There are certain components in Graylog that will perform outgoing HTTP requests. Among those are alerts and HTTP-based data adapters.
Allowing Graylog to interact with resources using arbitrary URLs may pose a security risk. HTTP requests are executed from Graylog servers and might therefore be able to reach more sensitive systems than an external user would have access to, including AWS EC2 metadata, which can contain keys and other secrets, including OpenSearch.
It is therefore advisable to restrict access by explicitly allowing URLs that are considered safe. HTTP requests will be validated against the allowlist and are prohibited if there is no allowlist entry matching the URL.
Configure the Allowlist
The allowlist configuration may be modified via System > Configurations. Note that the allowlist is enabled by default.
Disable the Allowlist
If the security implications mentioned above are of no concern, the allowlist can be completely disabled. When disabled, HTTP requests will not be restricted.
“Exact Match” Allowlist Entries
Allowlist entries of type Exact match
“Regex” Allowlist Entries
Allowlist entries of type Regex contain a regular expression. If a URL matches the regular expression, the URL is considered to be allowed. Graylog uses the Java Pattern class to evaluate regular expressions.
