This is a temporary workaround required to push alerts from Graylog API Security 3.6.86 to Graylog 6.0.
Graylog API Security pushes alerts as JSON-encoded messages using HTTP POST requests. Graylog has a GELF HTTP input that can be configured as a webhook to receive JSON-encoded messages in HTTP POST requests. Even though the accepted payload content type is JSON, messages have to conform to the Graylog Extended Log Format (GELF) specification in order to be parseable by the GELF HTTP input. This requires adding the mandatory GELF fields (`version`, `host` and `short_message`) and renaming custom fields by prefixing them with an underscore (`_`); `_id` is reserved by GELF and cannot be used as an additional field name.
In addition, Graylog API Security 3.6.86 has no way to detect that Graylog has been set as a webhook destination, so it cannot switch to the GELF dialect on its own.
Both destination detection and GELF dialect translation are planned for a future release of Graylog API Security.
For now, the resurfaceio/gelfhook container has to be run as a sidecar to Graylog API Security to proxy alert messages and ensure proper message translation.
Graylog API Security ---(generic JSON alert message)---> gelfhook [listening on port 3123] ---(translated GELF alert message)---> Graylog GELF HTTP input [listening on port 12201]
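The translation the sidecar performs, as an added Python example. This is illustrative code, not the resurfaceio/gelfhook implementation: the alert field names in `SAMPLE_ALERT` are a constructed payload rather than a documented Graylog API Security schema, the `graylog` service name on the compose network and the severity-to-syslog-level mapping are assumptions, and the listener port 3123 and GELF input port 12201 are the ones used in this README.

```python
"""Added example (not the resurfaceio/gelfhook implementation): translate a
generic JSON alert into a GELF 1.1 message and forward it to a GELF HTTP input.

Assumptions: the Graylog service is reachable as http://graylog:12201/gelf on
the compose network, and SAMPLE_ALERT is a constructed payload, not a documented
Graylog API Security alert schema.
"""
import json
import socket
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

GELF_VERSION = "1.1"
# Fields GELF 1.1 defines at top level; anything else must be '_'-prefixed.
GELF_STANDARD = {"version", "host", "short_message", "full_message",
                 "timestamp", "level", "facility", "line", "file"}
# Assumed severity -> syslog level mapping; adjust to the alert source.
SEVERITY_LEVEL = {"critical": 2, "high": 3, "medium": 4, "low": 6}

SAMPLE_ALERT = {  # constructed sample alert, not a real payload
    "id": "a1b2c3",
    "title": "Rate limit exceeded",
    "detail": "42 requests in 10s from 203.0.113.7",
    "severity": "high",
    "blocked": True,
    "request": {"method": "POST", "path": "/login"},
    "tags": ["auth", "abuse"],
}


def flatten(obj, prefix=""):
    """Flatten nested dicts and lists into dotted keys with scalar values,
    since GELF additional fields may only be strings or numbers."""
    out = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{index}."))
    else:
        if isinstance(obj, bool):      # GELF has no boolean type
            obj = str(obj).lower()
        elif obj is None:
            obj = ""
        out[prefix.rstrip(".")] = obj
    return out


def to_gelf(alert, host):
    """Build a GELF message: mandatory version/host/short_message, then every
    alert field as an underscore-prefixed additional field."""
    if not isinstance(alert, dict):   # tolerate a bare list or scalar body
        alert = {"payload": alert}
    msg = {
        "version": GELF_VERSION,
        "host": host,
        "short_message": str(alert.get("title") or alert.get("message")
                             or "API Security alert"),
        "timestamp": time.time(),
    }
    if "detail" in alert:
        msg["full_message"] = str(alert["detail"])
    level = SEVERITY_LEVEL.get(str(alert.get("severity", "")).lower())
    if level is not None:
        msg["level"] = level
    for key, value in flatten(alert).items():
        name = key.replace(".", "_")  # keep field names to word characters
        if name == "id":              # "_id" is reserved by GELF
            name = "alert_id"
        msg[f"_{name}"] = value
    return msg


class GelfHook(BaseHTTPRequestHandler):
    """Webhook endpoint: accept the generic alert POST, forward GELF to Graylog."""
    gelf_url = "http://graylog:12201/gelf"  # assumed service name and input port

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            alert = json.loads(self.rfile.read(length) or b"{}")
        except ValueError:
            self.send_response(400)
            self.end_headers()
            return
        body = json.dumps(to_gelf(alert, socket.gethostname())).encode()
        req = urllib.request.Request(self.gelf_url, data=body,
                                     headers={"Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                self.send_response(resp.status)
        except (urllib.error.URLError, OSError):
            self.send_response(502)   # Graylog unreachable or rejected the message
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 3123), GelfHook).serve_forever()
```

Run it beside Graylog API Security and point the "Default alerting webhook" at it on port 3123. The three things that make the GELF input accept the message are visible in `to_gelf`: the mandatory `version`, `host` and `short_message` fields, the `_` prefix on every custom field, and the rename of the reserved `_id`; nested objects and lists are flattened because GELF additional fields must be scalars.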
- Set up Graylog.
  - Get your Graylog instance up and running.
  - Configure a new GELF HTTP input with the default configuration:
    - Bind address: `0.0.0.0`
    - Port: `12201`
    - Enable TLS: False
    - TCP keepalive: False
    - Enable Bulk Receiving: False
    - Enable CORS: True
  - With TLS disabled and the input bound on all interfaces, make sure port 12201 is reachable only from the gelfhook container (for example, over the compose network) and is not published to untrusted networks.
- Set up Graylog API Security.
  - Use any of the compose files in this repo to run both Graylog API Security and the temporary proxy service that translates alerts into the GELF dialect.
  - Import a dataset with recent records using the Graylog API Security `:7701/` endpoint.
  - Configure alerting on Graylog API Security:
    - Go to the Settings tab.
    - Enter `localhost` and `7700` in the "Network routing to Resurface" section.
    - Enter `http://gelfhook:3123/` in the "Default alerting webhook" section.
- Wait 1-2 minutes.
- Go back to Graylog and see your new Graylog API Security alerts!