate your changes
• Lookup Tables
  • Components
    • Data Adapters
    • Caches
    • Lookup Tables
    • Lookup Results
  • Setup
    • Create Data Adapter
    • Create Cache
    • Create Lookup Table
  • Usage
    • Extractors
    • Converters
    • Decorators
    • Pipeline Rules
  • Built-in Data Adapters
    • CSV File Adapter
    • DNS Lookup Adapter
    • DSV File from HTTP Adapter
    • HTTP JSONPath Adapter
    • Geo IP - MaxMind Databases
  • Enterprise Data Adapters
  • MongoDB
    • Alter from HTTP Rest API
    • Alter from Pipeline Function
    • Alter from GUI
• Geolocation
  • Setup
    • Download the database
    • Configure Lookup Table
    • Use the Lookup Table
  • Visualize geolocations in a map
    • Display a map in the search results page
    • Add map to a dashboard
  • FAQs
    • Will Graylog extract IPs from all fields?
    • What geo-information is extracted from IPs?
    • Where is the extracted geo-information stored?
    • Which geo-points format does Graylog use to store coordinates?
    • I have a field in my messages with coordinates information already, can I use it in Graylog?
    • Not all fields containing IP addresses are resolved. Why does this happen?
• Indexer failures
  • Common indexer failure reasons
    • MapperParsingException
• Permission Management
  • Authentication
  • Users
  • Roles
    • Providing Dashboard Creation Access
  • Teams
    • AD/LDAP Synchronization with Teams
  • Sharing
    • Sharing Streams and Dashboards with Teams
    • Sharing within Teams
    • Sharing Dashboards within Teams
• Plugins
  • About Plugins
  • Plugin Types
  • Writing Plugins
    • Sample Plugin
    • Creating a plugin skeleton
    • The anatomy of a plugin
    • Required conventions for web plugins
    • Best practices for web plugin development
    • Building plugins
  • Installing and loading plugins
• Content Packs
  • What are content packs?
    • Parameter
  • How do I create a Content Pack?
  • Upload a content pack
  • Installing a content pack
  • Uninstalling a content pack
• Graylog Marketplace
  • GitHub integration
  • General best practices
    • README content
    • License
  • 4 Types of Add-Ons
  • Contributing plug-ins
  • Contributing content packs
  • Contributing GELF libraries
  • Contributing other content
• Frequently asked questions
  • General
    • Do I need to buy a license to use Graylog?
    • How long do you support older versions of the Graylog product?
  • Architecture
    • What is MongoDB used for?
    • Can you guide me on how to replicate MongoDB for High Availability?
    • I have datacenters across the world and do not want logs forwarding from everywhere to a central location due to bandwidth, etc. How do I handle this?
    • Which load balancers do you recommend we use with Graylog?
    • Isn’t Java slow? Does it need a lot of memory?
    • Does Graylog encrypt log data?
    • Where are the log files Graylog produces?
  • Installation / Setup
    • Should I download the OVA appliances or the separate packages?
    • How do I find out if a specific log source is supported?
    • Can I install the Graylog Server on Windows?
    • Can I run Graylog on Azure?
  • Functionality
    • Can Graylog automatically clean old data?
    • Does Graylog support LDAP / Active Directory and its groups?
    • Do we have a user audit log for compliance?
    • Does Graylog have reporting functionality?
    • Can I filter inbound messages before they are processed by the Graylog server?
    • Dedicated Partition for the Journal
    • Raise the Java Heap
    • How can I start an input on a port below 1024?
  • Graylog & Integrations
    • What is the best way to integrate my applications to Graylog?
    • I have a log source that creates dynamic syslog messages based on events and subtypes and grok patterns are difficult to use - what is the best way to handle this?
    • I want to archive my log data. Can I write to another database, for example HDFS / Hadoop, from Graylog?
    • I don’t want to use Elasticsearch as my backend storage system – can I use another database, like MySQL, Oracle, etc?
    • How can I create a restricted user to check internal Graylog metrics in my monitoring system?
  • Troubleshooting
    • I’m sending in messages, and I can see they are being accepted by Graylog, but I can’t see them in the search. What is going wrong?
    • I have configured an SMTP server or an output with TLS connection and receive handshake errors. What should I do?
    • Suddenly parts of Graylog did not work as expected
    • I cannot go past page 66 in search results
    • My field names contain dots and stream alerts do not match anymore
    • What does “Uncommited messages deleted from journal” mean?
    • What does “Journal utilization is too high” mean?
    • How do I fix the “Deflector exists as an index and is not an alias” error message?
    • How do I enable debug logging for a specific plugin or area of Graylog?
    • Have another troubleshooting question?
  • Support
    • I think I’ve found a bug, how do I report it?
    • I’m having issues installing or configuring Graylog, where can I go for support?
• The thinking behind the Graylog architecture and why it matters to you
  • A short history of Graylog
  • The log management market today
    • Architectural considerations
    • Blackboxes
  • The future
• Changelog
  • Graylog 4.0.5
    • Core
  • Graylog 4.0.4
    • Core
    • Integrations Plugin
  • Graylog 4.0.3
    • Core
    • Integrations Plugin
  • Graylog 4.0.2
    • Core
    • Legacy Collector Plugin
    • Threatintel Plugin
  • Graylog 4.0.1
    • Core
    • Integrations Plugin
    • Threatintel Plugin
  • Graylog 4.0.0
    • Core
    • Integrations Plugin
  • Graylog 3.3.11
    • Core
  • Graylog 3.3.10
    • Core
  • Graylog 3.3.9
    • Core
  • Graylog 3.3.8
  • Graylog 3.3.7
    • Core
  • Graylog 3.3.6
    • Core
    • Legacy AWS Plugin
    • Integrations Plugin
  • Graylog 3.3.5
  • Graylog 3.3.4
  • Graylog 3.3.3
    • Core
  • Graylog 3.3.2
    • Core
    • Integrations Plugin
  • Graylog 3.3.1
    • Core
  • Graylog 3.3.0
    • Core
  • Graylog 3.2.6
    • Core
  • Graylog 3.2.5
    • Core
    • AWS Plugin (legacy)
  • Graylog 3.2.4
    • Core
  • Graylog 3.2.3
    • Core
  • Graylog 3.2.2
    • Core
    • Integrations Plugin
  • Graylog 3.2.1
    • Core
  • Graylog 3.2.0
    • Core
    • Integrations Plugin
  • Graylog 3.1.4
    • Core
    • Integrations Plugin
  • Graylog 3.1.3
    • Core
    • Integrations Plugin
  • Graylog 3.1.2
    • Core
  • Graylog 3.1.1
    • Core
    • Integrations Plugin
  • Graylog 3.1.0
    • Views & Extended Search
    • Core
  • Graylog 3.0.2
  • Graylog 3.0.1
  • Graylog 3.0.0
  • Graylog 2.5.2
  • Graylog 2.5.1
  • Graylog 2.5.0
  • Graylog 2.4.7
  • Graylog 2.4.6
  • Graylog 2.4.5
  • Graylog 2.4.4
  • Graylog 2.4.3
  • Graylog 2.4.2
  • Graylog 2.4.1
  • Graylog 2.4.0
  • Graylog 2.4.0-rc.2
  • Graylog 2.4.0-rc.1
  • Graylog 2.4.0-beta.4
  • Graylog 2.4.0-beta.3
  • Graylog 2.4.0-beta.2
  • Graylog 2.4.0-beta.1
  • Graylog 2.3.2
  • Graylog 2.3.1
  • Graylog 2.3.0
  • Graylog 2.2.3
  • Graylog 2.2.2
  • Graylog 2.2.1
  • Graylog 2.2.0
  • Graylog 2.1.3
  • Graylog 2.1.2
  • Graylog 2.1.1
  • Graylog 2.1.0
  • Graylog 2.0.3
  • Graylog 2.0.2
  • Graylog 2.0.1
  • Graylog 2.0.0
  • Graylog 1.3.4
  • Graylog 1.3.3
  • Graylog 1.3.2
  • Graylog 1.3.1
  • Graylog 1.3.0
  • Graylog 1.2.2
  • Graylog 1.2.1
  • Graylog 1.2.0
  • Graylog 1.2.0-rc.4
  • Graylog 1.2.0-rc.2
  • Graylog 1.1.6
  • Graylog 1.1.5
  • Graylog 1.1.4
  • Graylog 1.1.3
  • Graylog 1.1.2
  • Graylog 1.1.1
  • Graylog 1.1.0
  • Graylog 1.1.0-rc.3
  • Graylog 1.1.0-rc.1
  • Graylog 1.1.0-beta.3
  • Graylog 1.1.0-beta.2
  • Graylog 1.0.2
  • Graylog 1.0.1
  • Graylog 1.0.0
  • Graylog 1.0.0-rc.4
  • Graylog 1.0.0-rc.3
  • Graylog 1.0.0-rc.2
  • Graylog 1.0.0-rc.1
  • Graylog 1.0.0-beta.2
  • Graylog 1.0.0-beta.2
  • Graylog2 0.92.4
  • Graylog 1.0.0-beta.1
  • Graylog2 0.92.3
  • Graylog2 0.92.1
  • Graylog2 0.92.0
  • Graylog2 0.92.0-rc.1
  • Graylog2 0.91.3
  • Graylog2 0.91.3
  • Graylog2 0.92.0-beta.1
  • Graylog2 0.91.1
  • Graylog2 0.90.1
  • Graylog2 0.91.0-rc.1
  • Graylog2 0.90.0
  • Graylog2 0.20.3
  • Graylog2 0.20.2

Graylog Enterprise

• Introduction
• Setup
  • Requirements
  • Installation
    • DEB / APT
    • RPM / YUM / DNF
    • Edit the Configuration File
    • Starting Graylog
  • Cluster Setup
  • Update Graylog Enterprise
    • Update Enterprise
    • Graylog OSS to Graylog Enterprise
• Archiving
  • Setup
    • Installation
    • Configuration
  • Usage
    • Creating Archives
    • Restoring Archives
    • Searching in Restored Indices
• Audit Log
  • Setup
    • Installation
    • Configuration
  • Usage
    • View Audit Log Entries
    • Expand Event Details
    • Search & Filter
    • Export Entries
• Reporting
  • Setup
    • Installation
    • Configuration
  • Usage
    • Creating Reports
    • Configure Reports
    • History
    • Generating Report On Demand
• License
  • License Installation
  • License Verification
    • Details on License Verification
    • Details on licensed traffic
• Changelog
  • Graylog Enterprise 4.0.5
    • Enterprise
  • Graylog Enterprise 4.0.4
    • Enterprise
  • Graylog Enterprise 4.0.3
    • Enterprise
    • Enterprise Integrations Plugin
  • Graylog Enterprise 4.0.2
    • Enterprise
    • Enterprise Integrations Plugin
  • Graylog Enterprise 4.0.1
    • Enterprise
    • Enterprise Integrations Plugin
  • Graylog Enterprise 4.0.0
    • Enterprise
    • Enterprise Integrations Plugin
  • Graylog Enterprise 3.3.11
  • Graylog Enterprise 3.3.10
    • Enterprise
  • Graylog Enterprise 3.3.9
    • Enterprise
    • Enterprise Integrations Plugin
  • Graylog Enterprise 3.3.8
    • Enterprise Integrations Plugin
  • Graylog Enterprise 3.3.7
    • Enterprise Integrations Plugin
  • Graylog Enterprise 3.3.6
    • Enterprise
    • Enterprise Integrations Plugin
  • Graylog Enterprise 3.3.5
  • Graylog Enterprise 3.3.4
  • Graylog Enterprise 3.3.3
  • Graylog Enterprise 3.3.2
  • Graylog Enterprise 3.3.1
  • Graylog Enterprise 3.3.0
  • Graylog Enterprise 3.2.6
  • Graylog Enterprise 3.2.5
  • Graylog Enterprise 3.2.4
  • Graylog Enterprise 3.2.3
  • Graylog Enterprise 3.2.2
  • Graylog Enterprise 3.2.1
  • Graylog Enterprise 3.2.0
  • Graylog Enterprise 3.1.4
  • Graylog Enterprise 3.1.3
  • Graylog Enterprise 3.1.2
  • Graylog Enterprise 3.1.1
  • Graylog Enterprise 3.1.0
  • Graylog Enterprise 3.0.2
  • Graylog Enterprise 3.0.1
  • Graylog Enterprise 3.0.0
  • Graylog Enterprise 2.5.2
    • Plugin: License
  • Graylog Enterprise 2.5.1
  • Graylog Enterprise 2.5.0
  • Graylog Enterprise 2.4.7
    • Plugin: License
  • Graylog Enterprise 2.4.6
  • Graylog Enterprise 2.4.5
  • Graylog Enterprise 2.4.4
  • Graylog Enterprise 2.4.3
  • Graylog Enterprise 2.4.2
  • Graylog Enterprise 2.4.1
  • Graylog Enterprise 2.4.0
  • Graylog Enterprise 2.4.0-rc.2
  • Graylog Enterprise 2.4.0-rc.1
  • Graylog Enterprise 2.4.0-beta.4
    • Plugin: License
  • Graylog Enterprise 2.4.0-beta.3
  • Graylog Enterprise 2.4.0-beta.2
  • Graylog Enterprise 2.4.0-beta.1
    • Plugin: Archive
  • Graylog Enterprise 2.3.2
    • Plugin: Archive
  • Graylog Enterprise 2.3.1
    • Plugin: Archive
  • Graylog Enterprise 2.3.0
    • Plugin: Archive
  • Graylog Enterprise 2.2.3
    • Plugin: Archive
  • Graylog Enterprise 2.2.2
    • Plugin: Audit Log
  • Graylog Enterprise 2.2.1
    • Plugin: Archive
  • Graylog Enterprise 2.2.0
    • Plugin: Archive
  • Graylog Enterprise 1.2.1
    • Plugin: Archive
    • Plugin: Audit Log
  • Graylog Enterprise 1.2.0
    • Plugin: Archive
    • Plugin: Audit Log
  • Graylog Enterprise 1.1
  • Graylog Enterprise 1.0.1
    • Plugin: Archive
  • Graylog Enterprise 1.0.0
    • Plugin: Archive

Graylog Content

• Graylog Integrations
  • Open Source
  • Enterprise
• GELF
  • Structured events from anywhere. Compressed and chunked.
  • GELF via UDP
    • Chunking
    • Compression
  • GELF via TCP
  • GELF Payload Specification
  • Example payload
    • Sending GELF messages via UDP using netcat
    • Sending GELF messages via TCP using netcat
    • Sending GELF messages via HTTP using curl
• Graylog Schema