Overview

The Graylog Provider facilitates receiving alerts from Graylog by setting up Webhook connections. It allows seamless integration with Graylog to receive notifications about events and alerts through Keep.

Authentication

This provider requires authentication.

  • graylog_user_name: Username (required: True, sensitive: False)
  • graylog_access_token: Graylog Access Token (required: True, sensitive: True)
  • deployment_url: Deployment Url (required: True, sensitive: False)

Certain scopes may be required to perform specific actions or queries via the provider. Below is a summary of relevant scopes and their use cases:

  • authenticated: Mandatory for all operations, ensures the user is authenticated. (mandatory)
  • authorized: Mandatory for querying incidents and managing resources, ensures the user has Admin privileges. (mandatory)

In workflows

This provider can be used in workflows.

As a “step” to query data, for example:

steps:
    - name: Query graylog
      provider: graylog
      config: "{{ provider.my_provider_name }}"
      with:
        events_search_parameters: {value}

If you need workflow examples with this provider, please raise a GitHub issue.

Provider Methods

The provider exposes the following Provider Methods. They are available in the AI Assistant.

  • search: Search Graylog using the elastic query language (action, scopes: authorized)

    • query: The query string to search for.
    • query_type: The type of query to use. Default is “elastic”.
    • timerange_seconds: The time range in seconds. Default is 300 seconds.
    • timerange_type: The type of time range. Default is “relative”.

Connecting via Webhook (omnidirectional)

This provider supports webhooks.

To send alerts from Graylog to Keep, use the following webhook URL when configuring Graylog to send alerts to Keep:

  1. In Graylog, from the Topbar, go to Alerts > Notifications.
  2. Click “Create Notification”.
  3. In the New Notification form, configure:

  • Display Name: keep-graylog-webhook-integration
  • Title: keep-graylog-webhook-integration
  • Notification Type: Custom HTTP Notification
  • URL: KEEP_BACKEND_URL/alerts/event/graylog # Whitelist this URL
  • Headers: X-API-KEY:

Note: For Graylog v4.x please set the URL to KEEP_BACKEND_URL/alerts/event/graylog?api_key={api_key}.

  4. Erase the Body Template.
  5. Click on “Create Notification”.
  6. Go to the Event Definitions tab, select the Event Definition that will trigger the alert you want to send to Keep, and click on More > Edit.
  7. Go to the “Notifications” tab.
  8. Click on “Add Notification” and select the “keep-graylog-webhook-integration” that you created in step 3.
  9. Click on “Add Notification”.
  10. Click Next > Update event definition.

Connecting with the Provider

  1. Obtain the username and access token from your Graylog instance by following Graylog’s API Access Documentation.
  2. Set the deployment URL to your Graylog instance’s base URL (e.g., http://127.0.0.1:9000).
  3. Ensure the user has the Admin role in Graylog.

Features

The Graylog Provider supports the following key features:

  • Webhook Setup: Configures webhooks to send alerts to Keep.
  • Alerts Retrieval: Fetches and formats alerts from Graylog based on the specified search parameters (at most the 10,000 most recent alerts).

Ensure that the product of page and per_page does not exceed 10,000.

The notification URL for Graylog v4.x carries the api_key as a query parameter; this is the default behaviour for that version.
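The two ways Graylog presents Keep's API key described above (the X-API-KEY header in the notification, or the api_key query parameter in the v4.x URL) are what the receiving side has to check before accepting an event. The following is an added example written for this page, not Keep's own code: a small receiver-side check that accepts either form, prefers the header when both are present, and compares the key in constant time. The header name, the query-parameter name and the URL path come from the page; the function names, the sample request and the key value are constructed for the example.

```python
"""Receiver-side API key check for a Graylog custom HTTP notification.

Added example for this page; not Keep's implementation. Assumes the
notification sends the key either in the X-API-KEY header (as configured
above) or, for Graylog v4.x, in the api_key query parameter of the URL.
"""
import hmac
from typing import Mapping, Optional
from urllib.parse import parse_qs, urlsplit

# Header configured on the Graylog notification (compared case-insensitively).
API_KEY_HEADER = "x-api-key"
# Query parameter used by the Graylog v4.x notification URL.
API_KEY_QUERY_PARAM = "api_key"


def extract_api_key(headers: Mapping[str, str], url: str) -> Optional[str]:
    """Return the key presented by the caller, or None if none was sent.

    The header is preferred; the query parameter is consulted only when no
    header is present, which is the v4.x-style URL from the page. Empty
    values are treated as absent.
    """
    for name, value in headers.items():
        if name.lower() == API_KEY_HEADER:
            return value.strip() or None
    # parse_qs drops blank values by default, so "?api_key=" yields nothing.
    values = parse_qs(urlsplit(url).query).get(API_KEY_QUERY_PARAM)
    return values[0] if values else None


def is_authorized(headers: Mapping[str, str], url: str, expected_key: str) -> bool:
    """True only if the presented key matches the expected Keep API key.

    hmac.compare_digest keeps the comparison constant-time so a wrong key
    does not reveal how many leading bytes matched.
    """
    presented = extract_api_key(headers, url)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected_key.encode("utf-8"))


def main() -> None:
    # Constructed sample requests; the key value is a placeholder, not a real key.
    expected = "keep-example-api-key"
    header_style = (
        {"Content-Type": "application/json", "X-API-KEY": expected},
        "https://keep.example/alerts/event/graylog",
    )
    v4_query_style = (
        {"Content-Type": "application/json"},
        "https://keep.example/alerts/event/graylog?api_key=" + expected,
    )
    for label, (headers, url) in (("header", header_style), ("v4 query", v4_query_style)):
        print(f"{label}: authorized={is_authorized(headers, url, expected)}")


if __name__ == "__main__":
    main()
```

Because the v4.x form puts the key in the URL, it is more likely to be recorded in proxy and web-server access logs than the header form; where a Graylog version supports the header, prefer it, and treat the key as rotatable either way.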