Graylog Reviews

I mostly use it for log management, log aggregation, and visualization. In my case, I am researching how to basically integrate cyber threat intelligence into open-source team systems.

Graylog is very handy. It has data adapters and lookup tables that utilize HTTP calls to APIs. I can enrich data by automating HTTP calls to a MISP instance, for example, or other threat feeds. This is basically the brunt of the work. Otherwise, normalization and parsing of logs from different sources are involved.

I would say log enrichment via these data adapters and lookup tables is valuable, especially the caching ability since Graylog doesn't always have to make API calls for every single instance if it is enriching the same value. That is very handy and makes it scalable.

We had two use cases. In the beginning, log centralization was the main thing, and this was the most frequent use of Graylog, but we also tried to use it for analytics. Graylog was maintained by the data lake team, and we were looking for tools that were suitable for analytics. We felt that Graylog looks real-time. It had some graphs and dashboards. So, we had an idea to use it for analytics.  

What I like about Graylog is that it's real-time and you have access to the raw data. So, you ingest it, and you have access to every message and every data item you ingest. You can then build analytics on top of that. You can look at the raw data, and you can do some volumetric estimations, such as how big traffic you have, how many messages of data of a type you have, etc.

I have my own recipe for an infrastructure code where I integrate Fluent Bit with Kubernetes. It scrapes the logs off of all the member nodes of Kubernetes and then it chips that to an input on Graylog. That way, when developers want to troubleshoot an application but don't want to use anything Kubernetes CLI-related, they can jump straight to Graylog. They can type the name and the type of deployment that they're looking for and get all of the logs pulled into one place. Essentially I use this solution to give developers a way to look at all the logs in an aggregated form. It's very helpful.

I also use the solution to extract and quantify data and metrics from the logs. For example, let's say you're running the wallet application and you want to make sure that you are getting the minimum 404's when somebody is trying to make a payment. You can essentially extract the code on Graylog and it will give you a really nice view of how often your wallet times out, or overall performance. If you're looking specifically from a security standpoint, if the application is seeing something that should not be seen, you have a way to log that.

I also use it for building charts and live logging. Also, the pipelines allow you to take a raw log, create something out of it, and transform it into something else, so I use that for streams, presentations, metrics, and health checks from an app runtime standpoint.

Everything stands out as valuable, including the fact that I can quantify and qualify the logs, create pipelines and process the logs in any way I like, and create charts or data maps. One time, I created a geo map based on IP addresses accessing a website. The web server generates logs based on who's accessing the application, and we were able to extract the IPs from the logs and even create a chart on Graylog to map out exactly what countries the requests were coming from. Graylog is amazing. It's a beast.

As a bank, we use the product to collect logs from various sources, including applications, our website, and mobile applications.

Since it's a free tool, I don't have much to say. Troubleshooting is important to me. The initial setup is complex. I hope to see improvements in Graylog for more interactivity, user-friendliness, and creating alerts.

Logs were previously stored in various database tables. Log consumers were required to write SQL for retrieval, then correlate/join disparate sources by hand. Since most logging fields were not indexed, the retrieval process was painfully slow.

Real-time UDP/GELF logging and full text-based searching. Since UDP is a stateless, connectionless protocol, it simplifies error handling for the log sender/producer in the event that Graylog is not available. UDP is also a fast and lightweight protocol, perfect for sending large volumes of logs with minimal overhead. Storing logs in Elasticsearch means log retrieval is extremely fast, and full text search is available by default. Additionally, Graylog has support via plugins for Slack-based alerts. These have been wonderful for notifying us when exceptional log messages are encountered.

I used this solution for bug tracking, checking to see if an application was running correctly or not.

I was working at a big comparison platform in Germany and was part of a  financial services department where we built multibanking applications. I know that in other departments they used different logging tools like TeamCity, so this was not something that was used companywide. There were probably about 50 developers using it, from app developers to Java/Python backend developers and the data science team. The extent of log messages and verbosity was varying from team to team.

One of the most valuable features is that you are able to do a very detailed search through the log messages in the overview. You are also able to attach a lot of details into your log messages. 

When it came to integrating the solution with Java, it was quite easy. My colleagues used Graylog for some dashboards to show how many bugs there were per day or the overall performance of the applications. For the developers it's not super important, but it was quite a good way for the project manager to see that everything was all right.

We have one SIEM tool to integrate the log source for other containers and user-related logs. Those logs were integrated into Graylog. When required those logs Graylog gets sent to a SIEM tool. 

The best feature of Graylog is the Elasticsearch integration. We can integrate and we can run filters, such as an event of interest, and those logs we can send to any SIEM tool or as an analytic. Additionally, there are clear and well-documented implementation instructions on their website to follow if needed.

Use for log aggregation, alerting, and monitoring in a container environment

• Searching errors
• Alerting through Slack and OpsGenie using their plugins.

We run a containerized microservices environment. Being able to set up streams and search for errors and anomalies across hundreds of containers is why a log aggregation platform like Graylog is valuable to us. 

Allowing us to set up alerts and integrate with platforms we already use, such as Slack and OpsGenie to alert users of these errors proactively, is also a very useful feature.