Graylog GELF
Send a GELF message per match so Graylog can index alert metadata alongside application logs. Use gelf with your Graylog input host, port, and optional TLS. Add gelf under alert: on your rule (you can combine destinations).
Use Options for key-by-key reference, then Full working example for copy-paste YAML you can tailor to your stack.
Options
Keys below match the ElastAlert 2 alerter. Shared rule fields such as alert_subject apply as described in Subject & body. Example fragments from the ElastAlert 2 reference appear indented under the option they illustrate (add your own name, type, index, and filter to make a full rule).
Required
gelf_type— Type of your Graylog GELF Input. How available 'http' or 'tcp'. And in case of HTTP:
Example usage
alert:
- gelf
gelf_type: http
gelf_endpoint: http://example.com:12201/gelf
gelf_payload:
username: user
src_ip: source_ip-
gelf_endpoint— URL of your GELF HTTP input, for examplehttp://example.com/gelf(only used ifgelf_typeishttp). -
gelf_host— Graylog server address where Input launched. (Only used if gelf_type=tcp) -
gelf_port— Port, specified for Input. (Only used if gelf_type=tcp) -
gelf_payload— Main message body. Working as key-value, where the key is your custom name and value - data from elasticsearch message. Name of alert will write to beginning of the message.
Optional
-
gelf_log_level— Standard syslog severity levels. By default set 5 (Notice) -
gelf_http_headers— Additional headers. (Only used if gelf_type=http) -
gelf_ca_cert— Path to custom CA certificate. -
gelf_http_ignore_ssl_errors— Ignore ssl error. (Only used if gelf_type=http) -
gelf_timeout— Custom timeout.
Full working example
name: Example alert for Graylog GELF
type: any
index: "*-*"
filter:
- query:
query_string:
query: "level:error OR log.level:error"
alert:
- "gelf"
gelf_type: http
gelf_endpoint: "https://graylog.example/gelf"
gelf_payload:
message: message
host: host.name