Icinga/Nagios check to monitor Graylog2 stream alerts

Check Graylog2 Stream

A simple Icinga/Icinga2/Nagios check to monitor Graylog2 stream alerts.


See releases for pre-compiled binaries. No dependencies are needed.


Following options can be set

$ ./bin/check-graylog2-stream
  -condition="": Condition ID, set only to check a single alert (optional)
  -password="": API password (mandatory)
  -stream="": Stream ID (mandatory)
  -url="http://localhost:9000/api": URL to Graylog2 API (optional)
  -user="": API username (mandatory)

To check a stream on a remote server configure this check in your monitoring config

check-graylog2-stream -stream=545b8c15e4b07ae85aee40d1 -user=admin -password=secret -url=''

You can also check a single condition of a stream, through HTTP

check-graylog2-stream -stream=545b8c15e4b07ae85aee40d1 -user=admin -password=secret -url='' -condition=eeae1109-7cba-4fa0-a35a-8aa7d162ed54

or HTTPS (see rest_listen_uri and rest_enable_tls in graylog-server configuration)

check-graylog2-stream -stream=545b8c15e4b07ae85aee40d1 -user=admin -password=secret -url='' -condition=eeae1109-7cba-4fa0-a35a-8aa7d162ed54

To figure out which stream or condition IDs to use, query the Graylog2 API

curl -i --user admin:secret -H 'Accept: application/json' ''


If you need to build the check yourself, you can do it like this:

go get
go build -o bin/check-graylog2-stream src/check-graylog2-stream/check-graylog2-stream.go

Icinga 2 Integration

Make sure to download and install the plugin into PluginDir. This constant is defined in the constants.conf file (default in /etc/icinga2/constants.conf). More details in the Icinga 2 documentation.

New CheckCommand Definition

Add that to conf.d/commands.conf or a similar included file.

object CheckCommand "graylog2-stream" {
  import "plugin-check-command"

  command = [ PluginDir + "/check-graylog2-stream" ]

  arguments = {
    "-stream" = "$graylog2_stream_id$"
    "-user" = "$graylog2_api_username$"
    "-password" = "$graylog2_api_password$"
    "-url" = "$graylog2_api_url$"

  // default values
  vars.graylog2_api_url = "http://localhost:9000/api"
  vars.graylog2_api_username = "admin"
  vars.graylog2_api_password = "yourpassword"

Host and Service Definition

Depending your monitoring configuration strategy, you can define it like the following example for Icinga2 2.2+:

object Host "graylog2-host" {
  address = ""
  check_command = "hostalive"

  /* `icinga2` is the stream name. Used in service apply for rule below */
  vars.streams["icinga2"] = {
    graylog2_stream_id = "54610d26e4b059482bbfab0f"

template Service "graylog2-service" {
  check_interval = 30s
  retry_interval = 30s
  max_check_attempts = 3
  enable_flapping = false
  enable_notifications = true

const GraylogStreamApiUrl = ""

apply Service "alert-" for (stream => config in host.vars.streams) {
  import "graylog2-service"

  check_command = "graylog2-stream"

  vars += config

  notes = "My " + stream + " graylog2 alert stream checker."
  notes_url = GraylogStreamApiUrl + stream + "/alerts"

  assign where host.vars.streams