Skip to content

Graylog API Token

Service Name: Graylog

Service Description: Graylog is an open-source log management platform that allows for the collection, indexing, and analysis of log data from various sources. It provides centralized logging, search capabilities, and dashboards for monitoring and troubleshooting IT infrastructure.

Service Address: https://www.graylog.org/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the server level through network access controls or through Graylog's built-in access control mechanisms.

Secret Access Scope: Grants programmatic access to Graylog's REST API, allowing for management of streams, dashboards, inputs, and other Graylog resources based on the user's permissions.

Secret Revokement URL: https://docs.graylog.org/docs/users

Secret Example: 1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p

Suspicious Activity Investigation Instructions:

  • Review Graylog audit logs for unusual API calls or access patterns
  • Check for unauthorized changes to streams, inputs, or dashboards
  • Monitor for unusual data extraction or configuration changes
  • Examine system logs for connection attempts from unexpected IP addresses
  • Review user activity logs for actions performed with the API token

Mitigation Instructions:

  • Log in to the Graylog web interface as an administrator
  • Navigate to System > Users

  • Select the user associated with the compromised API token

  • Click on "Edit tokens" for that user
  • Delete the compromised token
  • Create a new token if needed
  • Update any applications or scripts using the old token
  • Consider implementing more restrictive permissions for the new token
  • Enable audit logging if not already active to monitor future token usage