Graylog
Overview
This document provides a detailed guide to integrating Graylog with Callgoose SQIBS for real-time Incident Management, log-based alerting, and automated incident resolution.
The integration uses Graylog Alert Notifications (HTTP Webhooks) to send alert event payloads directly to Callgoose, where API Filters convert them into incidents that are automatically created and resolved.
Prerequisites
Before beginning, ensure you have the following:
- A Callgoose SQIBS account with permissions to create API Filters and access the integration endpoint.
- A Graylog instance (Cloud or Self-hosted) with Admin-level access to Streams, Event Definitions, and Notification settings.
- A valid Callgoose API token and API endpoint URL.
- A test Graylog Event Definition (recommended) for validating webhook delivery and payloads.
1. Prepare Callgoose: Obtain Endpoint and Token
1.1 Retrieve Callgoose API Endpoint
Generate or locate your Callgoose process endpoint:
https://****.callgoose.com/v1/process?from=Graylog&token=xxxx
The token is part of the URL's query string, so treat the full URL as a secret: store it securely and never commit it to source control.
2. Install Graylog (Self-Hosted)
If you are not using Graylog Cloud, install Graylog on your server before configuring webhook notifications. Graylog requires Java, MongoDB, and OpenSearch.
2.1 Install Java
Graylog requires Java 17 or later.
sudo apt update
sudo apt install openjdk-17-jre
Verify:
java -version
2.2 Install MongoDB
Graylog uses MongoDB for metadata storage.
sudo apt install mongodb-org
sudo systemctl enable mongod
sudo systemctl start mongod
Verify:
systemctl status mongod
2.3 Install OpenSearch
Graylog stores log data in OpenSearch.
Install OpenSearch:
sudo apt install opensearch
sudo systemctl enable opensearch
sudo systemctl start opensearch
Set minimum JVM heap size in /etc/opensearch/jvm.options if required.
2.4 Install Graylog Server
Import the Graylog repository, then install the server package:
sudo apt install graylog-server
Modify Graylog server configuration:
sudo nano /etc/graylog/server/server.conf
Set:
- password_secret
- root_password_sha2
- http_bind_address
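Example (0.0.0.0 binds the web interface and API to every network interface, so restrict access to port 9000 with a firewall):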
http_bind_address = 0.0.0.0:9000
Start Graylog:
sudo systemctl enable graylog-server
sudo systemctl start graylog-server
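A check for the three settings listed in this section, as an added example (not part of the original guide or of Graylog's tooling): it generates `password_secret` and `root_password_sha2` values and flags weak ones. The 64-character floor, the sample file, and the loopback bind (which assumes a reverse proxy in front of Graylog) are assumptions of this example.

```python
import hashlib
import re
import secrets

MIN_SECRET_LEN = 64  # assumption of this example, not a value from the guide

def generate_settings(admin_password):
    """A random secret and the SHA-256 hex digest of the admin password."""
    return {
        "password_secret": secrets.token_urlsafe(72),  # 96 URL-safe characters
        "root_password_sha2": hashlib.sha256(admin_password.encode()).hexdigest(),
    }

def parse_conf(text):
    """Parse 'key = value' lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def lint(conf):
    """Return findings for the three settings section 2.4 tells you to set."""
    findings = []
    if len(conf.get("password_secret", "")) < MIN_SECRET_LEN:
        findings.append("password_secret missing or shorter than %d characters" % MIN_SECRET_LEN)
    digest = conf.get("root_password_sha2", "")
    if not re.fullmatch(r"[0-9a-f]{64}", digest):
        findings.append("root_password_sha2 is not a SHA-256 hex digest")
    elif digest == hashlib.sha256(b"admin").hexdigest():
        findings.append("root_password_sha2 is the hash of the password 'admin'")
    if conf.get("http_bind_address", "").startswith("0.0.0.0:"):
        findings.append("http_bind_address listens on all interfaces")
    return findings

# Constructed sample: a weak server.conf fragment.
WEAK = parse_conf(
    "password_secret = changeme\n"
    "root_password_sha2 = %s\n"
    "http_bind_address = 0.0.0.0:9000\n" % hashlib.sha256(b"admin").hexdigest()
)
# The same settings with generated secrets and a loopback bind (constructed values).
HARDENED = dict(WEAK, http_bind_address="127.0.0.1:9000",
                **generate_settings("constructed-example-passphrase"))

if __name__ == "__main__":
    print(lint(WEAK))
    print(lint(HARDENED))
```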
2.5 Verify Graylog Installation
Check service:
systemctl status graylog-server
Once running, access:
http://<server-ip>:9000
Log in with the admin credentials configured earlier.
Graylog is now ready to configure webhooks.
3. Configure Graylog Webhook Notification
3.1 Choose the Webhook Scope
Graylog allows webhook creation under:
- Alerts → Notifications
- Event Definitions → Notifications
Graylog can send events from log search queries, filter conditions, thresholds, message fields, and correlation rules.
3.2 Create a Webhook Notification
In Graylog:
- Go to Alerts → Notifications
- Click Create Notification
- Select HTTP Notification
- Configure:
  - Notification Name: Callgoose SQIBS
  - URL: Callgoose endpoint from Step 1
  - HTTP Method: POST
  - Content Type: application/json
  - Use Custom Headers: Optional
  - Include More Event Data: Enabled
  - Body Template: JSON format using Mustache variables
Save the notification.
3.3 Attach Notification to an Event Definition
- Go to Alerts → Event Definitions
- Create or edit an event rule
- Define the triggering condition
- Add the Callgoose SQIBS HTTP Notification
- Save and enable the rule
Graylog will now forward firing and resolved alerts to Callgoose.
3.4 Verification Headers
Graylog may include headers like:
- X-Graylog-Event-Definition-Id
- X-Graylog-Stream-Id
- X-Graylog-Signature
These can be optionally validated by intermediaries.
4. Example Graylog Payloads
4.1 Firing event example
{
  "event_definition_id": "graylog-def-01",
  "event_definition_title": "High Error Rate",
  "event_definition_type": "aggregation-v1",
  "event": {
    "id": "evt-99120",
    "timestamp": "2025-10-01T12:05:00Z",
    "message": "Error rate above threshold",
    "severity": "3",
    "alert": true
  },
  "backlog": [
    {
      "message": "Error: Database timeout",
      "source": "api-service",
      "timestamp": "2025-10-01T12:04:30Z"
    }
  ],
  "status": "firing"
}
4.2 Resolved event example
{
  "event_definition_id": "graylog-def-01",
  "event_definition_title": "High Error Rate",
  "event": {
    "id": "evt-99120",
    "timestamp": "2025-10-01T12:15:20Z",
    "message": "Condition back to normal",
    "severity": "1",
    "alert": false
  },
  "status": "resolved"
}
Use actual payloads in Callgoose API Logs to confirm exact field names.
5. Create API Filters in Callgoose SQIBS
5.1 Trigger Filter — Create Incident
Settings:
- Payload JSON Key: "status"
- Key Value Contains: firing
- Map Incident With: "event"."id" or "event_definition_id"
- Incident Title From: "event_definition_title"
- Incident Description: (optional — empty for full JSON)
5.2 Resolve Filter — Auto-Resolve Incident
Settings:
- Payload JSON Key: "status"
- Key Value Contains: resolved
- Incident Mapped With: the same key as Trigger Filter
Using the same mapping key in both filters ensures incidents are created and resolved correctly.
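A local replay of the two filters against the payloads from section 4, as an added example (not Callgoose's own code): it shows a matching mapping key closing the incident and a mismatched key leaving it open. The matching semantics are an assumption modelled on the settings listed above, and `FilterSim`, `lookup` and `replay` are hypothetical names.

```python
# Constructed payloads: the fields of sections 4.1 and 4.2 that the filters read.
FIRING = {"event_definition_id": "graylog-def-01",
          "event_definition_title": "High Error Rate",
          "event": {"id": "evt-99120", "severity": "3", "alert": True},
          "status": "firing"}
RESOLVED = {"event_definition_id": "graylog-def-01",
            "event_definition_title": "High Error Rate",
            "event": {"id": "evt-99120", "severity": "1", "alert": False},
            "status": "resolved"}

def lookup(payload, path):
    """Follow a key path such as ("event", "id"); None if any step is missing."""
    node = payload
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

class FilterSim:
    """Hypothetical local model of one Trigger filter and one Resolve filter."""
    def __init__(self, trigger_key, resolve_key):
        self.trigger_key, self.resolve_key = trigger_key, resolve_key
        self.open_incidents = {}  # mapping value -> incident title

    def process(self, payload):
        status = str(payload.get("status", ""))
        if "firing" in status:  # Trigger filter: "Key Value Contains: firing"
            ref = lookup(payload, self.trigger_key)
            if ref is None:
                return "trigger matched, mapping key missing"
            if ref in self.open_incidents:
                return "already open: %s" % ref
            self.open_incidents[ref] = payload.get("event_definition_title", "")
            return "created: %s" % ref
        if "resolved" in status:  # Resolve filter: "Key Value Contains: resolved"
            ref = lookup(payload, self.resolve_key)
            if self.open_incidents.pop(ref, None) is None:
                return "resolve matched, no open incident for %r" % (ref,)
            return "resolved: %s" % ref
        return "no filter matched"

def replay(trigger_key, resolve_key, payloads=(FIRING, RESOLVED)):
    """Feed payloads through the model; return outcomes and incidents left open."""
    sim = FilterSim(trigger_key, resolve_key)
    return [sim.process(p) for p in payloads], sorted(sim.open_incidents)

if __name__ == "__main__":
    print(replay(("event", "id"), ("event", "id")))
    print(replay(("event", "id"), ("event_definition_id",)))
```

Replaying payloads copied from Callgoose API Logs instead of the constructed ones checks the real field names before the filters are saved.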
6. Verify and Test the Integration
6.1 Test Initial Delivery
- Send a Test Notification from Graylog
- Check Callgoose → API Logs
6.2 View Exact Payload
Review Callgoose API request logs to confirm field mappings.
6.3 Final Verification
- Trigger alert condition → Incident created
- Resolve condition → Incident auto-resolved
- Check field consistency (event.id or event_definition_id)
7. Troubleshooting
- Incoming Payload Not Received
  - Validate webhook URL
  - Ensure token is correct
  - Check Graylog Notification Failure logs
  - Verify HTTPS connectivity
- Incidents Not Auto-Resolving
  - Confirm Graylog sends "status": "resolved"
  - Check for a mapping key mismatch between the Trigger and Resolve filters
- Missing Fields
  - Check Graylog "Backlog size"
  - Review body template
- Graylog Not Triggering Alerts
  - Confirm Event Definition conditions
  - Verify stream filtering
  - Check message matching rules
8. Conclusion
Integrating Graylog with Callgoose SQIBS enables automated incident creation and resolution based on real-time log-driven alert rules.
By configuring Graylog Webhooks and mapping them through Callgoose API Filters, teams gain instant visibility into log anomalies, service issues, and operational failures.
With properly configured Trigger and Resolve filters, alert changes flow seamlessly into incident lifecycle management, improving operational reliability.
For further customization or advanced use cases, refer to the official documentation for both Graylog and Callgoose SQIBS.
