The following article exclusively pertains to a Graylog Operations feature or functionality. To learn more about obtaining an Operations license, please contact the Graylog Sales team.
Access to additional features in the Graylog Operations plugins requires a valid license.
Once you have obtained a license, you can import it into your Graylog setup with the following steps:
- As an admin user, open the “Enterprise/Licenses” page from the menu in the web interface.
- Click the Import new license button in the top right-hand corner.
- Copy the license text from the confirmation email, and paste it into the text field.
- If the license is valid, a preview of your license details should appear below the text field.
- Click Import to activate the license.
The license automatically applies to all nodes in your cluster without the need to restart the server nodes.
Some Graylog licenses require validity checks on a regular basis. This includes the free Graylog Operations license with a specific amount of traffic included.
If your network environment requires Graylog to use a proxy server to communicate with the external services via https, you need to configure the proxy server in the Graylog configuration file.
The Graylog web interface shows all details about the license, but if you are still unclear about the requirements, please contact our sales team with your questions.
Details on License Verification
Graylog Operations periodically sends the following information to ‘api.graylog.com’ via https on TCP port 443 for each installed license:
- A nonce to avoid modified reports.
- The ID of the license.
- The ID of the Graylog cluster.
- A flag indicator if the license is violated.
- A flag indicator if the license has expired.
- A flag indicator if Graylog detected that the traffic measuring mechanisms have been modified.
- A list of how much traffic was received and written by Graylog in the recent days (in bytes).
Details on Licensed Traffic
Graylog has four counters; the last is counted for the licensed traffic.
The incoming message without any decoding; what is written to the journal before processing.
The message after the codec of the input has parsed the message (e.g. Syslog parser).
Traffic from archive restores; currently stored in memory only.
What is written to Elasticsearch after all processing is complete.
Graylog only measures Elasticsearch output. Measurement occurs when messages are serialized to Elasticsearch. If
a message is written to multiple indices, the message will count for each index. It does not matter how many copies
(replicas) the index has configured, as this is done in Elasticsearch.
Each of the counters follows these rules:
- Count the length of the field name.
- If the content of the field is a string, the length of the string is counted, not the bytes of that string.
- for non-string content in the field, the byte length of that content is counted
- byte = 1 byte
- char/short = 2 bytes
- bool/int/floar = 4 bytes
- long/double = 8 bytes
- dates = 8 bytes
- All internal fields are not counted (meta information created by Graylog).