Graylog receives log data through inputs. Inputs are distinct from index sets (where log information is saved) and streams (which define the indices to which log information is saved). A good way to visualize this relationship is to imagine that the input is a funnel, the streams are (branching) pipes, and index sets are the storage bins at the end of each pipe. An input with no associated stream directs any message it receives to the All Messages stream, which in turn saves those messages to the default index.

Inputs can either be run on all Graylog nodes as global inputs or configured to only run on specific Graylog node(s) as local inputs. Unless you have a specific reason to use a local input, we recommend using global inputs by default. Multiple inputs of the same type can be configured to work side-by-side if you wish to further isolate your log sources. This configuration can be useful when trying to silo log traffic by internal departments. For example, using inputs with a load balancer and a reliable transport method such as TCP can ensure that no log data is lost in transit.

Hint: Each input has a Show received messages button. When selected, this option reveals messages received via this input in a range of 26 hours into the past and future.

Launch a New Input

Inputs are created in the user interface via the System > Inputs menu. To launch a new input:

1. Select an input from the drop-down menu.

2. Click Launch new input.

Additional configuration is required depending on the type of input. It is also recommended to secure your input with TLS.

Types of Inputs

There are two main types of inputs: listener and pull.

Listener Inputs

This type of input listens on a port and waits for an application to push data to the Graylog platform. They can listen on either TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) depending on the input type. TCP inputs are the most reliable choice since every message that is sent to the Graylog platform is acknowledged at the network level. UDP inputs have higher performance rates but have no delivery guarantees.

Some examples of listener inputs:

• Syslog

• Beats

• CEF TCP/UDP

• GELF TCP/UDP

• IPFIX UDP

• NetFlow

• Raw/Plaintext TCP/UDP

Pull Inputs

This type of input reaches out to an endpoint and pulls log data from it using an API or other method(s). Typically these inputs require authentication to the device or service from which they are pulling.

Some examples of pull inputs:

• AWS CloudTrail

• AWS Kinesis/Cloudwatch

• AWS Security Lake

• Azure Event Hubs

• CrowdStrike

• F5 BIG-IP Log Events

• Google

• JSON Path Value From HTTP AI

• Microsoft Defender for Endpoint

• Office 365 Log Events

• Okta Log Events

• Palo Alto Networks

• SalesForce

• Symantec EDR Events

• Symantec SES Events

Hint: You can find information about pull inputs for Graylog Cloud in the documentation.