Graylog Cloud supports pull inputs as an alternative to using a forwarder, allowing you to configure inputs to accept data from remote sources. This added functionality for pull inputs works by allowing Graylog server nodes in Cloud to periodically query endpoints for data.

Supported Inputs

• AWS CloudTrail

• AWS Kinesis/CloudWatch

• AWS Security Lake

• Azure Event Hubs

• CrowdStrike

• GCP Log Events

• Gmail Log Events

• Google Workspace Log Events

• JSON path value from HTTP API

• Microsoft Defender for Endpoint

• Office 365 Log Events

• Okta Log Events

• Random HTTP message generator

Configuration

Pull inputs are straightforward to set up and require the following basic steps. (See the Graylog documentation linked in the above section for specific input configuration settings.)

Warning: In order for a given input to receive log traffic, the port it uses must be open on all corresponding Graylog nodes.

1. Configure an endpoint to accept requests from Graylog Cloud.

2. Create an input in Graylog Cloud using the endpoint URL.

3. Optionally, configure additional settings for the input (e.g. message processing rules).

4. Start the input to pull data from the configured endpoint.

5. Once successfully configured, users can use pull inputs to collect data from both HTTP and HTTPS sources.

Some inputs, such as Syslog TCP or GELF TCP, can be secured using Transport Layer Security (TLS). This secures the data being sent to Graylog by using encryption in transit. A certificate including the private key is required for the inputs. Note that this can be the same certificate as is used to secure Graylog itself.

Additionally, note that if TCP log traffic is sent to a UDP input, or vice versa, these messages will not be successfully received (and will silently fail to ingest).