I’m wondering what would be the best way to query the Graylog API to tell me which sources are currently sending logs to Graylog.
Use case: Integrating a check for this into our monitoring system and ensuring compliance with the requirement “every server in our network needs to log to Graylog, and if it stops logging there we sound the alarm”.
For Graylog agents / sidecars we can query the /api/sidecars/all URI, but what about other sources (pure syslog forwarding, for example)?
In previous versions of Graylog we’ve been able to use a call to /api/sources to enumerate all sources known to Graylog, but this endpoint does not exist anymore in modern versions of Graylog. Or did it return in 5.x?
So, how can we monitor which sources are known to my Graylog instance and when they were active / sent the latest message? Or is there really no other way but to send a query for every source that we expect to be there and find out whether Graylog knows about it and when the latest message was delivered? But what would be the best/easiest way to do that?
Is my use case clear? It doesn’t sound too exotic (what good is a log server if I’ve got no way to verify that a certain system continues to log into it successfully), but I didn’t find any obvious replacement for /api/sources. Apparently I’m looking in the wrong place?
Thanks, but not entirely sure what you’re getting at with your reference to the Changelog.
In my case the Changelog does not even list the removal of the /api/sources endpoint, much less point to a functional equivalent. Why remove functionality that doesn’t hurt anybody and satisfies a need (else why would there be a GUI equivalent still existing), but no replacement?
I’ve found an older thread for the same issue, but this refers to the GUI dashboard only as well.
Is there no way to get the same information programmatically instead of paying eyeballs to look at a fancy dashboard? I thought that’s why computers were invented, to minimize routine tasks for humans…
The thread above says that “it’s simply a search, therefore /api/sources is redundant”, which is all well and good, but I have not found a way to properly access search results via API. I can construct a search and submit my search request to the API, but only a reference to a result set is returned and I fail to see how I can access the actual results and transform the output into a format roughly equivalent to the former output of /api/sources. I think this is what I’m missing at the moment.
I’ve asked a somewhat broader question because I’m not actually hung up on parsing this specific information in this specific way. If anybody has got another way of monitoring (active) sources or their dropping out of the Graylog instance without anybody manually clicking in the Graylog GUI, I’m all ears. That’s all I need/want.
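An added example (not the poster's code and not part of Graylog's own tooling) of the kind of check asked for in this thread: it pulls a message export for a time window, computes when each source last sent a message, and reports expected sources that have gone stale or are missing entirely, in a form a monitoring system can consume. The request shape for `/api/views/search/messages` (CSV export with a relative time range, API token passed as the basic-auth user name with the literal password `token`) is an assumption to verify against your version's API browser; the sample CSV, the host name, the `GRAYLOG_URL` / `GRAYLOG_TOKEN` / `EXPECTED_SOURCES` environment variables and the expected source list are constructed for the example.

```python
import base64
import csv
import io
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample of what a CSV export restricted to timestamp,source looks like.
SAMPLE_CSV = """timestamp,source
2024-01-15T10:00:00.000Z,web01
2024-01-15T10:05:00.000Z,web02
2024-01-15T09:10:00.000Z,web01
2024-01-15T09:40:00.000Z,db01
"""


def build_export_request(base_url, token, range_seconds=3600):
    """Build (but do not send) the export request.
    Assumption: POST /api/views/search/messages with a relative timerange and
    Accept: text/csv returns one CSV row per message; the API token is sent as
    the basic-auth user name with the literal password 'token'."""
    payload = {
        "query_string": {"type": "elasticsearch", "query_string": "*"},
        "timerange": {"type": "relative", "range": range_seconds},
        "fields_in_order": ["timestamp", "source"],
    }
    auth = base64.b64encode(f"{token}:token".encode()).decode()
    return urllib.request.Request(
        f"{base_url.rstrip('/')}/api/views/search/messages",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "text/csv",
            "Authorization": f"Basic {auth}",
            "X-Requested-By": "source-monitor",  # Graylog rejects state-changing calls without it
        },
    )


def fetch_export(req, timeout=30):
    """Send the request and return the CSV body (network call; not used by the sample run)."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_export(csv_text):
    """Yield (timestamp, source) pairs; Graylog timestamps are ISO-8601 with a Z suffix."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        yield ts, row["source"]


def last_seen_by_source(rows):
    """Map each source to the newest timestamp seen for it."""
    seen = {}
    for ts, src in rows:
        if src not in seen or ts > seen[src]:
            seen[src] = ts
    return seen


def check_sources(expected, last_seen, now, max_age):
    """Classify each expected source as ok, stale (seen, but too long ago) or missing (never seen)."""
    result = {}
    for src in expected:
        if src not in last_seen:
            result[src] = "missing"
        elif now - last_seen[src] > max_age:
            result[src] = "stale"
        else:
            result[src] = "ok"
    return result


def summarize(statuses):
    """Nagios-style (exit code, message): 2 (critical) if anything is stale or missing, else 0."""
    bad = sorted(s for s, st in statuses.items() if st != "ok")
    if not bad:
        return 0, f"OK - all {len(statuses)} expected sources logged recently"
    detail = ", ".join(f"{s}={statuses[s]}" for s in bad)
    return 2, f"CRITICAL - {len(bad)} source(s) not logging: {detail}"


def run_sample():
    """Offline run over the constructed CSV: fw01 never logged, db01 is 30 minutes old."""
    now = datetime(2024, 1, 15, 10, 10, tzinfo=timezone.utc)
    seen = last_seen_by_source(parse_export(SAMPLE_CSV))
    return check_sources(["web01", "web02", "db01", "fw01"], seen, now, timedelta(minutes=15))


if __name__ == "__main__":
    url, token = os.environ.get("GRAYLOG_URL"), os.environ.get("GRAYLOG_TOKEN")
    if url and token:  # live check against a real instance (hypothetical env vars)
        expected = os.environ.get("EXPECTED_SOURCES", "").split(",")
        seen = last_seen_by_source(parse_export(fetch_export(build_export_request(url, token))))
        statuses = check_sources(expected, seen, datetime.now(timezone.utc), timedelta(minutes=15))
    else:
        statuses = run_sample()
    code, message = summarize(statuses)
    print(message)
    raise SystemExit(code)
```

Run with `GRAYLOG_URL`, `GRAYLOG_TOKEN` and a comma-separated `EXPECTED_SOURCES` set to check a real instance, or with none of them to see the offline sample. Keeping the expected-source list outside Graylog is deliberate: a source that silently disappears from the search results cannot alert on itself, so the monitor has to hold the inventory.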