Graylog Integration

Connect Graylog to itoc360 so that every alert your event definitions produce lands directly in your on-call workflow — no manual forwarding, no missed pages.

Overview

Graylog is an open-source log management and SIEM platform that lets you define conditions on your log data and fire notifications when those conditions are met. The HTTP Notification type sends a structured JSON payload to any endpoint you point it at, which is exactly how itoc360 receives it.

When a Graylog event fires, itoc360 opens an incident. When Graylog marks the same event as resolved, itoc360 closes it automatically. The whole cycle is driven by the alert boolean that Graylog includes in every notification.

The screenshot below shows the Alerts & Events dashboard where your event history and alert metrics are visible at a glance.


Step 1 — Open the Notifications Page

In the top navigation bar, click Alerts, then select the Notifications tab. This is where you manage every outbound integration Graylog can call.

Click Create Notification in the top-right corner to start.

Step 2 — Configure the HTTP Notification

Fill in the form that appears:

  • Title — give it a name you'll recognise later, for example itoc360

  • Notification Type — select HTTP Notification from the dropdown

  • URL — paste your itoc360 source webhook URL here, including the token query parameter

The form also has optional fields for Basic Authentication, API Key, and API Secret. You do not need any of these — itoc360 authenticates through the token in the URL.

Once the URL is in place, click Execute Test Notification to fire a test payload immediately. If everything is wired up correctly, a new alert will appear in your itoc360 source within a few seconds.

Scroll down and click Save to store the notification.

Step 3 — Attach the Notification to an Event Definition

A notification on its own does nothing until it is linked to an event definition. Open Event Definitions, find the definition you want to forward to itoc360, and click Edit. Navigate to the Notifications step, click Add Notification, and select the itoc360 notification you just created. Save the definition.

From this point on, every time that event definition triggers or resolves, Graylog will POST the payload to itoc360.

How Alerts Map to Incidents

itoc360 reads the alert field in the Graylog payload to decide what to do:

Graylog alert value    itoc360 action
true                   Opens a new incident
false                  Resolves the corresponding open incident

The match between an open and a resolve event is based on the event.id field. As long as Graylog sends the same event ID in both the trigger and the resolution, itoc360 will close the right incident automatically.

Priority Mapping

itoc360 uses the event.priority integer that Graylog includes in every payload:

Graylog event.priority    itoc360 Priority
1                         Low
2                         Medium
3                         High

You can override these defaults per source under Sources → Edit → Priority Mapping.
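As an added example (not itoc360's or Graylog's own code), the receiver below applies the two rules above to a Graylog notification body: the alert boolean opens or resolves an incident keyed by event.id, and event.priority is mapped to the default itoc360 priority, with the URL token checked in constant time. The token value, the sample payloads, the event.alert nesting and the "Unmapped" label for priorities outside 1-3 are assumptions.

```python
# Added example (not itoc360's or Graylog's own code): a minimal receiver that
# applies the alert -> incident and priority rules documented above to a
# Graylog HTTP Notification payload. The token and payloads are constructed.
import hmac
import json

PRIORITY_MAP = {1: "Low", 2: "Medium", 3: "High"}  # itoc360 defaults from the page
EXPECTED_TOKEN = "example-source-token"             # placeholder, not a real token


def token_is_valid(query_token):
    """Constant-time compare of the URL token so a mismatch does not leak via timing."""
    return hmac.compare_digest(query_token or "", EXPECTED_TOKEN)


def handle_notification(raw_body, open_incidents):
    """Apply one notification to the open-incident table keyed by event.id."""
    payload = json.loads(raw_body)
    event = payload.get("event", {})
    event_id = event.get("id")
    if not event_id:
        return {"action": "rejected", "reason": "missing event.id"}
    # Graylog nests the boolean at event.alert (assumption); fall back to a top-level key.
    alert = event.get("alert", payload.get("alert"))
    if not isinstance(alert, bool):
        return {"action": "rejected", "reason": "alert must be a boolean"}
    # Only the three documented values are mapped; anything else is flagged.
    priority = PRIORITY_MAP.get(event.get("priority"), "Unmapped")
    is_test = event_id == "TEST_NOTIFICATION_ID"  # placeholder id from Execute Test Notification
    if alert:
        open_incidents[event_id] = {"priority": priority, "title": payload.get("event_definition_title")}
        return {"action": "opened", "event_id": event_id, "priority": priority, "test": is_test}
    if event_id in open_incidents:
        del open_incidents[event_id]
        return {"action": "resolved", "event_id": event_id, "priority": priority, "test": is_test}
    return {"action": "ignored", "reason": "no open incident for event.id", "event_id": event_id}


# Constructed sample: a trigger and its matching resolution with the same event.id.
TRIGGER = json.dumps({"event_definition_title": "Failed logins spike",
                      "event": {"id": "01HXYZ-EXAMPLE", "priority": 3, "alert": True}})
RESOLVE = json.dumps({"event_definition_title": "Failed logins spike",
                      "event": {"id": "01HXYZ-EXAMPLE", "priority": 3, "alert": False}})

if __name__ == "__main__":
    incidents = {}
    print(handle_notification(TRIGGER, incidents))  # action: opened, priority: High
    print(handle_notification(RESOLVE, incidents))  # action: resolved
```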

Troubleshooting

Execute Test Notification returns an error or no incident appears

Check that the URL in the notification form is exactly the one shown on your itoc360 source page, token included. A single mistyped character will cause a 401 or 404.

Incidents open but never resolve automatically

Automatic resolution depends on Graylog sending a follow-up notification with alert set to false. This happens when the event definition's condition is no longer met. Make sure the event definition has a grace period configured so Graylog actually sends the resolution event rather than staying silent.

Unknown or placeholder values in the payload

Fields like job_definition_id: "<unknown>" and event.id: "TEST_NOTIFICATION_ID" appear only when you use the Execute Test Notification button. In production, when a real event triggers the definition, all fields will contain the actual Graylog-generated values.
