Delete a specific log message from Graylog

2019-06-04 05:06发布

问题:

I need to delete a specific log messages from Graylog, however there doesn't seem to be any public API to do this (going by the Graylog API browser).

There is very little documentation about how one might do this. I've found a few random articles that imply it is/was possible via curl and a query API, but nothing substantive.

Given a graylog is accessible via "http://1.2.3.4:5678" and I've got a message with an ID of "94c84300-d3c1-11e6-b900-005056ac343f" in index "graylog_0" how would I delete this message ?

回答1:

Since you have access to ES you can remove the message directly in ES. If your message is in a past index, you need to make it writable again as all past indices are made read-only by Graylog, so first run this:

curl -XPUT 'http://localhost:9200/graylog_0/_settings' -d '{
   "index" : {
      "blocks.write" : false
   }
}'

Then you can delete your message

curl -XDELETE 'http://localhost:9200/graylog_0/message/94c84300-d3c1-11e6-b900-005056ac343f

Finally, you need to make the index read-only again

curl -XPUT 'http://localhost:9200/graylog_0/_settings' -d '{
   "index" : {
      "blocks.write" : true
   }
}'

Optionally, you might also want to make Graylog recompute index ranges, so you can run this directly against the Graylog server:

curl -XPOST http://1.2.3.4:5678/system/indices/ranges/rebuild

UPDATE

If you want to bulk delete multiple messages, you can use the bulk API easily:

curl -XPOST 'http://localhost:9200/graylog_0/message' -d '
{"delete":{ "_id": "94c84300-d3c1-11e6-b900-005056ac343f"}}
{"delete":{ "_id": "94c84300-d3c1-11e6-b900-005056ac543e"}}
{"delete":{ "_id": "94c84300-d3c1-11e6-b900-005056ac8694"}}
{"delete":{ "_id": "94c84300-d3c1-11e6-b900-005056ac1264"}}
'