# Graylog Provider

> The Graylog provider enables webhook installations for receiving alerts in Keep

export const api_key_0 = undefined

## Overview

The **Graylog Provider** facilitates receiving alerts from Graylog by setting up Webhook connections. It allows seamless integration with Graylog to receive notifications about events and alerts through Keep.

## Authentication

This provider requires authentication.

* **graylog\_user\_name**: Username (required: True, sensitive: False)
* **graylog\_access\_token**: Graylog Access Token (required: True, sensitive: True)
* **deployment\_url**: Deployment Url (required: True, sensitive: False)
* **verify**: Verify SSL certificates (required: False, sensitive: False)

Certain scopes may be required to perform specific actions or queries via the provider. Below is a summary of relevant scopes and their use cases:

* **authenticated**: Mandatory for all operations, ensures the user is authenticated. (mandatory)
* **authorized**: Mandatory for querying incidents and managing resources, ensures the user has `Admin` privileges. (mandatory)

## In workflows

This provider can be used in workflows.

As a "step" to query data, for example:

```yaml
steps:
    - name: Query graylog
      provider: graylog
      config: "{{ provider.my_provider_name }}"
      with:
        events_search_parameters: {value}  
```

If you need workflow examples with this provider, please raise a [GitHub issue](https://github.com/keephq/keep/issues).

## Provider Methods

The provider exposes the following [Provider Methods](/providers/provider-methods#via-ai-assistant). They are available in the [AI Assistant](/overview/ai-incident-assistant).

* **search** Search using elastic query language in Graylog (action, scopes: authorized)

  * `query`: The query string to search for.
  * `query_type`: The type of query to use. Default is "elastic".
  * `timerange_seconds`: The time range in seconds. Default is 300 seconds.
  * `timerange_type`: The type of time range. Default is "relative".
  * `page`: Page number, starting from 0.
  * `per_page`: Number of results per page.

## Connecting via Webhook (omnidirectional)

This provider supports webhooks.

To send alerts from Graylog to Keep, configure a Graylog notification that posts to Keep's webhook URL:

1. In Graylog, from the Topbar, go to `Alerts` > `Notifications`.
2. Click "Create Notification".
3. In the New Notification form, configure:

**Note**: For Graylog v4.x please set the **URL** to `KEEP_BACKEND_URL/alerts/event/graylog?api_key={api_key}`.

* **Display Name**: keep-graylog-webhook-integration
* **Title**: keep-graylog-webhook-integration
* **Notification Type**: Custom HTTP Notification
* **URL**: KEEP\_BACKEND\_URL/alerts/event/graylog  # Whitelist this URL
* **Headers**: X-API-KEY:{api_key_0}

4. Erase the Body Template.
5. Click on "Create Notification".
6. Go to the `Event Definitions` tab, select the Event Definition that will trigger the alert you want to send to Keep, and click on More > Edit.
7. Go to "Notifications" tab.
8. Click on "Add Notification" and select the "keep-graylog-webhook-integration" that you created in step 3.
9. Click on "Add Notification".
10. Click `Next` > `Update` to save the event definition.
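
Added example (not Keep's or Graylog's own code): with the Graylog v4.x URL form the API key is part of the request target, so it is typically recorded by any proxy or load-balancer access log in front of Keep. The sketch below builds both forms of the notification settings and redacts `api_key` from access-log lines; the log line format, host name, sample key and all function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

WEBHOOK_PATH = "/alerts/event/graylog"  # path from the steps above
SENSITIVE_PARAMS = {"api_key"}          # query parameter used by the v4.x URL


def notification_settings(keep_backend_url, api_key, graylog_major):
    """Return the URL and headers to enter in Graylog's notification form."""
    base = keep_backend_url.rstrip("/") + WEBHOOK_PATH
    if graylog_major == 4:
        # v4.x note on this page: the key travels in the query string.
        return {"url": base + "?" + urlencode({"api_key": api_key}), "headers": {}}
    # Assumption: every other version uses the X-API-KEY header form shown above.
    return {"url": base, "headers": {"X-API-KEY": api_key}}


def redact_url(url):
    """Replace the value of each sensitive query parameter with REDACTED."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


# Request line inside a common-log-format entry (assumed proxy log format).
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def scrub_log_line(line):
    """Redact the API key in an access-log line before it is stored or shipped."""
    def fix(m):
        return '"%s %s %s"' % (m["method"], redact_url(m["target"]), m["proto"])
    return _REQUEST.sub(fix, line)


# Constructed sample lines: a v4.x-style request and a header-authenticated one.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] '
    '"POST /alerts/event/graylog?api_key=CONSTRUCTED-KEY-123 HTTP/1.1" 202 17',
    '203.0.113.7 - - [10/Oct/2024:13:56:02 +0000] '
    '"POST /alerts/event/graylog HTTP/1.1" 202 17',
]

if __name__ == "__main__":
    print(notification_settings("https://keep.example.internal", "CONSTRUCTED-KEY-123", 4))
    for entry in SAMPLE_LOG:
        print(scrub_log_line(entry))
```

Lines that already authenticate with the header pass through unchanged, so the scrubber can sit in front of log shipping for both URL forms.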

## Connecting with the Provider

1. Obtain the **username** and **access token** from your Graylog instance by following [Graylog's API Access Documentation](https://go2docs.graylog.org/current/setting_up_graylog/rest_api_access_tokens.htm?tocpath=Set%20up%20Graylog%7CGet%20Started%20with%20Graylog%7CREST%C2%A0API%7C_____3#CreateanAccessToken).
2. Set the **deployment URL** to your Graylog instance's base URL (e.g., `http://127.0.0.1:9000`).
3. Ensure the user has the **Admin** role in Graylog.

## Features

The **Graylog Provider** supports the following key features:

* **Webhook Setup**: Configures webhooks to send alerts to Keep.
* **Alerts Retrieval**: Fetches and formats alerts from Graylog based on specified search parameters (at most the 10000 most recent alerts).

<Note>
  Ensure that the product of `page` and `per_page` does not exceed 10,000.
</Note>

<Note>
  The notification URL for Graylog v4.x carries the api\_key as a query parameter; this is the default behaviour.
</Note>

## Useful Links

* [Graylog API Documentation](https://go2docs.graylog.org/current/what_is_graylog/what_is_graylog.htm?tocpath=What%20Is%20Graylog%253F%7C_____0)
* [Graylog Access Token](https://go2docs.graylog.org/current/setting_up_graylog/rest_api_access_tokens.htm?tocpath=Set%20up%20Graylog%7CGet%20Started%20with%20Graylog%7CREST%C2%A0API%7C_____3#CreateanAccessToken)
* [Quick Setup for Graylog & Integration with Keep](https://github.com/keephq/keep/keep/providers/graylog_provider/README.md)
