How to display the number of users connecting to the server

hi, guys!

I have the problem as the title says right now.

I’m using Graylog 3.0.2 and Ubuntu 20.04.

My purpose is to display the number of users connected to the server on a dashboard.
To do that, we need to be able to dynamically move the log representing the accessor.

For example, when there are two users, the number 2 appears, and when one person disconnects, the dashboard should display 1.

The method I thought of was to delete the separately collected connection logs one by one whenever a log indicating that the connection was lost came in.

but it didn’t go well…

I hope anyone can recommend a good way.

It would be great if you could show an example. :smiling_face:

Hello @pat-bung

This can be done either in your environment devices or Graylog server.
I’ll give you two demonstration below.

Using windows, I have field called TargetUsrName. Then I have a stream /w Rules to collect users logging into device called “Windows: User Successful Logon Local”.
From that I made a widget as shown below.

For Graylog server there are two ways this can be done.

  1. If your under 5 Gb day you can get the Enterprise License for free.
  1. Second way which is a little harder and takes a more time to set up but its possible.

First enable Log4j2 Appender Configuration shown here

That creates a file called restaccess in /var/log/graylog-server/
Next, the file called restaccess needs to be picked up by your log shipper.
My log shipper called “Nxlog” I have configured all Nxlog INPUT’s config in a unique way in my environment. Some for VDI’s, DNS Server, AD servers, Etc… Take notice that I named this input in nxlog its called access.

<Input access> <---- this name 
    Module       im_file
    FILE         "/var/log/graylog-server/restaccess.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;

So when the logs arrive I have a field call SourceModuleName and under that field I named it access in which then I created a stream called Linux: Source Access to collect only the logs and a rule matching the fieldSourceModuleName and contains the word Access.

Example of the received message.

The INPUT used for Graylog needs an REGEX extractor. I had to do this to pick up any sting of numbers within that file, just incase I missed someone’s name.
File for this demo

2022-01-17 21:50:29,711 DEBUG: - 5e224e7683d72eff75055199 [-] “GET api/system/cluster/nodes” Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 200 -1

I originally want a pipeline to do all this @tmacgbay :smiley: :laughing:
As you can see the number after the IP Address show as 5e224e7683d72eff75055199 .



Test completed.

Newer Graylog versions now converts names into numbered string or UUID so I had to create a pipeline.
For every name that has access to Graylog I had to create a pipeline for them.(Copy && Paste Pipeline rules) took about 15 minutes to do like 30 people.

The Pipeline below it attached to the stream called Linux: Source Access then gets the number found in that message from restaccess. It adjusted field called “graylog_gui” and places the Name for the number found.

rule "Graylog Web Access Greg"
    has_field("graylog_gui") AND contains(to_string($message.graylog_gui), "5e224e7683d72eff75055199")

Now its widget time.

One problem I noticed was as the user stays logged in it creates a message like every minute in the restaccess file, so basically it keeps counting.

This is a good starter. Unfortunately its not just one number count but every 15 minutes it updates so I know whos logged on or not.

Example below, you can see the user Greg and since I missed a pipeline configured, you can see the UID, Just so happens that UUID is the Graylog Sidecar collector.

My apologies, I got lazy and didn’t finish I also going to add a Widget with just a number sorta like what you wanted. I told you it would be a little harder, but it can be done since your only dealing with one server its pretty easy.

EDIT: I just noticed that your using GL Version 3.0. if your restaccess file has names you don’t have to use a pipeline. Just create a new field with the name of the user and that should be about it.
Here is my old post.

Hope that helps


Thank you for your kind and detailed explanation, just like a few days ago!!

But I’m a beginner, I think I’ll have to try again…:sob:

I’ll watch your comments carefully, and I’ll be back if I run into any issues! thank you!

1 Like

I am not sure if this works with your older version of Graylog but in mine (4.2.5) when I look at system/users and teams, I can see IP’s listed for anyone who is connected. I am sure that is listed in the MongoDB… So the ugly thing to do would to be have a script query Mongo at a small but reasonable interval and dump those IP’s and whatever metadata you want to a text file that is picked by local logging and processed into your dashboard… Man that is an ugly way to do it… but it might be an interesting project to get to know Mongo/local text logging/dashboards…


Thank for your reply!
I guess I didn’t write a lot of explanations because I was in a hurry :sob:
Syslog is sent from Client Server to Graylog Server, and I want to extract users who are connecting to Client Server from Syslog…
Could this also be easily found in MongoDB?


Are these client server Windows OS clients? If so then you need a field for a username
Example of mine.

1 Like

Oh, Hello!!
The client is also using Ubuntu!

In that case you need to have your log shipper pick up the audit.log file in /var/log/
Then use an extractor ( regex ) to make a field so you can create your widget.

Example of my Linux environment.
regex user\s(\w+) which makes my fields called “linux_user”


1 Like

You could track logins that have happened over X time but even if syslog/audit.log/auth.log tells you about disconnects and logouts, Graylog doesn’t really have a way of counting those log in/out messages and applying the math for a solution. You could have a cron job that dumps the count of a who command to a text file watched by filebeat and have a dash that shows the last number picked up. Its ugly, but it would be accurate within the repetition you set in cron…


Oh man…I didn’t think abut using cron. Thanks for the reminder.

Edit @tmacgbay I grabbed a quick bash

who -a | awk '{print $1}' > /var/log/users.log


drwxr-xr-x.  2 root   root           40 Feb  2  2021 tuned
-rw-r--r--.  1 root   root           47 Jan 19 22:11 users.log
-rw-r--r--.  1 root   root         1200 Dec 29  2016 wpa_supplicant.log
-rw-rw-r--.  1 root   utmp       903168 Jan 19 22:07 wtmp
-rw-------.  1 root   root            0 Jan  1 07:57 yum.log
-rwxr-xr-x.  1 root   root        33295 Dec 28  2020 yum.log-20201229
-rw-------.  1 root   root         1122 Jan 11  2021 yum.log-20210112
-rw-------.  1 root   root        36722 Oct 12 23:24 yum.log-20211013
-rw-------.  1 root   root         4557 Nov 25 19:23 yum.log-20220101
drwxr-xr-x.  2 zabbix zabbix       4096 Dec  4 06:42 zabbix
[root@nextcloud-web1 log]# who -a | awk '{print $1}'  > /var/log/users.log

[root@nextcloud-web1 log]# cat users.log
[root@nextcloud-web1 log]#
1 Like

to expand on that, you can put the count right in the log file:

billybob@graylog:~# who -a | awk '{print $1}' > /var/log/users.log && wc -l < /var/log/users.log >> /var/log/users.log
billybob@graylog:~# cat /var/log/users.log


1 Like

I likey the addon :+1:

1 Like

hey @gsmith, @tmacgbay!!!
you guys are so awesome!
It took a long time, but I finally solved the problem!! :face_holding_back_tears: :face_holding_back_tears:
I am so happy and I am just so grateful to you all…
It’s a pity that the widget has to be a data table, but it’s so great…!
Thank you very much and I hope to see you again next time.
Until then, stay healthy and happy everyone!


Maybe write up your script and how to set it up - add it to the Templates and Rules Exchange? :smiley:

Glad it worked!

1 Like

Nice :+1: , If you mark this resolved for future searches that would be great :smiley:
Would like to see what you did , that would be great…

1 Like

I may have taken a difficult path as I am a newbie who has just studied this field.

This is my script.

who --ips | awk '{print $5}' > /root/script/userip.txt
who --ips | wc -l > /root/script/user.txt

sed -i 's/\([^ ]*\)/[&]/g' /root/script/userip.txt

HOST=`hostname --long`
TIMESTAMP=`date +%s`
MESSAGE=`cat /root/script/userip.txt`

GRAYLOG_SERVER=graylog server ip

cd /root/script

if [ -e user.txt ]; then

        MSG="{\"version\": \"$VERSION\""

        for user in `cat user.txt`; do


        echo $MSG | gzip -cf | nc -w 1 -u $GRAYLOG_SERVER $GRAYLOG_PORT



I created two text files to check the number of users connected to the server as well as the IP of the users who are connecting.
The reason for separating the files is to create a separate widget without extracting the string.

IP is included in one line in MESSAGE because multiple IPs cannot be included in MSG and only one is displayed.

Also, sed is a command to make it easier to see the IP displayed in one line.

And run the script every minute with crontab.

I have already sent two log files to rsyslog, so I made an INPUT using GELF, and they are successfully received.
I am still inexperienced in writing scripts, so it may seem inefficient because I have modified the existing GELF file.


This is my widget.

IP deleted all fields except MESSAGE PREVIEW for a clear view, and if Logon user sets Single Number, only the number of logs is displayed, so it is set as a data table. :smiley:

1 Like

Wow , Nice @pat-bung

I was going to ask, Is it possible to post that here. @tmacgbay stated above. This would be awesome and would make it way easier to point them to this script

My answer is not enough, but I would be very grateful if you could move the solution you posted here!

1 Like

Yes!! for sure. Maybe the next community member might add on to it.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.