URL Allowlist

There are specific components in Graylog, like alerts and HTTP-based data adapters, that make outgoing HTTP requests. Because these requests originate from Graylog servers, they can potentially access internal systems—including sensitive endpoints like AWS EC2 metadata that may hold keys or other secrets—posing a security risk. To mitigate this risk, it's important to restrict Graylog's interactions to a defined set of safe URLs. All outgoing HTTP requests are checked against an allowlist, and if a URL doesn't have an approved entry, the request is blocked.

This article will review how to access and modify the URL allowlist.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • You must be a Graylog administrator to modify the URL allowlist.

Add URLs to the Allowlist

The allowlist may be updated via the Configurations menu. To add URLs to the allowlist:

  1. Navigate to System > Configurations.

  2. Select URL Whitelist from the left-hand menu.

  3. Click Edit configuration.

  4. Select Add Url from the configuration menu and update the following parameters: 

    1. Title: A unique title for the allowlist entry.

    2. URL: The specific URL you wish Graylog to access.

    3. Type: The matching method for the allowlist entry. It determines how Graylog compares the entry against the URL of an outgoing request. You can select:

      1. Exact match: Allowlist entries of type Exact match contain a string that will be matched against a URL by direct comparison. If the URL is equal to this string, it is considered to be allowed.

      2. Regex: Allowlist entries of type Regex contain a regular expression. If a URL matches the regular expression, the URL is considered to be allowed. Graylog uses the Java Pattern class to evaluate regular expressions.

  5. Select Update configuration to apply the change.
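The Regex type in step 4 is where an entry most easily ends up wider than intended. The following Java check is an added example, not Graylog's code: it runs candidate patterns through java.util.regex.Pattern against constructed URLs (the example.com and example.net hosts are hypothetical) and assumes an entry allows a URL when the pattern is found anywhere in it.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not Graylog code: checks candidate Regex allowlist entries
// against URLs that must pass and URLs that must be blocked.
public class AllowlistEntryCheck {

    // Assumption: a regex entry allows a URL if the pattern is found anywhere
    // in it (Matcher.find()). An anchored pattern behaves the same under a
    // full-match rule, so it is safe either way.
    static boolean allows(String regex, String url) {
        return Pattern.compile(regex).matcher(url).find();
    }

    // Build an anchored entry for a fixed prefix. Pattern.quote() makes the
    // dots match literally; the suffix class limits what may follow.
    static String anchoredPrefix(String prefix) {
        return "^" + Pattern.quote(prefix) + "[A-Za-z0-9/_.-]*$";
    }

    public static void main(String[] args) {
        // Constructed sample URLs (hypothetical hosts).
        List<String> mustAllow = List.of(
            "https://lookup.example.com/api/v1/ip/10.1.2.3");
        List<String> mustBlock = List.of(
            "http://169.254.169.254/latest/meta-data/",
            "https://lookupXexample.com/api/v1/ip/1",
            "https://other.example.net/?next=https://lookup.example.com/api/v1/");

        Map<String, String> candidates = new LinkedHashMap<>();
        candidates.put("loose", "https://lookup.example.com/api/v1/");
        candidates.put("anchored", anchoredPrefix("https://lookup.example.com/api/v1/"));

        for (Map.Entry<String, String> c : candidates.entrySet()) {
            System.out.println(c.getKey() + ": " + c.getValue());
            for (String u : mustAllow) {
                String verdict = allows(c.getValue(), u) ? "ok      " : "MISSING ";
                System.out.println("  " + verdict + " allow " + u);
            }
            for (String u : mustBlock) {
                String verdict = allows(c.getValue(), u) ? "TOO WIDE" : "ok      ";
                System.out.println("  " + verdict + " block " + u);
            }
        }
    }
}
```

An unescaped `.` matches any character and an unanchored pattern can match inside a query string, so the loose entry is flagged TOO WIDE twice while the anchored entry passes every check.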

Disable the Allowlist

The allowlist is enabled by default. If the security implications mentioned above are of no concern, the allowlist can be completely disabled. When disabled, HTTP requests will not be restricted. To disable the allowlist:

  1. Navigate to System > Configurations.

  2. Select URL Whitelist from the left-hand menu.

  3. Click Edit configuration.

  4. From the configuration menu, check Disable Whitelist.

  5. Select Update configuration to apply the change.
