Graylog REST API – Message Search

Now that we have we have created an API token for our new API Reader user, we can query the API and search messages.  Our user currently has “Reader” level permissions.  However Graylog developers state that:

“Universal search requires admin privileges as you have access to all ingested messages with it.  Normal users can use streams: – reference link


“Reader users are always bound to streams and can only do searches with a filter that limits them to streams they are allowed to view. You could create a stream that matches every message and give the users permissions on that. – reference link

As you may guess, you are probably not going to create a stream for every message. So…what should you do?  Well, I just assigned my api user admin rights and then generated a token. Note, this works with version 2 of Graylog, perhaps version 3 has resolved this issue. More on that to come.

In order to generate a new access token for a user in Graylog, follow these steps depending on your version.

Graylog version 2.x

Open the API Browser and navigate to the Users:User accounts section. Expand the section:graylog-api-token
Then fill out your username and name to generate your token. Example:

Graylog version 3.x

In Graylog version 3.x you can generate a token either from the api or you can now generate a token from the web ui. Follow this link for webui instructions.


About Parker Jardine

Manager of Systems Administration in the Information Technology Higher Education space. I enjoy biking, climbing, hockey, camping, mountaineering, hunting, paragliding, and just being outdoors. You can read my Make Magazine project articles about a diy solar panel and solar systems design in volumes 12 and 14.
This entry was posted in Graylog and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s