This is a short and simple tutorial that shows how to log to Graylog and how to receive its alerts on an HTTP server with a little help from Flask.

Graylog is an open source log management tool that consists of a MongoDB database (for storing metadata) and Elasticsearch, which stores all your log messages and provides the search functionality.

Graylog uses its own format, GELF (Graylog Extended Log Format). We're not going to look into the inner workings of the format here; what matters is that a log message can be sent to the server over UDP or TCP. We're going to use UDP.

To start, we need to download an image of Graylog and run it locally as a VM. The latest version is 2.4.4.

After starting the virtual machine, we can open the web UI in a browser at http://vm-ip:9000. The VM IP can be found by running ifconfig in the VM's terminal; it's listed under the eth0 interface.

In the browser, the following page will appear. We log in with admin/admin.

Graylog login screen

Let’s now write some Python!

```python
import logging
import time

import graypy

my_logger = logging.getLogger('test_logger')
my_logger.setLevel(logging.DEBUG)

# GELF over UDP to the Graylog VM on the default GELF port.
# In graypy >= 1.0 this class is called GELFUDPHandler.
handler = graypy.GELFHandler('192.168.0.25', 12201)
my_logger.addHandler(handler)

# Emit one message per second, forever.
while True:
    my_logger.debug('Danger, Will Robinson, Danger!')
    time.sleep(1)
```

This code first creates a classic logger we all know (and love?) and sets its level to DEBUG. Next, using a library called graypy, we create a GELF handler pointing at the IP of the virtual machine and port 12201, and add it as a handler to the logger we created earlier. We are now ready to log!

In an infinite loop, we log one message every second.
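As an added example (not the post's code), here is what graypy puts on the wire for that `my_logger.debug(...)` call, built by hand with nothing but the standard library. It shows why the Graylog fields we will search and alert on later (`source`, `full_message`, `level`) are whatever the sender says they are: GELF over UDP carries no authentication, so any host that can reach port 12201 on the VM can submit messages with any `source` value, and a stream rule on `source` only filters, it does not authenticate. If that matters in your environment, use a GELF TCP input with TLS (and client certificates) instead. The host name `sebo-lap` and the VM address `192.168.0.25` are taken from the post; the `_app` extra field is my own addition.

```python
"""Build and decode a GELF 1.1 datagram by hand (added example)."""
import gzip
import json
import logging
import socket
import time

# GELF levels are syslog severities, not Python logging levels.
SYSLOG_LEVEL = {
    logging.CRITICAL: 2,
    logging.ERROR: 3,
    logging.WARNING: 4,
    logging.INFO: 6,
    logging.DEBUG: 7,
}


def build_gelf(host, message, level=logging.DEBUG, extra=None, timestamp=None):
    """Return a gzip-compressed GELF 1.1 datagram.

    `host` becomes the `source` field in Graylog. Extra fields must be
    prefixed with an underscore; `_id` is reserved and rejected by Graylog.
    """
    record = {
        "version": "1.1",
        "host": host,
        "short_message": message.splitlines()[0] if message else "",
        "full_message": message,
        "timestamp": time.time() if timestamp is None else timestamp,
        "level": SYSLOG_LEVEL.get(level, 1),
    }
    for key, value in (extra or {}).items():
        if key == "id":
            raise ValueError("'_id' is reserved in GELF")
        record["_" + key] = value
    # graypy gzips by default; the Graylog UDP input recognises the
    # compression from the first two bytes (0x1f 0x8b for gzip).
    return gzip.compress(json.dumps(record).encode("utf-8"))


def decode_gelf(datagram):
    """Inverse of build_gelf: roughly what the Graylog input does."""
    if datagram[:2] == b"\x1f\x8b":
        datagram = gzip.decompress(datagram)
    record = json.loads(datagram.decode("utf-8"))
    for required in ("version", "host", "short_message"):
        if required not in record:
            raise ValueError("missing required GELF field: " + required)
    return record


def send_gelf(datagram, server, port=12201):
    """Fire-and-forget over UDP, like graypy's handler does.

    Datagrams over 8192 bytes need GELF chunking (not shown here). UDP
    gives neither delivery guarantees nor any proof of who sent the message.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram, (server, port))


if __name__ == "__main__":
    # 192.168.0.25 is the VM address used in the post; change it to yours.
    dgram = build_gelf("sebo-lap", "Danger, Will Robinson, Danger!",
                       extra={"app": "tutorial"})
    print(decode_gelf(dgram))
    send_gelf(dgram, "192.168.0.25")
```

Run it alongside the graypy program and the two messages look identical in the Graylog search view, which is the point: nothing in the message ties it to the machine that actually sent it.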

Let's run the program and open the browser. In the upper left corner, we have to press play to start showing the messages in real time. This should appear:

Receiving log messages

A lot of other messages will probably appear, but there is a powerful search bar spanning the top of the screen. We can type source:sebo-lap and only the messages from sebo-lap (that's the name of my computer) will be shown.

Let’s create a new stream so we can create an alert on it.

In the top menu, click on Streams and create a new stream. Give it a name and a description. Next, click on Manage rules and then on Add stream rule. In the Field input, write full_message, and in the Value input, Danger, Will Robinson, Danger!.

Save your changes, then in the list of streams click Start stream on the left and open the stream. You should see log messages arriving every second.

Messages in a stream

Now, let’s add an alert!

Click on Alerts in the top menu; on the left you'll see a button Manage conditions. This lets us add a new condition. Choose our stream from the dropdown and, as the condition type, choose Field Content Alert Condition.

The window that opens should be filled like this:

Alert condition settings

Now, click on the Manage notifications button and add a new notification. Select our stream and HTTP Alarm Callback as the type. Fill in the name and, in the URL, the local IP of your computer (find it just like you found the VM IP).

Alarm callback settings

Now, let’s write our server to handle the POST request.

We need to install Flask and write a minimal server to accept a POST request. We aren’t going to do much with the message we’ll receive — printing it to the screen will do.

Install Flask and copy this program to a file.

```python
from flask import Flask, request

app = Flask(__name__)


@app.route('/', methods=['POST'])
def index():
    # Graylog POSTs the alert as a JSON body; just echo it to the terminal.
    print(request.data)
    return "success", 200
```

To run it, we need to run these two commands:

```shell
$ export FLASK_APP=server.py
$ flask run --host=0.0.0.0
```

We need the host parameter so the server accepts connections from the LAN, which is where the VM will be posting from.

A few seconds later (the first program must still be running), we should see a JSON message printed in our terminal. The message contains more information than I posted here, but I don't want to use that much space.
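The minimal server above accepts a POST from anyone on the LAN and prints whatever arrives, which is fine for a first test but not for anything you act on. Below is a hardened version of the receiver, added here as an example and not part of the original post. Since the HTTP Alarm Callback is configured with nothing but a URL, the example puts a shared secret into the path (http://your-ip:5000/alerts/<token>, token taken from an `ALERT_TOKEN` environment variable; both are my choices, not Graylog's), accepts only JSON, caps the body size, and reduces the alert to the few fields worth logging. The `SAMPLE_ALERT` payload is constructed for the test; its field names follow my recollection of the 2.4 callback format and may differ from what your Graylog sends, which is why `parse_alert` uses `.get()` everywhere and degrades to "unknown" rather than crashing.

```python
"""Hardened Flask receiver for Graylog HTTP alarm callbacks (added example)."""
import hmac
import json
import logging
import os

log = logging.getLogger("alert-receiver")
MAX_BODY_BYTES = 1024 * 1024  # alerts are small; anything bigger is suspect

# Constructed sample, roughly the shape of a 2.4 HTTP alarm callback POST.
SAMPLE_ALERT = json.dumps({
    "check_result": {
        "result_description": "Stream received messages matching "
                              "<full_message: \"Danger, Will Robinson, Danger!\">",
        "triggered_at": "2018-05-01T10:00:00.000Z",
        "triggered": True,
        "matching_messages": [
            {"message": "Danger, Will Robinson, Danger!", "source": "sebo-lap"}
        ],
    },
    "stream": {"title": "Danger stream", "id": "PLACEHOLDER_STREAM_ID"},
})


def token_ok(candidate, expected):
    """Constant-time compare so the check does not leak the token by timing."""
    if not expected or not candidate:
        return False
    return hmac.compare_digest(candidate.encode(), expected.encode())


def parse_alert(body):
    """Reduce the callback JSON to the fields we want in our own logs.

    Raises ValueError for anything that is not a JSON object.
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError, UnicodeDecodeError) as exc:
        raise ValueError("body is not JSON: %s" % exc)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    check = data.get("check_result") or {}
    stream = data.get("stream") or {}
    return {
        "stream": stream.get("title", "unknown"),
        "description": check.get("result_description", "unknown"),
        "triggered_at": check.get("triggered_at", "unknown"),
        "matched": len(check.get("matching_messages") or []),
    }


def create_app(expected_token=None):
    """App factory; Flask is imported here so the pure functions above can
    be tested without Flask installed."""
    from flask import Flask, abort, jsonify, request

    app = Flask(__name__)
    app.config["MAX_CONTENT_LENGTH"] = MAX_BODY_BYTES  # oversize -> 413
    secret = (expected_token if expected_token is not None
              else os.environ.get("ALERT_TOKEN", ""))

    @app.route("/alerts/<token>", methods=["POST"])
    def receive(token):
        if not token_ok(token, secret):
            abort(404)  # same answer as a wrong path: no hint a token exists
        if not request.is_json:
            abort(415)
        try:
            summary = parse_alert(request.get_data())
        except ValueError as exc:
            log.warning("rejected alert from %s: %s", request.remote_addr, exc)
            abort(400)
        log.info("alert from %s: %s", request.remote_addr, summary)
        return jsonify(status="ok"), 200

    return app


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Prefer binding to the one LAN address the VM can reach over 0.0.0.0.
    create_app().run(host=os.environ.get("ALERT_BIND", "0.0.0.0"), port=5000)
```

Export `ALERT_TOKEN` before starting the server and paste the same value into the callback URL in Graylog. A wrong or missing token gets the same 404 as a mistyped path, so scanning the host reveals nothing about the endpoint.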