
How to log Graylog's HTTPS requests to OpenSearch

Trace all Graylog requests and their payload to OpenSearch

Modern IT infrastructures generate massive amounts of log data. Centralized log management platforms help teams collect, process, search, and analyze this data efficiently. One widely used solution is Graylog. In this article, we’ll explain how you can log the HTTP(S) requests Graylog sends to OpenSearch, the backend where the data is stored, even when the communication is encrypted via HTTPS.

How Graylog communicates with OpenSearch

Graylog communicates with OpenSearch via HTTP-based REST APIs. Typical operations include:

  • Index creation
  • Index rotation
  • Search queries
  • Bulk indexing
  • Health checks

In production environments, this communication is usually secured using HTTPS (TLS encryption).

Because TLS encrypts the traffic, packet captures (e.g., via tcpdump or Wireshark) will not show readable HTTP content.

So how can we log or inspect the actual HTTP requests?

Enable trace of HTTP Requests

Add this configuration snippet to Graylog's logging configuration, log4j2.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
...
    <Loggers>
...
        <!-- All requests to OpenSearch as 'curl' -->
        <Logger name="tracer" level="trace"/>
    </Loggers>
</Configuration>

Restart Graylog to pick up the new configuration:

systemctl restart graylog-server

Find the logged requests in Graylog's logs:

tail -F /var/log/graylog-server/server.log
...
2026-02-22T18:04:40.853+01:00 TRACE [tracer] curl -iX GET 'https://opensearch:443/_cluster/health?master_timeout=120s&level=cluster&timeout=120s&local=true'
# HTTP/1.1 200 OK
# Server: nginx/1.20.1
# Date: Sun, 22 Feb 2026 17:04:40 GMT
# Content-Type: application/json; charset=UTF-8
# Content-Length: 271
# Connection: keep-alive
...
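
To get an overview of what the tracer recorded, this added example (not part of the original article or of Graylog) tallies the traced requests by method, path and response status. It assumes the line format shown in the excerpt above; the function name and all sample lines except the first request are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Request line written by the 'tracer' logger (format taken from the excerpt above).
REQUEST_RE = re.compile(r"TRACE\s+\[tracer\] curl -iX (?P<method>[A-Z]+) '(?P<url>[^']+)'")
# Response lines are prefixed with '# '; the first one carries the status code.
STATUS_RE = re.compile(r"^# HTTP/\S+ (?P<status>\d{3})\b")

def summarize_tracer(lines):
    """Count traced requests by (method, path, status); status is None if no response was logged."""
    counts = Counter()
    pending = None  # (method, path) still waiting for its response status line
    for line in lines:
        req = REQUEST_RE.search(line)
        if req:
            if pending:  # previous request never got a response line
                counts[pending + (None,)] += 1
            # Drop the query string so calls differing only in parameters group together.
            pending = (req["method"], urlsplit(req["url"]).path)
            continue
        status = STATUS_RE.match(line)
        if status and pending:
            counts[pending + (int(status["status"]),)] += 1
            pending = None
    if pending:
        counts[pending + (None,)] += 1
    return counts

# Constructed sample in the format shown above (only the first request is from the article).
SAMPLE = """\
2026-02-22T18:04:40.853+01:00 TRACE [tracer] curl -iX GET 'https://opensearch:443/_cluster/health?master_timeout=120s&level=cluster&timeout=120s&local=true'
# HTTP/1.1 200 OK
# Content-Type: application/json; charset=UTF-8
2026-02-22T18:04:41.120+01:00 TRACE [tracer] curl -iX POST 'https://opensearch:443/_bulk?timeout=1m' -d '{"index":{"_index":"graylog_0"}}'
# HTTP/1.1 200 OK
2026-02-22T18:04:45.853+01:00 TRACE [tracer] curl -iX GET 'https://opensearch:443/_cluster/health?local=true'
# HTTP/1.1 200 OK
2026-02-22T18:04:46.001+01:00 TRACE [tracer] curl -iX GET 'https://opensearch:443/graylog_0/_search'
# HTTP/1.1 503 Service Unavailable
"""

if __name__ == "__main__":
    for (method, path, status), n in summarize_tracer(SAMPLE.splitlines()).most_common():
        print(f"{n:5d}  {method:6s} {status}  {path}")
```

To run it against the real log, pass an open file handle for /var/log/graylog-server/server.log to summarize_tracer() instead of the sample.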

Summary

  • Logged requests are complete. They contain all important information like payload and headers.
  • Copy and paste the curl commands from the log to test or simulate operations.

You’ll be surprised how many requests will be in the log.