The Forwarder is a feature that is exclusively available for Graylog Cloud, Graylog Security, and Graylog Operations customers. To learn more about Graylog licenses, please contact the Graylog Sales team.

The Forwarder is distributed using packaging and installation methods similar to those of the Graylog server. You can choose between operating system packages, Docker, and binary tar installation methods for the forwarder. Each installation method is described below.

Hint: It is recommended to have at least 2 CPU cores (3GHz) and 4GB of RAM to ensure optimal performance.

Binary Installation

To perform a binary installation, download the binaries and manually install them on disk.

For the 5.0 forwarder binaries, follow this link.

Operating System Package Installation

The most common installation method is the Linux operating system packages, available as DEB and RPM. Whichever you choose, ensure that Java is available on your operating system (see System Requirements for the appropriate Java version). In addition, confirm that you have access to a TLS certificate and an API token generated from Graylog.

Install via DEB

1. Download and install the DEB package:

sudo apt-get install apt-transport-https openjdk-17-jdk-headless
wget https://downloads.graylog.org/releases/cloud/forwarder/5.0/graylog-forwarder_5.0-1_all.deb
sudo dpkg -i graylog-forwarder_5.0-1_all.deb

2. Create the certificate and update the config file:

sudo vi /etc/graylog/forwarder/forwarder.conf

3. Start the service:

sudo systemctl start graylog-forwarder.service

RPM Install Instructions

1. First, ensure that you install Java:

sudo yum install java-17-openjdk-headless

2. Then, install the Graylog repository configuration:

sudo rpm -Uvh https://downloads.graylog.org/releases/cloud/forwarder/5.0/graylog-forwarder-5.0-1.noarch.rpm

3. Install the graylog-forwarder package:

sudo yum install graylog-forwarder

4. Create the certificate and update the configuration file:

sudo vi /etc/graylog/forwarder/forwarder.conf

5. Start the service:

sudo systemctl start graylog-forwarder.service

Docker Installation

The forwarder is also available as a Docker image. Regardless of your installation method, you need to create a digital certificate to enhance security. To download the image, run the following command: docker pull graylog/graylog-forwarder:<release-version>.

To run the container, you will need to pass it the following environment variables:

Hint: To configure the options for the container, you MUST capitalize the option and prepend it with GRAYLOG_.

GRAYLOG_FORWARDER_SERVER_HOSTNAME
GRAYLOG_FORWARDER_GRPC_API_TOKEN

You also need to mount the certificate file as a volume. Here is an example command:

docker run -e GRAYLOG_FORWARDER_SERVER_HOSTNAME=ingest.<SERVER NAME> -e GRAYLOG_FORWARDER_GRPC_API_TOKEN=<INSERT_API_TOKEN_HERE> -v /path/to/cert/cert.pem:/etc/graylog/forwarder/cert.pem graylog/graylog-forwarder:<release-version>

Here is an example docker compose file (and supporting file) for using Graylog Forwarder with Docker:

.env

# See the Graylog Forwarder documentation for all available configuration options.
# https://go2docs.graylog.org/4-x/getting_in_log_data/forwarder_configuration_options.html

# The Graylog Forwarder ingest hostname (eg. Graylog for on-premise or
# ingest-<your-account>.graylog.cloud for Cloud). Provided in the Forwarder
# Setup Wizard in Graylog. [required]
GRAYLOG_FORWARDER_SERVER_HOSTNAME=""

# The API Token for authenticating the forwarder. Provided in the Forwarder
# Setup Wizard in Graylog. [required]
GRAYLOG_FORWARDER_GRPC_API_TOKEN=""

# Enables TLS for forwarder communication. Always enable for production use.
GRAYLOG_FORWARDER_GRPC_ENABLE_TLS="true"

docker-compose.yml

version: "3.8"

services:
  forwarder:
    image: "graylog/graylog-forwarder:4.10"
    environment:
      GRAYLOG_FORWARDER_SERVER_HOSTNAME: "${GRAYLOG_FORWARDER_SERVER_HOSTNAME:?Please configure GRAYLOG_FORWARDER_SERVER_HOSTNAME in the .env file}"
      GRAYLOG_FORWARDER_GRPC_API_TOKEN: "${GRAYLOG_FORWARDER_GRPC_API_TOKEN:?Please configure GRAYLOG_FORWARDER_GRPC_API_TOKEN in the .env file}"
      GRAYLOG_FORWARDER_GRPC_ENABLE_TLS: "${GRAYLOG_FORWARDER_GRPC_ENABLE_TLS:-true}"
      # The explicit GRAYLOG_NODE_ID_FILE setting is only required when
      # running version <=4.10-1 of the Forwarder image.
      #GRAYLOG_NODE_ID_FILE: "/var/lib/graylog-forwarder/node-id"
    ports:
      - "5044:5044/tcp"   # Beats
      - "5140:5140/udp"   # Syslog
      - "5140:5140/tcp"   # Syslog
      - "5555:5555/tcp"   # RAW TCP
      - "5555:5555/udp"   # RAW UDP
      - "12201:12201/tcp" # GELF TCP
      - "12201:12201/udp" # GELF UDP
      #- "10000:10000/tcp" # Custom TCP port
      #- "10000:10000/udp" # Custom UDP port
    volumes:
      - "forwarder-data:/var/lib/graylog-forwarder"
      #- "/path/to/custom/jvm.options:/etc/graylog/forwarder/jvm.options"
    restart: "on-failure"

volumes:
  forwarder-data:
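
A pre-flight check for the .env file above, to run before starting the compose stack. This is an added example, not part of the Graylog documentation: the function names are hypothetical, and the owner-only file mode is an assumption made here because the file holds the API token.

```shell
#!/bin/sh
# Added example: lint the forwarder .env file before "docker compose up".
# check_forwarder_env FILE prints findings and returns the number of problems.

# Print the value assigned to KEY in FILE with surrounding quotes stripped.
# If the key is assigned more than once, this helper reports the last one.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

check_forwarder_env() {
    file=$1
    problems=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    # Both settings are marked [required] in the .env template.
    for key in GRAYLOG_FORWARDER_SERVER_HOSTNAME GRAYLOG_FORWARDER_GRPC_API_TOKEN; do
        value=$(env_value "$file" "$key")
        case $value in
            "")    echo "$key is empty"; problems=$((problems + 1)) ;;
            *"<"*) echo "$key still contains a <placeholder>"; problems=$((problems + 1)) ;;
        esac
    done

    # The compose file defaults TLS to true; flag an explicit opt-out.
    tls=$(env_value "$file" GRAYLOG_FORWARDER_GRPC_ENABLE_TLS)
    if [ -n "$tls" ] && [ "$tls" != "true" ]; then
        echo "GRAYLOG_FORWARDER_GRPC_ENABLE_TLS=$tls: forwarder traffic would not use TLS"
        problems=$((problems + 1))
    fi

    # Assumption of this example: the token file should be owner-only.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        *00|0) ;;
        *) echo "$file has mode $mode, expected 600 or stricter"; problems=$((problems + 1)) ;;
    esac

    return "$problems"
}
```

Call it as `check_forwarder_env .env && docker compose up -d` so the stack only starts when the check reports no problems.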