How to retrieve log from graylog over API

How can I search logs from a graylog server with PHP?

Assume the graylog server is https://host.td/api/search/universal/absolute

Helvetia answered 7/5, 2020 at 13:46 Comment(5)
I had a similar problem and used Python to access the API. A simple script can be found here. – Rentroll
Here is another example using a shell script: dev.to/boly38/hourly-errors-from-graylog-to-slack-24ga – Baptlsta
For others who had some trouble like me: "from" and "to" fields are also required. This worked for me. Date format: yyyy-MM-ddTHH:mm:ss.SSSZ (e.g. 2014-01-23T15:34:49.000Z) or yyyy-MM-dd HH:mm:ss. However, in the Graylog API documentation it is under the section Legacy/Search/Absolute, which seems like it should be used? – Einkorn
If you use the universal/relative endpoint rather than universal/absolute, then you don't need to format dates. Instead of "from" and "to", use "range". A value of "3600" will show you entries for the last hour. – Frontlet
@Klaus, StackOverflow does not recommend both asking and answering the question in the body of the question. I moved your answer below in my response. Please feel free to copy the text of my answer and repost it as your own... just send me a comment if you do so... I will gladly delete my "answer" once you respond. – Kaitlynkaitlynn

This solution is implemented in PHP:

use Carbon\Carbon;      // nesbot/carbon, used to build the from/to bounds
use GuzzleHttp\Client;

$url = 'https://host.td/api/search/universal/absolute'
   . '?query=' . urlencode('field:value')                 // query which you would also perform on UI
   . '&from=' . urlencode(Carbon::createFromTimestamp(0)) // min timestamp so we get all logs
   . '&to=' . urlencode(Carbon::createFromTimestamp(NumberUtils::MAX_32_BIT_INT)) // max timestamp so we get all logs (NumberUtils is the author's own helper class)
   . '&limit=' . $this->limit                             // how many results do we want? ($this->limit is a property of the calling class)
   . '&fields=' . urlencode('field1,field2,field3')       // which fields do we want?
   . '&filter=' . urlencode('streams:<stream_id>')        // OPTIONAL: only search in this stream
   . '&sort=' . urlencode('field:desc')                   // sort result
   . '&decorate=false';                                   // decorate parameter

$res = (new Client())->get($url, [
    // generate a token on graylog UI;
    // we use basic auth, username=the token; password: hard coded string 'token'
    'auth'    => ['<token_value>', 'token'],
    'headers' => ['Accept' => 'application/json'],        // we want a json result
]);

$json = \GuzzleHttp\json_decode($res->getBody());         // Guzzle 6/7 helper; throws on invalid JSON

If you want to sort by a timestamp you provided, don't call it timestamp since in this case graylog's timestamp is used, not yours. I ended up using a prefix on every field I am storing.

Kaitlynkaitlynn answered 13/10, 2022 at 22:20 Comment(0)
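A second way to run the same search from PHP, added here and not part of the answer above: it uses the universal/relative endpoint the comments mention (so no date formatting), lets Guzzle build and encode the query string, and reads the token from an environment variable (GRAYLOG_TOKEN is an assumed name) instead of embedding it in the source. It assumes guzzlehttp/guzzle is installed via Composer and https://host.td/api/ is the host from the question; the endpoint sits under Legacy in the API docs, so check it exists on your Graylog version.

```php
<?php
// Added example (not the answer's code): query the legacy relative search
// endpoint, taking the token from the environment instead of the source.
require 'vendor/autoload.php'; // assumes guzzlehttp/guzzle via Composer
use GuzzleHttp\Client;

// Return the message objects for the last $rangeSeconds seconds matching $query.
function graylogSearch(Client $client, string $query, int $rangeSeconds,
                       array $fields = [], ?string $streamId = null,
                       int $limit = 100, string $sort = 'timestamp:desc'): array
{
    $params = [
        'query'    => $query,        // same syntax as the UI search box
        'range'    => $rangeSeconds, // seconds back from now; no date formatting needed
        'limit'    => $limit,
        'sort'     => $sort,         // 'timestamp' here is Graylog's own field
        'decorate' => 'false',
    ];
    if ($fields !== []) {
        $params['fields'] = implode(',', $fields);
    }
    if ($streamId !== null) {
        $params['filter'] = 'streams:' . $streamId; // restrict to one stream
    }
    // Guzzle URL-encodes each value; with http_errors on (the default)
    // a 401 from a bad token throws instead of yielding an empty list.
    $res = $client->get('search/universal/relative', [
        'query'   => $params,
        'headers' => ['Accept' => 'application/json'],
    ]);
    $body = json_decode((string) $res->getBody(), true, 512, JSON_THROW_ON_ERROR);
    // Each hit is ['message' => [...fields...], 'index' => '<index name>'].
    return array_map(fn (array $hit) => $hit['message'], $body['messages'] ?? []);
}

$token = getenv('GRAYLOG_TOKEN'); // access token created in the Graylog UI (assumed variable name)
if ($token === false || $token === '') {
    fwrite(STDERR, "GRAYLOG_TOKEN is not set\n");
    exit(1);
}
$client = new Client([
    'base_uri' => 'https://host.td/api/',  // trailing slash keeps the /api prefix
    'auth'     => [$token, 'token'],       // basic auth: username = token, password = 'token'
    'verify'   => true,                    // keep TLS verification on; the token is a credential
    'timeout'  => 10,
]);
foreach (graylogSearch($client, 'field:value', 3600, ['timestamp', 'source', 'message']) as $m) {
    printf("%s %s %s\n", $m['timestamp'] ?? '', $m['source'] ?? '', $m['message'] ?? '');
}
```

Sorting by 'timestamp' uses Graylog's own field, which is why the answer suggests prefixing any timestamp field you store yourself.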

© 2022 - 2024 — McMap. All rights reserved.