The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

GitLab is a complete DevOps platform that provides Git-based source code management, CI/CD automation, security scanning, and project collaboration in a single application, available as both cloud-hosted and self-managed solutions. This pack parses GitLab logs.

Requirement(s)

  • A Graylog server with a valid Enterprise license that is running Graylog version 6.1.3.

  • This pack is tested with GitLab version 17.9.

  • This pack requires the use of the Raw HTTP input.

What is Provided

This pack includes parsing rules that convert GitLab logs into Graylog schema-compatible fields. It supports all known event_types.

Setting up the Raw HTTP input

Use Graylog's Raw HTTP input to receive logs directly from GitLab via its Audit Event Streaming functionality. You can define which types of logs to send and specify Graylog as the destination endpoint. This allows seamless log forwarding from GitLab to Graylog for centralized log analysis.

Graylog Server Settings

  1. Create a global Raw HTTP input in Graylog.

  2. Configure the log source to the desired value and configure the field event_source_product with the value GitLab-web.

Log Format Examples:

Application Logs
{"id":3255712804,"author_id":26388820,"entity_id":67540197,"entity_type":"Project","details":{"add":"user_access","as":"Default role: Guest","member_id":122256555,"event_name":"member_created","author_name":"Stefan Tester","author_class":"User","target_id":26027514,"target_type":"User","target_details":"Stefan Tester","custom_message":"Membership created","ip_address":"2603:8080:2b20:9a50:12cd:7d27:1240:b8ea","entity_path":"testmegroupname/testing"},"ip_address":"2603:8080:2bf0:9a50:1422:7227:2240:b8ea","author_name":"Stefan Tester","entity_path":"testmegroupname/testing","target_details":"Stefan Tester","created_at":"2025-03-03T16:23:41.344Z","target_type":"User","target_id":26027514,"event_type":"member_created"}

Hint: GitLab produces a wide range of JSON logs with a wide range of fields. Non-schema fields have a vendor_ prefix.

Graylog Server Configuration

  1. Create a new Raw HTTP input for receiving GitLab logs, unless one already exists. This input must be used for GitLab logs only.

  2. In GitLab, consult the GitLab documentation to set up an HTTP destination.

  3. Once created (or if the Raw HTTP input has already been created), click Show received messages to obtain the input ID. This will pull up a search window with the All Time timeframe. If there are a large number of logs, then you may want to adjust the timeframe to speed up the process.

  4. Copy the gl2_source_input value.

  5. Navigate to Enterprise > Illuminate and select the Customization tab.

  6. Locate the lookup_adapter_input_routing title and click Edit. For the content_name key, enter the gl2_source_input ID copied earlier. For the input_id value, enter gitlab. (Note that the column names are reversed.)

  7. Select Configure value to confirm.

  8. If receiving GitLab logs on multiple inputs, repeat this process for each input.
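
Step 3 needs at least one received message before the gl2_source_input value can be copied. The following added example (not part of the Illuminate pack or of Graylog's own tooling) builds one constructed event shaped like the sample log above and posts it to the Raw HTTP input. The host, port 5555, and the /raw path are assumptions to replace with your input's settings, and every event value is constructed.

```python
"""Post one constructed GitLab-style audit event to a Graylog Raw HTTP input."""
import json
import sys
import urllib.request
from datetime import datetime, timezone

# Top-level keys present in the sample event shown on this page.
EXPECTED_KEYS = {"id", "author_id", "entity_id", "entity_type", "details",
                 "ip_address", "author_name", "entity_path", "created_at",
                 "event_type"}
PLACEHOLDER_URL = "http://graylog.example.org:5555/raw"  # assumed, not real


def constructed_event(now=None):
    """Build a test event shaped like the page's member_created sample."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    return {
        "id": 1, "author_id": 1, "entity_id": 1, "entity_type": "Project",
        "details": {"event_name": "member_created",
                    "custom_message": "Graylog input test (constructed)"},
        "ip_address": "2001:db8::1",  # documentation-range address
        "author_name": "Input Test", "entity_path": "example-group/example",
        "created_at": ts, "event_type": "member_created",
    }


def build_request(url, event):
    """Check the event shape and return a ready-to-send POST request."""
    missing = EXPECTED_KEYS - event.keys()
    if missing:
        raise ValueError(f"event lacks keys: {sorted(missing)}")
    # One compact JSON object per request, as in the sample log line.
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"})


if __name__ == "__main__":
    # With a URL argument the event is sent; without one this is a dry run.
    send = len(sys.argv) > 1
    req = build_request(sys.argv[1] if send else PLACEHOLDER_URL, constructed_event())
    if send:
        with urllib.request.urlopen(req, timeout=10) as resp:
            print("input answered with HTTP", resp.status)
    else:
        print("dry run:", req.full_url, req.data.decode("utf-8"))
```

Run it with the input's URL as the only argument, then use Show received messages to find the test event and its gl2_source_input value.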

GitLab Spotlight Content Pack

The GitLab content pack provides an Overview Dashboard, a Web Overview Dashboard, and a User Overview Dashboard.

GitLab Events Overview Tab


GitLab User Overview Tab


GitLab Web Overview Tab
