Graylog Reviews

the ability to add information to messages, with pipelines we can add or remove field without modify the original message, it's very usefull for example with lookup table, in this way it's possible to check if an ip (destination or source) it's part of a ransomware campaign. Another cool feature is the ability to route logs in different index, any index can be stored in a different location and have a different retention policy.

The enterprise version are free for 5 gb of data /daily, it's a reasonable value

dashboard and visualizations, there is only two type of visualization and with few customization options, moreover some diagram cannot be modified and must be recreated, for example if a pie diagram was created it's impossible to add stacked field, it must be recreated.

graylog can be implemented easly and solve one of the more understimate topic of IT

centralization of logs with a centralized config management of collectors, it permit to manage hundred configurations of remote hosts, logs are usefull thinghs, they help in troubleshooting, configuration and decisions, with log it's possible to obtain answer from data and graylog is a very usefull tool to do this. With advanced search capabilities and the ability to add additional information to messages graylog help to find answer to questions like wath kind of traffic use a specific firewall rule or if a specific traffic reach a load balancer

The product installs and runs as advertised. There isn't a lot to say here. It is in the cheaper section of enterprise level log analysis packages but still pay homage to it's roots. It tends to be pretty quick and able to digest a large volume of data at speed.

The only dislike I have is when we ran over the rated daily limits for the 'free' version, it shut the whole thing down. This caused me to lose some logs... not a big deal, but I do point it out so others will be on the lookout for it and upgrade their license as required.

Make sure to keep in mind of your data requirements.

I need to be able to view log files and find data for compliance purposes at a moments notice. This product answers that very well. If Splunk is a Cadillac Eldorado I would say Graylog is a Buick Roadmaster(in my mind a better vehicle anyway)

Actualmente estamos evaluando la funcionalidad de Graylog para remplazar tres sistemas antiguos de recolección de Logs. De momento estamos satisfechos con el producto, resaltamos la facilidad para su instalación, simpleza de su interfaz de usuario.

Esperamos en un futuro próximo poder adquirir soporte técnico y capacitación para la herramienta.

Actualmente estamos probando la funcionalidad de recolección de logs sobre una veintena de nuestros dispositivos de red de mayor criticidad.

Llevamos un par de meses de uso con la herramienta Graylog y de momento no tenemos inconvenientes. Por mencionar algo tuvimos que leer bastante los foros para configurar el sistema de recolección de Logs para nuestros dispositivos. Esto nos anima a considerar la compra de soporte técnico y capacitación para nuestros administradores.

Esperamos que pronto puedan ofrecer soporte técnico y documentación en español, lo tomamos como un diferenciador de entre las otras opciones en el mercado.

Fácil instalación e interfaz de usuario simple. Actualmente estamos evaluando el producto Graylog, para reemplazar tres sistemas antigüos de recolección de Logs.

Graylog ofrece la opción de usar sin compromiso la herramienta, para un número reducido de dispositivos.

Somos una empresa de telecomunicaciones y tenemos un par de centro de datos, cuyos dispositivos están monitoreados 24x7, parte importante de esto es la recolección de sus Logs de eventos, que cubrimos a cabalidad con Graylog.

Contamos con la herramienta Graylog como parte de nuestro sistema de monitoreo para nuestros dispositivos de red más importantes.

- Easy to try out thanks for the OVA/docker

- Interface updates in real-time

- Good looking dashboards

- Integrates into various platforms like Slack for alerting

- Has API

- Some aspects such as pipelines and collector snippets can have a bit of a learning curve

- Initial configuration of streams and alerts can take a long time. This can be setup using the API if you have time to look into that.

If you're a business that needs a quick solution to drop in place for centralized logging, definitely look into Graylog. ELK stack also widely used, but that requires more setting up. Depending on your needs, this can be up and running in minutes if using the OVA.

We initially set this up to do basic monitoring of various SQL, disk, and logon events in our Windows environment. Once it was up and running, we saw the large amount of data we could analyze and our dashboards have been expanding ever since. From all this new insight we have been able to address issues we didn't even know were happening.

The best part of Graylog is that I don't have to go digging through a directory full of Linux text files or Windows Event Viewer on individual servers. Having a single pane of glass into all of our logs is extremely helpful.

There's not much to dislike. The biggest annoyance to me is the workaround you have to do to run a syslog pipe on a port below 1000, where it *should* be.

Take the time to set up Windows event shipping carefully or you'll bring the Graylog server to its knees and bury it under a mountain of useless data.

We needed a simpler way to prove to auditors that terminated AD accounts were actually deactivated and when. Graylog gives us a much easier way to do this search.

It is vast and brimming with features. Setup your SIEM connectors and have enough power to log all the data generated by the machines in your business. It is multi platform capable, meaning that you have your eyes over everything that flows through. It has one of the feature packed cloud interfaces, where you can interact with all the data that is being flown. You can also create custom dashboards for easy monitoring.

It can be a resource hog at times. Since large amount of data gets generated every second, you can easily exhaust your allocated hardware limits. Also, pushing out updates can be a little bit tedious when you have thousands of machines on your business, running on a wide variety of operating systems.

Research the competition and decide which one you want to go with. Graylog is feature packed and would be wise to go for if have the manpower and resources required to deploy this logging beast of a software.

Complete logging and monitoring system events. This greatly helps us in intrusion detection and suspicious events that are happening around the corporation. This integrates flawlessly with our existing security tools and provided with right connectors, the logs get flown on a beautiful cloud-based dashboard.

I am a system administrator so its quite easy to configure it, fix it if elasticsearch hangs or kills itself when out of memory

Our company need few requirements for 3 different system. One system needs to save logs for 30 days, other one for 60 days, and another for 90 days. At least in this first version you can't seperate each stream for saving logs in custom days, every stream logs are saved for one time. So if we need to save logs for seperate times, we need 3 different graylog infrastructures

Prepare a lot of storage if your systems are sending a lot of messages, because elastic search creates shards in each cluster. If one server goes down, the other will take care of the jobs.

We are solving all kinds of problems, we see when some kind of system fails to do a job, or when its successful. We can filter statistics like what channel was most watched and so on. Looking forward to create a new infrastructure with current available version for stability.

Graylog has enabled me to easily search through numerous logs in one centralized location. Along with being able to review logs in one central location, Graylog provides an excellent method for creating threshholds and alerting based on those thresholds. Retention is very easy to set up.

I dislike the lack of functionality when it comes to creating stream thresholds based on a specific field uniqueness.

This is a great product that can really make a difference in incident investigations, system monitoring, and reviewing system logs. You should consider the deployment of the system before going live. For example, do you need just one node or will you need multiple servers for the deployment. Also consider the storage space you will need and how long you plan to retain logs for. I recommend that you also consider how you want your indexes set up. Improperly setting up your indexes will result in a longer than expected wait time for data to be retrieved.

Graylog has given us a better method for managing alerts.

Has many features that you would normally not find in other other free Event Management software (which we tried many). It allows us to add the type of events we want to gather and can modify these events via Pipelines before they get stored (very useful for IIS logs). The website based interface is clean and easy to navigate which allows anywhere access. Both a good and bad feature is it does not provide any default alerts, conditions or dashboard content so you have to create them all from scratch, which can be time consuming. However, this does mean you don't get confused when you get an alert for something you have no idea what it means or is irrelevant to your environment. Searching events has become a lot more easier.

You can setup email alerts for when a certain condition occurs, however there is a lack of complexity in the conditions. It can only be on total number of messages in a 'stream' or 1 field content is a certain value or 1 field over several messages add up to a certain value; there are no options to combine these conditions.

Additionally, we had trouble getting it to install and setup the correct back-end configuration for our environment. Reading the official documentation carefully is a must but we still ran into issues which we could not solve except via a complete rebuild.

This software is purely Event Management and does not do any Security incident management that paid-for SIEM software may do and so is not a full SIEM solution.

Carefully read the documentation as the community is quite small and inactive on forums.

Storing a near real-time backup of Events from Servers, switches, Exchange and IIS logs in individual events instead of a text file. Searching all events to help with specific incidents has become considerably easier. We also get alerted to specific problems that need dealing with before an incident may occur. It also, via Dashboards, allows us to see at an instant, the number of incorrect password attempts, object changes, logins and much more.

Best performance, user friendly interface, very smart charts, lot of functionnality, cross-platform compatibility, data very speed searching, very clear indices management, easy to configure dashboard, a very clear and easy message setup and streaming configuration, graylog server configuration is not complicated.

A little complicated for first installation and configuration, custom regular expression (grok, regex) is a little bit complex to configure. ElasticSearch configuration is more hard that expected, some minor bugs is detected during the first deployment.

Very best and powerful log monitoring tool

We can monitore firewall log to analyse what kind of packet is sending or receiving and what link is accepted/blocked by the firewall. We can monitore our JUNIPER switches too, to detect any anomaly or disfunctionment of the equipment. We can monitore our audiocode equipment for telephony, to detect anomaly and dysfunctionment too. All these functionnality is a very good contribution for the benefits of company.

It's designed from the ground up to be scale able, user friendly, and snappy. It is a full featured product that we keep expanding our use of. From network infrastructure to Windows and IIS servers, sending our logs to Graylog has helped us identify problems.

The learning curve is a little steep, but once you get the hang of it, it's easy to keep going and get your problems solved.

Try it! It's easy to get up and running to see if it's right for you.

Log aggregation, analysis, and alerting have benefited greatly from our use of Graylog. Being able to surface important logs while still keeping all logs has been great for troubleshooting, security, and compliance. Building dashboards allows us to quickly identify problem areas, generate quick reports for meetings, and show off how well the software works to management. We are currently working to implement some of the SEIM features in our environment.

Graylog was easy to setup and can be up and running in a matter of an hour. The GUI is easy to navigate and making changes to the config file is fairly simple. There is also good documentation.

I have noticed that some of the operations seem to take longer in Graylog compared to the ELK stack. This is something to weigh when it comes to using this. The ease of setup may be good for a start, however if you want to display more complex graphs and visuals switching to ELK stack may be better.

If you want an easy setup process and good documentation Graylog is a good choice. Setting up alerts for security events is easy and can save a lot of headache.

We use Graylog to contain all of our log information in accordance with HiTRUST. This solution was easy to setup and build upon.

Audit Log records and stores actions taken by a user or administrator that make changes in your Graylog system. With the new archiving functionality in Graylog Enterprise, you can now store everything older than 30 days on slow storage and only re-import it into Graylog when you need it.

Search through terabytes of log data to discover and analyze important information. Now they have a powerful search syntax, which makes browsing process easier, but before it was a little bit confusing. Visualize metrics and statistics could be more creative and you wish simply for more.

This software has a nice prices for business usage and as well the search is really good developed. If you will need to get an information from the past it will not be a problem for you to do that. So considering this soft for business is a really good idea. I will highly recommend that product for new users. First of all try it for some time before grading it.

We are using this product to work with data that we gather through out the working time. It helps to collect and gather data properly, so whenever you will need to check your archive you will know where to look for a specific information.

Graylog supports both lower-level log formats (like Syslog TCP/UDP, raw streams) as well as its own Gelf formatter, which is broadly supported by applications. I can combine the two for, say, a Kubernetes cluster where fluentd sends logs via Syslog and my applications use Gelf.

The initial setup can be a bit confusing depending on your environment; you need to manage an Elasticsearch cluster and it has a bit of a learning curve if you haven't managed your own indexes and retention policies. Some of the terminology in Graylog is used in a very specific way that might not match entirely to your mind-map, but it just takes some getting used to.

Logging is a very often overlooked issue in web hosting and Graylog, paired with its alerting capabilities (e.g., Slack API integration) helps me add value for clients.

The product flexibility, when you have some machine data somewhere and you want to get it, manipulate it and analyze it. The possibility to start free and then switch, when needed, to the enterprise solution

It would be good to have more options to manipulate and present the data without the need of external solutions

When you try it, you start small but then you put there as most as data you can...

Middle log system to "clean" and reduce the data amount forwarded to a popular SIEM/AI cloud service; netflow management.

The customization features and ability to capture log streams from multiple systems increases our productivity when troubleshooting issues. The fact that the system is vendor neutral and the GUI is easy to use also increases the value of the product.

The solution is open sourced and has a rather large community of users supporting it.

Setting up streams and customizing how Graylog interprets the various logs it gathers can be time consuming and a little cumbersome to initially setup. Once you setup a stream and get through setting up logs for your first system, it makes setting up the next data set easier.

Definitely take advantage of the alerting functionality. The ability to look at logs after an issue has occurred is beneficial, but the ability to be aware of logs related to an issue before it is reported will make you a hero.

Participate in the Graylog community. Whether it is viewing how other users have used the solution or asking questions, the community is valuable tool.

The ability to gather logs from multiple systems into a single interface allows us to quickly identify issues and resolve the issues. The added benefit of alerting also allows us to be aware of issues on our network and within our datacenter before it affects customers or the user experience for services we host.

You can start with a single server, and migrate to a multi-server, highly available logging monster. Because there is no restriction on licensing for the base Graylog product, you can setup a test deployment and test what will happen when you upgrade etc in production.

The community is helpful and active. The product is getting updates frequently.

The system has a purpose built Graylog Collector client which you can monitor directly through the Graylog web interface to determine if the system is still sending logs properly.

Easily integrates with Active Directory to allow authentication of users. Also has the ability to integrate with AD Groups for providing easy access to new users.

All of the Graylog web interface is using the Graylog API. The API browser is well thought out and fully documented. Development teams should find it easy to navigate the API in order to integrate with Graylog. API access also means that any system used for monitoring that can make API calls will be able to query Graylog for system health statistics easily.

Overall the system is very well thought through and comprehensive.

Documentation needs improvement. The marketplace is a bit hit or miss as far as the quality of the plugins.

Customer submitted marketplace items are not curated. Anyone who wants to put together a plug-in can, and while that's great it leads to a highly fragmented experience.

Graylog still relies on Elasticsearch 5.6.x which means that a large amount of the new Elasticsearch improvements are not yet supported.

The Collector Sidecar can and will stop sending logs at random, on Windows, or not startup during system startup after a reboot. Having a system that either forces the service to start or automatically restarts the service at a set period is ideal.

Have a solid understanding of Linux. Also learn the basics of MongoDB in an HA cluster, Elasticsearch in a clustered deployment. Graylog relies heavily on these two products in order to properly operate. Ensure that you have either the ability to run HAProxy, Nginx,

If you don't know how your systems log, what those logs look like, or how you're going to get the logs out of the system and into a log stream to another product you need to start there. Graylog will require that you either log things in a well known format (typical of all logging solutions) or use a combo of Regex/GROK/Graylog Processing Pipelines to break out the logs into different fields so they are individually searchable. Other products have a much larger supported base of these available. If you can't find one you'll be left to either ingest logs as a blob in the message field, or learn to write your own processor pipelines. If you have the ability to pay for professional services then you can enlist Graylog corporate to assist you.

Log management for all devices.

Netflow capture of all network devices.

Historic capture of all events and alerting on those events.

Active Directory log analysis and forensics.

Event correlation and issue root cause.

Graylog logs data with a different approach than we have experienced with other providers. All of the slots that are necessary in this type of solution are cutting edge and provide strong user interface Plugins, alerts, pipelines, message parsing and more. The software allows maximum functionality which makes the experience a better user experience providing ease of access for users. The console is easy and provides all functionality necessary to get, manipulate, parse and load data.

The security have to be configured separately unlike some other competitors. The biggest issue with this software is the dashboard. There are a lot of visualization issues that some of the other providers have on their dashboards such as aggregations.

I would recommend giving this a try. We have had plenty of success with this solution across many different environments. The logs are very powerful and provide a strong overview of problems. The ramp up time is a bit long but once the user is working, the system works great. No complaints. Just need some additional robust applications. But a good product!

We have complex log analysis and this open source solution allows for us to setup a complex environment for complex log analysis in a couple of hours. We can identify issues quickly and it gives us the ability to gather multiple system logs from integrated sources. There are strong alerts and our information within our datacenter can be completed before it affects customers or the user experience for services we host.

I like graylog ability to ingest data from variety of sources, run analytics, and extremely fast searches.

Well, not really dislike, but I would be happy if graylog introduce more dashboard graphs something like kibana, rules simulation engine to test the rules, how to use rules with real examples (documentation), ability to run search queries based on Boolean logic between 2 different documents [correlation] for example show data from all the events where logon id matches (something like vlookup/slookup but enhanced), ability to download automatic correlation rules something like alienvault ossim.

We have used graylog for security and we have good success with it.

Speedy Searches and Normalized Logs. The interface is easy to use and bery intuitive. The Indices are Flexibles.

Archiving feature is limited and lack of a better integration to Cloud Storages like Azure Blob and GCP. in addition do Amazon S3.

Try to use a High Availability setup. It increases search speedy and make you environment secure

Normalized Log Storage ofr Compliance and Regulatory purposes.

The query language is intuitive, and the UI is attractive and usable. Insights into infrastructure quality (e.g. info on the Elasticsearch backend) are great.

One-way communication to Elasticsearch, and a lack of oversight on extensions can make getting Graylog set up for your own personal environment a bit of a chore.

Get a handle on what types of logs you will need Graylog to ingest and research on the ease of getting those log types into the product. Our biggest barrier to entry was aggregating a lot of different log thypes.

Insight into log analytics, centralized log observation.

Together with NXlog, or other log collection tools, Graylog is extremely powerful in the way you can filter/search for specific events. Even the free community version has been, still is actually, very useful to us.

I don't like that it needs Java to run. Other than that, nothing comes to mind.

If you are considering Graylog, then you must give it a try. I am certain that you will not be disappointed.

Collecting and consolidating security events from certain servers in our organization, using the power of Graylog to create an easy way to search for events.

I like the flexibility around leveraging Pipelines & Extractors with regular expressions.

Limitations on converting certain data types such as int IP to string IP.

Being able to centrally manage logs has been a tremendous help to the business. Benefits include IR and data analytics.

- Easy to configure

- Easy to use

- Really fast

- Get beautiful dashboards and alerts for free

- Configuring ES clusters might be a bit daunting, but it's well worth it!

GO FOR IT! In my opinion Graylog is the best solution for log aggregation at the moment.

- Having a centralized view of all applications logs

- Searchable (indexed) logs that can be used to investigate issues

- Alerting and dashboards

- Standardizing logs among different services/languages

The application scales very well and the cost is fair.

I have not noted any features I deslike.

Continue Enjoying this good product.

Centralized log management and threat intelligence.

Being able to go from nothing to a fully fledged SIEM solution with alerting and dashboards in less than a day.

Although the message pipelines within Graylog are powerful, it would be nice to have a fully-fledged language to write pipeline rules.

A completely customisable SIEM solution which can be developed on top of in-house to provide highly detailed information about systems in a clear manner.

The graylog collector and the UI.

They work so well together.

Probably the "high availability" mechanism with mongodb. But because I'm not a specialist of MongoDB.

Be able to "filter" logs for developers. Grok patterns are also so useful and the store is great.

The forum with joschi is as well much better than most of "open source" project. That's awesome !

As an MSP, I love having a central location to go to when needing to access the log data from each of the different sites I manage. This helps me better anticipate when a system or service is going to fail allowing me to be more proactive in preventing these outages.

Setting up the platform was not the smoothest process at all!

Setup is a tedious process.

Prevention of Hardware and critical system Failures, network downtime. Not having to view the log servers of each site just to check up on a system saves me tons of time!

Graylog is open source (free). You can't really beat that. It's very easy to install, set up and use. It's security and scalability are no issues whatsoever.

For some reason, my log file grew at an immense rate. This took up way too much space on my PC. I am not sure if this is a common issue with all users. Other than that, only satisfaction from me.

I used it to for the purpose of having one centralized location for my application, operating systems, and network devices' logs

I also used it to analyze and troubleshoot issues.

Quite an easy setup and ease of use, but capable of complex setups if needed.

From small to very large architectures. Training users is done within a sort timeframe.

In complex dashboards some more graphing capabilities are missing. Changing the time interval afterwards is currently not possible.

Trend analysis and root cause investigations.

Flexibility, tweakability. It is easy to fit your needs.

Out-of-the-box readiness box readiness is not quite there yet, there is lot's to figure and tweak by yourself.

Tweak your memory etc. settings prior to use.

It allows us to easily manage logs.

You can search for pretty much anything inside it - as long as you know how to go about it!

It has a really high level of difficulty of starting with it. For people without dev background it may take a longer to start using it themselves.

We're observing behavior of some parts of the app and use Graylog to find sources of problems as well as track down historical changes.

Ease of installation and quite intuitive gui

Filtering of alerts and other aspects of log meta

Network problems and anomalities

Simple setup, nice interface, LDAP integration

Managing Dashboards is quite unintuitive.

Centralized logging for distributed services

Graylog is an efficient platform for my day to day work. making it much for efficient for output.

Some tools aren’t the best and could use some work.

Graylog allows me to visualize my client’s data better and provides a more understandable way of looking at it.

Simple, easy to use, thoughtful UI, excellent design.

I honestly cannot think of anything I dislike about this product.

We are aggregating all of our web logs to our Graylog server for operational and security purposes.