home / mcp / graylog mcp server

Graylog MCP Server

Provides tools to search Graylog logs and identify identifiers like UUIDs across streams via MCP clients.

Installation

Add the following to your MCP client configuration file.

Configuration

{
  "mcpServers": {
    "abuzo-graylog-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "@alexbuzo/graylog-mcp@latest",
        "--graylog-url",
        "https://graylog.example.com",
        "--token",
        "YOUR_GRAYLOG_PAT",
        "--ssl-verify",
        "false"
      ],
      "env": {
        "GRAYLOG_URL": "https://graylog.example.com",
        "GRAYLOG_TOKEN": "YOUR_GRAYLOG_PAT"
      }
    }
  }
}

You can run a lightweight MCP server that connects Graylog with AI assistants using a simple stdio-based setup. It provides fast log search capabilities, supports PAT authentication, works with self-signed TLS, and is easy to run via npx or a global npm install.

How to use

Set up the server and run it through one of the provided MCP entry points. You will connect to Graylog using a Personal Access Token, optionally disable SSL certificate validation for development, and then use the available tools to search logs, locate UUIDs or trace IDs, or pull messages from a specific stream. The tools normalize fields for consistent results across Graylog deployments.

How to install

Prerequisites: Node.js version 18 or newer is required.

Install the MCP server globally with npm.

Alternatively, use npx to run the MCP server without a global install.

Install commands

npm i -g @alexbuzo/graylog-mcp

Recommended: use npx for on-demand usage.

graylog-mcp \
  --graylog-url https://graylog.example.com \
  --token YOUR_GRAYLOG_PAT \
  --ssl-verify=false

Configuration for Cursor and MCP clients

Use one of the provided MCP configurations to connect your client to Graylog. You can run via npx with explicit arguments, or set environment variables for a secure setup, or use a global installation. All variants assume you have a Graylog server URL and a valid Personal Access Token.

Additional setup options

The server supports automatic field normalization and a smart search across common identifiers like UUID, request IDs, and trace IDs. You can start with a simple search query and expand as needed.

Security notes

Use Personal Access Tokens with the least privileges needed to read the target streams. For production, enable SSL validation. For development or testing, you can disable SSL verification, but do not rely on this setting in production.

Troubleshooting

If you encounter authentication issues, verify the PAT has read permissions on the target streams and that the Graylog URL includes the protocol (https://). If TLS/SSL fails, check your CA settings and consider setting NODE_EXTRA_CA_CERTS to the path of a trusted CA bundle.

Notes

All times are in UTC. The MCP server uses Graylog REST APIs to fetch and format data. The default maximum results per request is 500, and pagination is supported via limit and offset.

Examples of common uses

Search for errors in the last hour using the graylog.search_logs tool. Locate a specific UUID or trace ID across common fields using graylog.search_uuid. Retrieve messages from a specific stream with graylog.search_stream.

Available tools

graylog.search_logs

Search logs using Lucene/GELF style queries with optional range, limit, and filters.

graylog.search_uuid

Smart search for UUIDs and common identifiers across multiple fields with range and limit.

graylog.search_stream

Fetch messages from a specific Graylog stream within a time range.