Graylog Log Search Skill
Search Graylog logs directly from your AI agent for production debugging. Query by absolute or relative timestamps, filter by application streams, and check system health.
Quick Start
Install
```bash
npm install -g mcp-server-graylog@1.0.3
```
Configure
Add to your OpenClaw or Claude Desktop MCP configuration:
```json
{
  "mcpServers": {
    "graylog": {
      "command": "npx",
      "args": ["-y", "mcp-server-graylog@1.0.3"],
      "env": {
        "BASE_URL": "https://your-graylog-instance.example.com",
        "API_TOKEN": "your_graylog_api_token"
      }
    }
  }
}
```
To get your API token: Graylog Web UI > System > Users > Edit your user > Tokens > Create Token.
Verify
```bash
echo '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"test","version":"1.0.0"}}}' | BASE_URL=https://your-graylog.example.com API_TOKEN=your_token npx mcp-server-graylog@1.0.3
```
You should see a JSON response containing `protocolVersion` and `capabilities`.
Overview
This skill provides 4 MCP tools for searching and monitoring Graylog:
| Tool | Description |
|---|---|
| `search_logs_absolute` | Search logs between specific timestamps (ISO 8601) |
| `search_logs_relative` | Search recent logs (last N seconds, default: 15 min) |
| `list_streams` | Discover available application streams and their IDs |
| `get_system_info` | Check Graylog version, health, and processing status |
Core Tasks
- "Search for ERROR logs in the last 15 minutes"
- "Find all 500 errors from the payment service between 2pm and 3pm today"
- "List available Graylog streams so I can filter by application"
- "Check if Graylog is healthy and processing logs"
- "Search for timeout errors in the API stream from the last hour"
Environment Variable Contract
| Variable | Required | Description |
|---|---|---|
| `BASE_URL` | Yes | Full URL to your Graylog instance (e.g., https://graylog.example.com) |
| `API_TOKEN` | Yes | Graylog API token for authentication (Basic Auth) |
Query Syntax
Uses Elasticsearch query syntax:
- `level:ERROR` - Filter by log level
- `source:api-server` - Filter by source
- `"connection timeout"` - Exact phrase match
- `status:>=500` - Numeric range
- `message:*exception*` - Wildcard match
- `level:ERROR AND source:payment` - Boolean operators
Security & Guardrails
- Read-only access: No write operations to Graylog - only searches and listing
- Credential isolation: API token stored in environment variables, never in code or logs
- Request timeout: 30-second timeout prevents hanging requests
- Result limits: Queries capped at 1000 messages maximum, 50 by default
- Input validation: All parameters validated before API calls (query, timestamps, stream IDs, limits)
- Error sanitization: Error messages never expose API tokens or sensitive internal details
- Time range bounds: Relative searches limited to 24 hours maximum
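The guardrails listed above (input validation, result and time-range caps, the 30-second timeout, and error sanitization), together with the Basic Auth contract from the Environment Variable Contract section, as an added JavaScript example. This is not the mcp-server-graylog package's own code: every function name is hypothetical, and the `/api/search/universal/relative` endpoint path, the `filter=streams:<id>` parameter, the 24-hex-character stream id format, the 2000-character query bound and the token-as-username / `"token"`-as-password Basic Auth convention are assumptions about Graylog's REST API rather than facts stated on this page.

```javascript
// Added example, not the mcp-server-graylog package's own code. Function
// names are hypothetical; the endpoint path, `filter=streams:<id>`, the
// 24-hex stream id format and the query-length bound are assumptions.

const DEFAULT_LIMIT = 50;               // messages returned when no limit is given
const MAX_LIMIT = 1000;                 // hard cap on messages per query
const DEFAULT_RANGE_SECONDS = 15 * 60;  // relative search default: last 15 minutes
const MAX_RANGE_SECONDS = 24 * 60 * 60; // relative searches are bounded to 24 hours
const REQUEST_TIMEOUT_MS = 30 * 1000;   // abort any request that hangs longer than 30 s
const MAX_QUERY_LENGTH = 2000;          // assumption: upper bound for query text
const STREAM_ID_RE = /^[0-9a-f]{24}$/;  // assumption: 24 lowercase hex characters
const ISO_8601_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}(:\d{2}(\.\d+)?)?(Z|[+-]\d{2}:\d{2})$/;

function validateQuery(query) {
  if (typeof query !== 'string' || query.trim() === '') throw new Error('query must be a non-empty string');
  if (query.length > MAX_QUERY_LENGTH) throw new Error(`query exceeds ${MAX_QUERY_LENGTH} characters`);
  return query.trim();
}

// Limits are clamped to the cap rather than rejected: the caller still gets
// results, but never more than MAX_LIMIT messages.
function validateLimit(limit) {
  if (limit === undefined || limit === null) return DEFAULT_LIMIT;
  if (!Number.isInteger(limit) || limit < 1) throw new Error('limit must be a positive integer');
  return Math.min(limit, MAX_LIMIT);
}

// Ranges above 24 h are rejected, not clamped: silently narrowing a time
// window would hand the agent misleading results.
function validateRange(seconds) {
  if (seconds === undefined || seconds === null) return DEFAULT_RANGE_SECONDS;
  if (!Number.isInteger(seconds) || seconds < 1) throw new Error('range must be a positive number of seconds');
  if (seconds > MAX_RANGE_SECONDS) throw new Error(`range exceeds the ${MAX_RANGE_SECONDS}-second (24 h) maximum`);
  return seconds;
}

function validateAbsoluteWindow(from, to) {
  for (const [name, value] of [['from', from], ['to', to]]) {
    if (typeof value !== 'string' || !ISO_8601_RE.test(value) || Number.isNaN(Date.parse(value))) {
      throw new Error(`${name} must be an ISO 8601 timestamp`);
    }
  }
  if (Date.parse(from) >= Date.parse(to)) throw new Error('from must be earlier than to');
  return { from: new Date(from).toISOString(), to: new Date(to).toISOString() };
}

function validateStreamId(streamId) {
  if (streamId === undefined || streamId === null) return undefined;
  if (typeof streamId !== 'string' || !STREAM_ID_RE.test(streamId)) {
    throw new Error('stream_id must be a 24-character hexadecimal id');
  }
  return streamId;
}

// Graylog API tokens travel as HTTP Basic Auth: the token is the username and
// the literal string "token" is the password.
function authHeader(token) {
  return 'Basic ' + Buffer.from(`${token}:token`).toString('base64');
}

// Validates every parameter first, then builds the request without sending it.
function buildRelativeSearchRequest(baseUrl, token, params) {
  const url = new URL('/api/search/universal/relative', baseUrl.replace(/\/+$/, ''));
  url.searchParams.set('query', validateQuery(params.query));
  url.searchParams.set('range', String(validateRange(params.range)));
  url.searchParams.set('limit', String(validateLimit(params.limit)));
  const streamId = validateStreamId(params.streamId);
  if (streamId) url.searchParams.set('filter', `streams:${streamId}`);
  return {
    url: url.toString(),
    headers: { Accept: 'application/json', Authorization: authHeader(token) },
    timeoutMs: REQUEST_TIMEOUT_MS,
  };
}

// Scrubs the raw token, its base64 Basic form and any other Basic credential
// out of error text before it reaches the agent or a log line.
function sanitizeError(err, token) {
  let message = err instanceof Error ? err.message : String(err);
  if (token) {
    for (const secret of [token, Buffer.from(`${token}:token`).toString('base64')]) {
      message = message.split(secret).join('[REDACTED]');
    }
  }
  return message.replace(/Basic\s+[A-Za-z0-9+/=]+/g, 'Basic [REDACTED]');
}

// Sends a built request under the 30 s timeout and maps HTTP failures to the
// README's user-facing error strings (needs Node 18+ for global fetch).
async function runSearch(request, token) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), request.timeoutMs);
  try {
    const res = await fetch(request.url, { headers: request.headers, signal: controller.signal });
    if (res.status === 401) throw new Error('Authentication failed');
    if (res.status === 404) throw new Error('Endpoint not found');
    if (!res.ok) throw new Error(`Graylog returned HTTP ${res.status}`);
    return await res.json();
  } catch (err) {
    throw new Error(sanitizeError(err.name === 'AbortError' ? 'Request timed out after 30 s' : err, token));
  } finally {
    clearTimeout(timer);
  }
}
```

Note the asymmetry: an oversized `limit` is clamped to 1000, but an oversized relative `range` is rejected, because quietly changing the time window would change the meaning of the answer the agent gives back. The `sanitizeError` pass covers both the raw token and its base64 Basic form, since an upstream HTTP library may echo request headers into its error messages.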
Troubleshooting
| Error | Solution |
|---|---|
| "Missing environment variables" | Set `BASE_URL` and `API_TOKEN` in your MCP config |
| "Authentication failed" | Verify your API token is valid in the Graylog UI |
| "Cannot reach Graylog" | Check `BASE_URL` and network/VPN connectivity |
| "Invalid query" | Check Elasticsearch query syntax |
| "Endpoint not found" | Verify `BASE_URL` is the correct Graylog URL (no trailing `/api`) |
Release Notes
v1.0.3 (2026-04-08)
- Extracted shared helpers for testable imports
- Fixed credential leak in git history
- 54 tests passing, all MCP protocol verified
v1.0.0 (2025-10-23)
- First stable release with 4 tools
- Fixed 5 critical bugs from initial implementation
- Comprehensive test suite and documentation
Publisher
@Pranavj17