Last active
January 9, 2023 12:57
-
-
Save mariussturm/0b885812500d91df8c3a to your computer and use it in GitHub Desktop.
Graylog2 create inputs/streams/alerts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| sleep 3 | |
| IP_ADDRESS=$(hostname -I | cut -f1 -d' ') | |
| GRAYLOG2_URL="http://admin:admin@${IP_ADDRESS}:12900" | |
| GRAYLOG2_INPUT_GELF_TCP=' | |
| { | |
| "global": "true", | |
| "title": "Gelf TCP", | |
| "configuration": { | |
| "port": 12201, | |
| "bind_address": "0.0.0.0" | |
| }, | |
| "creator_user_id": "admin", | |
| "type": "org.graylog2.inputs.gelf.tcp.GELFTCPInput" | |
| }' | |
| GRAYLOG2_INPUT_GELF_UDP=' | |
| { | |
| "global": "true", | |
| "title": "Gelf UDP", | |
| "configuration": { | |
| "port": 12201, | |
| "bind_address": "0.0.0.0" | |
| }, | |
| "creator_user_id": "admin", | |
| "type": "org.graylog2.inputs.gelf.udp.GELFUDPInput" | |
| }' | |
| GRAYLOG2_STREAM_CATCH_ALL=' | |
| { | |
| "title": "Catch all", | |
| "description": "All messages", | |
| "creator_user_id": "admin", | |
| "rules": [{ | |
| "field": "message", | |
| "value": ".*", | |
| "type": 2, | |
| "inverted": false}] | |
| }' | |
| GRAYLOG2_STREAM_ALERT=' | |
| { | |
| "parameters": { | |
| "grace": 10, | |
| "time": 5, | |
| "backlog": 0, | |
| "threshold_type": "more", | |
| "threshold": 3 | |
| }, | |
| "creator_user_id": "admin", | |
| "type": "message_count" | |
| }' | |
| INPUTS=$(curl -X GET -H "Content-Type: application/json" ${GRAYLOG2_URL}/system/inputs 2>/dev/null) | |
| STREAMS=$(curl -X GET -H "Content-Type: application/json" ${GRAYLOG2_URL}/streams 2>/dev/null) | |
| if [ $(echo $INPUTS | grep -c "GELF TCP") != "1" ]; then | |
| curl -s -X POST -H "Content-Type: application/json" -d "${GRAYLOG2_INPUT_GELF_TCP}" ${GRAYLOG2_URL}/system/inputs > /dev/null | |
| fi | |
| if [ $(echo $INPUTS | grep -c "GELF UDP") != "1" ]; then | |
| curl -s -X POST -H "Content-Type: application/json" -d "${GRAYLOG2_INPUT_GELF_UDP}" ${GRAYLOG2_URL}/system/inputs > /dev/null | |
| fi | |
| if [ $(echo $STREAMS| grep -c "Catch all") != "1" ]; then | |
| curl -s -X POST -H "Content-Type: application/json" -d "${GRAYLOG2_STREAM_CATCH_ALL}" ${GRAYLOG2_URL}/streams > /dev/null | |
| STREAMID=$(curl -s -X GET -H "Content-Type: application/json" ${GRAYLOG2_URL}/streams | ruby -rjson -e 'api=JSON.parse(STDIN.read);api["streams"].each{|stream| puts stream["id"] if stream["title"] == "Catch all"}') | |
| curl -s -X POST -H "Content-Type: application/json" ${GRAYLOG2_URL}/streams/${STREAMID}/resume > /dev/null | |
| curl -s -X POST -H "Content-Type: application/json" -d "${GRAYLOG2_STREAM_ALERT}" ${GRAYLOG2_URL}/streams/${STREAMID}/alerts/conditions > /dev/null | |
| fi | |
| exit 0 |
You should define title, type, global, configuration, node in your JSON
In Graylog, can I replace:
"Content-Type: application/json" --> "Content-Type: application/x-yaml" or any other type ?
curl -s -X POST -H "Content-Type: application/json" -d "${GRAYLOG2_STREAM_CATCH_ALL}" ${GRAYLOG2_URL}/streams > /dev/null
Is it running in graylog version 3.0 ? I get it:
< HTTP/1.1 400 Bad Request
This is not happened in older version (2.5.4)
I don't understand why but I could solve it like that:
curl -s -X POST ${GRAYLOG2_URL}/streams -H "Content-Type: application/json" -H "X-Requested-By: cli" -d "${GRAYLOG2_STREAM_CATCH_ALL}" > /dev/null
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks! That works with Graylog 2.0.0. I tested only
GRAYLOG2_INPUT_GELF_UDP, but I had to remove the line:because otherwise I got the following error: