Raw HTTP Input

Select this check box to enable this input on all Graylog nodes, or keep it unchecked to enable the input on a specific node.

Select the node on which to start this input. If the Global check box is selected, this option is not available.

Provide a unique name for your input.

Enter an IP address for this input to listen on. The source system/data sends logs to this input via this IP address.

Enter the port number on which Graylog listens for incoming messages.

This setting determines the size of the buffer that stores incoming data before it is processed. A larger buffer can accommodate more data, reducing the chance of data loss during high traffic periods. Depending on the amount of traffic being ingested by the input, this value should be large enough to ensure proper flow of data but small enough to prevent the system from spending resources trying to process the buffered data. The optimal size depends on your network traffic volume. Graylog's default setting is somewhat conservative at 256 KB for testing and small deployments, so if you are dealing with high volumes of data, increasing this value is advised. A practical recommendation is to start with a buffer size of at least 1 MB (1024 KB) and adjust based on observed performance.

This setting controls how many concurrent threads are used to process incoming data. Increasing the number of threads can enhance data processing speed, resulting in improved throughput. The ideal number of threads to configure depends on the available CPU cores on your Graylog server. A common starting point is to align the number of worker threads with the number of CPU cores. However, it is crucial to strike a balance with other server demands.

The certificate private key file that is stored on a Graylog system. The value of this field is a path (/path/to/file) that Graylog should have access to, etc/graylog/tls (recommended). Ensure this path is readable by the user running the Graylog service.

The certificate private key file that is stored on a Graylog system. The value of this field is a path (/path/to/file) that Graylog should have access to, etc/graylog/tls (recommended). Ensure this path is readable by the user running the Graylog service.

Enable secure TLS for encrypted message transport (requires certificates). Select if this input should use TLS.

The private key password.

If you want to require the source of the messages sending logs to this input to authenticate themselves, set to optional or required.

The path where client (source) certificates are located on a Graylog system. The value of this field is a path (/path/to/file) to a file or a directory containing client certificates that Graylog should have access to, etc/graylog/tls (recommended). Ensure this is readable by the user running the Graylog service.

Enable this option if you want the input to support TCP keep-alive packets to prevent idle connections.

Allows Cross-Origin Resource Sharing (CORS), enabling requests from external domains.

Sets the maximum size for each HTTP data chunk to control memory usage and throughput. For large data, it is common practice to chunk smaller blocks (e.g., 8KB or 64KB chunks) to prevent overwhelming buffers. The maximum HTTP chunk size is 65536 bytes.

The maximum amount of time the server will wait for a client to send data when writing to an output stream before closing the connection due to inactivity.

Specify a custom authorization header name to optionally enforce authentication for all received messages. This is a way to add password-like security for this input.

Specify authorization header value to optionally enforce authentication for all received messages.

Enables Graylog to extract the client’s real IP address from proxy headers instead of the direct connection IP.

Ensures that only defined and trusted proxy servers are accepted when providing client IP information, preventing spoofed headers.

Allows Graylog to trust and use client IP addresses specified in configured headers.

Defines the specific HTTP header(s) that carry the original client IP address when requests are passed through proxies.