lolcreds

Public credential defaults and exposure patterns for authorized security testing.

Graylog

Graylogmonitoring4 credentials

Credentials4 documented
01

Root User Password Hash

graylog / root-password-hash

Graylog initial configuration requires root_password_sha2, a SHA-256 hash of the password used for the initial root login. Graylog documents that this password cannot be changed through the API or web interface and is modified in server.conf.

user definedsecretpassword

Looks like

pattern
pattern

Graylog server.conf root user SHA-256 password hash

^root_password_sha2\s*=\s*[A-Fa-f0-9]{64}$

Location

config file
server.conf, datanode.conf

Graylog root_password_sha2 initial administrator password hash

secret store

deployment secrets, cloud secret managers, and configuration management vaults

source code

Docker Compose files, Helm values, Ansible roles, and committed server.conf files

logs

setup logs and preflight validation output

public interface
Graylog web interface and REST API

Notes

root_password_sha2 is a verifier rather than the plaintext password, but it is sufficient to define the root login password hash for Graylog nodes.

02

password_secret

graylog / password-secret

Graylog requires password_secret to secure and pepper stored user passwords, sessions, access tokens, and encrypted values. Graylog documents using at least 64 characters and keeping the same value on all nodes.

generated on installsecretsecret value

Looks like

pattern
pattern

Graylog server.conf password_secret value

^password_secret\s*=\s*[^\r\n]{64,}$

Location

config file
server.conf, datanode.conf

Graylog shared password_secret setting

secret store

Kubernetes Secrets, cloud secret managers, vault entries, and deployment automation

source code

committed server.conf files, Helm values, Docker Compose files, and examples

image

VM or container images containing Graylog configuration

Notes

Changing password_secret invalidates user sessions and encrypted values, including encrypted access tokens.

03

REST API Access Token

graylog / rest-api-token

Graylog REST API can be accessed with usernames/passwords or with secure access tokens to avoid sending actual usernames and passwords directly over the command line.

user definedsecrettoken

Location

http header
Authorization

Basic/token authentication context for Graylog REST API clients

environment
GRAYLOG_TOKEN, GRAYLOG_API_TOKEN
config file

automation config, .env files, monitoring integrations, and deployment manifests

secret store

CI/CD variables, cloud secret managers, and automation vault entries

source code

Graylog REST scripts, tests, and committed clients

logs

API client traces and command-line history

Notes

API token privileges correspond to the user and permissions that created or own the token.

04

MongoDB Backend Credential

graylog / mongodb-uri-credential

Graylog stores cluster configuration metadata in MongoDB and documents mongodb_uri as the MongoDB connection string. Authenticated MongoDB URIs can contain usernames and passwords used by Graylog.

user definedsecretusername/password

Looks like

pattern
pattern

MongoDB URI with username and password used by Graylog mongodb_uri

mongodb(?:\+srv)?://[^\s:@]+:[^\s@]+@[^\s/]+

Location

config file
server.conf

Graylog mongodb_uri setting

secret store

cloud secret managers, Kubernetes Secrets, and database password vaults

source code

Docker Compose files, Helm values, and committed Graylog configs

logs

startup logs and MongoDB connection troubleshooting output

Notes

MongoDB credentials can expose Graylog configuration metadata, encrypted values, access token records, and operational state.

Scope

Authorized use

LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.