MCP Log Search Tool: Timestamp Search & Data Stream Filter for Claude Desktop Debugging

MCP Server Graylog

An MCP server for Graylog log search that supports searching for logs by absolute/relative timestamps and filtering by data streams. It can be used to debug production problems directly in Claude Desktop.

Monitoring Search tools #Log Search #Production Debugging #Graylog Integration #Timestamp Query .JavaScript

rating : 2 points

downloads : 6.5K

update time : 2025-12-29

Open Site

What is the Graylog Log Search Server?

This is a Model Context Protocol (MCP) server specifically designed for Claude Desktop. It allows you to search and analyze log data in the Graylog log system directly within the Claude chat interface. You can think of it as a 'log search engine' that enables you to query production environment log information without leaving Claude.

How to use the Graylog Log Search Server?

It's very simple to use: First, configure the server connection in Claude Desktop, and then you can use natural language instructions to ask Claude to search for logs. For example, you can say 'Help me find the error logs of the API registration interface between 10:00 and 11:00 this morning', and Claude will automatically call this server to obtain the relevant logs.

Applicable Scenarios

It is most suitable for scenarios such as troubleshooting production environment failures, analyzing monitoring system alarms, verifying after deployment, and investigating user issues. When you receive a monitoring alarm or user feedback about a problem, you can directly search for logs in the relevant time period in Claude to quickly locate the cause of the problem.

Main Features

Precise Time Search

Supports searching for logs by a precise time range. You can specify the exact start and end times, which is very suitable for troubleshooting problems at known time points.

Relative Time Search

Supports searching for logs within a recent period, such as 'last 15 minutes' or 'last 1 hour', which is suitable for real-time monitoring and quick checks.

Application Stream Filtering

You can filter logs by different applications or services (referred to as 'streams' in Graylog) to view only the log information of specific applications.

System Health Check

Provides a system connection status check function to ensure that the connection to the Graylog server is normal and the versions are compatible.

Intelligent Error Prompt

Provides clear and understandable error messages to help quickly locate configuration or connection problems.

Timeout Protection

Automatically sets a 30-second timeout to prevent long waiting times and ensure timely query responses.

Advantages

No need to switch tools: Search for logs directly in Claude, improving work efficiency

Natural language interaction: Describe your requirements in natural language, and Claude will automatically convert them into queries

Precise time control: Supports the ISO 8601 standard time format for accurate search

Production-ready: Verified by 54 test cases, with a code quality score of 9.2/10

Simple configuration: Only need to set the Graylog address and API token to use

Limitations

Requires a Graylog instance: You must have a deployed Graylog log system

Requires API permissions: You need to configure an API token with read permissions

Depends on network connection: You need to be able to access the Graylog server

Limited query complexity: Supports basic Elasticsearch syntax, but complex queries may be restricted

How to Use

Get a Graylog API Token

Log in to the Graylog management interface, go to 'System → Users', select your user, click 'Edit Tokens', and create a new read-only permission token.

Configure Claude Desktop

Edit the Claude Desktop configuration file and add the server configuration. The configuration file location: On macOS, it is in ~/Library/Application Support/Claude/, and on Windows, it is in %APPDATA%\Claude\.

Restart Claude Desktop

After saving the configuration file, restart the Claude Desktop application for the configuration to take effect.

Start Using

In the Claude chat interface, describe your log query requirements in natural language, such as 'Help me find all the error logs in the last 1 hour'.

Usage Examples

Troubleshoot Production Environment Errors

When the monitoring system alarm indicates that an error occurred at a specific time point in an API interface, use the precise time search to quickly locate the problem.

Monitor the Status After Deployment

After completing the application deployment, check if there are any new errors in the recent period to ensure that the deployment did not introduce any problems.

Investigate User Feedback Issues

When a user reports a problem at a specific time, search for the log records of the relevant user operations during that period.

Frequently Asked Questions

What kind of Graylog permissions do I need to use this tool?

How should I write the time format?

Why isn't the search returning any results?

What query syntax is supported?

How can I verify if the configuration is correct?

How many logs can be returned at most?

Related Resources

GitHub Repository

Source code, issue feedback, and contribution guidelines

npm Package Page

Download the latest version and view the version history

Model Context Protocol Official Website

Official documentation and specifications of the MCP protocol

Graylog Official Documentation

Guide for using and configuring the Graylog log system

🚀 mcp-server-graylog

A Model Context Protocol (MCP) server for Graylog log searching. Search logs by absolute/relative timestamps, filter by streams, and debug production issues directly from Claude Desktop.

🚀 Quick Start

This MCP server allows you to search Graylog logs using exact timestamps, filter by application streams, and gain actionable insights for troubleshooting production issues. You can use it in different ways as described below.

✨ Features

✅ Absolute timestamp search: Debug specific errors with exact time ranges.
✅ Relative timestamp search: Search recent logs (last N seconds).
✅ Stream discovery: List all available streams/applications.
✅ System health check: Verify Graylog connectivity.
✅ Comprehensive validation: Validate ISO 8601 timestamps, query syntax, and stream IDs.
✅ Clear error messages: Provide actionable errors for auth, network, and API issues.
✅ Timeout handling: Set 30 - second timeouts to prevent hanging.
✅ Production - ready: Passed 54 tests with a 9.2/10 code quality score.

📦 Installation

Option 1: Use with npx (Recommended)

# No installation needed - use directly with npx
npx mcp-server-graylog

Option 2: Global Installation

npm install -g mcp-server-graylog

Option 3: Local Installation

# Clone the repository
git clone https://github.com/Pranavj17/mcp-server-graylog.git
cd mcp-server-graylog

# Install dependencies
npm install

📚 Documentation

Configuration

Claude Desktop Setup

Add the following configuration to your Claude Desktop config file:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

Using npx (Recommended)

{
  "mcpServers": {
    "graylog": {
      "command": "npx",
      "args": ["-y", "mcp-server-graylog"],
      "env": {
        "BASE_URL": "https://graylog.example.com",
        "API_TOKEN": "your_api_token_here"
      }
    }
  }
}

Using Local Installation

{
  "mcpServers": {
    "graylog": {
      "command": "node",
      "args": ["/path/to/mcp-server-graylog/src/index.js"],
      "env": {
        "BASE_URL": "https://graylog.example.com",
        "API_TOKEN": "your_api_token_here"
      }
    }
  }
}

Environment Variables

Property	Details
`BASE_URL`	Required. Graylog server URL (e.g., `https://graylog.example.com`).
`API_TOKEN`	Required. Graylog API token (username for Basic Auth, password is "token").

Getting Your Graylog API Token

Log in to the Graylog web interface.
Go to System → Users.
Select your user.
Click Edit tokens.
Create a new token with read permissions.
Copy the token value.

Available Tools

1. search_logs_absolute

Search logs using absolute timestamps (from/to). Ideal for debugging errors with specific timestamps from monitoring tools or error - tracking systems.

Parameters:

query (required): Search query using Elasticsearch syntax.
from (required): Start timestamp in ISO 8601 format.
to (required): End timestamp in ISO 8601 format.
streamId (optional): Stream ID to filter results.
limit (optional): Maximum results (default: 50, max: 1000).

Example:

{
  "query": "\"/api/v1/registrations\" AND \"PUT\"",
  "from": "2025-10-23T10:00:00.000Z",
  "to": "2025-10-23T11:00:00.000Z",
  "streamId": "646221a5bd29672a6f0246d8",
  "limit": 100
}

2. search_logs_relative

Search logs using a relative time range (e.g., last 15 minutes). Useful for recent log analysis.

Parameters:

query (required): Search query using Elasticsearch syntax.
rangeSeconds (optional): Time range in seconds (default: 900 = 15 minutes, max: 86400 = 24 hours).
streamId (optional): Stream ID to filter results.
limit (optional): Maximum results (default: 50, max: 1000).

Example:

{
  "query": "level:ERROR",
  "rangeSeconds": 3600,
  "limit": 100
}

3. list_streams

List all available Graylog streams (applications). Use this to discover stream IDs for filtering.

Parameters: None

Returns:

{
  "total": 3,
  "streams": [
    {
      "id": "646221a5bd29672a6f0246d8",
      "title": "clientmaster",
      "description": "Client Master application logs",
      "disabled": false
    }
  ]
}

4. get_system_info

Get Graylog system information and health status. Verify connectivity and check the server version.

Parameters: None

Returns:

{
  "version": "5.1.0",
  "codename": "graylog",
  "cluster_id": "abc123",
  "is_processing": true,
  "timezone": "UTC"
}

Query Examples

Search for Errors

level:ERROR

Search for Specific Endpoint

"/api/v1/registrations" AND "PUT"

Search for HTTP Status Codes

status:500
status:>=400

Search for User Actions

user_id:12345 AND action:login

Search for Slow Requests

duration_ms:>1000

Search for Exceptions

exception:NullPointerException

Combine Multiple Conditions

level:ERROR AND source:nexus AND message:*timeout*

Search with Wildcards

message:*connection refused*

Search by Field Existence

_exists_:error_code

Common Use Cases

1. Debug Production Error

When you get an error with a timestamp from your monitoring system:

1. Copy the error timestamp from your monitoring tool.
2. Use search_logs_absolute with a ±5 - minute window.
3. Filter by the application stream.
4. Find the root cause in the logs.

2. Monitor Recent Deployments

After deploying:

1. Use search_logs_relative with the last 15 minutes.
2. Search for level:ERROR.
3. Verify no new errors are introduced.

3. Investigate API Failures

When an API endpoint fails:

1. Search for the endpoint path: "/api/v1/endpoint".
2. Filter by status codes: status:>=400.
3. Check error patterns.

Error Messages

The server provides clear, actionable error messages:

Error	Meaning	Solution
Authentication failed	Invalid API token	Check `API_TOKEN` in the configuration.
Invalid query	Elasticsearch syntax error	Check the query syntax and parameters.
Endpoint not found	Wrong Graylog URL	Check `BASE_URL` in the configuration.
Cannot reach Graylog	Network connectivity issue	Verify Graylog is accessible.
Invalid timestamp	Wrong timestamp format	Use ISO 8601 format (e.g., `2025-10-23T10:00:00.000Z`).

Troubleshooting

Server Won't Start

# Verify BASE_URL and API_TOKEN are set in Claude Desktop config
# Check Claude Desktop logs:
# macOS: ~/Library/Logs/Claude/mcp*.log
# Windows: %APPDATA%\Claude\logs\mcp*.log

curl -u "YOUR_API_TOKEN:token" https://graylog.example.com/api/system

Authentication Errors

Verify the API token has read permissions in Graylog.
Use the token value as the username and "token" as the password.
Check if the token has expired.

No Results Returned

Verify the stream ID is correct using the list_streams tool.
Check if the timestamp range includes data.
Try simplifying the query to * to see if any data exists.
Verify the stream is not disabled.

Integration Tests Failing

# Set environment variables for integration tests
export INTEGRATION_TESTS=true
export BASE_URL=https://graylog.example.com
export API_TOKEN=your_token_here

# Run integration tests
npm run test:integration

Development

Prerequisites

Node.js >= 18.0.0
npm >= 8.0.0
Access to a Graylog instance (for integration tests)

Development Workflow

# Install dependencies
npm install

# Run in development mode (auto - reload)
npm run dev

# Run tests
npm test

# Run tests in watch mode
npm run test:watch

# Run only unit tests
npm run test:unit

# Run integration tests (requires Graylog instance)
INTEGRATION_TESTS=true BASE_URL=https://graylog.example.com API_TOKEN=xxx npm run test:integration

# Check syntax
npm run lint

Project Structure

mcp-server-graylog/
├── src/
│   └── index.js           # Main server implementation (429 lines)
├── test/
│   ├── helpers.test.js    # Helper function tests (14 tests)
│   ├── validation.test.js # Input validation tests (24 tests)
│   ├── mcp-protocol.test.js # MCP protocol tests (16 tests)
│   └── integration.test.js  # Integration tests (7 tests)
├── example-config.json    # Claude Desktop config example
├── CONTRIBUTING.md        # Contributing guidelines
├── CHANGELOG.md          # Version history
└── package.json         # npm configuration

Running Tests

# Run all tests (54 tests)
npm test

# Expected output:
# tests 54
# pass 54
# fail 0

Architecture

Simple, focused architecture in a single file (429 lines):

Configuration & Validation: Check environment variables.
Helper Functions: Validate ISO 8601 timestamps and format errors.
MCP Server Setup: Implement the standard MCP protocol.
Tool Definitions: Define 4 tools with clear schemas.
Tool Implementations: Provide clean, validated functions.
Server Startup: Validate then establish a connection.

Design Principles:

✓ Simple and maintainable.
✓ One file, easy to understand.
✓ Clear separation of concerns.
✓ Comprehensive error handling.
✓ Input validation at boundaries.
✓ Consistent response format.

Contributing

Contributions are welcome! Please see CONTRIBUTING.md for guidelines.

Quick Start:

Fork the repository.
Create a feature branch.
Add tests for your changes.
Ensure all tests pass (npm test).
Submit a pull request.

Changelog

See CHANGELOG.md for version history and release notes.

Security

Use environment variables for sensitive data (never hard - code).
Properly implement basic authentication.
Input validation prevents injection attacks.
Timeout prevents hanging requests.
Error messages don't leak sensitive information.

To report security vulnerabilities, please create a private security advisory on GitHub.

📄 License

This project is under the MIT License. See the LICENSE file for details.

Acknowledgments

Built with @modelcontextprotocol/sdk.
Inspired by the MCP community.
Thanks to all contributors!

Made with ❤️ for the Claude Desktop community

For questions or support, please open an issue on GitHub

Notion Api MCP

Certified

A Python-based MCP Server that provides advanced to-do list management and content organization functions through the Notion API, enabling seamless integration between AI models and Notion.

Markdownify is a multi-functional file conversion service that supports converting multiple formats such as PDFs, images, audio, and web page content into Markdown format.

TypeScript

31.4K

5 points

Duckduckgo MCP Server

Certified

The DuckDuckGo Search MCP Server provides web search and content scraping services for LLMs such as Claude.

The GitLab MCP server is a project based on the Model Context Protocol that provides a comprehensive toolset for interacting with GitLab accounts, including code review, merge request management, CI/CD configuration, and other functions.

UnityMCP is a Unity editor plugin that implements the Model Context Protocol (MCP), providing seamless integration between Unity and AI assistants, including real - time state monitoring, remote command execution, and log functions.

28.0K

5 points

Figma Context MCP

Framelink Figma MCP Server is a server that provides access to Figma design data for AI programming tools (such as Cursor). By simplifying the Figma API response, it helps AI more accurately achieve one - click conversion from design to code.

A Gmail automatic authentication MCP server designed for Claude Desktop, supporting Gmail management through natural language interaction, including complete functions such as sending emails, label management, and batch operations.

The MiniMax Model Context Protocol (MCP) is an official server that supports interaction with powerful text-to-speech, video/image generation APIs, and is suitable for various client tools such as Claude Desktop and Cursor.

Python

40.1K

4.8 points

Zhiqi Future, Your AI Solution Think Tank

English 简体中文繁體中文にほんご

MCP Server Graylog

Overview

Installation

Content Details

Alternatives

What is the Graylog Log Search Server?

How to use the Graylog Log Search Server?

Applicable Scenarios

Main Features

How to Use

Usage Examples

Frequently Asked Questions

Related Resources

Installation

🚀 mcp-server-graylog

🚀 Quick Start

✨ Features

📦 Installation

Option 1: Use with npx (Recommended)

Option 2: Global Installation

Option 3: Local Installation

📚 Documentation

Configuration

Claude Desktop Setup

Using npx (Recommended)

Using Local Installation

Environment Variables

Getting Your Graylog API Token

Available Tools

1. search_logs_absolute

2. search_logs_relative

3. list_streams

4. get_system_info

Query Examples

Search for Errors

Search for Specific Endpoint

Search for HTTP Status Codes

Search for User Actions

Search for Slow Requests

Search for Exceptions

Combine Multiple Conditions

Search with Wildcards

Search by Field Existence

Common Use Cases

1. Debug Production Error

2. Monitor Recent Deployments

3. Investigate API Failures

Error Messages

Troubleshooting

Server Won't Start

Authentication Errors

No Results Returned

Integration Tests Failing

Development

Prerequisites

Development Workflow

Project Structure

Running Tests

Architecture

Contributing

Changelog

Security

📄 License

Links

Acknowledgments

Alternatives