doc/Extensions/Graylog.md

# Graylog integration

We have simple integration for Graylog, you will be able to view any
logs from within LibreNMS that have been parsed by the syslog input
from within Graylog itself. This includes logs from devices which
aren't in LibreNMS still, you can also see logs for a specific device
under the logs section for the device.

Currently, LibreNMS does not associate shortnames from Graylog with
full FQDNS. If you have your devices in LibreNMS using full FQDNs,
such as hostname.example.com, be aware that rsyslogd, by default,
sends the shortname only. To fix this, add

`$PreserveFQDN on`

to your rsyslog config to send the full FQDN so device logs will be
associated correctly in LibreNMS. Also see near the bottom of this
document for tips on how to enable/suppress the domain part of
hostnames in syslog-messages for some platforms.

Graylog itself isn't included within LibreNMS, you will need to
install this separately either on the same infrastructure as LibreNMS
or as a totally standalone appliance.

Config is simple, here's an example based on Graylog 2.4:

!!! setting "external/graylog"
    ```bash
    lnms config:set graylog.server 'http://127.0.0.1'
    lnms config:set graylog.port 9000
    lnms config:set graylog.username admin
    lnms config:set graylog.password 'admin'
    lnms config:set graylog.version 2.4
    ```

## Timezone
Graylog messages are stored using GMT timezone. You can display
graylog messages in LibreNMS webui using your desired timezone by
setting the following option using `lnms config:set`:

!!! setting "external/graylog"
    ```bash
    lnms config:set graylog.timezone 'Europe/Bucharest'
    ```

Timezone must be PHP supported timezones, available at:
<https://php.net/manual/en/timezones.php>

## Graylog Version
If you are running a version earlier than Graylog then please set

!!! setting "external/graylog"
    ```bash
    lnms config:set graylog.version 2.1
    ```

to the version  number of your Graylog
install. Earlier versions than 2.1 use the default port `12900`

## URI
If you have altered the default uri for your Graylog setup then you
can override the default of `/api/` using

!!! setting "external/graylog"
    ```bash
    lnms config:set graylog.base_uri '/somepath/'
    ```

## User Credentials
If you choose to use another user besides the admin user, please note
that currently you must give the user "admin" permissions from within
Graylog, "read" permissions alone are not sufficient.

## TLS Certificate
If you have enabled TLS for the Graylog API and you are using a
self-signed certificate, please make sure that the certificate is
trusted by your LibreNMS host, otherwise the connection will
fail. Additionally, the certificate's Common Name (CN) has to match
the FQDN or IP address specified in

!!! setting "external/graylog"
    ```bash
    lnms config:set graylog.server example.com
    ```

## Match Any Address
If you want to match the source address of the log entries against any
IP address of a device instead of only against the primary address and
the host name to assign the log entries to a device, you can activate
this function using

```bash
lnms config:set graylog.match-any-address true
```

## Recent Devices
There are 2 configuration parameters to influence the behaviour of the
"Recent Graylog" table on the overview page of the
devices.

!!! setting "external/graylog"
    ```bash
    lnms config:set graylog.device-page.rowCount 10
    ```

Sets the maximum number of rows to be displayed (default: 10)

!!! setting "external/graylog"
    ```bash
    lnms config:set graylog.device-page.loglevel 7
    ```

You can set which loglevels that should be displayed on the overview page. (default: 7, min:
0, max: 7)

!!! setting "external/graylog"
    ```bash
    lnms config:set graylog.device-page.loglevel 4
    ```

Shows only entries with a log level less than or equal to 4 (Emergency,
Alert, Critical, Error, Warning).

You can set a default Log Level Filter with
```bash
lnms config:set graylog.loglevel 7
```
 (applies to  /graylog and /device/device=/tab=logs/section=graylog/ (min: 0, max: 7)

## Domain and hostname handling

Suppressing/enabling the domain part of a hostname for specific platforms

You should see if what you get in syslog/Graylog matches up with your
configured hosts first. If you need to modify the syslog messages from
specific platforms, this may be of assistance:

### IOS (Cisco)

```
router(config)# logging origin-id hostname
```

or

```
router(config)# logging origin-id string
```

### JunOS (Juniper Networks)

```
set system syslog host yourlogserver.corp log-prefix YOUR_PREFERRED_STRING
```

### PanOS (Palo Alto Networks)

```
set deviceconfig setting management hostname-type-in-syslog hostname
```

or

```
set deviceconfig setting management hostname-type-in-syslog FQDN
```
Added docs on using Grallog integration 2015-08-11 09:44:35 -07:00			`# Graylog integration`

more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`We have simple integration for Graylog, you will be able to view any`
			`logs from within LibreNMS that have been parsed by the syslog input`
			`from within Graylog itself. This includes logs from devices which`
			`aren't in LibreNMS still, you can also see logs for a specific device`
			`under the logs section for the device.`
Added docs on using Grallog integration 2015-08-11 09:44:35 -07:00
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`Currently, LibreNMS does not associate shortnames from Graylog with`
			`full FQDNS. If you have your devices in LibreNMS using full FQDNs,`
			`such as hostname.example.com, be aware that rsyslogd, by default,`
			`sends the shortname only. To fix this, add`
docs: Update Graylog.md (#4717 ) 2016-10-05 01:09:46 -07:00
			`$PreserveFQDN on`

more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`to your rsyslog config to send the full FQDN so device logs will be`
			`associated correctly in LibreNMS. Also see near the bottom of this`
			`document for tips on how to enable/suppress the domain part of`
			`hostnames in syslog-messages for some platforms.`
docs: Update Graylog.md (#4717 ) 2016-10-05 01:09:46 -07:00
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`Graylog itself isn't included within LibreNMS, you will need to`
			`install this separately either on the same infrastructure as LibreNMS`
			`or as a totally standalone appliance.`
Added docs on using Grallog integration 2015-08-11 09:44:35 -07:00
docs: Updated Graylog.md for 2.4 version (#8517 ) 2018-04-09 21:51:28 +02:00			`Config is simple, here's an example based on Graylog 2.4:`
Added docs on using Grallog integration 2015-08-11 09:44:35 -07:00
Updated WebUI config options in docs to support direct linking to installs (#15009 ) 2023-05-11 01:05:12 +01:00			`!!! setting "external/graylog"`
			```bash
			`lnms config:set graylog.server 'http://127.0.0.1'`
			`lnms config:set graylog.port 9000`
			`lnms config:set graylog.username admin`
			`lnms config:set graylog.password 'admin'`
			`lnms config:set graylog.version 2.4`
Update Graylog.md (#15146 ) 2023-07-16 04:56:31 +09:30			```
fix: Added support for Graylog 2.1 API change (#4411 ) 2016-09-14 04:23:52 +01:00
Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00			`## Timezone`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`Graylog messages are stored using GMT timezone. You can display`
			`graylog messages in LibreNMS webui using your desired timezone by`
Updated WebUI config options in docs to support direct linking to installs (#15009 ) 2023-05-11 01:05:12 +01:00			setting the following option using `lnms config:set`:
webui: Timezone support for graylog (#7799 ) 2017-12-04 09:56:13 +02:00
Updated WebUI config options in docs to support direct linking to installs (#15009 ) 2023-05-11 01:05:12 +01:00			`!!! setting "external/graylog"`
			```bash
			`lnms config:set graylog.timezone 'Europe/Bucharest'`
			```
webui: Timezone support for graylog (#7799 ) 2017-12-04 09:56:13 +02:00
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`Timezone must be PHP supported timezones, available at:`
Swich links to https (#12511 ) 2021-02-09 00:29:04 +01:00			`<https://php.net/manual/en/timezones.php>`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00
Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00			`## Graylog Version`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`If you are running a version earlier than Graylog then please set`
Updated WebUI config options in docs to support direct linking to installs (#15009 ) 2023-05-11 01:05:12 +01:00
			`!!! setting "external/graylog"`
			```bash
			`lnms config:set graylog.version 2.1`
			```

Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00			`to the version number of your Graylog`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			install. Earlier versions than 2.1 use the default port `12900`

Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00			`## URI`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`If you have altered the default uri for your Graylog setup then you`
Improve Markdown syntax in Document (#12949 ) 2021-06-17 03:16:21 +08:00			can override the default of `/api/` using
Updated WebUI config options in docs to support direct linking to installs (#15009 ) 2023-05-11 01:05:12 +01:00
			`!!! setting "external/graylog"`
			```bash
			`lnms config:set graylog.base_uri '/somepath/'`
			```
fix: Added support for Graylog 2.1 API change (#4411 ) 2016-09-14 04:23:52 +01:00
Improve Markdown syntax in Document (#12949 ) 2021-06-17 03:16:21 +08:00			`## User Credentials`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`If you choose to use another user besides the admin user, please note`
			`that currently you must give the user "admin" permissions from within`
			`Graylog, "read" permissions alone are not sufficient.`
docs: Update Graylog.md (#4717 ) 2016-10-05 01:09:46 -07:00
Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00			`## TLS Certificate`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`If you have enabled TLS for the Graylog API and you are using a`
			`self-signed certificate, please make sure that the certificate is`
			`trusted by your LibreNMS host, otherwise the connection will`
			`fail. Additionally, the certificate's Common Name (CN) has to match`
Improve Markdown syntax in Document (#12949 ) 2021-06-17 03:16:21 +08:00			`the FQDN or IP address specified in`
Updated WebUI config options in docs to support direct linking to installs (#15009 ) 2023-05-11 01:05:12 +01:00
			`!!! setting "external/graylog"`
			```bash
			`lnms config:set graylog.server example.com`
Update Graylog.md (#15146 ) 2023-07-16 04:56:31 +09:30			```
docs: Update Graylog.md (#4717 ) 2016-10-05 01:09:46 -07:00
Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00			`## Match Any Address`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`If you want to match the source address of the log entries against any`
			`IP address of a device instead of only against the primary address and`
			`the host name to assign the log entries to a device, you can activate`
Improve Markdown syntax in Document (#12949 ) 2021-06-17 03:16:21 +08:00			`this function using`
docs: Added info about client config options for suppressing/enabling FQDN info in syslogmsgs (#8396 ) 2018-03-15 22:46:50 +01:00
Updated WebUI config options in docs to support direct linking to installs (#15009 ) 2023-05-11 01:05:12 +01:00			```bash
			`lnms config:set graylog.match-any-address true`
Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00			```

			`## Recent Devices`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`There are 2 configuration parameters to influence the behaviour of the`
			`"Recent Graylog" table on the overview page of the`
Improve Markdown syntax in Document (#12949 ) 2021-06-17 03:16:21 +08:00			`devices.`
Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00
Updated WebUI config options in docs to support direct linking to installs (#15009 ) 2023-05-11 01:05:12 +01:00			`!!! setting "external/graylog"`
			```bash
			`lnms config:set graylog.device-page.rowCount 10`
			```
Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00
Improve Markdown syntax in Document (#12949 ) 2021-06-17 03:16:21 +08:00			`Sets the maximum number of rows to be displayed (default: 10)`
Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00
Updated WebUI config options in docs to support direct linking to installs (#15009 ) 2023-05-11 01:05:12 +01:00			`!!! setting "external/graylog"`
			```bash
			`lnms config:set graylog.device-page.loglevel 7`
			```
Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00
			`You can set which loglevels that should be displayed on the overview page. (default: 7, min:`
Improve Markdown syntax in Document (#12949 ) 2021-06-17 03:16:21 +08:00			`0, max: 7)`
Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00
Updated WebUI config options in docs to support direct linking to installs (#15009 ) 2023-05-11 01:05:12 +01:00			`!!! setting "external/graylog"`
			```bash
			`lnms config:set graylog.device-page.loglevel 4`
			```

Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00			`Shows only entries with a log level less than or equal to 4 (Emergency,`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`Alert, Critical, Error, Warning).`
Graylog entry matching device if source is not hostname or primary ip (#10458 ) 2019-07-26 22:13:35 +02:00
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`You can set a default Log Level Filter with`
Updated WebUI config options in docs to support direct linking to installs (#15009 ) 2023-05-11 01:05:12 +01:00			```bash
			`lnms config:set graylog.loglevel 7`
Update Documentation (#12411 ) 2020-12-30 09:38:14 -05:00			```
			`(applies to /graylog and /device/device=/tab=logs/section=graylog/ (min: 0, max: 7)`
Added Graylog to device overview and log level filter mechanism (#10509 ) 2019-08-27 19:44:27 +02:00
Documentation cleanup of Basic Setup, Advanced Setup, 3rd Party Integration sections (#13018 ) 2021-07-10 03:34:01 +08:00			`## Domain and hostname handling`

			`Suppressing/enabling the domain part of a hostname for specific platforms`
Added Graylog to device overview and log level filter mechanism (#10509 ) 2019-08-27 19:44:27 +02:00
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00			`You should see if what you get in syslog/Graylog matches up with your`
			`configured hosts first. If you need to modify the syslog messages from`
			`specific platforms, this may be of assistance:`

Documentation cleanup of Basic Setup, Advanced Setup, 3rd Party Integration sections (#13018 ) 2021-07-10 03:34:01 +08:00			`### IOS (Cisco)`
docs: Added info about client config options for suppressing/enabling FQDN info in syslogmsgs (#8396 ) 2018-03-15 22:46:50 +01:00
			```
			`router(config)# logging origin-id hostname`
			```
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00
docs: Added info about client config options for suppressing/enabling FQDN info in syslogmsgs (#8396 ) 2018-03-15 22:46:50 +01:00			`or`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00
docs: Added info about client config options for suppressing/enabling FQDN info in syslogmsgs (#8396 ) 2018-03-15 22:46:50 +01:00			```
			`router(config)# logging origin-id string`
			```

Documentation cleanup of Basic Setup, Advanced Setup, 3rd Party Integration sections (#13018 ) 2021-07-10 03:34:01 +08:00			`### JunOS (Juniper Networks)`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00
docs: Added info about client config options for suppressing/enabling FQDN info in syslogmsgs (#8396 ) 2018-03-15 22:46:50 +01:00			```
			`set system syslog host yourlogserver.corp log-prefix YOUR_PREFERRED_STRING`
			```

Documentation cleanup of Basic Setup, Advanced Setup, 3rd Party Integration sections (#13018 ) 2021-07-10 03:34:01 +08:00			`### PanOS (Palo Alto Networks)`
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00
docs: Added info about client config options for suppressing/enabling FQDN info in syslogmsgs (#8396 ) 2018-03-15 22:46:50 +01:00			```
			`set deviceconfig setting management hostname-type-in-syslog hostname`
			```
more documentation clean up (#10577 ) 2019-09-09 05:48:35 -05:00
docs: Added info about client config options for suppressing/enabling FQDN info in syslogmsgs (#8396 ) 2018-03-15 22:46:50 +01:00			`or`

			```
			`set deviceconfig setting management hostname-type-in-syslog FQDN`
			```