Graylog Review

Provides the ability to write custom alerts, which are key to information security and compliance


What is our primary use case?

The core of the product is to aggregate log collection.

What is most valuable?

The ability to write custom alerts is key to information security and compliance. Also, I love the improvements I can make on dashboard widgets.

How has it helped my organization?

Application event messaging, or logging, until I show an organization the result of seeing the application in real time. Then, I can mentor on the importance of a good log event message. To have proper context, logging is more than exception logging; it is positive and negative logging. Once you show what can be done with a proper logging message, the entire application can become more robust. The ability to make an extractor out of a non-standard stream of strings allows you to index on a plethora of fields, and you gain some insights that you may have missed.

Graylog brings life to the application execution.

What needs improvement?

The collectors and using sidecar made my life easier compared to earlier versions. Unfortunately, I have been pulled away from the product, beyond setting up new inputs and defining the alerts. I am currently trying to leverage the API and Graylog Extended Log Format (GELF), and some of the underlying tech of Elasticsearch as well, for downstream consumers and our AI consumers.

For improvements or features to add, I would like to see a default dashboard widget that shows the topology of the clusters defined for the Graylog install.
For instance, I have three Elasticsearch nodes and three MongoDB nodes. I would like to see a visual representation of their status.

Additionally, maybe it does exist (I have not looked), but I would like to see the percentage filled of the current index.

For how long have I used the solution?

I love the product. I have used it at three different employment points in my career. I first used Graylog seven years ago, and have provisioned and configured it into production three times over that period.

I have had two gaps in my use over the seven years, so using the current version has been super.

What do I think about the stability of the solution?

I do have a multi-node deployment, with only one Graylog node. As we rely more on Graylog permanently and consume more of its collected data, I will transition to a Graylog HA installation, as and when we come to require it, without outage. We are moving more to IoT, and those streams will be mandated to not have any gaps. They will be responders to events that can't have any outages.

What do I think about the scalability of the solution?

No scaling issues that I have seen with the three nodes of MongoDB and the three nodes of Elasticsearch. I will transition to have HA, load balancers, and buffering/queues as we move forward. I see things have changed in the latest version, or current -1, which I am using right now. I see that durability is defined; I just need to reach out and implement it.

How are customer service and technical support?

I have not had to use technical support.

Which solutions did we use previously?

I have always used Graylog2. Initially, I may have looked at Logstash and Loggly, but once it was off and running, I embraced the Graylog way of things.

How was the initial setup?

This was the first multi-node installation that I laid out. It seems to be running, and I did not find it overly complicated. I have Apache distributed big data experience, and have used Cloudera within that scope. Having Linux expertise, along with Apache, Tomcat, REST, and Java experience, may have reduced the complexity.

What's my experience with pricing, setup cost, and licensing?

I am not fully aware of their licensing model. I should take a look at the details, as I am using a community edition. I have not looked at the enterprise offering from Graylog.

Which other solutions did I evaluate?

I reviewed Logstash and Loggly.

What other advice do I have?

Start with the defaults. Do not be afraid to start over. Having a test or sandbox to work with to figure out how to create streams, extractors, and inputs is a good way to go. I recommend interacting with MongoDB and Elasticsearch from the command line, if you have the time; nothing deep. Knowing the underlying CLIs may help you if you need to understand how or why something may not line up correctly.

I would consider myself Graylog2's number one fan, or at least a big advocate of the utility of this product. Step one in any application inception should begin with application messaging; couple that with Graylog2, and you will cover many bases of insight and compliance right out of the gate.

Disclosure: I am a real user, and this review is based on my own experience and opinions.