Reports
The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.
Graylog reports are structured summaries or visual representations of log data, which help you to analyze, monitor, and share insights on important system and network activity. The reporting feature enables you to create and customize reports by using your existing dashboard widgets. You can schedule reports, which are automatically delivered to the people who require them, or manually send or download reports.
For best visual presentation, you can generate reports as PDFs. If you intend to perform additional data processing, however, you can also generate reports as CSV, XLSX, YML, JSON, and XML files. Graylog offers historic information about report delivery, so you can verify that scheduled report deliveries work as expected.
For complete information about report creation, see Create and Edit Reports.
Prerequisites
- A valid Graylog Enterprise license is required.
- PDF generation requires the fontconfig and dejavu font packages to be installed on the server it is running on.

  On a Debian-based system, use:

      sudo apt-get install fontconfig fonts-dejavu

  On a Red Hat-based system, use:

      sudo yum install fontconfig dejavu-sans-fonts dejavu-serif-fonts
Hint: We recommend viewing exported PDF files with Adobe Acrobat Reader, Google Chrome PDF viewer, or Mozilla Firefox PDF viewer. In other PDF viewers, some widget types can appear blurry.
Roles and Permissions
Graylog includes the Report Manager role for all report creation and delivery actions. Note the following:
- Users with the Report Manager or Admin role can manage and view every report, no matter who created the report.
- Users can only add data to the report if they have permission to view that information, including information that has been shared to them.
Configure Properties for Reporting
In most cases, you can use the reporting feature without changes to your Graylog configuration file: server.conf. (Check the default file locations page to see possible default locations for this file.) In the following section, you will find all available configuration options for reporting.
Configuration Options
Name | Description |
---|---|
bin_dir | Directory with binaries needed for report generation. |
data_dir | Cache directory for report generation. |
report_disable_sandbox | Disables report generation sandbox. |
report_generation_timeout_seconds | Timeout in seconds to wait for report generation. |
report_user | Internal user to generate reports. |
report_render_uri | URI to connect to the Graylog web interface. |
report_render_engine_port | Port to communicate with background process. |
bin_dir
Default value: bin (relative to the Graylog working directory; this value can also be set via an absolute path)
The default distribution comes with two binaries needed for PDF generation: headless_shell and chromedriver. These binaries are usually located in /usr/share/graylog-server/bin.
data_dir
Default value: data (relative to the Graylog working directory; this value can also be set via an absolute path)
PDF generation happens on disk, so Graylog needs a place to write out temporary files. The system packages create /var/lib/graylog-server for this purpose. Make sure this directory is writable by the Graylog server user.
report_disable_sandbox
Default value: false
To ensure maximum security in your system, the report generation process runs inside a sandbox, which provides a restricted environment for the application. That sandbox can only be used when the process is executed as a normal user, as the root user has special administrative privileges that could grant a potential attacker full access to your system.
We recommend that you set this configuration option to false.
Note that there are two scenarios where the security features provided by the sandbox cannot be used:
- Environments where you use the root user to run reporting generation.
- Environments that provide limited kernel capabilities. Docker containers, for example, limit the kernel capabilities in such a way that sandboxing cannot work. On the other hand, some Red Hat or CentOS-based systems come with older kernel versions that also lack the necessary capabilities. (Systems with a kernel version greater than 4.x should be fine for the default settings.)
If your Graylog server runs in one of those scenarios, consider disabling the sandbox.
This option affects only the reporting generation process, not the Graylog server.
report_generation_timeout_seconds
Default value: 180
Time (in seconds) to wait for a report to load in the background.
To ensure all widgets in your report have time to fetch their data and load, Graylog waits up to the value set for this configuration option. When a report takes longer than configured to load, the report generation fails, and Graylog logs the error.
If reports in your Graylog setup do not generate, and the server displays a timeout error, you may need to increase this value.
report_user
Default value: graylog-report
Graylog user that is used internally to generate reports in the background. To ensure the user has access to all required information, this user must have the role assigned.
report_render_uri
Default value: $http_publish_uri
Customize the URI the background process uses to connect to the web interface. By default, the URI uses the value of the http_publish_uri option in your Graylog configuration file.
report_render_engine_port
Default value: None. Graylog automatically chooses an open port on the system. If the chosen port does not work in your environment, use this property to set a valid port.
Customize the port used to communicate with the background process.
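
The following script is an added example, not part of the Graylog documentation or product. It reads the reporting options described above from a server.conf, applies the defaults listed on this page, and flags a disabled sandbox, a root run-as user, or a non-numeric timeout. The function names, the "key = value" parsing rule, the last-assignment-wins rule, and the sample file are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: audit the reporting options in a Graylog server.conf.
# Defaults used here are the ones listed on this page.

# Print the effective value of KEY in FILE, or DEFAULT when it is unset.
# Assumption: "key = value" lines, and the last assignment wins.
conf_get() {  # usage: conf_get FILE KEY DEFAULT
  local val
  val=$(sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//')
  printf '%s\n' "${val:-$3}"
}

# Print findings; return 0 when there are none, 1 otherwise.
audit_reporting() {  # usage: audit_reporting FILE RUN_AS_USER
  local conf="$1" run_as="$2" findings=0 sandbox_off timeout
  sandbox_off=$(conf_get "$conf" report_disable_sandbox false)
  timeout=$(conf_get "$conf" report_generation_timeout_seconds 180)

  if [ "$sandbox_off" = "true" ]; then
    echo "WARN report_disable_sandbox=true: reports render without the sandbox"
    findings=$((findings + 1))
  elif [ "$run_as" = "root" ]; then
    echo "WARN running as root: the sandbox only works for a normal user"
    findings=$((findings + 1))
  fi
  case "$timeout" in
    ''|*[!0-9]*)
      echo "WARN report_generation_timeout_seconds is not a number: $timeout"
      findings=$((findings + 1)) ;;
  esac
  echo "INFO report_user=$(conf_get "$conf" report_user graylog-report)"
  [ "$findings" -eq 0 ]
}

# Constructed sample config, not taken from a real deployment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# reporting options
report_disable_sandbox = true
report_generation_timeout_seconds = 300
EOF
audit_reporting "$sample" graylog || true
rm -f "$sample"
```

Pass the path to your own server.conf and the account the Graylog server runs as; a non-zero return status means at least one finding was printed.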