Graylog Cheatsheet¶

Installation¶

Platform	Installation Method
Ubuntu/Debian	`wget https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.deb && sudo dpkg -i graylog-5.2-repository_latest.deb && sudo apt-get update && sudo apt-get install graylog-server`
CentOS/RHEL	`sudo rpm -Uvh https://packages.graylog2.org/repo/packages/graylog-5.2-repository_latest.rpm && sudo yum install graylog-server`
Docker	`docker run -d --name graylog -p 9000:9000 -p 12201:12201 -p 1514:1514 -e GRAYLOG_PASSWORD_SECRET="somepassword" -e GRAYLOG_ROOT_PASSWORD_SHA2="hash" graylog/graylog:5.2`
Docker Compose	`curl -O https://raw.githubusercontent.com/Graylog2/graylog-docker/5.2/docker-compose.yml && docker-compose up -d`
Kubernetes (Helm)	`helm repo add graylog https://charts.graylog.org/ && helm install graylog graylog/graylog --namespace graylog`

Prerequisites Installation¶

Component	Command
Java (OpenJDK 17)	`sudo apt-get install openjdk-17-jre-headless`
MongoDB 6.0	`sudo apt-get install mongodb-org`
OpenSearch 2.x	`wget https://artifacts.opensearch.org/releases/bundle/opensearch/2.11.0/opensearch-2.11.0-linux-x64.deb && sudo dpkg -i opensearch-2.11.0-linux-x64.deb`
Verify Java	`java -version`

Service Management Commands¶

Command	Description
`sudo systemctl start graylog-server`	Start Graylog service
`sudo systemctl stop graylog-server`	Stop Graylog service
`sudo systemctl restart graylog-server`	Restart Graylog service
`sudo systemctl status graylog-server`	Check service status
`sudo systemctl enable graylog-server`	Enable service at boot
`sudo systemctl disable graylog-server`	Disable service at boot
`sudo tail -f /var/log/graylog-server/server.log`	View live logs
`sudo journalctl -u graylog-server -f`	View systemd journal logs
`sudo systemctl daemon-reload`	Reload systemd configuration

REST API - Authentication & Setup¶

Command	Description
`curl -X POST 'http://localhost:9000/api/system/sessions' -H 'Content-Type: application/json' -d '{"username":"admin","password":"pass","host":"localhost"}'`	Create session token
`curl -u admin:token http://localhost:9000/api/system`	Test API connection with token
`curl -u admin:token http://localhost:9000/api/system/cluster/nodes`	List cluster nodes
`curl -u admin:token http://localhost:9000/api/system/cluster/node`	Get current node info
`curl -u admin:token http://localhost:9000/api/system/indexer/cluster/health`	Check Elasticsearch health
`export GRAYLOG_API="http://localhost:9000/api"`	Set API endpoint variable
`export GRAYLOG_TOKEN="your-api-token"`	Set authentication token

REST API - Search Operations¶

Command	Description
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/search/universal/relative?query=*&range=3600&limit=100"`	Search all logs (last hour)
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/search/universal/relative?query=source:webserver&range=3600"`	Search by source field
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/search/universal/relative?query=level:error&range=86400"`	Search error logs (24h)
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/search/universal/absolute?query=*&from=2024-01-01T00:00:00.000Z&to=2024-01-02T00:00:00.000Z"`	Search with absolute time range
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/search/universal/relative?query=message:failed&range=3600&sort=timestamp:desc"`	Search with keyword and sort
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/search/universal/relative?query=http_status:500&range=7200"`	Search by HTTP status code
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/search/universal/relative?query=source:nginx%20AND%20level:error&range=3600"`	Boolean search query

REST API - Input Management¶

Command	Description
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/system/inputs"`	List all inputs
`curl -X POST -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/system/inputs" -H 'Content-Type: application/json' -d '{"title":"Syslog UDP","type":"org.graylog2.inputs.syslog.udp.SyslogUDPInput","global":true,"configuration":{"port":1514}}'`	Create Syslog UDP input
`curl -X DELETE -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/system/inputs/{inputId}"`	Delete input by ID
`curl -X PUT -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/system/inputs/{inputId}"`	Update input configuration
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/system/inputs/{inputId}"`	Get specific input details

REST API - Stream Management¶

Command	Description
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/streams"`	List all streams
`curl -X POST -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/streams" -H 'Content-Type: application/json' -d '{"title":"Security Logs","description":"Security events","rules":[]}'`	Create new stream
`curl -X DELETE -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/streams/{streamId}"`	Delete stream
`curl -X POST -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/streams/{streamId}/resume"`	Start/resume stream
`curl -X POST -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/streams/{streamId}/pause"`	Pause stream
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/streams/{streamId}/rules"`	List stream rules

REST API - Index Management¶

Command	Description
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/system/indices/index_sets"`	List index sets
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/system/indices/ranges"`	List index ranges
`curl -X POST -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/system/indices/ranges/rebuild"`	Rebuild index ranges
`curl -X POST -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/system/indices/{indexName}/reopen"`	Reopen closed index
`curl -X DELETE -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/system/indices/indices/{indexName}"`	Delete specific index
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/system/indexer/indices/closed"`	List closed indices

REST API - Alert & Notification Management¶

Command	Description
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/events/definitions"`	List event definitions
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/events/notifications"`	List notification configurations
`curl -X POST -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/events/definitions" -H 'Content-Type: application/json' -d @event_definition.json`	Create event definition
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/events/search"`	Search events
`curl -X DELETE -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/events/definitions/{definitionId}"`	Delete event definition

REST API - User & Role Management¶

Command	Description
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/users"`	List all users
`curl -X POST -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/users" -H 'Content-Type: application/json' -d '{"username":"newuser","password":"pass","email":"user@example.com","permissions":[],"roles":["Reader"]}'`	Create new user
`curl -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/roles"`	List all roles
`curl -X DELETE -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/users/{username}"`	Delete user
`curl -X PUT -u $GRAYLOG_TOKEN:token "$GRAYLOG_API/users/{username}/password" -H 'Content-Type: application/json' -d '{"password":"newpass"}'`	Change user password

Configuration Files¶

Main Server Configuration¶

Location: /etc/graylog/server/server.conf

# Core settings
is_leader = true
node_id_file = /etc/graylog/server/node-id
password_secret = <96-character-secret>
root_password_sha2 = <sha256-hash>

# Web interface
http_bind_address = 0.0.0.0:9000
http_publish_uri = http://graylog.example.com:9000/
http_external_uri = http://graylog.example.com:9000/

# Elasticsearch/OpenSearch
elasticsearch_hosts = http://127.0.0.1:9200
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete

# MongoDB
mongodb_uri = mongodb://localhost:27017/graylog

# Email configuration
transport_email_enabled = true
transport_email_hostname = smtp.example.com
transport_email_port = 587
transport_email_use_auth = true
transport_email_auth_username = graylog@example.com
transport_email_auth_password = password
transport_email_from_email = graylog@example.com

# Message processing
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking

# Message journal
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
message_journal_max_size = 5gb

JVM Options¶

Location: /etc/graylog/server/server.conf or JVM options file

# Heap size (set to 50% of available RAM, max 32GB)
-Xms4g
-Xmx4g

# Garbage collection
-XX:+UseG1GC
-XX:MaxGCPauseMillis=200
-XX:ParallelGCThreads=4
-XX:ConcGCThreads=2

# Memory settings
-XX:+AlwaysPreTouch
-XX:+UseStringDeduplication

Log4j Configuration¶

Location: /etc/graylog/server/log4j2.xml

<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j">
    <Appenders>
        <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log"
                     filePattern="/var/log/graylog-server/server.log.%i.gz">
            <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
            <Policies>
                <SizeBasedTriggeringPolicy size="50MB"/>
            </Policies>
            <DefaultRolloverStrategy max="10"/>
        </RollingFile>
    </Appenders>
    <Loggers>
        <Root level="info">
            <AppenderRef ref="rolling-file"/>
        </Root>
    </Loggers>
</Configuration>

Common Use Cases¶

Use Case 1: Setting Up Syslog Input for Linux Servers¶

# 1. Create Syslog UDP input via API
curl -X POST -u admin:token http://localhost:9000/api/system/inputs \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-By: cli' \
  -d '{
    "title": "Linux Syslog UDP",
    "type": "org.graylog2.inputs.syslog.udp.SyslogUDPInput",
    "global": true,
    "configuration": {
      "bind_address": "0.0.0.0",
      "port": 1514,
      "recv_buffer_size": 262144
    }
  }'

# 2. Configure rsyslog on client server
echo "*.* @graylog-server:1514;RSYSLOG_SyslogProtocol23Format" | \
  sudo tee /etc/rsyslog.d/90-graylog.conf

# 3. Restart rsyslog
sudo systemctl restart rsyslog

# 4. Test log forwarding
logger -p local0.info "Test message to Graylog"

# 5. Search for test message
curl -u admin:token \
  "http://localhost:9000/api/search/universal/relative?query=message:*Test*&range=300"

Use Case 2: Creating Security Event Stream with Alerts¶

# 1. Create security stream
STREAM_ID=$(curl -X POST -u admin:token http://localhost:9000/api/streams \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-By: cli' \
  -d '{
    "title": "Security Events",
    "description": "Failed logins and security violations",
    "remove_matches_from_default_stream": false,
    "index_set_id": "default"
  }' | jq -r '.stream_id')

# 2. Add stream rule for failed SSH logins
curl -X POST -u admin:token \
  "http://localhost:9000/api/streams/$STREAM_ID/rules" \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-By: cli' \
  -d '{
    "field": "message",
    "type": 1,
    "value": "Failed password",
    "inverted": false,
    "description": "SSH failed login attempts"
  }'

# 3. Start the stream
curl -X POST -u admin:token \
  "http://localhost:9000/api/streams/$STREAM_ID/resume" \
  -H 'X-Requested-By: cli'

# 4. Create email notification
curl -X POST -u admin:token http://localhost:9000/api/events/notifications \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-By: cli' \
  -d '{
    "title": "Security Alert Email",
    "description": "Email notification for security events",
    "config": {
      "type": "email-notification-v1",
      "recipients": ["security@example.com"],
      "subject": "Security Alert: ${event.message}",
      "body_template": "Event: ${event.message}\nTimestamp: ${event.timestamp}"
    }
  }'

Use Case 3: Application Log Analysis with Extractors¶

# 1. Create GELF TCP input for application logs
curl -X POST -u admin:token http://localhost:9000/api/system/inputs \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-By: cli' \
  -d '{
    "title": "Application GELF TCP",
    "type": "org.graylog2.inputs.gelf.tcp.GELFTCPInput",
    "global": true,
    "configuration": {
      "bind_address": "0.0.0.0",
      "port": 12201,
      "recv_buffer_size": 1048576
    }
  }'

# 2. Send test application log (using Python)
cat > send_log.py << 'EOF'
import logging
import graypy

logger = logging.getLogger('test_app')
logger.setLevel(logging.INFO)
handler = graypy.GELFTCPHandler('graylog-server', 12201)
logger.addHandler(handler)

logger.info('Application started', extra={
    'environment': 'production',
    'service': 'api',
    'version': '1.0.0'
})
EOF

python3 send_log.py

# 3. Create stream for application errors
curl -X POST -u admin:token http://localhost:9000/api/streams \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-By: cli' \
  -d '{
    "title": "Application Errors",
    "description": "Application error logs",
    "rules": [{
      "field": "level",
      "type": 1,
      "value": "3",
      "inverted": false
    }]
  }'

Use Case 4: Dashboard Creation and Export¶

# 1. List available dashboards
curl -u admin:token http://localhost:9000/api/dashboards

# 2. Create new dashboard
DASHBOARD_ID=$(curl -X POST -u admin:token http://localhost:9000/api/dashboards \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-By: cli' \
  -d '{
    "title": "System Overview",
    "description": "System metrics and logs"
  }' | jq -r '.dashboard_id')

# 3. Add widget to dashboard (message count)
curl -X POST -u admin:token \
  "http://localhost:9000/api/dashboards/$DASHBOARD_ID/widgets" \
  -H 'Content-Type: application/json' \
  -H 'X-Requested-By: cli' \
  -d '{
    "description": "Total Messages",
    "type": "SEARCH_RESULT_COUNT",
    "cache_time": 10,
    "config": {
      "timerange": {
        "type": "relative",
        "range": 3600
      },
      "query": "*",
      "stream_id": null
    }
  }'

# 4. Export dashboard configuration
curl -u admin:token \
  "http://localhost:9000/api/dashboards/$DASHBOARD_ID" \
  > dashboard_backup.json

Use Case 5: Index Management and Optimization¶

# 1. Check current index status
curl -u admin:token http://localhost:9000/api/system/indices/index_sets

# 2. Get index statistics
curl -u admin:token http://localhost:9000/api/system/indexer/indices/closed

# 3. Optimize old indices
curl -X POST -u admin:token \
  http://localhost:9000/api/system/indexer/indices/graylog_0/optimize \
  -H 'X-Requested-By: cli'

# 4. Close old indices manually
curl -X POST -u admin:token \
  http://localhost:9000/api/system/indexer/indices/graylog_0/close \
  -H 'X-Requested-By: cli'

# 5. Delete old indices (be careful!)
curl -X DELETE -u admin:token \
  http://localhost:9000/api/system/indexer/indices/indices/graylog_0 \
  -H 'X-Requested-By: cli'

# 6. Trigger index rotation
curl -X POST -u admin:token \
  http://localhost:9000/api/system/indices/index_sets/default/rotation \
  -H 'X-Requested-By: cli'

# 7. Rebuild index ranges (after maintenance)
curl -X POST -u admin:token \
  http://localhost:9000/api/system/indices/ranges/rebuild \
  -H 'X-Requested-By: cli'

Search Query Syntax¶

Query Type	Example	Description
Simple text	`error`	Search for "error" in any field
Field search	`source:webserver`	Search specific field
Phrase search	`"connection refused"`	Exact phrase match
Boolean AND	`error AND database`	Both terms must exist
Boolean OR	`error OR warning`	Either term exists
Boolean NOT	`error NOT timeout`	Exclude term
Wildcard	`err*`	Matches error, errors, etc.
Range (numeric)	`http_status:[400 TO 599]`	Numeric range
Range (date)	`timestamp:[2024-01-01 TO 2024-01-31]`	Date range
Exists	`_exists_:user_id`	Field exists
Regex	`message:/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/`	Regular expression
Grouping	`(error OR warning) AND source:app`	Grouped conditions
Greater than	`response_time:>1000`	Numeric comparison
Less than	`response_time:<100`	Numeric comparison

Pipeline Rules (Advanced Processing)¶

Common Pipeline Rule Examples¶

```javascript // Extract HTTP status code from message rule "extract_http_status" when has_field("message") then let pattern = "HTTP/\d\.\d\" (\d{3})"; let result = regex(pattern: pattern, value: to_string($message.message)); set_field("http_status", result["0"]);