Configure the webhook in Graylog

Configure a webhook endpoint so that Graylog can use it to communicate with Incident Response.

Before you begin

Role required: Responder, Manager, or Administrator

About this task

Note: While this integration with a third-party product is supported, the documentation here is based upon information provided by that third party. More current information about the operation of that third party’s system may be available from them directly.

Procedure

  1. Log in to your Graylog web console and select the Alerts tab.
  2. Click Notifications, then click Create Notification.
  3. In the New Notification page, fill in the form:
    Field              Description
    Title              Name for the webhook notification.
    Description        Description for the webhook notification.
    Notification Type  Select HTTP Notification.
    URL                Paste the webhook URL copied from LIR.
  4. Click Add to URL Whitelist.
  5. Add your webhook to the whitelist.
    Field  Description
    Title  Use the same title that you used while creating the notification.
    Type   Select Exact match.
  6. Click Save.
  7. You can test your notification channel by clicking Execute Test Notification.
    This will create an alert with OK/Informational severity in LIR.
  8. Click Create.

What to do next

Add the webhook notification to the Event Definition for which you want LIR to handle the alerts. 
  1. Navigate to Alerts > Event Definitions.
  2. Create or edit an event definition. Enter the details and conditions for your alert event. For detailed information, see Defining an Event.

  3. In the Notifications section, click Add Notification and select the notification you created containing the webhook URL from LIR.

  4. Click Done.
  5. Optionally, set the grace period to limit how often notifications are sent again. You can also select Message Backlog and provide a number to limit the number of messages in the backlog.

  6. After adding the alert details, click Done.

Closing a Graylog Alert

Graylog doesn't provide a closing payload for an alert. To close an alert from Graylog, follow the steps given in Close an alert.