grok patterns stored centrally in a git repo to be deployed altogether to graylog clusters

Maintain configuration such as grok patterns centrally in git repos (GitHub/GitLab) so it can be deployed all at once to the Graylog clusters, ensuring we have the same grok patterns/pipelines/extractors on all Graylog clusters.

I have done some extensive research… please suggest whether ‘System/Content Packs’ helps me achieve the above, where centrally stored/managed grok patterns in git repos can be deployed all at once to all Graylog clusters. Other options: are there any plugins to achieve this objective, or do we need to configure the REST APIs?

Personally, I think that will slow the process, since every time you need to retrieve from the central server and process.
Either you need to look at the clustering setup or make a centralized script to push the pattern to each server (as you mentioned, your content pack).

How many clusters are we talking? I think you’re on the right track with content packs, as that will allow you to export grok patterns from one cluster and import them into another.

I just did a quick test and found I was able to import a content pack of grok rules even though all the grok rules already existed, meaning you don’t need to worry about only exporting changes or differences; you can export all grok rules via the ‘Create a content pack’ workflow:


Using the API, it is possible to script/automate this task, but it will likely take some trial and error to get right. I recommend using Dev tools (F12) (from a Chromium browser, such as Chrome or Edge) and viewing the API requests sent when you carry out those actions in the web browser. This can give you an idea of exactly what web requests you need to use to script/automate it.

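As an added example of the "centralized script that pushes patterns to each server" approach discussed in the replies (this is not Graylog's own tooling nor code from any poster), the script below reads a git-tracked grok pattern file in the classic `NAME pattern` format, diffs it against what each cluster reports, and only creates or updates patterns, never deleting anything that exists solely on the server. It assumes the Graylog REST endpoints `GET /api/system/grok` (returning `{"patterns": [...]}`), `POST /api/system/grok` and `PUT /api/system/grok/{id}`, an access token passed as the basic-auth username with the password `token`, the `X-Requested-By` header Graylog requires on write requests, and a `GRAYLOG_TOKEN` environment variable; verify those endpoints against your version's API browser before relying on them. The sample pattern file and server response are constructed for illustration.

```python
#!/usr/bin/env python3
"""Deploy a git-tracked grok pattern file to one or more Graylog clusters.

Added example, not Graylog's own tooling. Assumed: patterns live in a file in
the repo in the classic "NAME pattern" format, the REST endpoints
GET/POST /api/system/grok and PUT /api/system/grok/{id} exist as used below,
and an access token is provided in GRAYLOG_TOKEN (same token for every cluster).
"""
import base64
import json
import os
import re
import sys
import urllib.request

PATTERN_LINE = re.compile(r"^(?P<name>[A-Z][A-Z0-9_]*)\s+(?P<pattern>\S.*)$")
GROK_REF = re.compile(r"%\{([A-Z][A-Z0-9_]*)(?::[^}]*)?\}")

# Constructed sample of what the repo file might contain.
SAMPLE_FILE = "# shared patterns\nHOSTPORT %{IPORHOST}:%{POSINT}\nMYAPP_ID app-%{WORD:app}\n"
# Constructed sample of what GET /api/system/grok might return for one cluster.
SAMPLE_SERVER = [
    {"id": "1", "name": "HOSTPORT", "pattern": "%{IPORHOST}:%{NUMBER}"},
    {"id": "2", "name": "LEGACY", "pattern": "legacy-%{WORD}"},
]


def parse_grok_file(text):
    """Parse 'NAME pattern' lines into {name: pattern}; blanks and '#' comments are skipped."""
    patterns = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PATTERN_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a grok definition: {raw!r}")
        name, pattern = m["name"], m["pattern"].rstrip()
        if name in patterns:
            raise ValueError(f"line {lineno}: duplicate pattern name {name}")
        patterns[name] = pattern
    return patterns


def unresolved_references(desired, server_names=()):
    """Names used as %{NAME} that are defined neither in the file nor on the server."""
    known = set(desired) | set(server_names)
    missing = set()
    for pattern in desired.values():
        missing.update(ref for ref in GROK_REF.findall(pattern) if ref not in known)
    return sorted(missing)


def plan_changes(desired, existing):
    """Diff the file against the cluster's patterns (list of {id, name, pattern} dicts).

    Server-only patterns are reported but never deleted, so a stale checkout
    cannot wipe patterns that other teams added directly on a cluster.
    """
    by_name = {p["name"]: p for p in existing}
    plan = {"create": [], "update": [], "unchanged": [], "server_only": []}
    for name, pattern in desired.items():
        if name not in by_name:
            plan["create"].append(name)
        elif by_name[name]["pattern"] != pattern:
            plan["update"].append(name)
        else:
            plan["unchanged"].append(name)
    plan["server_only"] = sorted(n for n in by_name if n not in desired)
    return plan


def api(base_url, token, method, path, body=None):
    """One authenticated call to the Graylog REST API (assumed token-as-username basic auth)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method)
    req.add_header("Authorization", "Basic " + base64.b64encode(f"{token}:token".encode()).decode())
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    req.add_header("X-Requested-By", "grok-deploy")  # Graylog rejects write requests without it
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"null")


def deploy(base_url, token, desired, apply=False):
    """Print the plan for one cluster; push creates/updates only when apply=True."""
    existing = api(base_url, token, "GET", "/api/system/grok")["patterns"]
    missing = unresolved_references(desired, (p["name"] for p in existing))
    if missing:
        raise SystemExit(f"{base_url}: patterns reference undefined names: {missing}")
    plan = plan_changes(desired, existing)
    print(f"{base_url}: {json.dumps(plan)}")
    if apply:
        by_name = {p["name"]: p for p in existing}
        for name in plan["create"]:
            api(base_url, token, "POST", "/api/system/grok", {"name": name, "pattern": desired[name]})
        for name in plan["update"]:
            api(base_url, token, "PUT", f"/api/system/grok/{by_name[name]['id']}",
                {"name": name, "pattern": desired[name]})
    return plan


if __name__ == "__main__":
    # Usage: GRAYLOG_TOKEN=... grok_deploy.py patterns/grok.txt [--apply] https://gl-a https://gl-b
    args = [a for a in sys.argv[1:] if a != "--apply"]
    wanted = parse_grok_file(open(args[0], encoding="utf-8").read())
    for cluster in args[1:]:
        deploy(cluster, os.environ["GRAYLOG_TOKEN"], wanted, apply="--apply" in sys.argv)
```

Without `--apply` the script is a dry run that prints the per-cluster plan, which is the output worth reviewing in CI before a pipeline pushes to production clusters; the reference check fails the deploy if a pattern in git uses a `%{NAME}` that neither the file nor the target cluster defines, which is the usual reason an imported pattern set compiles on one cluster and breaks on another.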