The following article exclusively pertains to a Graylog Operations feature or functionality. To learn more about obtaining an Operations license, please contact the Graylog Sales team.

The Reporting feature enables you to create and customize your own reports by using dashboard widgets, schedule reports that are automatically delivered to the people who require them, and manually send or download reports as PDF files.

We also offer historic information of report delivery, so you can verify that the scheduled reporting deliveries are working as expected.

For illustrated examples please see the Reporting Use Cases page.


Reporting is part of the Graylog Operations plugin. For installation details, see the Graylog Operations setup page.

PDF generation needs the fontconfig and the dejavu font package installed on the server it is running on.

On a Debian-based system, use apt to install it. For example:

sudo apt-get install fontconfig fonts-dejavu

On a Red Hat-based system, use:

sudo yum install fontconfig dejavu-sans-fonts dejavu-serif-fonts


In most cases, you can use the reporting functionality without changes to your Graylog configuration file (check the default file locations page to see where you can find it). Below, you will find all available configuration options, in case you need to perform advanced configuration.

Configuration Options

Name Description
bin_dir Directory with binaries needed for PDF generation.
data_dir Cache directory for PDF generation.
report_disable_sandbox Disables report generation sandbox.
report_generation_timeout_seconds Timeout in seconds to wait for a report generation.
report_user Internal user to generate reports.
report_render_uri URI to connect to Graylog Web Interface.
report_render_engine_port Port to communication with background process.


Default value: bin- relative to Graylog working directory

The default distribution comes with two binaries needed for PDF generation headless_shell and chromedriver. These binaries are usually located in /usr/share/graylog-server/bin.


Default value: data- relative to Graylog working directory.

PDF generation happens on disk, so Graylog needs a place to write out temporary files. The system packages create /var/lib/graylog-server for this purpose. Make sure to configure this directory correctly, and make it writable for the Graylog Server user.


Default value: false.

To ensure maximum security in your system, the reporting generation process runs inside a sandbox, which provides a restricted environment for the application. That sandbox can only be used when the process is executed as a normal user, as the root user has special administrative privileges that could grant a potential attacker full access to your system.

We recommend that you set this configuration option to false.

Unfortunately, there are two scenarios where the security features provided by the sandbox cannot be used:

  • Environments where you use the root user to run reporting generation.
  • Environments that provide limited kernel capabilities. Docker containers limit the kernel capabilities in a way that sandboxing cannot work. On the other hand, some Red Hat/CentOS-based systems come with older kernel versions that also lack the necessary capabilities. Systems with a kernel version >= 4.x should be fine for the default settings.

If your Graylog server runs in one of those scenarios, consider disabling the sandbox.

Please note that this option only affects the reporting generation process, not the Graylog server.


Default value: 180.

Time (in seconds) to wait for a report to load in the background.

To ensure all widgets in your report have time to fetch their data and load, Graylog waits up to the value set to this configuration option. When a report takes longer than configured to load, the report generation fails, and Graylog logs the error.

If reports in your Graylog setup do not generate, and the server displays a timeout error, you may need to increase this value.


Default value: graylog-report.

Graylog user that will be used internally to generate reports in the background. To ensure the user has access to all required information, this user must have the role assigned.


Default value: $http_publish_uri.

Customize the URI the background process uses to connect to the web interface. By default, the URI uses the value of the http_publish_uri option in your Graylog configuration file.


Hint: In Graylog Operations versions earlier than 4.3, 9515is the default for this setting. From 4.3 onward, the reporting engine can bind to any available port.

Customize the port used to communicate with the background process.