GitLab Audit Event Streaming with Raw HTTP Input
Logs from GitLab Audit Event Streaming (via HTTP destinations) can be ingested into Graylog using the Raw HTTP input. When configured successfully, GitLab will post newline-delimited batches of log messages to the input over HTTP.
General information about this input, including configuration options, may be found in the Raw HTTP Input documentation.
Prerequisites
Before proceeding, ensure that the following prerequisites are met:
- An existing GitLab account is required.
- A Graylog Raw HTTP input must be configured to listen on a port that can accept traffic from GitLab’s service running on the public internet.
Set Up GitLab Audit Event Streaming
To stream GitLab audit logs into Graylog, several key configuration steps are required. This section outlines the necessary setup for integrating GitLab's Audit Event Streaming with a Graylog instance. It begins with configuring GitLab to forward audit events, followed by specifying the destination details for Graylog, such as the destination name, server URL, and custom HTTP headers. Additionally, optional event filtering can be implemented to tailor which audit logs are captured. See the official GitLab documentation for more information.
Configure the Destination
- Destination Name: Assign an appropriate destination name.
- Destination URL: Specify the public-facing host name and port for the Graylog server where the Raw HTTP input is running, e.g. https://<graylog-server-hostname>/raw.
- Custom HTTP Headers: Add a custom header with the same name and value specified for the Authorization Header in the Graylog input configuration. Add any additional headers as required by your particular network setup.
- (Optional) Event Filtering: Define filters to determine which logs are streamed to the Graylog input.
Set up the Input
Navigate to System > Inputs and select Raw HTTP to launch the new input. The following configuration settings must be carefully considered when setting up this input for GitLab Audit Event Streaming:
- Bind Address and Port: Ensure that GitLab can route through your network to the IP address and port specified. Note that the Raw HTTP input listens for HTTP requests at the /raw root HTTP path.
- Authorization Header: Specify a name and value for the authorization header to use. This ensures that the input only accepts requests that present the expected header. Enter the same values used when configuring the GitLab Audit Streaming service in the previous section.
- TLS Settings: TLS must either be enabled for this endpoint, or you can choose to route through a firewall or gateway to fulfill the required usage of TLS.
- Enable Bulk Receiving: Be sure to select this option. This will ensure that the input will correctly split newline-delimited batches of log messages sent from GitLab.
For the additional configuration settings available, see the Raw HTTP Input documentation. Unless required for your environment, we recommend you use the default settings for these additional configuration properties.
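Once both sides are configured, the input can be checked from any host that can reach it. The following is an added example, not part of the Graylog or GitLab documentation: it posts a newline-delimited batch to the /raw path without the header, with a wrong value, and with the configured value, and reports whether only the last request is accepted. The sample events and their field names are constructed for illustration; the URL, header name and header value are whatever you entered in the input configuration.

```python
import json
import sys
import urllib.error
import urllib.request

# Constructed sample events; the field names are illustrative only.
SAMPLE_EVENTS = [
    {"event_type": "user_created", "entity_type": "User", "author_name": "example-admin"},
    {"event_type": "project_deleted", "entity_type": "Project", "author_name": "example-admin"},
]


def build_batch(events):
    """Serialize events as a newline-delimited batch: one JSON object per line."""
    return "\n".join(json.dumps(e, separators=(",", ":")) for e in events).encode()


def post_batch(url, body, headers=None):
    """POST the batch and return the HTTP status code, including error statuses."""
    req = urllib.request.Request(url, data=body, method="POST", headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_input(url, header_name, header_value):
    """Send the same batch with no header, a wrong value, and the configured value."""
    body = build_batch(SAMPLE_EVENTS)
    result = {
        "no_header": post_batch(url, body),
        "wrong_value": post_batch(url, body, {header_name: header_value + "-wrong"}),
        "configured": post_batch(url, body, {header_name: header_value}),
    }
    # The authorization header is enforced only if the request carrying the
    # configured value is the sole one that gets a 2xx response.
    result["ok"] = (
        200 <= result["configured"] < 300
        and not 200 <= result["no_header"] < 300
        and not 200 <= result["wrong_value"] < 300
    )
    return result


if __name__ == "__main__":
    # Usage: python check_input.py <input-url-ending-in-/raw> <header-name> <header-value>
    print(check_input(*sys.argv[1:4]))
```

After a run that reports "ok" as true, two test messages should appear in Graylog for this input when Enable Bulk Receiving is selected.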