Reports

The following article exclusively pertains to a Graylog Enterprise feature or functionality. To learn more about obtaining an Enterprise license, please contact the Graylog Sales team.

Graylog reports are structured summaries or visual representations of log data, which help you to analyze, monitor, and share insights on important system and network activity. The reporting feature enables you to create and customize reports by using your existing dashboard widgets. You can schedule reports, which are automatically delivered to the people who require them, or manually send or download reports.

For best visual presentation, you can generate reports as PDFs. If you intend to perform additional data processing, however, you can also generate reports as CSV, XLSX, YML, JSON, and XML files. Graylog offers historic information about report delivery, so you can verify that scheduled report deliveries work as expected.

For complete information about report creation, see Create and Edit Reports.

Prerequisites

  • A valid Graylog Enterprise license is required.

  • PDF generation requires the fontconfig and the dejavu font package installed on the server it is running on.

    On a Debian-based system, use:

    Copy
    sudo apt-get install fontconfig fonts-dejavu

    On a Red Hat-based system, use:

    Copy
    sudo yum install fontconfig dejavu-sans-fonts dejavu-serif-fonts

    Hint: We recommend viewing exported PDF files with Adobe Acrobat Reader, Google Chrome PDF viewer, or Mozilla Firefox PDF viewer. In other PDF viewers, some widget types can appear blurry.

Roles and Permissions

Graylog includes the Report Manager role for all report creation and delivery actions. Note the following:

  • Users with the Report Manager or Admin role can manage and view every report, no matter who created the report.

  • Users can only add data to the report if they have permission to view that information, including information that has been shared to them.

Configure Properties for Reporting

In most cases, you can use the reporting feature without changes to your Graylog configuration file: server.conf. (Check the default file locations page to see possible default locations for this file.) In the following section, you will find all available configuration options for reporting.

Configuration Options

Name Description
bin_dir Directory with binaries needed for report generation.
data_dir Cache directory for report generation.
report_disable_sandbox Disables report generation sandbox.
report_generation_timeout_seconds Timeout in seconds to wait for report generation.
report_user Internal user to generate reports.
report_render_uri URI to connect to the Graylog web interface.
report_render_engine_port Port to communicate with background process.

bin_dir

Default value: bin (relative to the Graylog working directory; this value can also be set via an absolute path)

The default distribution comes with two binaries needed for PDF generation: headless_shell and chromedriver. These binaries are usually located in /usr/share/graylog-server/bin.

data_dir

Default value: data (relative to the Graylog working directory; this value can also be set via an absolute path)

PDF generation happens on disk, so Graylog needs a place to write out temporary files. The system packages create /var/lib/graylog-server for this purpose. Make sure to make this directory writable for the Graylog server user.

report_disable_sandbox

Default value: false

To ensure maximum security in your system, the reporting generation process runs inside a sandbox, which provides a restricted environment for the application. That sandbox can only be used when the process is executed as a normal user, as the root user has special administrative privileges that could grant a potential attacker full access to your system.

We recommend that you set this configuration option to false.

Note that there are two scenarios where the security features provided by the sandbox cannot be used:

  • Environments where you use the root user to run reporting generation.
  • Environments that provide limited kernel capabilities. Docker containers, for example, limit the kernel capabilities in such a way that sandboxing cannot work. On the other hand, some Red Hat or CentOS-based systems come with older kernel versions that also lack the necessary capabilities. (Systems with a kernel version greater than 4.x should be fine for the default settings.)

If your Graylog server runs in one of those scenarios, consider disabling the sandbox.

This option affects only the reporting generation process, not the Graylog server.

report_generation_timeout_seconds

Default value: 180

Time (in seconds) to wait for a report to load in the background.

To ensure all widgets in your report have time to fetch their data and load, Graylog waits up to the value set for this configuration option. When a report takes longer than configured to load, the report generation fails, and Graylog logs the error.

If reports in your Graylog setup do not generate, and the server displays a timeout error, you may need to increase this value.

report_user

Default value: graylog-report

Graylog user that is used internally to generate reports in the background. To ensure the user has access to all required information, this user must have the role assigned.

report_render_uri

Default value: $http_publish_uri

Customize the URI the background process uses to connect to the web interface. By default, the URI uses the value of the http_publish_uri option in your Graylog configuration file.

report_render_engine_port

Default value: None. Graylog automatically chooses an open port on the system. If the chosen port does not work in your environment, use this property to set a valid port.

Hint: The reporting engine can bind to any available port.

Customize the port used to communicate with the background process.