Inputs

Graylog receives log data through inputs, which act as entry points into the system. Inputs are separate from streams (which route data) and index sets (which store data).

Inputs can run on all Graylog nodes (global inputs) or on specific nodes (local inputs). Unless you need to isolate data to a node, global inputs are recommended. You can configure multiple inputs of the same type to segment traffic (for example, to separate departmental logs), especially when used with a load balancer and a reliable protocol such as TCP to prevent data loss.

Input documentation provides an overview of Graylog inputs, how to configure and launch a new input, and how to secure inputs with TLS.

New to log ingestion? Enroll in the free Log Ingestion course from Graylog Academy to learn the core concepts behind bringing log data into your environment. Build a solid foundation for parsing, routing, and analyzing logs with confidence.

Inputs

Review the table to determine the appropriate input for your data source and how to configure it within your environment, and to ensure optimal data collection for centralized log analysis.

Hint: If an Illuminate pack is available for your log source, enable it before configuring an input to avoid creating duplicate entities.

| Input | Type | TLS Capable | Illuminate Pack |
|---|---|---|---|
| 1Password Input | Pull | Yes | |
| AWS CloudTrail | Pull | Yes | |
| AWS Kinesis CloudWatch Input | Pull | Yes | |
| AWS S3 Input | Pull | Yes | |
| AWS Security Lake Input | Pull | Yes | AWS Security Lake |
| Azure Event Hubs Input | Pull | Yes | |
| Beats Input | Listener and pull | Yes | |
| Bitdefender GravityZone Input | Listener | Yes | Bitdefender GravityZone |
| CEF Inputs | Listener | Yes (TCP only) | |
| Cluster-to-Cluster Forwarder | Listener | Yes | |
| CrowdStrike Input | Pull | Yes | CrowdStrike Falcon |
| F5 BIG-IP Log Events Input | Pull | Yes | |
| Graylog Forwarder | Listener | Yes | |
| GCP Log Events | Pull | Yes | |
| GELF Inputs | Listener | Yes (HTTP and TCP only) | |
| Google Workspace Input | Pull | Yes | Google Workspace |
| IPFIX Input | Listener | No | |
| JSON Path from HTTP API Input | Pull | No | |
| Microsoft Defender for Endpoint Input | Pull | Yes | Microsoft Defender for Endpoint |
| Microsoft Graph Input | Pull | Yes | |
| Microsoft Office 365 Input | Pull | Yes | Microsoft Office 365 |
| Mimecast Input | Pull | Yes | Mimecast |
| Mimecast Input | Listener | No | NetFlow |
| Okta Log Events Input | Pull | Yes | Okta |
| OpenTelemetry (gRPC) Input | Listener | Yes | |
| Palo Alto Networks TCP (PAN-OS v11+) Input | Listener | Yes | Palo Alto 11 |
| Random HTTP Message Generator Input | Listener | No | |
| Raw HTTP Input | Listener | No | |
| Raw or Plaintext Inputs | Listener | Yes (TCP only) | |
| Salesforce Input | Pull | Yes | |
| Sophos Central Input | Pull | | |
| Symantec EDR Events Input | Pull | Yes | Symantec Endpoint Detection and Response |
| Symantec SES Events Input | Pull | Yes | Symantec Endpoint Security |
| Syslog Inputs | Listener | Yes (TCP only) | |

Types of Inputs

There are two main types of inputs: listener and pull.

Listener Inputs

This type of input listens on a port and waits for an application to push data to the Graylog platform. Listener inputs can listen on either TCP (Transmission Control Protocol) or UDP (User Datagram Protocol), depending on the input type. TCP inputs are the most reliable choice because every message sent to the Graylog platform is acknowledged at the network level. UDP inputs have higher performance rates but no delivery guarantees.

Pull Inputs

This type of input reaches out to an endpoint and pulls log data from it using an API or other method(s). Typically these inputs require authentication to the device or service from which they are pulling.

Hint: The following guidance pertains primarily to Graylog editions in self-managed environments. See the documentation for more information about pull inputs for Graylog Cloud.

Filtered Input

A filtered input is a specialized input type in Graylog that lets you pull only the specific data you need directly from an external data lake, such as Amazon Security Lake, without fully ingesting all of it into Graylog. Instead of importing all logs, you define filters that determine which logs to ingest and when, allowing for targeted data retrieval based on criteria like event type or severity.

Hint: It is possible to launch a new filtered input from the Input Setup page in Graylog; however, it is strongly recommended that you create a filtered input when creating a new external data lake. See Create an External Data Lake Connector for more information.

Generic Inputs

In addition, Graylog provides generic input types based on common protocols and log formats that enable you to ingest many different data sources. The following inputs can be used to accommodate a wide range of log types:

Each input type offers multiple configuration options, allowing you to select the method that best aligns with your environment and data requirements.

Launch a New Input

Inputs are created in the user interface via the System > Inputs menu. For information on creating a new input, including how to navigate Input Setup Mode, see Set Up an Input.

Input Configuration

For a complete overview of the various input types available in Graylog, refer to the official Graylog Inputs documentation. This resource provides detailed guidance on configuring each input type, including supported protocols, use cases, and setup instructions.

Secure Inputs with TLS

It is generally recommended to secure your input with TLS (Transport Layer Security) to protect log data in transit. Enabling TLS helps prevent unauthorized access, tampering, or interception of sensitive information as it moves from your log sources to Graylog. This is especially important when transmitting data over public or untrusted networks. See Secure Inputs with TLS for more information.
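The following added example (not part of the Graylog documentation) audits a list of configured inputs for the points made above: UDP listeners that can neither use TLS nor guarantee delivery, TCP listeners with TLS switched off, and local inputs. The sample listing is constructed, and its field names (`attributes`, `port`, `tls_enable`, `global`) and type strings are assumptions modeled on an input listing; verify them against your Graylog version before relying on the check.

```python
import json

# Constructed sample listing; field names and type strings are assumptions.
SAMPLE = json.loads("""
{"inputs": [
  {"title": "fw-syslog-udp", "global": true,
   "type": "org.graylog2.inputs.syslog.udp.SyslogUDPInput",
   "attributes": {"port": 1514}},
  {"title": "app-gelf-tcp", "global": true,
   "type": "org.graylog2.inputs.gelf.tcp.GELFTCPInput",
   "attributes": {"port": 12201, "tls_enable": true}},
  {"title": "dmz-syslog-tcp", "global": false,
   "type": "org.graylog2.inputs.syslog.tcp.SyslogTCPInput",
   "attributes": {"port": 6514, "tls_enable": false}},
  {"title": "okta-pull", "global": true,
   "type": "example.constructed.PullInput",
   "attributes": {}}
]}
""")


def audit_inputs(listing):
    """Return (title, finding) tuples for listener inputs that need review."""
    findings = []
    for inp in listing["inputs"]:
        attrs = inp.get("attributes", {})
        # Assumption: pull inputs bind no port, so they are out of scope here.
        if "port" not in attrs:
            continue
        title = inp["title"]
        if ".udp." in inp["type"].lower():
            # TLS is TCP-only for Syslog, CEF and raw inputs, and UDP has
            # no delivery guarantee.
            findings.append((title, "udp-no-tls-no-delivery-guarantee"))
        elif not attrs.get("tls_enable", False):
            findings.append((title, "tcp-tls-disabled"))
        if not inp.get("global", False):
            # Global inputs are recommended unless data must stay on a node.
            findings.append((title, "local-input"))
    return findings


if __name__ == "__main__":
    for title, finding in audit_inputs(SAMPLE):
        print(f"{title}: {finding}")
```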