Redis Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Redis is an in-memory data structure store used as a database, cache, message broker, and streaming engine. This technology pack processes Redis server log messages from Redis open source, including server lifecycle events, replication, persistence operations, Sentinel monitoring, slow query logging, and ACL authentication. This pack also processes logs from Valkey, the open-source fork of Redis, in all three of its log output modes: legacy (byte-for-byte identical to Redis OSS), logfmt, and JSON.

All the ingest variants share a single event_source_product value. Therefore, downstream streams, searches, and spotlights cover the entire Redis family seamlessly. This content pack supports log delivery via Filebeat with Graylog Sidecar integration.

Requirements

  • A supported version of Redis or Valkey (see Supported Versions below)

  • Graylog version 7.1.0 or later

  • Redis or Valkey configured to send logs via Filebeat to Graylog

Supported Versions

  • Redis 6.x and later (open-source)

  • Redis 7.x and later (open-source)

  • Valkey 7.2.4 and later (legacy, logfmt, and JSON log formats)

Log Collection and Delivery

Redis server logs are delivered to Graylog using Filebeat managed by the Graylog Sidecar. Redis must be configured to write to a log file that Filebeat can ship.

Filebeat Configuration

Configure Filebeat to ship Redis log files:

  1. Install Filebeat on the Redis server (typically through Graylog Sidecar).

  2. Create a configuration under Sidecar > Configuration with a filebeat on linux collector.

  3. Set the Graylog server IP address under hosts and add the event_source_product field with the value redis.

    Copy 
    filebeat.inputs:
    - input_type: log
    paths:
    - /var/log/redis/redis-server.log
    - /var/log/redis/redis.log
    type: filestream
    fields_under_root: true
    fields:
    event_source_product: redis

  4. Default log paths vary by OS: Ubuntu/Debian uses /var/log/redis/redis-server.log, RHEL/CentOS uses /var/log/redis/redis.log. Check the redis.conf 'logfile' setting for the actual path on your host.

  5. Create a matching Beats input in Graylog and save the configuration.

Warning: fields_under_root: true is required so that event_source_product lands at the message root where the pack's identification rule looks for it.

Valkey Log Collection

Valkey is the open-source fork of Redis 7.2.4. It ships three log output modes selected via the 'log-format' directive in valkey.conf. The pack identifies and parses all three. Downstream processing is unified with Redis OSS so no separate pipeline is required.

  • Legacy mode (default, byte-for-byte identical to Redis OSS): Forward via Filebeat. Identification matches on application_name starting with 'valkey', the 'valkey[PID]:' message prefix, or the PID:ROLE body pattern.

  • logfmt mode (log-format logfmt in valkey.conf): messages arrive as 'pid=<n> role=<word> timestamp="<ts>" level=<word> message="<text>"'. Roles: primary, replica, sentinel, RDB/AOF. Levels: debug, verbose, notice, warning.

  • JSON mode (log-format json in valkey.conf): messages arrive as '{"pid":<n>,"role":"<word>","timestamp":"<ts>","level":"<word>","message":"<text>"}'. Same role/level vocabulary as logfmt.

  • All three Valkey modes produce event_source_product=redis (unified with Redis OSS).

Stream Configuration

This technology pack includes 1 stream:

  • Illuminate:Redis Messages

Hint: If this stream does not exist prior to the activation of this pack then it is created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • Redis Logs

Hint: If this index set is already defined, then nothing is changed. If this index set does not exist, then it is created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

What is Provided

  • Parsing rules to extract Redis server logs into Graylog schema compatible fields.

  • Graylog Information Model (GIM) message categorization for service lifecycle and authentication events.

  • Support for Redis Sentinel monitoring events.

  • Support for Redis slow query log parsing.

  • Support for Redis signal handler events (SIGTERM, SIGINT).

  • Redis role description mapping (M=master, S=replica, C=child, X=sentinel).

  • Valkey support across all three log output modes: legacy (same format as Redis OSS, handled by existing rules), logfmt (pid=N role=primary|replica|sentinel|RDB/AOF timestamp=... level=... message=...), and JSON ({"pid":N,"role":"...","timestamp":"...","level":"...","message":"..."}). Role words map to the existing role description, and level words (debug, verbose, notice, warning) map through the severity lookup.

Log Format Examples

Representative log lines for Redis open-source and Valkey.

Redis OSS (text log)

87041:M 10 Apr 2026 14:22:01.234 * Server started, Redis version 7.2.4 87041:M 10 Apr 2026 14:22:01.235 * Ready to accept connections tcp 87041:M 10 Apr 2026 14:35:12.456 # WARNING: The TCP backlog setting of 511 cannot be enforced 87041:M 10 Apr 2026 15:00:00.789 * Background saving started by pid 87150 87041:M 10 Apr 2026 15:00:01.012 * Background saving terminated with success 45123:X 10 Apr 2026 16:45:30.100 # +sdown master mymaster 10.0.1.50 6379 45123:X 10 Apr 2026 16:45:31.200 # +odown master mymaster 10.0.1.50 6379 #quorum 2/2 87041:S 10 Apr 2026 17:00:05.300 * MASTER <-> REPLICA sync: Finished with success 87041:M 10 Apr 2026 18:30:00.400 * User requested shutdown 87041:signal-handler (1744358400) Received SIGTERM scheduling shutdown...

Valkey (legacy, logfmt, and JSON modes)

# Valkey (open-source Redis fork) -- three log output modes # # Select with 'log-format <legacy|logfmt|json>' in valkey.conf. # Role words: primary, replica, sentinel, RDB/AOF # Level words: debug, verbose, notice, warning # Legacy mode (default, byte-for-byte identical to Redis OSS): 87041:M 15 Apr 2026 14:22:01.234 * Server started, Valkey version 8.0.1 87041:M 15 Apr 2026 14:22:01.235 * Ready to accept connections tcp 87041:S 15 Apr 2026 14:35:12.456 # WARNING: Lost connection to primary, will retry 87041:X 15 Apr 2026 16:45:30.100 # +sdown master mymaster 10.0.1.50 6379 # logfmt mode (log-format logfmt): pid=87041 role=primary timestamp="2026-04-15T14:22:01.234Z" level=notice message="Server started, Valkey version 8.0.1" pid=87041 role=primary timestamp="2026-04-15T14:22:01.235Z" level=notice message="Ready to accept connections tcp" pid=87041 role=replica timestamp="2026-04-15T14:35:12.456Z" level=warning message="Lost connection to primary, will retry" # JSON mode (log-format json): {"pid":87041,"role":"primary","timestamp":"2026-04-15T14:22:01.234Z","level":"notice","message":"Server started, Valkey version 8.0.1"} {"pid":87041,"role":"replica","timestamp":"2026-04-15T14:35:12.456Z","level":"warning","message":"Lost connection to primary, will retry"}

GIM Categorization

GIM categorization is provided for the following event types:

Event Type gim_event_type_code gim_event_type
Authentication (ACL login, auth failure, security attack) 100000 logon
Server startup 210000 service started
Server shutdown 210100 service stopped
Configuration change 211000 service configuration change
Sentinel state transition / failover 211504 service error
Crash report / replica connection loss 211504 service error
Out-of-memory panic 211504 service error
RDB / AOF persistence failure 211504 service error
Max clients reached (connection-limit DoS / leak) 211504 service error
Module load / unload (supply-chain audit) 211000 service configuration change
General events (replication, persistence, notices, warnings, slowlog) 219999 service event
Valkey (any mode) server startup 210000 service started
Valkey (any mode) server shutdown 210100 service stopped
Valkey (any mode) general events (replication, persistence, notices, warnings) 219999 service event

Message Fields Included in This Pack

Parsed Fields

Field Description Example Type
process_id Redis server process ID 87041 string
vendor_redis_role Redis instance role (M=Master, S=Slave, C=Child, X=Sentinel) M string
vendor_redis_role_description Human-readable Redis role name derived from role character master string
vendor_event_severity Redis log severity character (.=debug, -=verbose, *=notice, #=warning) * string
vendor_event_description The core log message content Server started, Redis version 7.2.4 string
vendor_event_time Timestamp from the standard Redis log line 14:22:01.234 string
vendor_event_epoch Unix epoch timestamp from signal handler log events 1744358400 string
vendor_sentinel_event Sentinel event type (e.g., +sdown, +odown, +failover) +sdown string
vendor_sentinel_target_type Type of the Sentinel target (master, slave, sentinel) master string
vendor_sentinel_target_name Name of the monitored instance mymaster string
vendor_sentinel_target_ip IP address of the Sentinel target 10.0.1.50 ip
vendor_sentinel_target_port Port of the Sentinel target 6379 int
vendor_slowlog_key Key referenced in a slow query log entry user:session:12345 string
vendor_replication_backlog_bytes Bytes of backlog sent during partial resync 1234 int
vendor_replication_offset Replication offset value 56789 string
vendor_replication_id Replication ID from full resync 3e1b5c4a9f2d8e7b6c5a4f3e2d1c0b9a string
vendor_replication_sync_type Sync type when replica times out streaming sync string
source_ip Client IP address (from Accepted or Client info logs) 10.0.2.200 ip
source_port Client source port 55123 int
destination_ip Redis server IP (from Client info laddr field) 10.0.1.50 ip
destination_port Redis server port (from Client info laddr field) 6379 int
vendor_client_id Redis client connection ID 42 string
vendor_client_cmd Last command issued by the client client|info string
db_database_name Redis OSS DB index (0-15) from CLIENT INFO 0 string
memory_total_bytes Total memory consumed by the client connection in bytes 22426 int
user_name Username from ACL authentication or client info admin string
event_action Normalized event action verb derived by the pack (started, stopped, module_loaded, module_unloaded, max_clients_reached) started string
event_error_description Matched failure phrase from the Redis log for persistence, sentinel, crash, or replica-loss events Background saving error string
event_severity Normalized severity level name informational string
service_version Redis or Valkey version captured from the startup banner 7.2.4 string
service_name Service name, always set to redis redis string
application_name Application name redis-server string

Redis Spotlight Content Pack

This spotlight offers a dashboard with 1 tab:

Overview