Graylog3, ELK 6.x and Grafana

Hello,

I am trying to get Grafana 6.x working with ELK 6.x and Graylog 3.0.2. Unfortunately I can't get it working. Most howtos use Graylog 2.x, so I'm not sure if Graylog 3.x and Grafana 6.x can work together. Either way, I always get a 404 back. If I test the source:

192.168.x.x - - [06/Jan/2020:09:50:34 +0100] "GET /graylog_%2A/_mapping HTTP/1.1" 200 455 "-" "Grafana/6.5.2"

The "%2A" comes from the index grafana_*.

Our Graylog is behind an Apache2 reverse proxy, https://graylog.example.com/, which forwards everything to the internal Graylog host and port.
If I try to use the ELK datasource:

192.168.x.x - - [06/Jan/2020:09:53:14 +0100] "POST /_msearch HTTP/1.1" 404 50 "-" "Grafana/6.5.2"

which results in a 404.

The question is: how can I get the streams / logs into my Grafana dashboard?

Any suggestions?

Graylog does not work as a source for Grafana.

It would be a feature request for Grafana to use Graylog directly as a source. Until that is possible, you can only talk directly to the Elasticsearch that your Graylog is using. But then you bypass all authentication that is part of Graylog.

hi,

Thanks for the reply. So only Graylog2 is supported, if I understand it correctly. The only thing I've found is that Graylog3 saves the data in a different way/format, which could be the reason why the ELK source does not work anymore.

Correct?

cu denny

hi,

Maybe there is a different way … All I want is a counter to create a histogram, like the one I get with :)

https://graylog.example.com/streams/122334455667788999/search?interval=minute

Maybe I can create a curl command which gives me an integer of how many log entries I have per minute … If that is possible, I'll use Icinga2 to execute it every minute …

Hey @linuxmail,

Graylog2 is the old name of the project - even version 0.11 was named Graylog2 …

I did not know that there was an integration with Grafana; maybe you can show me the howto/tutorial you refer to?

The messages are stored in the same way - we just added some meta information. As Graylog is API driven, you can perform nearly any action as an API request only. Did you know about the API Browser?


hi,

As a short example: https://kifarunix.com/monitor-squid-logs-with-grafana-and-graylog/

But I think I see my error … they use Graylog for creating the index and connect to ELK directly. Because of our setup (no access to ELK directly) that isn't possible, so the Graylog REST API is maybe the only chance. The user I use for that doesn't have admin permissions, so api/search/universal doesn't work without the STREAM ID … if I read the docs correctly …

cu denny

It is correct - the universal search does not work. But the stream-based search will work with a user that has access to this stream.

But in any case - the direct search in Elasticsearch differs from the search via Graylog. So the next logical step would be having a Graylog source in Grafana …

hi,

Grafana has a JSON backend, but it requires a different layout … but anyway …

The curl command works:

curl -s --user 'monitoring:secret' -k -H 'Accept: application/json' -X GET "https://graylog.example.com:443/api/search/universal/relative?query=deny&range=60&filter=streams%3A1111222223333444&fields=action%2Cmessage&decorate=true" | jq

With this knowledge, I can use the check_json.py plugin for Icinga2 to get the values I need. Icinga2 pushes the value into our InfluxDB and voilà … it appears in Grafana :)
It is a bit more work than I thought, but this setup works (after our developer extended the check_json.py script for use with username/password).
Thanks for the help :)
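The per-minute count this thread is after, as an added example that is neither part of the original posts nor of the check_json.py plugin: it builds the same stream-filtered /api/search/universal/relative request as the curl command above, reads total_results from the response, and formats the result as Icinga2 plugin output with perfdata. The stream ID, credentials and the sample response are placeholders/constructed.

```python
import base64
import json
import urllib.parse
import urllib.request

# Added example, not code from the thread or from check_json.py. It counts the
# messages of one Graylog stream matching a query over the last N seconds and
# reports the count in Icinga2 plugin format (status line plus perfdata).

def build_search_url(base_url, query, range_seconds, stream_id, fields=("action", "message")):
    """Build the /api/search/universal/relative URL with a streams:<id> filter."""
    params = {
        "query": query,
        "range": range_seconds,
        "filter": "streams:%s" % stream_id,   # urlencode turns ':' into %3A, as in the curl call
        "fields": ",".join(fields),           # and ',' into %2C
        "decorate": "true",
    }
    return base_url.rstrip("/") + "/api/search/universal/relative?" + urllib.parse.urlencode(params)

def count_from_response(body):
    """Graylog reports the number of hits in total_results, independent of message paging."""
    return int(json.loads(body)["total_results"])

def fetch_count(url, user, password):
    """GET with HTTP basic auth (like curl --user); unlike curl -k, TLS is verified."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return count_from_response(resp.read().decode())

def icinga_output(count, warn, crit, label="deny_per_min"):
    """Return (exit code, plugin output) in Nagios/Icinga2 format with perfdata."""
    if count >= crit:
        state, text = 2, "CRITICAL"
    elif count >= warn:
        state, text = 1, "WARNING"
    else:
        state, text = 0, "OK"
    return state, "%s - %d matching entries|%s=%d;%d;%d;0" % (text, count, label, count, warn, crit)

# Constructed sample response, trimmed to the fields this example uses.
SAMPLE_RESPONSE = json.dumps({
    "query": "deny", "total_results": 7,
    "messages": [{"message": {"action": "deny", "message": "constructed sample"}}],
})

if __name__ == "__main__":
    print(build_search_url("https://graylog.example.com", "deny", 60, "STREAM_ID_PLACEHOLDER"))
    print(icinga_output(count_from_response(SAMPLE_RESPONSE), warn=5, crit=20)[1])
```

Replacing the sample with a real call means `fetch_count(build_search_url(...), user, password)` and wiring the returned tuple into Icinga2's exit code and stdout.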

You're welcome!

Maybe you can create a PR for the original check_json.py so that the community can benefit?

hi,

For sure I will do so, like on every project I'm involved in :)

cu denny
