Graylog
Graylogmonitoring4 credentials
Root User Password Hash
graylog / root-password-hash
Graylog initial configuration requires root_password_sha2, a SHA-256 hash of the password used for the initial root login. Graylog documents that this password cannot be changed through the API or web interface and is modified in server.conf.
Looks like
pattern^root_password_sha2\s*=\s*[A-Fa-f0-9]{64}$Location
server.conf, datanode.confGraylog root_password_sha2 initial administrator password hash
deployment secrets, cloud secret managers, and configuration management vaults
Docker Compose files, Helm values, Ansible roles, and committed server.conf files
setup logs and preflight validation output
Graylog web interface and REST APINotes
root_password_sha2 is a verifier rather than the plaintext password, but it is sufficient to define the root login password hash for Graylog nodes.
password_secret
graylog / password-secret
Graylog requires password_secret to secure and pepper stored user passwords, sessions, access tokens, and encrypted values. Graylog documents using at least 64 characters and keeping the same value on all nodes.
Looks like
pattern^password_secret\s*=\s*[^\r\n]{64,}$Location
server.conf, datanode.confGraylog shared password_secret setting
Kubernetes Secrets, cloud secret managers, vault entries, and deployment automation
committed server.conf files, Helm values, Docker Compose files, and examples
VM or container images containing Graylog configuration
Notes
Changing password_secret invalidates user sessions and encrypted values, including encrypted access tokens.
REST API Access Token
graylog / rest-api-token
Graylog REST API can be accessed with usernames/passwords or with secure access tokens to avoid sending actual usernames and passwords directly over the command line.
Location
AuthorizationBasic/token authentication context for Graylog REST API clients
GRAYLOG_TOKEN, GRAYLOG_API_TOKENautomation config, .env files, monitoring integrations, and deployment manifests
CI/CD variables, cloud secret managers, and automation vault entries
Graylog REST scripts, tests, and committed clients
API client traces and command-line history
Notes
API token privileges correspond to the user and permissions that created or own the token.
MongoDB Backend Credential
graylog / mongodb-uri-credential
Graylog stores cluster configuration metadata in MongoDB and documents mongodb_uri as the MongoDB connection string. Authenticated MongoDB URIs can contain usernames and passwords used by Graylog.
Looks like
patternmongodb(?:\+srv)?://[^\s:@]+:[^\s@]+@[^\s/]+Location
server.confGraylog mongodb_uri setting
cloud secret managers, Kubernetes Secrets, and database password vaults
Docker Compose files, Helm values, and committed Graylog configs
startup logs and MongoDB connection troubleshooting output
Notes
MongoDB credentials can expose Graylog configuration metadata, encrypted values, access token records, and operational state.
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.