Install and Register Graylog Forwarder

The Forwarder is a feature that is exclusively available for Graylog Cloud, Graylog Security, and Graylog Enterprise. To learn more about Graylog licenses, please contact the Graylog Sales team.

This guide describes how to install and register Graylog Forwarder on a Linux host. You will begin by reviewing the required prerequisites, then generate a Forwarder token and install the Forwarder package. After installation, you will edit the forwarder.conf file, start the Forwarder service, and register the host with your Graylog environment.

Once the Forwarder is registered, this guide shows you how to assign input profiles in the Graylog interface and verify that data is flowing correctly. Additionally, you will learn how to deploy and operate the Forwarder using Docker, if desired.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

  • Your user account must have permission to create Forwarder inputs, tokens, and input profiles, which requires the Forwarder Manager role.

  • The host must run a supported Linux distribution to which you have administrative access.

  • The host must have outbound network access to the Graylog Forwarder input.

  • The Forwarder must be able to connect to the Graylog cluster on ports 13301 and 13302.

  • For on-premises deployments, an existing Forwarder input must be available on the Graylog cluster; you may create this input manually or during the Forwarder setup wizard.

Generate a Forwarder Token

The Forwarder requires a valid token to authenticate when registering with Graylog. Create this token before installing the Forwarder.

  1. Navigate to System > Forwarders in Graylog.
  2. Select Add Forwarder or begin the Forwarder Setup Wizard.
  3. Create a new Forwarder token.
  4. Copy the token securely. It will not be displayed again.

You will add this token to forwarder.conf before starting the service.

Install the Forwarder Package

Graylog provides binary packages for Linux platforms. Install the package that matches your distribution. See the Graylog operating system package repository for all available packages.

Debian or Ubuntu

sudo apt update
sudo apt install ./graylog-forwarder_<version>_amd64.deb    

Replace <version> with your target version.

RHEL or Other RPM-Based Systems

sudo rpm -i graylog-forwarder-<version>.x86_64.rpm        

Configure forwarder.conf

The Forwarder reads its configuration from forwarder.conf during startup. You must adjust the file before enabling the service.

The configuration file is located at: /etc/graylog/forwarder/forwarder.conf.

Open the file and set the following required fields:

forwarder_server_hostname = <graylog-hostname-or-ip>
forwarder_configuration_port = 13302
forwarder_message_transmission_port = 13301
forwarder_grpc_api_token = <your-forwarder-token>            

TLS configuration and other optional fields may be added depending on your environment. TLS is recommended for production use but not required. Additionally, the Forwarder must reach the Graylog API on port 13302 to retrieve configuration data.

For more information on available configurations for the Forwarder, see Forwarder Configuration Settings Reference.

Start and Register the Forwarder Service

After editing forwarder.conf, start the service.

sudo systemctl enable graylog-forwarder
sudo systemctl start graylog-forwarder
sudo systemctl status graylog-forwarder        

When the service starts, the Forwarder attempts to register with Graylog. The host appears in System > Forwarders after successful registration.

If the host does not appear, verify connectivity to the forwarder input on port 13302.

Deploy Forwarder Using Docker

You can also run Forwarder as a container. The container must be able to bind to all input ports used by assigned input profiles.

  1. Pull down the container: 

    docker pull graylog/forwarder:<version>

  2. Run the container: 

    docker run -d \
    -v /etc/graylog/forwarder/forwarder.conf:/etc/forwarder/forwarder.conf \
    --name graylog-forwarder \
    graylog/forwarder:<version>        

Registration occurs automatically when the container starts.

Assign Input Profiles

After registration, assign one or more input profiles to the Forwarder host. Input profiles define which inputs the Forwarder runs.

  1. Navigate to System > Forwarders.
  2. Select the registered host.
  3. Assign the appropriate input profiles.

The Forwarder activates the inputs from these profiles on the next update cycle. The Forwarder does not automatically discover logs; all collection behavior is defined by assigned input profiles.

For more information on input profiles and the Graylog Forwarder, see Configure Forwarder Input Profiles.

Verify Data Flow

To confirm successful installation and operation, verify the following in Graylog:

  • The forwarder input is running.
  • The Forwarder host appears in System > Forwarders.
  • Assigned input profiles show active listeners.
  • Messages appear under Show Messages for the relevant inputs.

Troubleshooting and Common Issues

The following section outlines troubleshooting steps for common issues to assist you in resolving potential challenges you may encounter.

Issue: Logs Not Appearing in Graylog

The Forwarder and its inputs appear to be running, but no logs are visible in Graylog.

Solution: Verify Connectivity, Configuration, and Input Assignments

  1. Confirm that the Forwarder has network connectivity to ports 13301 and 13302.

  2. Verify that the token value in forwarder.conf is correct.

  3. Check that the correct input profiles are assigned to the Forwarder host.

  4. Review firewall rules on both the host and the Graylog cluster to ensure they allow required traffic.

Further Reading

Explore the following additional resources and recommended readings to expand your knowledge on related topics: