Message count for CMMC / NIST SP 800-171 purposes

1. Describe your incident:
I’m trying to come up with a solution to satisfy a security requirement - NIST SP 800-171 3.3.4 “Alert in the event of an audit logging process failure”.

2. Describe your environment:

  • OS Information: Debian 11

  • Package Version:
    graylog-server 5.2.5-1

  • Service logs, configurations, and environment variables:
    elasticsearch.
    Graylog is recording messages and I'm able to query them from the web GUI.

3. What steps have you already taken to try and solve the problem?
googled for hours

4. How can the community help?
What I would like to do is have a PowerShell script on a remote server that is scheduled to run daily that queries the Graylog server for the message count for the last 24 hours. If this count is 0, the PowerShell script will email me.

I have figured out how to use Invoke-RestMethod to get results from API such as
http://10.0.1.3:9000/api/system/indexer/overview
and I have figured out how to use GET and POST, but I'm having trouble locating an API and crafting a request that does what I want.
I found
/views/search
and
/views
but I'm new to Graylog and new to REST and need somebody to show me how to make a request that just returns the message count for the last 24 hours without returning all the messages.

If I get this working, I'll post the entire PowerShell script here for other CMMC victims.

As long as you are on a somewhat recent version of Graylog, 5.1+ I think, check out the simple search API; it has an aggregation API that will do all the heavy lifting for you. Easiest way to find it is to search the API browser for "simple".

Hey, I think that's going to work! I came up with this:

Request URL
http://10.0.1.3:9000/api/search/aggregate?query=*&timerange=24h&groups=wtf

Response Body
{
  "schema": [
    {
      "column_type": "grouping",
      "type": "string",
      "field": "wtf",
      "name": "grouping: wtf"
    },
    {
      "column_type": "metric",
      "type": "numeric",
      "function": "count",
      "name": "metric: count()"
    }
  ],
  "datarows": [
    [
      "(Empty Value)",
      93924
    ]
  ],
  "metadata": {
    "effective_timerange": {
      "from": "2024-03-26T12:55:27.349Z",
      "to": "2024-03-27T12:55:27.350Z",
      "type": "absolute"
    }
  }
}

What is the GROUPS parameter for? The API forces me to enter something there but doesn’t seem to care what. Better yet, where can I find documentation about all the parameters for every API? I’d rather somebody teach me how to fish than to give me free fish.

Because it’s an aggregation, that is what you want to group by, so group by source gives you count of messages per distinct source etc. The API browser is the place, there is no documentation outside of there about the endpoints and what they do. However, the easiest way to figure out how to do anything is to open the inspector in your browser and watch the traffic as you do something in the UI, the web uses the same API.

That would be very helpful! I was actually looking for a log file in /var/log that might show the queries the web GUI makes but didn't find any. How do I get to the inspector? I feel like that's a stupid question but I looked through all the web GUI menus, the API browser, and googled "graylog inspector" and there's nothing.

Sorry, like the Chrome inspector, dev tools in your browser, and watch the network traffic; you can see all the API calls pretty clearly every time you take an action on the page.

OH - DUH!!!

Thanks to Joel's help, I'm proud to present a fully working PowerShell script for anybody that wants it.
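An added example of the daily check described in this thread (this is not the poster's script, which is not reproduced on the page): it calls the /api/search/aggregate endpoint shown above, finds the count() column from the response schema instead of assuming its position, and emails when the 24-hour count is zero or when the request itself fails, since an unreachable log server is also a logging-process failure for 3.3.4 purposes. The account, password, SMTP server and mail addresses are placeholders.

```powershell
# Added example, not the original poster's script. Placeholders marked below.
$GraylogUrl = "http://10.0.1.3:9000"              # Graylog server from the thread
$ApiUser    = "graylog-readonly"                  # assumed: a read-only user or access token
$ApiPass    = "REPLACE-WITH-PASSWORD"             # placeholder; for a token use the token as user and "token" as password
$SmtpServer = "smtp.example.internal"             # placeholder
$MailFrom   = "graylog-monitor@example.internal"  # placeholder
$MailTo     = "secops@example.internal"           # placeholder

function Get-GraylogCount24h {
    param([string]$BaseUrl, [string]$User, [string]$Password)
    # Basic auth built by hand so the same script runs on Windows PowerShell 5.1 and PowerShell 7.
    $basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${User}:${Password}"))
    $headers = @{
        Authorization    = "Basic $basic"
        "X-Requested-By" = "cmmc-3.3.4-check"   # Graylog requires this header on API calls
        Accept           = "application/json"
    }
    # "groups" is mandatory; grouping on a field no message carries yields one "(Empty Value)"
    # row whose count() is the total, exactly as in the response shown above.
    $uri  = "$BaseUrl/api/search/aggregate?query=*&timerange=24h&groups=wtf"
    $resp = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers -TimeoutSec 60
    # Locate the count() metric column by schema rather than hard-coding index 1.
    $idx = -1
    for ($i = 0; $i -lt $resp.schema.Count; $i++) {
        $col = $resp.schema[$i]
        if ($col.column_type -eq "metric" -and $col.function -eq "count") { $idx = $i; break }
    }
    if ($idx -lt 0) { throw "count() column not found in aggregate response schema" }
    # Sum over rows so the check still works if someone later groups on a real field.
    [int64]$total = 0
    foreach ($row in $resp.datarows) { $total += [int64]$row[$idx] }
    return $total
}

try {
    $count = Get-GraylogCount24h -BaseUrl $GraylogUrl -User $ApiUser -Password $ApiPass
    if ($count -gt 0) { Write-Output "OK: $count messages received in the last 24h"; exit 0 }
    $subject = "ALERT: Graylog received 0 messages in the last 24 hours"
    $body    = "Aggregate count for the last 24h on $GraylogUrl was 0. Audit logging may have stopped."
} catch {
    # Treat an unreachable or erroring API as a logging-process failure, not as "no news".
    $subject = "ALERT: Graylog message-count check failed"
    $body    = "Could not query $GraylogUrl : $($_.Exception.Message)"
}
Send-MailMessage -SmtpServer $SmtpServer -From $MailFrom -To $MailTo -Subject $subject -Body $body
exit 1
```

Schedule it with Task Scheduler once a day; a non-zero exit code lets the task history double as a record that the alert fired.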

@shippj
That’s awesome :+1: