Graylog receives log data through inputs. Inputs are distinct from index sets (where log information is saved) and streams (which define the indices to which log information is saved). A good way to visualize this relationship is to imagine that the input is a funnel, the streams are (branching) pipes, and index sets are the storage bins at the end of each pipe. An input with no associated stream directs any message it receives to the All Messages stream, which in turn saves those messages to the default index.
Inputs can either be run on all Graylog nodes as global inputs or configured to only run on specific Graylog node(s) as local inputs. Unless you have a specific reason to use a local input, we recommend using global inputs by default. Multiple inputs of the same type can be configured to work side-by-side if you wish to further isolate your log sources. This configuration can be useful when trying to silo log traffic by internal departments. For example, using inputs with a load balancer and a reliable transport method such as TCP can ensure that no log data is lost in transit.
Launch a New Input
Inputs are created in the user interface via the System > Inputs menu. To launch a new input:
-
Select an input from the drop-down menu.
-
Click Launch new input.
Additional configuration is required depending on the type of input. It is also recommended to secure your input with TLS.
Types of Inputs
There are two main types of inputs: listener and pull.
Listener Inputs
This type of input listens on a port and waits for an application to push data to the Graylog platform. They can listen on either TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) depending on the input type. TCP inputs are the most reliable choice since every message that is sent to the Graylog platform is acknowledged at the network level. UDP inputs have higher performance rates but have no delivery guarantees.
Some examples of listener inputs:
Pull Inputs
This type of input reaches out to an endpoint and pulls log data from it using an API or other method(s). Typically these inputs require authentication to the device or service from which they are pulling.
Some examples of pull inputs: