
Import a new Content Pack in Graylog

About Graylog Content Packs

Graylog content packs are JSON documents that bundle the settings and configuration of different components of the Graylog server.

We use content packs to import configuration options for log ingestion.

A Graylog content pack will include the following configuration settings:

  • System Input
  • Stream
  • Pipelines and pipeline rules

If you need to integrate a specific log source in your environment, simply open a service ticket and we'll provide the content pack (JSON file). After receiving the file, follow instructions in this article to complete your log integration.

NOTE: Before importing the content pack, it is recommended to have the index set for this specific log source already created in Graylog.

See this article for how to create the index set: https://socfortress.supportbench.net/ar-1073/
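As an added example (not part of this article and not a SOCFortress or Graylog tool), the Python script below runs an offline sanity check on a content pack JSON file before it is uploaded: it confirms the top-level layout, counts the entities that Graylog's Install dialog will list, and reports whether any of the entity types this article expects (input, stream, pipeline, pipeline rule) are absent. The top-level keys, the entity type names and the `@type`/`@value` data layout are assumptions modelled on packs exported from the Graylog UI; the pack embedded in the script is constructed and its ids are placeholders.

```python
import json

# Entity types this article says a content pack carries
# (system input, stream, pipeline and pipeline rules).
EXPECTED_ENTITY_TYPES = {"input", "stream", "pipeline", "pipeline_rule"}

# Top-level keys of a Graylog content pack, format version 1. Assumed layout,
# modelled on packs exported from Graylog's own UI; adjust if your export differs.
REQUIRED_TOP_LEVEL = {"v", "id", "rev", "name", "entities"}

# Constructed sample pack (not a real SOCFortress pack): one syslog UDP input,
# one stream, one pipeline and one pipeline rule. All ids are placeholders.
SAMPLE_PACK = json.loads("""
{
  "v": 1,
  "id": "00000000-0000-0000-0000-000000000001",
  "rev": 1,
  "name": "OPNSENSE LOGS AND EVENTS",
  "summary": "Constructed example pack",
  "description": "",
  "vendor": "example",
  "url": "",
  "parameters": [],
  "entities": [
    {"v": "1", "id": "input-0001", "type": {"name": "input", "version": "1"},
     "data": {"title": {"@type": "string", "@value": "OPNSENSE LOGS AND EVENTS"},
              "type": {"@type": "string", "@value": "org.graylog2.inputs.syslog.udp.SyslogUDPInput"},
              "global": {"@type": "boolean", "@value": true},
              "configuration": {"port": {"@type": "integer", "@value": 5514}},
              "static_fields": {}, "extractors": []},
     "constraints": []},
    {"v": "1", "id": "stream-0001", "type": {"name": "stream", "version": "1"},
     "data": {"title": {"@type": "string", "@value": "OPNSENSE LOGS AND EVENTS"}},
     "constraints": []},
    {"v": "1", "id": "pipeline-0001", "type": {"name": "pipeline", "version": "1"},
     "data": {"title": {"@type": "string", "@value": "OPNSENSE PIPELINE"}},
     "constraints": []},
    {"v": "1", "id": "rule-0001", "type": {"name": "pipeline_rule", "version": "1"},
     "data": {"title": {"@type": "string", "@value": "OPNSENSE PARSE"}},
     "constraints": []}
  ]
}
""")


def validate_content_pack(doc):
    """Return a list of problems; an empty list means the document looks importable."""
    if not isinstance(doc, dict):
        return ["content pack is not a JSON object"]
    problems = []
    missing = REQUIRED_TOP_LEVEL - set(doc)
    if missing:
        problems.append("missing top-level keys: " + ", ".join(sorted(missing)))
    if doc.get("v") != 1:
        problems.append(f"unexpected content pack format version: {doc.get('v')!r}")
    entities = doc.get("entities")
    if not isinstance(entities, list) or not entities:
        problems.append("content pack declares no entities")
        return problems
    seen_ids = set()
    for index, entity in enumerate(entities):
        type_name = entity.get("type", {}).get("name") if isinstance(entity, dict) else None
        if not type_name:
            problems.append(f"entity #{index} has no type name")
            continue
        entity_id = entity.get("id")
        if not entity_id:
            problems.append(f"{type_name} entity #{index} has no id")
        elif entity_id in seen_ids:
            problems.append(f"duplicate entity id {entity_id!r}")
        seen_ids.add(entity_id)
        if not isinstance(entity.get("data"), dict):
            problems.append(f"{type_name} entity {entity_id!r} has no data object")
    return problems


def summarize_entities(doc):
    """Count entities per type: what the Graylog Install dialog will list."""
    counts = {}
    for entity in doc.get("entities", []):
        name = entity.get("type", {}).get("name", "<unknown>")
        counts[name] = counts.get(name, 0) + 1
    return counts


def missing_expected_types(doc):
    """Entity types this article expects but the pack does not contain."""
    return sorted(EXPECTED_ENTITY_TYPES - set(summarize_entities(doc)))


def check_file(path):
    """Load a content pack from disk and run all three checks on it."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    return validate_content_pack(doc), summarize_entities(doc), missing_expected_types(doc)


if __name__ == "__main__":
    print("problems:", validate_content_pack(SAMPLE_PACK))
    print("entities:", summarize_entities(SAMPLE_PACK))
    print("missing expected types:", missing_expected_types(SAMPLE_PACK))
```

To check a pack received from the service desk, call check_file() with the path of the downloaded JSON file; running the script as-is applies the checks to the embedded sample. A pack that reports problems here will usually fail at the Upload step anyway, but an unexpected entity list (for example an extra dashboard or lookup table) is worth reviewing before clicking Install.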

Import the content pack (JSON file)

Log into your Graylog instance using the admin account.

Go to System – Content packs:


Top right, select “Upload”


Browse the content pack file (JSON) from your local file system:


Once the file is selected, click Upload:

The new content pack will be listed and ready to be installed. Select Install (right column):

Before it is installed, the Graylog UI lists all the components included in the content pack. Review them and click Install:

Back to the content pack section in Graylog UI, the content pack will be marked as installed:


Review and modify Graylog Input

After importing and installing the content pack we need to modify a few settings.

First go to System – Inputs:


Find the new input just installed from the content pack (in the example below, “OPNSENSE LOGS AND EVENTS”):

NOTE: If the Input is not shown as “RUNNING”, restart the Graylog service from the Debian CLI. Logged in as root, execute:

service graylog-server restart

Back to Graylog UI, select More options – Add static field for the new input:


We add a new static field to label the tenant this new input belongs to. The field name will ALWAYS be syslog_customer.

The field value will be the name of the tenant.


Review and modify Graylog Stream

Go to Streams from Graylog's UI main menu:

Identify the new stream imported and installed from the content pack:


From the “More” dropdown list (right column) select “Edit stream”:

Change title and description, adding the tenant name.

Also, select the index set where these logs should be stored. By default, the Default index set will be selected. Expand the list and select the right index.

IMPORTANT: Select the tickbox “Remove matches from Default Stream”.

Back to the Streams, click More again and select “Manage Rules”:


Every stream will normally have two rules:

  • One rule will match the log type
  • One rule will match the tenant.

The content pack will have the first rule already configured, as shown below:

Now, select Add stream rule:


Add another rule to specify the tenant, using the syslog_customer field previously created in the input:


After that, click “I'm done!”:


Back to the Streams page, the stream will be in “Paused” mode. Simply click the start icon.
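To make the two-rule pattern concrete, here is an added example (not from this article and not Graylog code): a small Python simulation of Graylog stream routing with two tenant streams, each carrying the log-type rule from the content pack and the syslog_customer rule added above. The `source` field used by the log-type rule, the tenant names, the numeric rule type ids and the constructed log messages are assumptions made for the example. The simulation also shows why the “Remove matches from Default Stream” tickbox matters: without it, a tenant's messages are stored in the Default Stream as well.

```python
import re

# Graylog stream rule types, by the numeric ids the Graylog API uses (assumed;
# only the four modelled here are supported by this simulation).
EXACT_MATCH, REGEX, PRESENCE, CONTAINS = 1, 2, 5, 6

DEFAULT_STREAM = "Default Stream"


def tenant_stream(tenant, remove_from_default=True):
    """Build a stream like the one in the article: rule 1 matches the log type
    (here a regex on 'source', an assumed field for the example) and rule 2
    matches the tenant through the syslog_customer static field."""
    return {
        "title": f"OPNSENSE LOGS AND EVENTS - {tenant}",
        "matching_type": "AND",  # every rule must match
        "remove_matches_from_default_stream": remove_from_default,
        "rules": [
            {"field": "source", "type": REGEX, "value": r"^opnsense", "inverted": False},
            {"field": "syslog_customer", "type": EXACT_MATCH, "value": tenant, "inverted": False},
        ],
    }


# Constructed tenant names and streams.
STREAMS = [tenant_stream("tenant-a"), tenant_stream("tenant-b")]

# Constructed messages, as they look after the input has added syslog_customer.
MSG_TENANT_A = {"source": "opnsense-fw01", "message": "filterlog: pass,in,...", "syslog_customer": "tenant-a"}
MSG_TENANT_B = {"source": "opnsense-fw02", "message": "filterlog: block,in,...", "syslog_customer": "tenant-b"}
# Static field never added on the input: the tenant rule cannot match.
MSG_NO_TENANT = {"source": "opnsense-fw01", "message": "filterlog: pass,in,..."}
# Right tenant, different log source: the log-type rule does not match.
MSG_OTHER_SOURCE = {"source": "linux-host", "message": "sshd: session opened", "syslog_customer": "tenant-a"}


def rule_matches(rule, message):
    """Simplified model of one stream rule: a missing field never matches
    (except for a presence rule), and 'inverted' flips the result."""
    value = message.get(rule["field"])
    if rule["type"] == PRESENCE:
        result = value is not None
    elif value is None:
        result = False
    elif rule["type"] == EXACT_MATCH:
        result = str(value) == rule["value"]
    elif rule["type"] == REGEX:
        result = re.search(rule["value"], str(value)) is not None
    elif rule["type"] == CONTAINS:
        result = rule["value"] in str(value)
    else:
        raise ValueError(f"unsupported stream rule type {rule['type']}")
    return result != bool(rule.get("inverted", False))


def stream_matches(stream, message):
    """AND streams need every rule to match, OR streams any rule; a stream
    without rules matches nothing in this model."""
    results = [rule_matches(rule, message) for rule in stream["rules"]]
    if not results:
        return False
    return all(results) if stream.get("matching_type", "AND") == "AND" else any(results)


def route(streams, message):
    """Titles of the streams the message lands in. The Default Stream is kept
    unless a matching stream has 'Remove matches from Default Stream' set."""
    matched = [s for s in streams if stream_matches(s, message)]
    titles = [s["title"] for s in matched]
    if not any(s["remove_matches_from_default_stream"] for s in matched):
        titles.append(DEFAULT_STREAM)
    return titles


if __name__ == "__main__":
    for name, msg in [("tenant A", MSG_TENANT_A), ("tenant B", MSG_TENANT_B),
                      ("no static field", MSG_NO_TENANT), ("other source", MSG_OTHER_SOURCE)]:
        print(f"{name:15} -> {route(STREAMS, msg)}")
```

The third message is the case to watch for in a multi-tenant setup: when the syslog_customer static field was not added to the input, the tenant rule can never match, so the firewall logs stay in the Default Stream and never reach the tenant's index set. Checking that the new stream receives messages right after starting it catches this early.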
