cat /etc/nginx/graylog.conf

log_format graylog_json escape=json '{ "timestamp": "$time_iso8601", '
             '"remote_addr": "$remote_addr", '
             '"body_bytes_sent": $body_bytes_sent, '
             '"request_time": $request_time, '
             '"response_status": $status, '
             '"request": "$request", '
             '"request_method": "$request_method", '
             '"host": "$host",'
             '"upstream_cache_status": "$upstream_cache_status",'
             '"upstream_addr": "$upstream_addr",'
             '"http_x_forwarded_for": "$http_x_forwarded_for",'
             '"http_referrer": "$http_referer", '
             '"http_user_agent": "$http_user_agent", '
             '"http_version": "$server_protocol" }';

access_log syslog:server=logs.newsite.com:5046 graylog_json;
error_log syslog:server=log.newsite.com:5047;

В конфиге nginx в секции http { } указываем:

include /etc/nginx/graylog.conf;

В грейлоге создайте инпуты Syslog UDP и измените logs.newsite.com:5046 и logs.newsite.com:5047 на свой сервер и порт.