
Integrating with Graylog

Overview

You can integrate an on-premise Jamf Pro server (formerly JSS) instance with Graylog, a log management solution. This integration allows you to view, search, and create dashboards of Jamf Pro log information.

Note: This article assumes you already have a Graylog environment configured. If you have not configured a Graylog environment, do so before following the procedure below. For more information, see https://www.graylog.org/download.

Procedure

Before integrating your Jamf Pro server with Graylog, a Graylog Extended Log Format (GELF) UDP Input must be configured to receive log information from Jamf Pro.

To configure Graylog to receive log information from Jamf Pro:

  1. Log in to your Graylog environment.
  2. Select "Inputs" from the System pop-up menu found at the top of the screen.
  3. Select "GELF UDP" from the Select Input pop-up menu, and then click Launch new input.
  4. Configure the settings on the pane. Note: The port you specify must match the port specified in the log4j.properties file found within the Tomcat WEB-INF/classes directory.
  5. Click Save.

Graylog is now configured to accept incoming log information from Jamf Pro.

To integrate the Jamf Pro server with Graylog:

  1. Download the gelfj.jar file found here: https://mvnrepository.com/artifact/org.graylog2/gelfj
  2. Download the simple-json-1.1.1.jar file found here: https://mvnrepository.com/artifact/com.googlecode.json-simple/json-simple/1.1.1
  3. Add the gelfj.jar and the simple-json-1.1.1.jar files to the Tomcat WEB-INF/lib directory. Note: The location of the Tomcat WEB-INF/lib directory varies depending on the platform and the way you installed Jamf Pro. Common locations for the directory are listed below.

If you used the Jamf Pro Installer to install Jamf Pro, the directory is located at:
- Mac: /Library/JSS/Tomcat/webapps/ROOT/WEB-INF/lib
- Linux: /var/local/JSS/Tomcat/webapps/ROOT/WEB-INF/lib
- Windows: C:\Program Files\JSS\Tomcat\webapps\ROOT\WEB-INF\lib

If you did not use the Jamf Pro installer to install Jamf Pro, the directory is located at:
- Mac: /Library/Tomcat/webapps/ROOT/WEB-INF/lib
- Linux: /var/lib/Tomcat/webapps/ROOT/WEB-INF/lib
- Windows: C:\Program Files\Apache Tomcat7\webapps\ROOT\WEB-INF\lib
  4. Navigate to the Tomcat WEB-INF/classes directory and add the following information to the log4j.properties file:

#graylog2
#Define the graylog2 destination
log4j.appender.graylog2=org.graylog2.log.GelfAppender
#Can be set to any log4j level (e.g., INFO, DEBUG, ERROR, WARN, NONE)
log4j.appender.graylog2.Threshold = DEBUG
#Edit graylogHost value to match the IP address of your Graylog server
log4j.appender.graylog2.graylogHost=127.0.0.1
log4j.appender.graylog2.graylogPort=12201
#The originHost line is optional
log4j.appender.graylog2.originHost=mymachine.local
log4j.appender.graylog2.facility=gelf-java
log4j.appender.graylog2.layout=org.apache.log4j.PatternLayout
log4j.appender.graylog2.extractStacktrace=true
log4j.appender.graylog2.addExtendedInformation=true
#The additionalFields can be edited or removed
log4j.appender.graylog2.additionalFields={'environment': 'DEV', 'application': 'Jamf Pro'}

  5. Change "log4j.rootLogger=INFO,JAMF" to "log4j.rootLogger=INFO,JAMF,graylog2".
  6. Save the changes you made to the log4j.properties file.

Note: It is recommended that you save a copy of the modified log4j.properties file in a location other than the Tomcat webapps ROOT directory. When upgrading Jamf Pro, changes made to the log4j.properties file are overwritten. Saving a copy of the modified file allows you to easily reinstate your changes after an upgrade.
  7. Restart Tomcat. See Starting and Stopping Tomcat for instructions.

You can now use Graylog to view the log information from your Jamf Pro server.

Note: If you have a clustered environment, you must configure each instance of the Jamf Pro web application separately if you wish to integrate each instance with Graylog.

Additional Information

For additional information about Graylog, visit the following webpage:
https://www.graylog.org

SOLVED Posted: 7/21/17 at 11:19 AM by nstrauss

Instructions worked perfectly for me. Wanted to comment you can also send JSSAccess.log and JAMFChangeManagement.log data to Graylog by adding graylog2 like below...

log4j.logger.com.jamfsoftware.jss.changemanagement.file=INFO,JAMFCMFILE,graylog2
log4j.additivity.com.jamfsoftware.jss.changemanagement.file=false

log4j.logger.com.jamfsoftware.jss.changemanagement.syslog=INFO,JAMFCMSYSLOG,graylog2
log4j.additivity.com.jamfsoftware.jss.changemanagement.syslog=false

log4j.logger.com.jamfsoftware.jss.objects.user.failed=INFO,JSSACCESSLOG,graylog2
log4j.additivity.com.jamfsoftware.jss.objects.user.failed=false

Otherwise the instructions provided will only send JAMFSoftwareServer.log data.

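A consistency check for the edited log4j.properties, added here as an example (not Jamf's or Graylog's code): it verifies the settings the procedure and the comment above depend on, and goes slightly beyond them by flagging any logger with additivity=false that does not list the appender. The function names and the sample file content are constructed for illustration.

```python
# Constructed sample: the article's appender block, a rootLogger line that was
# never edited (step 5 skipped), and one non-additive logger without graylog2.
SAMPLE = """\
log4j.rootLogger=INFO,JAMF
log4j.appender.graylog2=org.graylog2.log.GelfAppender
log4j.appender.graylog2.Threshold = DEBUG
log4j.appender.graylog2.graylogHost=127.0.0.1
log4j.appender.graylog2.graylogPort=12201
log4j.logger.com.jamfsoftware.jss.changemanagement.file=INFO,JAMFCMFILE
log4j.additivity.com.jamfsoftware.jss.changemanagement.file=false
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # / ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def appenders(value):
    """'INFO,JAMF,graylog2' -> ['JAMF', 'graylog2'] (first token is the level)."""
    return [t.strip() for t in value.split(",")[1:] if t.strip()]

def check_graylog(text, input_port, name="graylog2"):
    """Return a list of findings; an empty list means the file is consistent."""
    p = parse_properties(text)
    prefix = "log4j.appender." + name
    findings = []
    if p.get(prefix) != "org.graylog2.log.GelfAppender":
        findings.append("appender %s is not defined as GelfAppender" % name)
    if not p.get(prefix + ".graylogHost"):
        findings.append("graylogHost is not set")
    if p.get(prefix + ".graylogPort") != str(input_port):
        findings.append("graylogPort does not match GELF UDP input port %s" % input_port)
    if name not in appenders(p.get("log4j.rootLogger", "")):
        findings.append("log4j.rootLogger does not list %s" % name)
    # Loggers with additivity=false do not inherit the root logger's appenders.
    for key, value in p.items():
        if key.startswith("log4j.additivity.") and value.lower() == "false":
            logger = key[len("log4j.additivity."):]
            if name not in appenders(p.get("log4j.logger." + logger, "")):
                findings.append("non-additive logger %s does not list %s" % (logger, name))
    return findings
```

Pass the contents of the real file and the port configured on the GELF UDP input; running it again after a Jamf Pro upgrade shows whether the changes were overwritten.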