# Graylog Integration

Connect Graylog to itoc360 so that every alert your event definitions produce lands directly in your on-call workflow — no manual forwarding, no missed pages.

### Overview

Graylog is an open-source log management and SIEM platform that lets you define conditions on your log data and fire notifications when those conditions are met. The HTTP Notification type sends a structured JSON payload to any endpoint you point it at, which is exactly how itoc360 receives it.

When a Graylog event fires, itoc360 opens an incident. When Graylog marks the same event as resolved, itoc360 closes it automatically. The whole cycle is driven by the `alert` boolean that Graylog includes in every notification.

The screenshot below shows the Alerts & Events dashboard where your event history and alert metrics are visible at a glance.

<figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2F6k5Vy01O9wCFHp8n4Hs3%2Fimage.png?alt=media&#x26;token=9596ed81-1b17-47c3-9594-662f1e6b6a69" alt=""><figcaption></figcaption></figure>

***

### Step 1 — Open the Notifications Page

In the top navigation bar, click **Alerts**, then select the **Notifications** tab. This is where you manage every outbound integration Graylog can call.

Click **Create Notification** in the top-right corner to start.

<figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2FTclomXa8doN0CBm50D87%2Fimage.png?alt=media&#x26;token=0a37818f-dfd8-448d-b368-922003ed1145" alt=""><figcaption></figcaption></figure>

### Step 2 — Configure the HTTP Notification

Fill in the form that appears:

* **Title** — give it a name you'll recognise later, for example `itoc360`
* **Notification Type** — select **HTTP Notification** from the dropdown
* **URL** — paste your itoc360 source webhook URL here, including the token query parameter

The form also has optional fields for Basic Authentication, API Key, and API Secret. You do not need any of these — itoc360 authenticates through the token in the URL.

Once the URL is in place, click **Execute Test Notification** to fire a test payload immediately. If everything is wired up correctly, a new alert will appear in your itoc360 source within a few seconds.

<figure><img src="https://4108595529-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FimJRSa33y5Ej6rwXrBeA%2Fuploads%2FFr3EWrJ0R3mPqlmw87re%2FEkran%20Resmi%202026-03-16%2016.36.41.png?alt=media&#x26;token=8c50c536-3287-4fa0-b2ec-b2bb3fe91686" alt=""><figcaption></figcaption></figure>

Scroll down and click **Save** to store the notification.

### Step 3 — Attach the Notification to an Event Definition

A notification on its own does nothing until it is linked to an event definition. Open **Event Definitions**, find the definition you want to forward to itoc360, and click **Edit**. Navigate to the **Notifications** step, click **Add Notification**, and select the `itoc360` notification you just created. Save the definition.

From this point on, every time that event definition triggers or resolves, Graylog will POST the payload to itoc360.

### How Alerts Map to Incidents

itoc360 reads the `alert` field in the Graylog payload to decide what to do:

| Graylog `alert` value | itoc360 action                           |
| --------------------- | ---------------------------------------- |
| `true`                | Opens a new incident                     |
| `false`               | Resolves the corresponding open incident |

The match between an open and a resolve event is based on the `event.id` field. As long as Graylog sends the same event ID in both the trigger and the resolution, itoc360 will close the right incident automatically.

### Priority Mapping

itoc360 uses the `event.priority` integer that Graylog includes in every payload:

| Graylog `event.priority` | itoc360 Priority |
| ------------------------ | ---------------- |
| `1`                      | Low              |
| `2`                      | Medium           |
| `3`                      | High             |

You can override these defaults per source under **Sources → Edit → Priority Mapping**.
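The following receiver is an added example, not itoc360's or Graylog's own code: it shows how the two tables above (the `alert` open/resolve cycle keyed on `event.id`, and the default `event.priority` mapping) play out on a notification, and it checks the URL token before touching the payload. The token value, the sample payloads and the fallback priority for an unmapped integer are constructed assumptions for this example.

```python
import hmac
import json

# Constructed token for this example; in practice it is the token query
# parameter on the webhook URL shown on your itoc360 source page.
EXPECTED_TOKEN = "example-source-token"

# Default Graylog event.priority -> itoc360 priority mapping from the page.
PRIORITY_MAP = {1: "Low", 2: "Medium", 3: "High"}

# Open incidents keyed by Graylog event.id (in-memory stand-in for storage).
open_incidents = {}


def handle_notification(query_token, body):
    """Process one Graylog HTTP Notification POST.

    query_token: value of the token query parameter on the webhook URL.
    body: raw JSON request body as sent by Graylog.
    Returns a short string describing the action taken.
    """
    # Reject before parsing anything if the token is wrong; compare_digest
    # keeps the comparison time independent of where the mismatch occurs.
    if not hmac.compare_digest(query_token, EXPECTED_TOKEN):
        return "rejected: bad token"  # the caller would answer with 401

    payload = json.loads(body)
    event = payload["event"]
    event_id = event["id"]
    # Fallback to Medium for an unmapped integer is an assumption here.
    priority = PRIORITY_MAP.get(event.get("priority"), "Medium")

    if event["alert"]:
        # alert == true: open (or refresh) the incident for this event id.
        open_incidents[event_id] = {
            "title": payload.get("event_definition_title", event_id),
            "priority": priority,
        }
        return f"opened {event_id} ({priority})"

    # alert == false: resolve the incident that the same event.id opened.
    if open_incidents.pop(event_id, None) is None:
        return f"ignored {event_id}: no open incident"
    return f"resolved {event_id}"


# Constructed sample payloads, shaped like the Execute Test Notification
# output described in Troubleshooting (placeholder ids, not real events).
TRIGGER = json.dumps({"event_definition_title": "Disk usage above 90%",
                      "job_definition_id": "<unknown>",
                      "event": {"id": "TEST_NOTIFICATION_ID", "priority": 3, "alert": True}})
RESOLVE = json.dumps({"event_definition_title": "Disk usage above 90%",
                      "event": {"id": "TEST_NOTIFICATION_ID", "priority": 3, "alert": False}})
```

Because the token is the only authentication, the full webhook URL is a credential: a second resolve for an already-closed id is simply ignored, but a leaked URL lets anyone open or resolve incidents.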

### Troubleshooting

**Execute Test Notification returns an error or no incident appears**

Check that the URL in the notification form is exactly the one shown on your itoc360 source page, token included. A single mistyped character will cause a 401 or 404.

**Incidents open but never resolve automatically**

Automatic resolution depends on Graylog sending a follow-up notification with `alert` set to `false`. This happens when the event definition's condition is no longer met. Make sure the event definition has a grace period configured so Graylog actually sends the resolution event rather than staying silent.

**Unknown or placeholder values in the payload**

Fields like `job_definition_id: "<unknown>"` and `event.id: "TEST_NOTIFICATION_ID"` appear only when you use the Execute Test Notification button. In production, when a real event triggers the definition, all fields will contain the actual Graylog-generated values.
