Graylog Integration

Shodan provides a Graylog plugin that enriches the IP addresses in your logs with information from our database.

Installation

Download the .jar file from our GitLab release page. Check your Graylog version first and choose the matching package; the table below lists which plugin release is compatible with which Graylog version.

Graylog version    Shodan package
5.1.X              5.1.0
5.0.X              5.0.0
4.3.X              4.3.0
4.2.X              4.2.0
4.1.X              4.1.0

After downloading, copy the .jar file into the Graylog plugin directory. By default this is the plugins/ folder relative to your graylog-server directory; the location is set by the plugin_dir option in your graylog.conf file.

Restart Graylog, then go to System -> Lookup Tables -> Data Adapters -> Create Data Adapter. Shodan and Shodan InternetDB should appear in the list of adapter types.

  • Shodan Adapter: uses your Shodan account (API key) and returns the full host information Shodan holds for an IP address. For details of the data Shodan returns, check here.

Shodan Adapter

  • Shodan InternetDB Adapter: uses the free InternetDB service, which anyone can query without an API key. InternetDB returns hostnames, open ports, CPEs, tags and vulnerabilities (CVE identifiers) for an IP address.

Shodan InternetDB Adapter

How to use

The following example attaches a Shodan InternetDB lookup to messages as they are ingested into Graylog.

First create a new Shodan InternetDB Adapter. Then create a new lookup table that uses the Shodan InternetDB Adapter you just created. The name you give the lookup table is the one the pipeline rule references (shodan_internetdb_table in this example).

Shodan InternetDB Lookup Table

Go to System -> Pipelines -> Manage Rules -> Create Rule. Add the rule source below; it looks up the IP address in the Shodan InternetDB lookup table whenever a log message carries an IP field (src_ip in this example).

rule "Shodan InternetDB check IP"
when
    // Change 'src_ip' to the field that holds the IP address in your logs
    has_field("src_ip")
then
    // 'shodan_internetdb_table' must match the name of the lookup table
    // created above; the lookup result is stored under 'shodan_internetdb'
    let update_source = lookup("shodan_internetdb_table", $message.src_ip);
    set_field("shodan_internetdb", update_source);
end

Go back to System -> Pipelines -> Manage Pipelines and create a new pipeline named Shodan InternetDB. Then configure which stream the pipeline is connected to; here we use All messages.

Pipeline Stream Connection

Finally, add a new stage to the pipeline, select the rule you just created for that stage, and save.

Pipeline Add Stage

Check the Message Processors Configuration under System -> Configurations: the Pipeline Processor must run after the Message Filter Chain, otherwise messages reach the pipeline before they have been routed to streams and the pipeline stage never runs.

Messages Processor Configuration

Once this is done, open the stream and inspect a message: the shodan_internetdb field should be present and hold the InternetDB result for that IP address.

Stream Result
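The following is an added example, not code from the Shodan plugin or from Graylog. It models offline what the lookup table and pipeline rule above do to a message: which address the InternetDB adapter queries (an unauthenticated GET to https://internetdb.shodan.io/<ip>), which addresses should never be sent to an external service, and how one InternetDB record maps onto flat message fields. The lookup backend is a constructed in-memory dictionary, the sample log messages and responses are constructed, and the shodan_internetdb_* field names are this example's own choice.

```python
"""Offline model of the Shodan InternetDB enrichment configured above.

Added example, not code from the Shodan Graylog plugin or from Graylog.
The lookup backend is an in-memory dictionary so the script runs offline.
"""
import ipaddress
import json

INTERNETDB_BASE = "https://internetdb.shodan.io"
FIELD_PREFIX = "shodan_internetdb"   # this example's field naming, not the plugin's

# Address ranges that can never have InternetDB data: RFC 1918, loopback,
# link-local, multicast and "this network", plus the IPv6 equivalents.
# Looking these up externally only discloses your internal address plan.
SKIP_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample response in the InternetDB response shape
# (ip, hostnames, ports, cpes, tags, vulns). Not a real lookup result;
# the CVE identifier is a placeholder.
SAMPLE_DB = {
    "203.0.113.10": json.dumps({
        "ip": "203.0.113.10",
        "hostnames": ["web.example.net"],
        "ports": [443, 22, 80],
        "cpes": ["cpe:/a:openbsd:openssh", "cpe:/a:nginx:nginx"],
        "tags": ["cloud"],
        "vulns": ["CVE-2024-12345"],
    }),
}


def should_lookup(value):
    """True if value parses as an IP address that InternetDB could know about."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(ip in net for net in SKIP_NETWORKS)


def internetdb_url(ip):
    """URL the adapter queries for one address; no API key is involved."""
    return f"{INTERNETDB_BASE}/{ip}"


def flatten(record):
    """Map one InternetDB record onto flat, prefixed message fields."""
    fields = {}
    for key in ("hostnames", "ports", "cpes", "tags", "vulns"):
        fields[f"{FIELD_PREFIX}_{key}"] = sorted(record.get(key, []))
    fields[f"{FIELD_PREFIX}_vuln_count"] = len(record.get("vulns", []))
    return fields


def fetch_sample(ip):
    """Stand-in for the HTTP GET: JSON body, or None for an unknown IP (HTTP 404)."""
    return SAMPLE_DB.get(ip)


def enrich(message, ip_field="src_ip", fetch=fetch_sample):
    """Return a copy of message with InternetDB fields added, mirroring the
    pipeline rule: no IP field -> untouched; non-routable or malformed IP ->
    skipped; unknown IP -> not_found; otherwise the flattened record."""
    out = dict(message)
    if ip_field not in out:
        return out
    ip = out[ip_field]
    if not should_lookup(ip):
        out[f"{FIELD_PREFIX}_lookup"] = "skipped"
        return out
    body = fetch(ip)
    if body is None:
        out[f"{FIELD_PREFIX}_lookup"] = "not_found"
        return out
    out[f"{FIELD_PREFIX}_lookup"] = "ok"
    out.update(flatten(json.loads(body)))
    return out


if __name__ == "__main__":
    # Constructed log messages, one per case the rule has to handle.
    for msg in (
        {"source": "fw1", "src_ip": "203.0.113.10"},
        {"source": "fw1", "src_ip": "192.168.1.20"},
        {"source": "fw1", "src_ip": "198.51.100.7"},
        {"source": "fw1", "src_ip": "not-an-ip"},
        {"source": "fw1"},
    ):
        print(json.dumps(enrich(msg), sort_keys=True))
```

The skip list matters for two reasons: those ranges never have InternetDB data, so the lookup is wasted, and every query discloses an address from your logs to an external service. In Graylog you get the same effect by narrowing the rule's when clause, or by connecting the pipeline to a stream that only carries traffic from external addresses instead of All messages.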