URL Allowlist

There are specific components in Graylog, like alerts and HTTP-based data adapters, that make outgoing HTTP requests. Because these requests originate from Graylog servers, they can potentially access internal systems—including sensitive endpoints like AWS EC2 metadata that may hold keys or other secrets—posing a security risk. To mitigate this risk, it's important to restrict Graylog's interactions to a defined set of safe URLs. All outgoing HTTP requests are checked against an allowlist, and if a URL doesn't have an approved entry, the request is blocked.

This article will review how to access and modify the URL allowlist.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must be a Graylog administrator to modify the URL allowlist.

Graylog External Endpoints

Graylog requires outbound access to specific external endpoints to support software distribution, licensing, updates, documentation access, and optional services. Ensure the following URLs are permitted through your firewall or proxy allowlist as required by your deployment.

| URL | Description |
| --- | --- |
| downloads.graylog.org | Hosts Graylog release binaries and related downloadable artifacts. |
| packages.graylog2.org | Provides operating system packages for Graylog installations using package managers (for example, APT or YUM). |
| update.graylog.org | Used by Graylog to check for available updates and display version notifications in the Graylog user interface. |
| docs.graylog.org | Serves Graylog’s official documentation. Links from the Graylog user interface direct users to this site for contextual help and reference material. |
| graylog.org/post | Powers the content feed displayed on the Graylog landing page, including blog posts, product announcements, and other informational updates. |
| license.graylog.com | Used for license validation and entitlement checks in licensed Graylog deployments. |
| telemetry.graylog.com | Receives anonymous telemetry data about the Graylog cluster. This data helps Graylog improve product quality and usability. Telemetry is optional. |
| api.graylog.com | Provides access to Graylog-hosted APIs used by certain product features and integrations. |
| ai.graylog.com | Used to submit requests for AI-generated summaries and analysis of Security events. This service helps make log data more understandable and actionable. This endpoint is only required if AI-powered features are enabled. |

Add URLs to the Allowlist

The allowlist may be updated via the Configurations menu. To add additional URLs to the allowlist: 

  1. Navigate to System > Configurations.

  2. Select URL Whitelist from the left-hand menu.

  3. Click Edit configuration.

  4. Select Add Url from the configuration menu and update the following parameters: 

    1. Title: A unique title for the allowlist entry.

    2. URL: The specific URL you wish Graylog to access.

    3. Type: This specifies the matching method for the allowlisted URL. It determines how Graylog compares the entry you add against the URL of each outgoing request. You can select:

      1. Exact match: Allowlist entries of type Exact match contain a string that will be matched against a URL by direct comparison. If the URL is equal to this string, it is considered to be allowed.

      2. Regex: Allowlist entries of type Regex contain a regular expression. If a URL matches the regular expression, the URL is considered to be allowed. Graylog uses the Java Pattern class to evaluate regular expressions.

  5. Select Update configuration to apply the change.
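One way to vet a Regex entry before saving it, as an added example that is not Graylog's own code: it runs candidate patterns through the Java Pattern class against one intended URL and a set of URLs that must stay blocked. The `hooks.example.com` and `lookalike.example` hosts are constructed sample data, and the use of `Matcher.find()` as the match semantics is an assumption.

```java
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

public class AllowlistRegexAudit {

    // Assumption: a Regex entry allows a URL if the pattern is found anywhere in it
    // (Matcher.find()). Auditing under find() is the conservative choice: an entry
    // that is safe under find() is also safe under a full-string matches().
    static boolean allows(Pattern entry, String url) {
        return entry.matcher(url).find();
    }

    // Returns the URLs from mustBlock that the entry would wrongly allow.
    static List<String> overmatches(String regex, List<String> mustBlock) {
        Pattern entry = Pattern.compile(regex);
        return mustBlock.stream().filter(u -> allows(entry, u)).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample data; hooks.example.com stands in for a real alert target.
        String intended = "https://hooks.example.com/alerts/team-a";
        List<String> mustBlock = List.of(
            "http://169.254.169.254/latest/meta-data/",                  // EC2 metadata service
            "https://hooks.example.com.lookalike.example/alerts/x",      // allowed host is only a prefix
            "https://hooksXexample.com/alerts/x",                        // unescaped dot matches any character
            "http://10.0.0.5/?next=https://hooks.example.com/alerts/x"); // allowed URL inside a query string

        List<String> candidates = List.of(
            "hooks.example.com",                         // no anchors, dots unescaped
            "^https://hooks.example.com",                // anchored start, host not terminated
            "^https://hooks\\.example\\.com/alerts/.*$", // anchored, dots escaped, host ends at '/'
            "^" + Pattern.quote("https://hooks.example.com/alerts/") + "[a-z0-9-]+$");

        for (String regex : candidates) {
            boolean ok = allows(Pattern.compile(regex), intended);
            List<String> bad = overmatches(regex, mustBlock);
            System.out.printf("%-55s intended=%b overmatches=%d%n", regex, ok, bad.size());
            bad.forEach(u -> System.out.println("    wrongly allowed: " + u));
        }
    }
}
```

An entry is ready to save only when it allows the intended URL and reports zero overmatches; where a single fixed URL is all that is needed, an Exact match entry avoids the question entirely.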

Disable the Allowlist

The allowlist is enabled by default. If the security implications mentioned above are of no concern, the allowlist can be completely disabled. When disabled, HTTP requests will not be restricted. To disable the allowlist:

  1. Navigate to System > Configurations.

  2. Select URL Whitelist from the left-hand menu.

  3. Click Edit configuration.

  4. From the configuration menu, check Disable Whitelist.

  5. Select Update configuration to apply the change.
