Inputs

Graylog receives log data through inputs, which act as entry points into the system. Inputs are separate from streams (which route data) and index sets (which store data).

Inputs can run on all Graylog nodes (global inputs) or on specific nodes (local inputs). Unless you have a need to isolate data to a node, global inputs are recommended. You can configure multiple inputs of the same type to segment traffic—for example, to separate departmental logs—especially when used with a load balancer and a reliable protocol like TCP to prevent data loss.

Hint: Each input has a Show received messages button. When selected, this option reveals messages received via this input in a range of 26 hours into the past and future.

This area of the documentation provides an overview of Graylog inputs, how to configure and launch a new input, and how to secure inputs with TLS.

Types of Inputs

There are two main types of inputs: listener and pull.

Listener Inputs

This type of input listens on a port and waits for an application to push data to the Graylog platform. They can listen on either TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) depending on the input type. TCP inputs are the most reliable choice since every message that is sent to the Graylog platform is acknowledged at the network level. UDP inputs have higher performance rates but have no delivery guarantees.

Pull Inputs

This type of input reaches out to an endpoint and pulls log data from it using an API or other method(s). Typically these inputs require authentication to the device or service from which they are pulling.

Hint: You can find information about pull inputs for Graylog Cloud in the documentation.

Launch a New Input

Inputs are created in the user interface via the System > Inputs menu. For information on creating a new input, including how to navigate Input Setup Mode, see Set Up an Input.

Input Configuration

For a complete overview of the various input types available in Graylog, refer to the official Graylog Inputs documentation. This resource provides detailed guidance on configuring each input type, including supported protocols, use cases, and setup instructions.

Secure Inputs with TLS

It is generally recommended to secure your input with TLS (Transport Layer Security) to protect log data in transit. Enabling TLS helps prevent unauthorized access, tampering, or interception of sensitive information as it moves from your log sources to Graylog. This is especially important when transmitting data over public or untrusted networks. See Secure Inputs with TLS for more information.