API way to enumerate all sources and timestamp of last message received?

I’m wondering what would be the best way to query the Graylog API to tell me which sources are currently sending logs to Graylog.
Use case: Integrating a check for this into our monitoring system and ensuring compliance to the requirement “every server in our network needs to log to Graylog, and if it stops logging there we sound the alarm”.

For Graylog agents / sidecars we can query the /api/sidecars/all URI, but what about other sources (pure syslog forwarding, for example)?

In previous versions of Graylog we’ve been able to use a call to /api/sources to enumerate all sources known to Graylog, but this endpoint does not exist anymore in modern versions of Graylog. Or did it return in 5.x?

So, how can we monitor which sources are known to my Graylog instance and when they were active / sent the latest message? Or is there really no other way but to send a query for every source that we expect to be there and find out whether Graylog knows about it and when the latest message was delivered? But what would be the best/easiest way to do that?

Is my use case clear? It doesn’t sound too exotic (what good is a log server if I’ve got no way to verify that a certain system continues to log into it successfully), but I didn’t find any obvious replacement for /api/sources. Apparently I’m looking in the wrong place?

OS: Ubuntu 18.04 LTS x64

Graylog 4.3.10

Hey @bitwiz

I've seen this a lot here.
A couple of suggestions before upgrading: check these out first.

Most, if not all, upgrades are focused on security but also on Enterprise versions, so our open source version has to adapt. What I use in this case is Grafana metrics and/or the API.

What I did a while back for sources was create a widget. This is not an alert, but it visually identifies if a source drops out or a source was added.

Hi @gsmith ,

thanks, but not entirely sure what you’re getting at with your reference to the Changelog.
In my case the Changelog does not even list the removal of the /api/sources endpoint, much less point to a functional equivalent. Why remove functionality that doesn’t hurt anybody and satisfies a need (else why would there be a GUI equivalent still existing), but no replacement?

I’ve found an older thread for the same issue, but this refers to the GUI dashboard only as well.

Is there no way to get the same information programmatically instead of paying eyeballs to look at a fancy dashboard? I thought that’s why computers were invented, to minimize routine tasks for humans…

The thread above says that “it’s simply a search, therefore /api/sources is redundant”, which is all well and good, but I have not found a way to properly access search results via API. I can construct a search and submit my search request to the API, but only a reference to a result set is returned and I fail to see how I can access the actual results and transform the output into a format roughly equivalent to the former output of /api/sources. I think this is what I’m missing at the moment.

I’ve asked a somewhat broader question because I’m not actually hung up on parsing this specific information in this specific way. If anybody has got another way of monitoring (active) sources or their dropping out of the Graylog instance without anybody manually clicking in the Graylog GUI, I’m all ears. That’s all I need/want.
