Log Source Ingestion Reference
Choosing the right log ingestion method for your Graylog environment starts with identifying the log sources you plan to bring into Graylog. The table below lists a wide range of supported sources, including firewalls and network appliances, cloud and SaaS providers, applications, and other popular third-party platforms.
For each source, you’ll see the log types Graylog natively supports, along with the recommended input or inputs used to ingest that data. Use this reference to find the specific inputs, formats, and setup requirements for each supported integration.
If you’re still deciding which data sources to collect, see Select and Ingest High-Value Log Sources for guidance on prioritizing your log collection strategy.
Log Sources
The following table lists commonly supported log sources that can be ingested into Graylog. Each entry identifies the source type, the log data it produces, and the corresponding Illuminate pack, input, and any notable configuration requirements. Use this reference to verify compatibility and determine the most effective ingestion method for your environment.
| Source | Logs | Illuminate pack | Input | Setup Requirements |
|---|---|---|---|---|
| Apache HTTP Server | Apache2 access logs | | | |
| Apache Tomcat | Apache Tomcat access logs and Catalina logs | Apache Tomcat | | |
| Amazon Security Lake | Security data logs | | | |
| BIND | DNS server query and error logs | | | |
| Bitdefender GravityZone | Event Push Service API event logs; Bitdefender Syslog events (appliance) | | | |
| Caddy Webserver | Access logs | | | |
| Carbon Black Defense | CB Defense logs | | | |
| Check Point | Check Point Next Generation Firewall (NGFW) logs | | | |
| Cisco ASA (Adaptive Security Appliances) | ASA logs | | | |
| Cisco IOS (Internetwork Operating System) | IOS logs | | | A Raw input is recommended to avoid a timestamp incompatibility issue. |
| Cisco ISE (Identity Services Engine) | ISE logs | | | |
| Cisco Meraki | Meraki logs | | | |
| Cisco Umbrella | Umbrella logs | | | |
| Cloudflare | Cloudflare logs | | | |
| CrowdStrike Falcon | CrowdStrike Falcon logs | | | |
| Fortinet FortiGate | Fortinet FortiGate event logs | | | CEF format is not supported. |
| GitLab | GitLab logs | | | |
| Google Workspace | Gmail, Google Calendar, Google Chat, Google Drive, Google Docs, and more | | | Specific log types are selected on the input. |
| Graylog API Security | API traffic | | | |
| HAProxy LoadBalancer | Default/Connection, Error, TCP, HTTP, and HTTPS logs | | | |
| Juniper SRX | sd-syslog formatted logs | | | |
| Linux Auditbeat | Auditbeat logs | | | |
| Linux AuditD | AuditD event logs | Linux AuditD | | |
| Linux System Logs | syslog and auth.log | | | We recommend using Sidecar with rsyslog, syslog-ng, or Filebeat. |
| Microsoft Defender Antivirus | Event logs | Microsoft Defender Antivirus | | |
| Microsoft Defender for Endpoint | Alert logs | | | |
| Microsoft DHCP | DHCP server event logs | | | Used with the Filebeat collector. |
| Microsoft 365 (formerly Office 365) | Office 365 logs | | | |
| Microsoft PowerShell | PowerShell logs | | | |
| Microsoft Sysmon | Sysmon event logs | | | Configure Winlogbeat or NXLog to collect Sysmon events from the Windows event log service. |
| Microsoft Windows AppLocker | AppLocker event logs | | | Uses Winlogbeat or NXLog, generally with Sidecar. |
| Microsoft Windows DNS Server | Analytical and Audit DNS logs | | | Requires Filebeat version 8.13.0+ for Analytical logs. |
| Microsoft Windows Security | Windows Security event logs | | | Identifies and processes all Windows logs that have not been processed by any other technology pack. Uses Winlogbeat or NXLog. |
| Mimecast | Archive Search, Audit Events, DLP, Search, and others | | | Specific log types are selected on the input. |
| NetFlow | IP traffic flow data | | | |
| NGINX Web Server | Access logs and error logs | | | Either Filebeat (with Sidecar) or rsyslog is required for delivering logs. |
| Okta | Okta logs | | | |
| Packetbeat | Packetbeat logs | | | |
| Palo Alto 11 | Palo Alto logs | | | |
| pfSense/OPNsense Firewall | pfSense and OPNsense logs | | | |
| Postfix Mail Server | Postfix logs | | | |
| Sendmail Mail Server | Sendmail logs | | | Can use Filebeat with Sidecar. |
| Snort 3 IDS | Snort and AppID alerts | | | Configure Snort 3 to log in JSON format to capture detailed event information. |
| SonicWall NGFW | SonicWall NGFW event logs | | | |
| Sophos Central | Sophos Central Endpoint Protection telemetry and event messages | | | |
| Sophos Firewall | Sophos Firewall logs | | | |
| Stormshield Firewall | Stormshield logs | | | |
| Symantec Endpoint Detection and Response | Symantec EDR event and incident logs | | | |
| Symantec Endpoint Protection | Symantec logs | | | |
| Symantec Endpoint Security | | | | |
| Symantec ProxySG | ProxySG event logs | | | |
| Ubiquiti UniFi | UniFi OS, UniFi Network, and UniFi Protect logs | | | A UniFi-specific input and an Illuminate lookup override must be configured. |
| WatchGuard Firebox | Firebox event logs | | | |
| Zeek | Zeek logs | | | Requires Filebeat, and Zeek must be configured to log in JSON format. |
Generic Inputs
In addition, Graylog provides generic input types based on common protocols and log formats that let you ingest many different data sources. The following inputs can be used to accommodate a wide range of log types:
Each input type offers multiple configuration options, so you can select the method that best fits your environment and data requirements.
