
Graylog Overview

Graylog is the #16 ranked solution in our list of Log Management Software. It is most often compared to Splunk: Graylog vs Splunk

What is Graylog?

Graylog is purpose-built to deliver the best log collection, storage, enrichment, and analysis. Graylog offers:

  • Considerably faster analysis.
  • A more robust and easier-to-use analysis platform.
  • Simpler administration and infrastructure management.
  • Lower cost than alternatives.
  • Full-scale customer service.
  • No expensive training or tool experts required.

Graylog is also known as Graylog2.

Buyer's Guide

Download the Log Management Buyer's Guide including reviews and more. Updated: October 2021

Graylog Customers

Blue Cross Blue Shield, eBay, Cisco, LinkedIn, SAP, King.com, Twilio, Deutsche Presse-Agentur


Archived Graylog Reviews (more than two years old)

AN
Head of Infrastructure
Real User
Captures our financial logs and preserves them and it covers many environments

Pros and Cons

  • "I am very proud of how very stable the solution is."
  • "I would like to see a date and time in the Graylog Grok patterns so that I can save time when searching for a log. I like how the streams and the search query work, but adding a date and time will allow me to pull out a log in a milli-second."

What is our primary use case?

Our primary use case of this solution is for logging. Because we have financial systems, we also use it for audit trailing.

I basically run the entire program in our company. Whenever there's an audit, I get the people on board and give them the information they require.

How has it helped my organization?

Graylog captures our financial logs and preserves them, mainly for any audit that may come up. The compliance is very good.

What is most valuable?

What I like most about this solution is that it caches the log. I also like its filtration, because we have various layers of data that need to be captured - from flat filing to Windows servers, Linux-based servers and the like. I like the diversity and the number of environments it can cover, including the switches.

What needs improvement?

I would like to see a date and time in the Graylog Grok patterns so that I can save time when searching for a log. I like how the streams and the search query work, but adding a date and time will allow me to pull out a log in a milli-second.

For how long have I used the solution?

I have been using Graylog for at least three years now on site in our data center.

What do I think about the stability of the solution?

I am very proud of how very stable the solution is. One time I had an entire node on my VxRail VMware collapse, so I basically restored the template, gave it the same IP address and everything was working again.

What do I think about the scalability of the solution?

We've grown from 500 to 2,000 independent devices on this solution, and it captures them all. We even plan to increase our usage. So, yes, the program is scalable.

How are customer service and technical support?

There hasn't been a need for me to call support, because I only went through the forums and hundreds of pages of manuals to get to understand it. 

How was the initial setup?

The initial setup was really complex because I did it myself. I had no support and I didn't understand the whole ecosystem. The first deployment took about a month because I had to figure out exactly what I'm capturing, and how to query it afterwards. I also had to manage the clientele, client installations, and the like. After a month or so I had an overall view of everything.

What about the implementation team?

I am responsible for the deployment and maintenance of Graylog. I've even done smaller setups and deployments for other people. 

What's my experience with pricing, setup cost, and licensing?

I use the free version of Graylog.

What other advice do I have?

In the next version I would perhaps like to see less overlapping in the interface. Some users feel that it is still very rigid and boxy. Pretty old school. So a more user-friendly interface with less overlapping in the structures would be great. I rate this solution 9.5 out of 10.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JD
Technology Consultant
Vendor
Real-time UDP/GELF logging and full text-based searching

Pros and Cons

  • "Real-time UDP/GELF logging and full text-based searching."
  • "UDP is a fast and lightweight protocol, perfect for sending large volumes of logs with minimal overhead."
  • "Storing logs in Elasticsearch means log retrieval is extremely fast, and full text search is available by default."
  • "More complex visualizations and the ability to execute custom Elasticsearch queries would be great."
  • "With technical support, you are on your own without an enterprise license."

How has it helped my organization?

Logs were previously stored in various database tables. Log consumers were required to write SQL for retrieval, then correlate/join disparate sources by hand. Since most logging fields were not indexed, the retrieval process was painfully slow.

What is most valuable?

Real-time UDP/GELF logging and full text-based searching. Since UDP is a stateless, connectionless protocol, it simplifies error handling for the log sender/producer in the event that Graylog is not available. UDP is also a fast and lightweight protocol, perfect for sending large volumes of logs with minimal overhead. Storing logs in Elasticsearch means log retrieval is extremely fast, and full text search is available by default. Additionally, Graylog has support via plugins for Slack-based alerts. These have been wonderful for notifying us when exceptional log messages are encountered.

What needs improvement?

  • Backup and restore functionality for migrating instances.
  • Dashboard and search analytics (i.e., more complex visualizations and the ability to execute custom Elasticsearch queries would be great).
  • More flexible alert conditions

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No issues.

What do I think about the scalability of the solution?

No issues.

How are customer service and technical support?

I would rate them as a two out of 10. You are on your own without an enterprise license.

Which solution did I use previously and why did I switch?

No previous solution.

How was the initial setup?

Our setup was not straightforward. We opted to create a Docker swarm instance, hosting three Graylog nodes, Nginx for SSL/TLS offloading, and three MongoDB nodes (in a replica set). Then, we installed a three node Elasticsearch cluster on RHEL 7 virtual machines. The majority of the configuration was done through Docker compose.

What's my experience with pricing, setup cost, and licensing?

You get a lot out-of-the-box with the non-enterprise version, so give it a try first.

Which other solutions did I evaluate?

All the other solutions were in-house proposals.

What other advice do I have?

Thoroughly read the Graylog documentation and consider Enterprise support if you have atypical needs or setup requirements.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
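The UDP/GELF path praised in the review above is easy to get subtly wrong: the payload must be gzip (or zlib) compressed JSON with `version`, `host` and `short_message`, extra fields need a `_` prefix (`_id` is reserved), and anything larger than one datagram has to be split into chunks with the 12-byte GELF chunk header. The Python below is an added example that is not Graylog's code and not the reviewer's setup; the target `127.0.0.1:12201` is an assumption (12201 is only the conventional input port), and the receiver-side `reassemble` helper exists purely to verify the round trip offline. The sample events are constructed.

```python
"""Minimal GELF 1.1 over UDP sender: JSON payload, gzip, and chunking.

Added example (not Graylog's own code). The target host/port are assumptions.
"""
import gzip
import hashlib
import json
import os
import socket
import struct
import time

GELF_MAGIC = b"\x1e\x0f"   # chunk header magic bytes from the GELF spec
MAX_CHUNKS = 128           # GELF allows at most 128 chunks per message
DATAGRAM_SIZE = 8192       # whole datagram incl. the 12-byte chunk header
HEADER_SIZE = 12           # magic(2) + message id(8) + seq(1) + count(1)


def build_gelf(host, short_message, level=6, full_message=None, **extra):
    """Return a gzip-compressed GELF 1.1 payload.

    Additional fields get the mandatory '_' prefix; '_id' is reserved by the spec.
    """
    if "id" in extra:
        raise ValueError("'_id' is a reserved GELF field")
    msg = {
        "version": "1.1",
        "host": host,                         # sender-asserted, nothing verifies it
        "short_message": short_message,
        "timestamp": round(time.time(), 3),   # seconds since epoch, fractional
        "level": level,                       # syslog severity, 6 = informational
    }
    if full_message is not None:
        msg["full_message"] = full_message
    msg.update({"_" + key: value for key, value in extra.items()})
    return gzip.compress(json.dumps(msg).encode("utf-8"))


def chunk_gelf(payload, datagram_size=DATAGRAM_SIZE, message_id=None):
    """Split a payload into GELF chunks; a payload that fits is sent as-is."""
    if len(payload) <= datagram_size:
        return [payload]
    body_size = datagram_size - HEADER_SIZE
    message_id = message_id or os.urandom(8)   # must be unique per message
    bodies = [payload[i:i + body_size] for i in range(0, len(payload), body_size)]
    if len(bodies) > MAX_CHUNKS:
        raise ValueError(f"{len(bodies)} chunks needed, GELF allows {MAX_CHUNKS}")
    return [
        GELF_MAGIC + message_id + struct.pack("BB", seq, len(bodies)) + body
        for seq, body in enumerate(bodies)
    ]


def send_gelf(datagrams, host="127.0.0.1", port=12201):
    """Fire-and-forget: UDP gives no ack, so a down Graylog silently loses events."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for datagram in datagrams:
            sock.sendto(datagram, (host, port))
    finally:
        sock.close()


def reassemble(datagrams):
    """Receiver-side inverse of chunk_gelf, used here only to check the round trip."""
    if len(datagrams) == 1 and not datagrams[0].startswith(GELF_MAGIC):
        return json.loads(gzip.decompress(datagrams[0]))
    parts, total = {}, None
    for datagram in datagrams:
        if datagram[:2] != GELF_MAGIC:
            raise ValueError("not a GELF chunk")
        seq, total = datagram[10], datagram[11]
        parts[seq] = datagram[HEADER_SIZE:]
    if total is None or len(parts) != total:
        raise ValueError("incomplete chunk set")   # a receiver discards these too
    return json.loads(gzip.decompress(b"".join(parts[i] for i in range(total))))


# Constructed sample events: one small, one large enough to need chunking.
SMALL_EVENT = build_gelf("web-01", "Failed password for admin", level=4,
                         src_ip="203.0.113.45", user="admin")
# Hex of hash output does not compress below ~4 bits/char, so this stays large.
INCOMPRESSIBLE = "".join(hashlib.sha256(str(i).encode()).hexdigest() for i in range(700))
LARGE_EVENT = build_gelf("web-01", "stack trace", full_message=INCOMPRESSIBLE)


if __name__ == "__main__":
    for event in (SMALL_EVENT, LARGE_EVENT):
        datagrams = chunk_gelf(event)
        print(len(datagrams), "datagram(s),", sum(map(len, datagrams)), "bytes")
        send_gelf(datagrams)
```

Two caveats the reviewer's praise for UDP glosses over: the `host` field and the source address are both sender-asserted, so a GELF UDP input bound to a reachable interface accepts forged audit records from anyone on that network; keep such inputs on trusted segments, or use a GELF TCP input with TLS where the senders are not trusted. Chunked messages are also fragile: if any chunk is lost the whole event is dropped, which is why the chunk body is kept well under the path MTU (1420-byte datagrams are the usual choice on networks where 8192-byte ones fragment).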
JasonCrow
Senior Architect at a tech vendor with 51-200 employees
Real User
Enables us to set up streams and error/anomaly searches across hundreds of containers

Pros and Cons

  • "We run a containerized microservices environment. Being able to set up streams and search for errors and anomalies across hundreds of containers is why a log aggregation platform like Graylog is valuable to us."
  • "Allowing us to set up alerts and integrate with platforms we already use, such as Slack and OpsGenie to alert users of these errors proactively, is also a very useful feature."
  • "Elasticsearch recommendations for tuning could be better. Graylog doesn't have direct support for running the system inside of Kubernetes, so it can be challenging to fill in the gaps and set up containers in a way that is both performant and stable."
  • "We ran into problems with Elasticsearch throwing a circuit-breaking exception due to field data size being too large. It turned out that the heap size directly impacted this size in a high-throughput environment, causing unexplained instability in Graylog. We were able to troubleshoot on the Elasticsearch size, but we should have been able to reference some minimum requirements for Graylog to know that our settings weren't sufficient."
  • "Since container orchestration systems are popular and Graylog fits the niche well, perhaps they could officially support running in docker containers on Kubernetes as a StatefulSet as a use case. That way, the declarative nature of Kubernetes config files would document their best-case deployment scenario."

What is our primary use case?

Use for log aggregation, alerting, and monitoring in a container environment

What is most valuable?

  • Searching errors
  • Alerting through Slack and OpsGenie using their plugins.

We run a containerized microservices environment. Being able to set up streams and search for errors and anomalies across hundreds of containers is why a log aggregation platform like Graylog is valuable to us. 

Allowing us to set up alerts and integrate with platforms we already use, such as Slack and OpsGenie to alert users of these errors proactively, is also a very useful feature. 

What needs improvement?

Elasticsearch recommendations for tuning could be better. Graylog doesn't have direct support for running the system inside of Kubernetes, so it can be challenging to fill in the gaps and set up containers in a way that is both performant and stable.

We ran into problems with Elasticsearch throwing a circuit-breaking exception due to field data size being too large. It turned out that the heap size directly impacted this size in a high-throughput environment, causing unexplained instability in Graylog. We were able to troubleshoot on the Elasticsearch size, but we should have been able to reference some minimum requirements for Graylog to know that our settings weren't sufficient.

Otherwise, the documentation is great and there are a lot of options for configuration. Since container orchestration systems are popular and Graylog fits the niche well, perhaps they could officially support running in docker containers on Kubernetes as a StatefulSet as a use case. That way, the declarative nature of Kubernetes config files would document their best-case deployment scenario.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Yes, with Elasticsearch.

What do I think about the scalability of the solution?

No issues with scalability.

How are customer service and technical support?

Never used.

Which solution did I use previously and why did I switch?

Splunk, Logstash, and Elasticsearch.

How was the initial setup?

Set up in Kubernetes; not complex once the configuration is right.

What's my experience with pricing, setup cost, and licensing?

We use the free version.

Which other solutions did I evaluate?

Splunk, Logstash, and Elasticsearch.

What other advice do I have?

Make sure your Elasticsearch cluster is sized right, memory-wise.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
JM
IT Security Consultant at a tech services company with 10,001+ employees
Real User
Scales smoothly, but needs improvement in dashboards and parsing

Pros and Cons

  • "It is used as a log manager/SIEM. It provides visibility into the infrastructure and security related events."
  • "The build is stable and requires little maintenance, even compared to some extremely expensive products."
  • "We have scaled from a single machine installation (a VM with a Graylog + ES + MongoDB) to (2 Graylog + 2 ES + 3 MongoDB). This was done smoothly with a minimal impact on logging."
  • "Dashboards, stream alerts and parsing could be improved."
  • "Over six months, I had two similar issues where searches were performed on field "messages". It exhausted all the memory of the ES node causing an ES crash and a Graylog halt."

How has it helped my organization?

It is used as a log manager/SIEM. It provides visibility into the infrastructure and security related events.

What is most valuable?

The most valuable part is that it is open source. The build is stable and requires little maintenance, even compared to some extremely expensive products.

What needs improvement?

There are places which could be improved:

  • Stream alerts
  • Dashboards
  • Parsing.

Some places were already improved in 2.4 with the threat intelligence add-on.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

Over six months, I had two similar issues where searches were performed on field "messages". It exhausted all the memory of the ES node causing an ES crash and a Graylog halt.

What do I think about the scalability of the solution?

We have scaled from a single machine installation (a VM with a Graylog + ES + MongoDB) to (2 Graylog + 2 ES + 3 MongoDB). This was done smoothly with a minimal impact on logging.

How are customer service and technical support?

I have only used the community support (forum), but Graylog developers are quick to respond and assist with issues.

Which solution did I use previously and why did I switch?

Splunk: The price was the factor for the switch.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

Step-by-step installation walk-through is provided by the Graylog team.

What's my experience with pricing, setup cost, and licensing?

If you want something that works and do not have the money for Splunk or QRadar, take Graylog.

Which other solutions did I evaluate?

ELK was another option. However, Graylog appeared to be more robust and had fewer limitations at the time.

What other advice do I have?

Just go ahead with the product. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
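Two reviews on this page describe the same failure in different forms: JasonCrow's Elasticsearch circuit-breaker exception from oversized field data, and JM's searches on the `message` field exhausting an ES node's memory until Graylog halted. Both show up in Elasticsearch's node stats before the node falls over. The Python below is an added example, not code from Graylog, Elastic, or either reviewer: it reads the JSON that `GET /_nodes/stats/jvm,os,breaker` returns (the key names are the real ones) and flags tripped or near-limit breakers plus heap sizing that breaks the usual JVM rules (heap above half of RAM, or above about 31 GiB where compressed object pointers stop working). The node names, numbers and thresholds are constructed.

```python
"""Flag Elasticsearch nodes whose breakers or heap sizing point at instability.

Added example, not Graylog's or Elastic's code. Reads the JSON returned by
GET /_nodes/stats/jvm,os,breaker on stdin, or the constructed sample below.
"""
import json
import sys

GIB = 1 << 30
MIB = 1 << 20
COMPRESSED_OOPS_LIMIT = 31 * GIB   # above this the JVM loses compressed oops
HEAP_FRACTION_OF_RAM = 0.5         # leave the rest for the OS page cache


def check_node(name, node, warn_ratio=0.8, heap_pressure=0.85):
    """Return a list of (severity, message) findings for one node."""
    findings = []
    heap_used = node["jvm"]["mem"]["heap_used_in_bytes"]
    heap_max = node["jvm"]["mem"]["heap_max_in_bytes"]
    ram = node["os"]["mem"]["total_in_bytes"]

    for breaker, stats in node["breakers"].items():
        limit = stats["limit_size_in_bytes"]
        estimated = stats["estimated_size_in_bytes"]
        if stats["tripped"] > 0:   # the CircuitBreakingException JasonCrow saw
            findings.append(("critical", f"{breaker} breaker tripped {stats['tripped']} time(s)"))
        if limit and estimated / limit >= warn_ratio:
            findings.append(("warning", f"{breaker} breaker at {estimated / limit:.0%} of its limit"))

    if heap_max > COMPRESSED_OOPS_LIMIT:
        findings.append(("warning", f"heap {heap_max / GIB:.1f} GiB exceeds the ~31 GiB compressed-oops limit"))
    if heap_max > ram * HEAP_FRACTION_OF_RAM:
        findings.append(("warning", f"heap {heap_max / GIB:.1f} GiB is more than half of {ram / GIB:.0f} GiB RAM"))
    if heap_max and heap_used / heap_max >= heap_pressure:
        findings.append(("warning", f"heap {heap_used / heap_max:.0%} used"))
    return [(severity, f"{name}: {message}") for severity, message in findings]


def check_cluster(stats, **thresholds):
    """Run check_node over every node in a _nodes/stats response."""
    return {
        node["name"]: check_node(node["name"], node, **thresholds)
        for node in stats["nodes"].values()
    }


def _node(name, heap_used, heap_max, ram, fielddata, parent):
    """Build one constructed node entry in the shape the ES API returns."""
    def breaker(estimated, limit, tripped):
        return {"limit_size_in_bytes": limit, "estimated_size_in_bytes": estimated,
                "overhead": 1.03, "tripped": tripped}
    return {
        "name": name,
        "os": {"mem": {"total_in_bytes": ram}},
        "jvm": {"mem": {"heap_used_in_bytes": heap_used, "heap_max_in_bytes": heap_max}},
        "breakers": {"fielddata": breaker(*fielddata), "parent": breaker(*parent)},
    }


# Constructed sample (not real cluster output): es-1 is the field-data case
# from the reviews, es-2 has an oversized heap, es-3 is healthy.
SAMPLE_STATS = {"nodes": {
    "n1": _node("es-1", 900 * MIB, 1 * GIB, 8 * GIB,
                fielddata=(380 * MIB, 400 * MIB, 3), parent=(650 * MIB, 700 * MIB, 0)),
    "n2": _node("es-2", 10 * GIB, 32 * GIB, 48 * GIB,
                fielddata=(1 * GIB, 12 * GIB, 0), parent=(3 * GIB, 22 * GIB, 0)),
    "n3": _node("es-3", 1 * GIB, 4 * GIB, 16 * GIB,
                fielddata=(100 * MIB, 1600 * MIB, 0), parent=(500 * MIB, 2800 * MIB, 0)),
}}


if __name__ == "__main__":
    raw = "" if sys.stdin is None or sys.stdin.isatty() else sys.stdin.read()
    stats = json.loads(raw) if raw.strip() else SAMPLE_STATS
    for name, findings in check_cluster(stats).items():
        for severity, message in findings or [("ok", f"{name}: no findings")]:
            print(f"[{severity}] {message}")
```

Run it as `curl -s 'http://es-host:9200/_nodes/stats/jvm,os,breaker' | python es_breakers.py` (host name and file name are assumptions). A tripped `fielddata` breaker is the symptom, not the cause: field data is loaded when something sorts, aggregates or builds quick values on an analyzed text field such as `message`, which is exactly JM's failing search. The durable fix is to keep aggregations on keyword fields and size the heap so the breaker limit (set by `indices.breaker.fielddata.limit`, whose default differs between ES versions) has room, which is what JasonCrow's closing advice amounts to.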
it_user805368
Software Engineer, DevOps at a tech services company with 51-200 employees
Real User
The Stream Alert feature is a highlight of the product, and it is shipped with the build

Pros and Cons

  • "This had increased productivity for the dev and support teams, because we are directly notifying them."
  • "There should be some user groups and an auto sign-in feature.​"

How has it helped my organization?

This had increased productivity for the dev and support teams, because we are directly notifying them. Now, they have to come to dev for every issue. 

What is most valuable?

The Stream Alert feature is a highlight of this. As for similar products, there are separate integrations, but Graylog ships this with the build.

What needs improvement?

There should be some user groups and an auto sign-in feature.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No issues.

What do I think about the scalability of the solution?

Not yet.

How are customer service and technical support?

We are not using any technical support.

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

It was pretty straightforward.

What's my experience with pricing, setup cost, and licensing?

None, as we are not using an enterprise solution.

Which other solutions did I evaluate?

We had evaluated ELK Stack, but found Graylog more useful for our use case.

What other advice do I have?

I will say that if you are using this, then explore all the features. You will find this like a swiss army knife.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user776928
Java Software Developer at a financial services firm with 5,001-10,000 employees
Real User
It has sped up the investigation of incidents

What is our primary use case?

The product does all the things it must do very well. It can be used for investigating logs as well as a dashboard to see the current amount of errors in the environment.

What is most valuable?

  • Logging aggregation and querying. We have multiple applications, therefore it is no longer feasible to check logs from our file system per each application.
  • When adopting microservices architecture, centralized logging is a must have.

How has it helped my organization?

It has sped up the investigation of incidents.

What needs improvement?

The alerting system could be more flexible. It does not allow for definition of different thresholds and alert types of the same streams. It allows different alert types and thresholds for the same stream.

E.g., if we have a single stream of errors, I would like to send each error to the ticketing system: a mail if there is fewer than one error per second and an SMS if greater than 10 errors are received per second.

For how long have I used the solution?

One year.

What do I think about the stability of the solution?

No issues.

What do I think about the scalability of the solution?

No issues.

How are customer service and technical support?

Not applicable.

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

It was straightforward.

Which other solutions did I evaluate?

Yes, Elastic Stack.

What other advice do I have?

Send all logs to Graylog instead of just your errors. This will make it easier to investigate problems.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
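The rate-dependent routing the reviewer asks for (every error to a ticket, mail while the rate is low, SMS once a burst starts) is a small sliding-window computation that can live in whatever receives Graylog's alert callbacks. The Python below is an added example, not the reviewer's setup and not a Graylog feature: timestamps are integer milliseconds so the window arithmetic is exact, tiers are half-open rate ranges, `always` routes fire on every event, and a per-route cooldown keeps a burst from producing a page per event. The error timeline is constructed.

```python
"""Sliding-window error-rate router with tiered destinations and cooldown.

Added example, not Graylog code. Timestamps are integer milliseconds so the
window arithmetic is exact; rates are events per second over the window.
"""
from collections import deque


class TieredAlerter:
    def __init__(self, window_ms, tiers, always=(), cooldown_ms=0):
        # tiers: (min_rate, max_rate, route); max_rate None means unbounded.
        self.window_ms = window_ms
        self.tiers = list(tiers)
        self.always = tuple(always)
        self.cooldown_ms = cooldown_ms
        self.events = deque()
        self.last_fired = {}

    def _expire(self, now_ms):
        while self.events and self.events[0] <= now_ms - self.window_ms:
            self.events.popleft()

    def rate(self, now_ms):
        """Events per second inside the window ending at now_ms."""
        self._expire(now_ms)
        return len(self.events) * 1000 / self.window_ms

    def routes_for(self, rate):
        routes = list(self.always)
        for low, high, route in self.tiers:
            if rate >= low and (high is None or rate < high):
                routes.append(route)
        return routes

    def observe(self, now_ms):
        """Record one error and return (rate, routes that actually fire)."""
        self.events.append(now_ms)
        rate = self.rate(now_ms)
        fired = []
        for route in self.routes_for(rate):
            last = self.last_fired.get(route)
            in_cooldown = last is not None and now_ms - last < self.cooldown_ms
            if route in self.always or not in_cooldown:
                self.last_fired[route] = now_ms
                fired.append(route)
        return rate, fired


def simulate():
    """Run the reviewer's policy over a constructed timeline of errors."""
    alerter = TieredAlerter(
        window_ms=5_000,
        tiers=[(0, 1, "mail"), (10, None, "sms")],   # <1/s mail, >=10/s SMS
        always=("ticket",),                          # every error opens a ticket
        cooldown_ms=60_000,
    )
    # Constructed: two isolated errors, then a burst of 60 errors 100 ms apart.
    timeline = [0, 100_000] + [200_000 + i * 100 for i in range(60)]
    return [(t, *alerter.observe(t)) for t in timeline]


def route_counts(trace):
    """Count how often each route fired across a simulate() trace."""
    counts = {}
    for _, _, fired in trace:
        for route in fired:
            counts[route] = counts.get(route, 0) + 1
    return counts


if __name__ == "__main__":
    for t, rate, fired in simulate():
        if fired != ["ticket"]:
            print(f"t={t / 1000:7.1f}s rate={rate:5.1f}/s -> {fired}")
    print(route_counts(simulate()))
```

In the constructed run the burst is ticketed 60 times but pages exactly once: the rate crosses 10/s at the 50th event of the burst, the SMS fires, and the cooldown suppresses the repeats. Without the cooldown every subsequent event in the burst would send another SMS, which is the alert-storm failure mode that makes on-call engineers mute the channel.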
it_user776922
Release Engineering Manager
Real User
Provides the ability to write custom alerts, which are key to information security and compliance

Pros and Cons

  • "The ability to write custom alerts is key to information security and compliance."
  • "I would like to see a default dashboard widget that shows the topology of the clusters defined for the graylog install."

What is our primary use case?

The core of the product is to aggregate log collection.

What is most valuable?

The ability to write custom alerts is key to information security and compliance. Also, I love the improvements I can make on dashboard widgets. 

How has it helped my organization?

Application event messaging, or logging, until I show an organization the result of seeing the application in real time. Then, I can mentor the importance of a good log event message. To have proper context, logging is more than exception logging, it is positive and negative logging. Once you show what can be done with a proper logging message, the entire application can become more robust. The ability to make an extractor out of a non-standard stream of strings, which allows you to index on a plethora of fields, and you gain some insights that you may have missed.

Graylog brings life to the application execution.

What needs improvement?

The collectors and using sidecar made my life easier from earlier versions. Unfortunately, I have been pulled away from the product, beyond setting up new inputs, defining the alerts. I am currently trying to leverage the API and Graylog Extended Log Format (GELF), and some of the underlying tech of Elasticsearch as well, for downstream consumers and our AI consumers.

For improvements or features to add, I would like to see a default dashboard widget that shows the topology of the clusters defined for the graylog install.
For instance, I have three Elasticsearch nodes and three MongoDB. I would like to see a visual representation of their status. 

Additionally, maybe it does exist (I have not looked), but I would like to see percent filled of the current index. 

For how long have I used the solution?

I love the product. I have used it at three different employment points in my career. I first used Graylog seven years ago, and have provisioned and configured it into production three times over that period.

I have had two gaps in my use over the seven years, so using the current version has been super.

What do I think about the stability of the solution?

I do have a multinode deployment, with only one Graylog node. As we rely more on Graylog permanently and consume more of its collected data, I will transition to a Graylog HA installation, as and when we come to require it without outage. We are moving more to IoT, and those streams will be mandated to not have any gaps. They will be responders to events that can't have any outages. 

What do I think about the scalability of the solution?

No scaling issues that I have seen with the three nodes of MongoDB and the three nodes of Elasticsearch. I will transition to have HA, load balancers, and buffering/queues as we move forward. I see things have changed in the latest version, or current -1 that I am using right now. I see durability is defined, I just need to reach out and implement it. 

How are customer service and technical support?

I have not had to use technical support. 

Which solution did I use previously and why did I switch?

I have always used Graylog2. Initially, I may have looked at Logstash and Loggly, but once it was off and running, I embraced the Graylog way of things. 

How was the initial setup?

This was the first multi-node installation that I laid out. It seems to be running, and I did not find it overly complicated. I have Apache distributed big data experience, and have used Cloudera within that scope. Having Linux expertise, Apache, Tomcat, REST, and Java experience may have reduced the complexity.

What's my experience with pricing, setup cost, and licensing?

I am not fully aware of their licensing model. I should take a look at the details, as I am using a community edition. I have not looked at the enterprise offering from Graylog.

Which other solutions did I evaluate?

I reviewed Logstash and Loggly. 

What other advice do I have?

Start with the defaults. Do not be afraid to start over. Having a test or sandbox to work with to figure out how to create streams, extractors, and inputs is a good way to go. Recommend interacting with MongoDB and Elasticsearch from the command line, if you have the time; nothing deep. Knowing the underlying CLIs may help you if you need to understand how or why something may not line up correctly.

I would consider myself Graylog2's number one fan or at least a big advocate of the utility of this product. Step one in any application inception should begin with application messaging, and couple that with Graylog2, and you will cover many bases of insight and compliance right out of the gate. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
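The extractor idea in the review above (turn a non-standard string into indexed fields) and AN's wish earlier on this page for a date and time inside a Grok pattern are both illustrated by the added Python below. It is not Graylog's Grok engine: it expands a small constructed pattern library using the same `%{NAME:field}` reference syntax, adds a Logstash-style `:type` suffix (`int`, `float`, and a `datetime` type that is this example's own convention, not Graylog's), and chains a second pattern over the extracted `message` field the way a second extractor would. The log lines are constructed, not captured from a real host.

```python
"""Grok-style extractor with typed fields, including timestamps.

Added example, not Graylog's Grok engine. Pattern library and log lines are
constructed; the ':datetime' type is this example's own convention.
"""
import re
from datetime import datetime

PATTERNS = {
    "INT": r"[+-]?\d+",
    "NUMBER": r"[+-]?(?:\d+\.\d+|\d+)",
    "WORD": r"\w+",
    "NOTSPACE": r"\S+",
    "GREEDYDATA": r".*",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "IPORHOST": r"%{IP}|[A-Za-z0-9._-]+",
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d{3})?(?:Z|[+-]\d{2}:?\d{2})?",
}
GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")


def compile_grok(pattern, library=PATTERNS):
    """Expand %{NAME[:field[:type]]} references into a Python regex.

    Returns (compiled_regex, {field: type}); named fields become named groups.
    """
    types = {}

    def expand(text):
        def repl(match):
            name, field, typ = match.groups()
            if name not in library:
                raise KeyError(f"unknown grok pattern {name}")
            inner = expand(library[name])            # patterns may nest
            if field:
                types[field] = typ or "string"
                return f"(?P<{field}>{inner})"
            return f"(?:{inner})"
        return GROK_REF.sub(repl, text)

    return re.compile(expand(pattern)), types


def _to_datetime(text):
    """Parse ISO 8601 with 'Z' or '+HHMM' offsets, which fromisoformat lacks before 3.11."""
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    elif re.search(r"[+-]\d{4}$", text):
        text = text[:-2] + ":" + text[-2:]
    return datetime.fromisoformat(text)


CONVERTERS = {"int": int, "float": float, "datetime": _to_datetime, "string": str}


def extract(line, compiled, types):
    """Apply one compiled grok pattern; None when the line does not match."""
    match = compiled.search(line)
    if not match:
        return None
    return {
        field: CONVERTERS[types.get(field, "string")](raw)
        for field, raw in match.groupdict().items()
        if raw is not None
    }


# Stage 1: syslog-like envelope with a typed timestamp; stage 2: sshd details.
ENVELOPE = compile_grok(
    r"^%{TIMESTAMP_ISO8601:timestamp:datetime} %{IPORHOST:host} "
    r"%{WORD:program}\[%{INT:pid:int}\]: %{GREEDYDATA:message}$"
)
SSHD = compile_grok(
    r"(?P<outcome>Accepted|Failed) (?:publickey|password) for (?:invalid user )?"
    r"%{NOTSPACE:user} from %{IP:src_ip} port %{INT:src_port:int}"
)

# Constructed sample lines, not captured from a real host.
SAMPLE_LINES = [
    "2021-10-05T14:03:22.117Z web-01 sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 52114 ssh2",
    "2021-10-05 14:05:01+0200 bastion-1 sshd[2290]: Accepted publickey for deploy from 10.0.0.7 port 41022 ssh2",
    "Oct  5 14:06:10 web-01 kernel: random: crng init done",
]


def parse_line(line):
    """Envelope first, then enrich with sshd fields when the message matches."""
    event = extract(line, *ENVELOPE)
    if event and event["program"] == "sshd":
        event.update(extract(event["message"], *SSHD) or {})
    return event


def parse_samples():
    return [parse_line(line) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for line, event in zip(SAMPLE_LINES, parse_samples()):
        print("no match" if event is None else event, "<-", line[:40])
```

The typed `timestamp` is what makes AN's request useful: once the event carries a real, timezone-aware datetime rather than the ingest time, a search can be pinned to the second the audit record was written, and the `+0200` line shows why the offset has to be kept rather than stripped. Two caveats for extractors fed from untrusted sources: anchor patterns and avoid nested quantifiers, since a crafted line can make a careless regex take exponential time on every message, and treat the third sample (a syslog-format line the ISO envelope rejects) as the normal case, because unmatched lines should fall through to a catch-all field rather than be dropped.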
it_user774168
Senior Systems Engineer, DS
Real User
We use this system as a central log collector with the possibility to search through the archive backward for specific string definitions

Pros and Cons

  • "Message forwarding through the in-built module."
  • "The biggest problem is the collector application, as we wanted to avoid using Graylog Collector Sidecar due to its architecture."

What is most valuable?

We are using only a few parts of its functionality. Its most valuable functions for us are:

  • Log collection
  • Quick string search in central storage
  • Message forwarding through the in-built module
  • Message filters. 

We need all these functions to fulfil legal requirements for cyber security.

How has it helped my organization?

We use this system as a central log collector with the possibility to search through the archive backward for specific string definitions.

What needs improvement?

The biggest problem is the collector application, as we wanted to avoid using Graylog Collector Sidecar due to its architecture. It requires a connection outside our network during a build from source, so we decided instead to use the obsolete Graylog Collector, which is working fine and in an easy way. It would be great if that component got back into the development process. But it is nothing that I could even complain about, as our company is not paying for support.

For how long have I used the solution?

The solution was built on 10 January 2017, so for nearly a year.

What do I think about the stability of the solution?

The only issue we had was during the Java patch. Graylog's search DB was not able to start up after the upgrade to Java 9, so we returned to v.8. With that one exception, we have not had any issues with the application or its components.

What do I think about the scalability of the solution?

We never attempted to scale the environment, as its sizing is defined in the planning phase and it fitted us later perfectly.

How are customer service and technical support?

We never contacted technical support, so I cannot answer this.

Which solution did I use previously and why did I switch?

There was no solution before Graylog. It was built as a new project.

How was the initial setup?

We did not have any experience with Graylog or its components before this project. We were lucky in the planning phase: the environment was sized properly for its purpose.

As Graylog also needs other applications/DB's to run, implementation of each component was a separate challenge, as we are not using the default configuration.

What's my experience with pricing, setup cost, and licensing?

I cannot answer this question. Having paid official support is wise for projects.

Which other solutions did I evaluate?

Yes, we were thinking about the Logstash family, but due to similar issues with building the code as in the Graylog Collector Sidecar case, we decided on Graylog.

What other advice do I have?

Do not give up. Look forward and good luck. The worst phase was the planning one, so I would offer this advice: Don't underestimate anything. 

Graylog is worth the given effort.

Disclosure: I am a real user, and this review is based on my own experience and opinions.