Graylog api access through nginx proxy

OMG!!! I solved it!!!

Ok, so here is the journey of what I was doing…

So I decided to poke around the Graylog API web interface inside the
GET /search/universal/relative section
URL: http://graylog-lab-ecr-1/api/api-browser#!/Search/Relative/searchRelativeChunked_get_0

Filled in the fields:

query source:h-txa-1ter-ecr-1
range 3600
fields source,message

Which gave me the Request URL:
http://graylog-lab-ecr-1:80/api/search/universal/relative?query=source%3Ah-txa-1ter-rtr-1&range=3600&fields=source%2Cmessage

with a Response Body:

"timestamp","source","message"
"2018-01-30T20:00:32.785Z","H-TXA-1TER-RTR-1","Jan 30 20:15:41.301 UTC: %SSH-5-SSH2_USERAUTH: User 'config' authentication for SSH2 Session from <ipv6> (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded"
"2018-01-30T20:00:32.785Z","H-TXA-1TER-RTR-1","Jan 30 20:15:41.301 UTC: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: config] [Source: <ipv6>] [localport: 22] at 20:15:41 UTC Tue Jan 30 2018"
"2018-01-30T20:00:32.785Z","H-TXA-1TER-RTR-1","Jan 30 20:15:41.093 UTC: %SSH-5-SSH2_SESSION: SSH2 Session request from <ipv6> (tty = 0) using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' Succeeded"
"2018-01-30T20:00:36.785Z","H-TXA-1TER-RTR-1","Jan 30 20:15:46.721 UTC: %SYS-6-LOGOUT: User config has exited tty session 2(<ipv6>)"
"2018-01-30T20:00:38.785Z","H-TXA-1TER-RTR-1","Jan 30 20:15:46.721 UTC: %SSH-5-SSH2_CLOSE: SSH2 Session from <ipv6> (tty = 0) for user 'config' using crypto cipher 'aes128-cbc', hmac 'hmac-sha1' closed"

So I fiddled a bit with that under curl, which after much playing around led me to this output:

{
    "message": "Not authorized",
    "type": "ApiError"
}

Which led me to this post via Google: https://community.graylog.org/t/rest-api-search-authorization/1103

Which led me to use the credentials of the Graylog administrator.

curl -4 -X GET -u "administrator" -H 'Accept: application/json' 'http://graylog-lab-ecr-1/api/search/universal/relative?query=%2A&range=&limit=25&offset=0' | python -m json.tool
Enter host password for user 'administrator':
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    75  100    75    0     0   2675      0 --:--:-- --:--:-- --:--:--  2777
{
    "message": "Invalid credentials in Authorization header",
    "type": "ApiError"
}

This led me to believe that it was the colon inside my admin password that did not allow me to access the API.
Change it with a non-colon and … BOOM!!!

curl -4 -X GET -u "administrator:administrator" -H 'Accept: application/json' 'http://graylog-lab-ecr-1/api/search/universal/relative?query=%2A&range=&limit=25&offset=0' | python -m json.tool
    "decoration_stats": null,
    "fields": [
        "application_name",
        "level",
        "source",
        "ip_address",
        "message",
        "facility",
        "timestamp"
    ],
    "from": "1970-01-01T00:00:00.000Z",
    "messages": [
        {
            "decoration_stats": null,
            "highlight_ranges": {},
            "index": "graylog2_0",
            "message": {
                "_id": "3096b240-05fc-11e8-9ffd-525400418107",
                "application_name": "systemd",
                "facility": "daemon",
                "gl2_remote_ip": "127.0.0.1",
                "gl2_remote_port": 47594,
                "gl2_source_input": "58a4b2b948fdda09423bcced",
                "gl2_source_node": "bc808e5c-1271-4d83-b3ff-160d52e37433",
                "ip_address": "127.0.0.1",
                "level": "6",
                "message": "Stopping Graylog server...",
                "source": "graylog-lab-ecr-1",
                "streams": [
                    "58803ca348fdda55811e9ca0",
                    "000000000000000000000001"
                ],
                "timestamp": "2018-01-30T20:28:55.073Z"
            }
        },
        {
            "decoration_stats": null,
            "highlight_ranges": {},
            "index": "graylog2_0",
            "message": {
                "_id": "3096d950-05fc-11e8-9ffd-525400418107",
                "application_name": "polkitd",
                "facility": "authpriv",
                "gl2_remote_ip": "127.0.0.1",
                "gl2_remote_port": 47594,
                "gl2_source_input": "58a4b2b948fdda09423bcced",
                "gl2_source_node": "bc808e5c-1271-4d83-b3ff-160d52e37433",
                "ip_address": "127.0.0.1",
                "level": "5",
                "message": "Registered Authentication Agent for unix-process:3411:773421 (system bus name :1.33 [\\/usr\\/bin\\/pkttyagent --notify-fd 5 --fallback], object path \\/org\\/freedesktop\\/PolicyKit1\\/AuthenticationAgent, locale en_US.UTF-8)",
                "source": "graylog-lab-ecr-1",
                "streams": [
                    "58803ca348fdda55811e9ca0",
                    "000000000000000000000001"
                ],
                "timestamp": "2018-01-30T20:28:55.072Z"
...

SOO lesson learned???

  • To access the API universal search you need to use admin (couldn’t find in the graylog doc where it said that though) (would probably explore the non-admin approach)…but the librenms doc had it … :man_facepalming:
  • DO NOT use a colon : on your password…
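As an added example (not code from the original post or from Graylog), the Python below rebuilds the relative-search request URL shown above and then encodes credentials the way `curl -u user:password` does (RFC 7617), contrasting a compliant server-side parser that splits the decoded credentials at the first colon with a hypothetical one that splits on every colon and therefore rejects any password containing a colon. The `parse_every_colon` parser is illustrative only and is not a claim about how Graylog parses the header.

```python
import base64
import binascii
from urllib.parse import urlencode

def relative_search_url(base, query, range_seconds, fields):
    """Rebuild the GET /api/search/universal/relative URL from the post;
    urlencode escapes the ':' in the query (%3A) and ',' in fields (%2C)."""
    params = [("query", query), ("range", str(range_seconds)),
              ("fields", ",".join(fields))]
    return f"{base}/api/search/universal/relative?{urlencode(params)}"

def basic_auth_header(user, password):
    """Encode credentials as curl -u does (RFC 7617): the user-id may not
    contain ':', the password may."""
    if ":" in user:
        raise ValueError("RFC 7617 forbids ':' in the user-id")
    token = base64.b64encode(f"{user}:{password}".encode()).decode("ascii")
    return f"Basic {token}"

def _decode_basic(header):
    """Return the decoded 'user:password' string, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def parse_first_colon(header):
    """Compliant server side: split at the FIRST colon only, so a password
    that itself contains ':' survives intact."""
    creds = _decode_basic(header)
    if creds is None or ":" not in creds:
        return None
    user, _, password = creds.partition(":")
    return user, password

def parse_every_colon(header):
    """Hypothetical (not Graylog's code) server side that splits on every
    colon and demands exactly two parts: a password containing ':' is
    rejected, matching the symptom described in the post."""
    creds = _decode_basic(header)
    if creds is None:
        return None
    parts = creds.split(":")
    return (parts[0], parts[1]) if len(parts) == 2 else None
```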

What a headache! But fun!
Glad it’s working!!! Woohoo!!! :sunglasses:
