Content Packs

Content packs are a convenient way to share configuration. A content pack is a JSON file that contains a set of configurations for Graylog components, and it can be uploaded to any number of Graylog instances. Graylog has prebuilt some content packs for use with Illuminate, while many user-created content packs can be found in Graylog Marketplace. For example, anyone who takes the time to create an input, pipelines, and a dashboard for a specific log format can easily share their efforts with the community! This article reviews how to create and manage custom content packs via the Graylog interface.

Create a New Content Pack

  1. Navigate to System > Content Packs.
  2. Select Create a Content Pack on the upper right side of the page to begin the new content pack wizard. Note that the wizard has three steps: Content Selection, Parameters, and Preview.
  3. Complete the General Information section as indicated, including Name, Summary, Description, Vendor, and URL.
  4. Under Content Pack selection, select the specific configuration sets to include in the content pack. These are organized by entity, such as input, lookup table, or event definition. If you select a configuration that depends on another entity, such as a dashboard that contains a saved search, then both your selected configuration and the dependencies on which it relies are exported in your content pack. Streams are treated as special dependencies; review the Attach a Stream or a Stream Reference section for important information on how stream dependencies are managed when creating a content pack.

Warning: Grok patterns and lookup tables for pipeline rules must be added manually to the content pack.

  5. Select Next or Parameter to proceed to the Parameter page. (For more information on parameters, see the Apply Parameters section.) To create a parameter, click Create parameter. Specify the name, type, and default value of the parameter in the menu that appears.
  6. Assign the parameter to a configuration key by selecting Edit on one of the previously selected configurations under Entity List.
  7. Select Next or Preview. The Preview page displays a summary of the new content pack for review.
  8. Click Create or Create and Download to finish the creation.

Attach a Stream or a Stream Reference

Streams are handled as special dependencies in the content pack creation process. If you are selecting an entity that depends on a stream, note whether you are including the stream dependency as a reference in the content pack or including that stream entity's configuration. Let's look at an example.

A user has included a dashboard titled "Windows User Data Dashboard" in their content pack. This dashboard is dependent on an existing stream, "Windows User Data Stream." When this dashboard is selected during the creation of the content pack, the stream "Windows User Data Stream" is included in the content pack as a stream reference. This means that, when this content pack is installed, Graylog looks for a stream with the same name as the reference rather than creating a new stream.

As shown in the image below, the Preview page during content pack creation lists the entities that are part of this pack, including the dashboard "Windows User Data Dashboard" and the stream reference "Windows User Data Stream." You can verify that the stream is included as a reference and not as a separate configuration set for a stream by noting that the entity type for this stream is stream_title and not stream.

Warning: A stream with the referenced title must exist, or installation of the content pack fails.

Additionally, during the creation of a content pack, you can opt to include any existing stream configuration as an entity. This option means that you are including the full stream configuration in the content pack rather than simply a reference to an existing stream. For example, as indicated in the image below, the user has selected to attach the stream configuration "All Investigation messages" to the content pack during the Content Selection stage.

Apply Parameters

Parameters are placeholders that indicate some value must be set by the user during the installation of the content pack. These parameters help to adjust the configuration to the needs of the individual. Graylog supports four types of configuration values: string, integer, double, and boolean.

One example in which parameters can support content packs is in defining the port of an input. The creator of the content pack may have their input running on port 55055, but the user of the content pack may already have an input running on that specific port. The creator can specify a parameter and assign it to the port. The user of the content pack is asked for a value of the parameter on installation. The provided value is then used as the port of the input in the new system.
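
A pre-install check for the stream-reference and parameter behaviour described in the two sections above, written as an added example that is not part of the Graylog documentation or code. It assumes the exported JSON carries an entities array with type.name and data.title.@value fields and marks parameter bindings with @type "parameter"; the sample pack, the parameter name INPUT_PORT, and the input title are constructed.

```python
import json

# Constructed sample pack, not a real Marketplace pack. The field layout
# (entities[].type.name, data.title.@value, @type "parameter") is an assumption.
SAMPLE_PACK = json.dumps({
    "v": 1, "rev": 1, "name": "Windows User Data",
    "parameters": [{"name": "INPUT_PORT", "type": "integer", "default_value": 55055}],
    "entities": [
        {"type": {"name": "dashboard"},
         "data": {"title": {"@type": "string", "@value": "Windows User Data Dashboard"}}},
        {"type": {"name": "stream_title"},
         "data": {"title": {"@type": "string", "@value": "Windows User Data Stream"}}},
        {"type": {"name": "stream"},
         "data": {"title": {"@type": "string", "@value": "All Investigation messages"}}},
        {"type": {"name": "input"},
         "data": {"title": {"@type": "string", "@value": "Windows input"},
                  "configuration": {"port": {"@type": "parameter", "@value": "INPUT_PORT"}}}},
    ],
})

def _param_refs(node):
    """Yield every parameter name referenced anywhere under node."""
    if isinstance(node, dict):
        if node.get("@type") == "parameter":
            yield node.get("@value")
        else:
            for child in node.values():
                yield from _param_refs(child)
    elif isinstance(node, list):
        for child in node:
            yield from _param_refs(child)

def audit_pack(pack_json, existing_stream_titles):
    pack = json.loads(pack_json)
    refs, included, used = [], [], set()
    for ent in pack.get("entities", []):
        kind = ent.get("type", {}).get("name")
        title = ent.get("data", {}).get("title", {}).get("@value")
        if kind == "stream_title":      # reference: the stream must already exist
            refs.append(title)
        elif kind == "stream":          # full configuration travels with the pack
            included.append(title)
        used.update(_param_refs(ent.get("data", {})))
    declared = {p["name"]: p.get("default_value") for p in pack.get("parameters", [])}
    return {
        "missing_stream_refs": [t for t in refs if t not in existing_stream_titles],
        "streams_included": included,
        "parameters": declared,
        "undeclared_parameters": sorted(used - set(declared)),
    }
```

Call audit_pack with the downloaded file's text and the set of stream titles on the target system; a non-empty missing_stream_refs list means those streams need to exist before installation.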

Upload a Content Pack

Many user-created content packs may be downloaded from Graylog Marketplace. To upload one of these content packs to your Graylog instance:

  1. Download the desired content pack from the Marketplace as a JSON file.

  2. Navigate to System > Content Packs and select Upload.

  3. Click Choose File, then navigate to and select the downloaded content pack.

  4. Click Upload to finish the process. The uploaded content pack may now be installed on the new Graylog system.

Install a Content Pack

To install the newest version of an available content pack (which may have been shared with you or prebuilt by Graylog) for use with your Graylog instance:

  1. Navigate to System > Content Packs. This page shows the list of all current content packs.

  2. Select Install on the desired content pack. A menu appears that asks for an Install Comment and the values of the indicated parameters. It also shows the list of configurations that will be installed on the system.

  3. Click Install to complete the installation.

Hint: Some entities need a unique title or name, such as a lookup table. When you install such an entity and the title is already present on the system, Graylog uses the installed entity instead of installing a new one, even when the new configuration differs from the already installed one.

Uninstall a Content Pack

  1. Navigate to System > Content Packs and select the name of the content pack that should be uninstalled. The menu that appears shows the details of an uploaded or created content pack.

  2. On the left, select the version of the content pack. Below that is a list of previous installations of that content pack.

  3. Click Uninstall next to the desired installation. A list of entities about to be removed is displayed.