Forwarder Configuration Options

The Forwarder is a feature that is exclusively available for Graylog Cloud, Graylog Security, and Graylog Enterprise. To learn more about Graylog licenses, please contact the Graylog Sales team.

The forwarder supports the following configuration options.

Setting	Requirement	Description
`forwarder_api_enabled`	optional - defaults to `false`	Enables the forwarder REST API. If enabled, the API will listen on a Unix Domain Socket using the file indicated with `forwarder_api_socket_path`, unless a `forwarder_api_tcp_bind_address` value is provided.
`forwarder_api_socket_path`	optional - defaults to `<working-directory/data/forwarder-api.sock>`	If the Forwarder API is enabled, it will listen on a Unix domain socket using the file, unless a `forwarder_api_tcp_bind_address` value is specified.
`forwarder_api_socket_permissions`	optional - defaults to `rw-------`	The permissions for the forwarder API domain socket file.
`forwarder_api_tcp_bind_address`	optional	The host and optional port number to bind the forwarder API to, e.g. 192.168.1.10 or 192.168.1.10:9090. If a port number is not specified with the host name, the default port 9001 will be used. If specified, the API will no longer listen on a Unix Domain Socket.
`forwarder_configuration_polling_interval`	optional - defaults to `10s`	The interval at which configuration is retrieved from Graylog.
`forwarder_configuration_port`	optional - defaults to `13302`	The remote TCP port through which a configuration and control channel is established between the forwarder and Graylog.
`forwarder_grpc_api_token`	optional - defaults to `true`	The API Token for authenticating the forwarder. Provided in the Forwarder Setup Wizard in Graylog.
`forwarder_grpc_call_timeout`	optional - defaults to `60s`	The timeout for forwarder log message forwarding communication.
`forwarder_grpc_enable_compression`	optional - defaults to `true`	Enables compression for forwarder communication.
`forwarder_grpc_enable_tls`	optional - defaults to `true`	Enables TLS for forwarder communication. Always enable for production use.
`forwarder_grpc_graceful_shutdown_timeout`	optional - defaults to `10s`	The time to allow ongoing log message forwarding requests to complete upon forwarder shutdown.
`forwarder_grpc_max_message_size`	optional - defaults to `4MB`	The maximum log message size permitted through the forwarder. Log messages exceeding this size will be discarded. This value must be smaller than the same property set on the Graylog server-side of the forwarder.
`forwarder_grpc_message_batch_size`	optional - defaults to `100KB`	The size for batches of log messages that triggers sending from the Forwarder to Graylog. Once this batch size is reached, the batch is synchronously sent to Graylog.
`forwarder_grpc_message_flush_interval`	optional - defaults to `1s`	The maximum time to wait before sending a batch to Graylog if the configured batch size is not yet reached.
`forwarder_grpc_message_sending_thread_pool_size`	optional - defaults to `5`	The number of simultaneous batch sender threads. Each batch sender will attempt to send one batch at a time and wait for a server-side acknowledgment before proceeding.
`forwarder_grpc_tls_trust_chain_cert_file`	optional	The full path to the trust chain certificate file (e.g. `cert.pem`). Used to encrypt Forwarder communication. If not provided, the forwarder will still trust public CAs. Not required for Cloud installations, since a public CA is always used.
`forwarder_heartbeat_interval`	optional – defaults to `2s`	The default is 2s and appropriate for most users. But installations with a large number of Forwarders may want to increase the interval to reduce the load on the server.
`forwarder_heartbeat_interval`	optional - defaults to `2s`	The interval at which the forwarder heartbeat is sent. This tells Graylog that the forwarder is connected.
`forwarder_message_transmission_port`	optional - defaults to `13301`	The remote TCP port to send log messages through to Graylog.
`forwarder_server_hostname`	required	The Graylog Forwarder ingest hostname (e.g. `Graylog` for on-premise or `ingest-<your-account>.graylog.cloud` for Cloud). Provided in the Forwarder Setup Wizard in Graylog.
`forwarder_state_reporting_interval`	optional - defaults to `10s`	The interval at which input states and metrics are reported to Graylog.
`message_journal_max_age`	optional - defaults to `12h`	Maximum age of message in journal. Messages older than this time will be deleted/flushed from the journal even if they have not been sent to a Graylog cluster.
`message_journal_max_size`	optional - defaults to `5gb`	Maximum size of message journal. If journal fills up, oldest messages are deleted first.