Graylog Review

Real-time UDP/GELF logging and full text-based searching

How has it helped my organization?

Logs were previously stored in various database tables. Log consumers were required to write SQL for retrieval, then correlate/join disparate sources by hand. Since most logging fields were not indexed, the retrieval process was painfully slow.

What is most valuable?

Real-time UDP/GELF logging and full text-based searching. Since UDP is a stateless, connectionless protocol, it simplifies error handling for the log sender/producer in the event that Graylog is not available. UDP is also a fast and lightweight protocol, perfect for sending large volumes of logs with minimal overhead. Storing logs in Elasticsearch means log retrieval is extremely fast, and full text search is available by default. Additionally, Graylog has support via plugins for Slack-based alerts. These have been wonderful for notifying us when exceptional log messages are encountered.

What needs improvement?

  • Backup and restore functionality for migrating instances.
  • Dashboard and search analytics (i.e., more complex visualizations and the ability to execute custom Elasticsearch queries would be great).
  • More flexible alert conditions.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No issues.

What do I think about the scalability of the solution?

No issues.

How are customer service and technical support?

I would rate them as a two out of 10. You are on your own without an enterprise license.

Which solution did I use previously and why did I switch?

No previous solution.

How was the initial setup?

Our setup was not straightforward. We opted to create a Docker swarm instance, hosting three Graylog nodes, Nginx for SSL/TLS offloading, and three MongoDB nodes (in a replica set). Then, we installed a three-node Elasticsearch cluster on RHEL 7 virtual machines. The majority of the configuration was done through Docker Compose.

What's my experience with pricing, setup cost, and licensing?

You get a lot out-of-the-box with the non-enterprise version, so give it a try first.

Which other solutions did I evaluate?

All the other solutions were in-house proposals.

What other advice do I have?

Thoroughly read the Graylog documentation and consider Enterprise support if you have atypical needs or setup requirements.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
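The UDP/GELF path the review praises, as an added example that is not part of this review or of Graylog's own code: it builds a GELF 1.1 message, splits oversized payloads into chunked-GELF datagrams (the 0x1e 0x0f magic, an 8-byte message id, sequence number and count), and fires them over UDP, where an unreachable server simply drops datagrams instead of raising on the sender. Host, port and the field names are constructed for the example.

```python
import gzip
import json
import os
import socket
import struct
import time

GELF_CHUNK_MAGIC = b"\x1e\x0f"
MAX_CHUNKS = 128          # GELF allows at most 128 chunks per message
CHUNK_PAYLOAD = 8192      # Graylog's default maximum UDP chunk size


def build_gelf_message(host, short_message, level=6, **extra):
    """Serialise a GELF 1.1 message; extra fields get the required '_' prefix.
    'id' is skipped because '_id' is reserved by GELF and would be rejected."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": round(time.time(), 3),
        "level": level,               # syslog severity, 6 = informational
    }
    for key, value in extra.items():
        if key == "id":
            continue
        msg["_" + key] = value
    return json.dumps(msg).encode("utf-8")


def chunk_gelf(payload, chunk_size=CHUNK_PAYLOAD):
    """Split a (possibly compressed) payload into chunked-GELF datagrams.
    Each chunk = magic(2) + message id(8) + seq(1) + count(1) + data."""
    if len(payload) <= chunk_size:
        return [payload]
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("message needs %d chunks, GELF allows %d" % (len(pieces), MAX_CHUNKS))
    message_id = os.urandom(8)        # same id on every chunk so Graylog can reassemble
    return [GELF_CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def send_gelf(payload, host="127.0.0.1", port=12201, compress=True):
    """Send one GELF message over UDP; returns the number of datagrams sent.
    sendto() on an unconnected UDP socket does not fail when nobody listens."""
    data = gzip.compress(payload) if compress else payload
    datagrams = chunk_gelf(data)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for datagram in datagrams:
            sock.sendto(datagram, (host, port))
    finally:
        sock.close()
    return len(datagrams)
```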


Nick C

FROM GRAYLOG: Thank you for the review. I wanted to point you to our new 3.0 version of Graylog. In 3.0 we have the ability to export content packs, with which you can then migrate your processing pipelines, alerts, dashboards, and lookup tables, so they can be moved to a different system or shared with the community. Also, on the 3.0 Enterprise side, we have implemented Views, which allows for much greater flexibility on searches as well as creating interactive dashboards. Also in Views, we have added a parameter option to build workflows all based on one input (i.e., IP address, user name).

If you have a chance, give the new version a try!