Graylog Enterprise is a log management platform built on an open-source core; it stores and indexes data in Elasticsearch (or OpenSearch) and is used for log collection, real-time search, and data enrichment. Its interface streamlines log aggregation and correlation, supporting both backend services and broader monitoring needs.

| Product | Mindshare (%) |
|---|---|
| Graylog Enterprise | 2.8% |
| Splunk Enterprise Security | 6.8% |
| Wazuh | 4.8% |
| Other | 85.6% |
| Type | Title | Date |
|---|---|---|
| Category | Log Management | Jun 23, 2026 |
| Product | Reviews, tips, and advice from real users | Jun 23, 2026 |
| Comparison | Graylog Enterprise vs Splunk Enterprise Security | Jun 23, 2026 |
| Comparison | Graylog Enterprise vs Wazuh | Jun 23, 2026 |
| Comparison | Graylog Enterprise vs Cribl | Jun 23, 2026 |
| Product | Rating | Mindshare | Recommending | Interviews |
|---|---|---|---|---|
| Datadog | 4.3 | 4.0% | 97% | 211 |
| Splunk Enterprise Security | 4.2 | 6.8% | 94% | 403 |
Reviewers generally describe Graylog as a worthwhile investment. Those who kept it report a noticeable return on investment, mainly through more efficient log management and analysis, and cite its search, alerting, and correlation features as the basis for quicker investigations and proactive issue resolution.
| Company Size | Count |
|---|---|
| Small Business | 10 |
| Midsize Enterprise | 4 |
| Large Enterprise | 10 |
| Company Size | Count |
|---|---|
| Small Business | 365 |
| Midsize Enterprise | 169 |
| Large Enterprise | 471 |
Graylog Enterprise stands out for its stability and powerful log management capabilities, facilitating efficient log aggregation, real-time updates, and data analytics. Users benefit from its plugin-based alerting, user-friendly interface, and support for microservices, including Docker integration. The ability to search in detail, flexible API integration, and data enrichment features are highly valued. Challenges include collector application issues, desired visualization enhancements, and authentication integration improvements. Users seek advancements in UI customization, backup functions, and easier rule creation.
What are Graylog Enterprise's most important features?

In industrial use, Graylog Enterprise is relied on for audit trails in the financial sector, supporting security event identification and error monitoring. Backend teams use its real-time analytics for swift issue resolution, while developers value the comprehensive log visualization its Docker integration enables for microservice management.
Graylog Enterprise was previously known as Graylog2.
Blue Cross Blue Shield, eBay, Cisco, LinkedIn, SAP, King.com, Twilio, Deutsche Presse-Agentur
| Author info | Rating | Review Summary |
|---|---|---|
| Security Officer at JSC "Moldtelecom" S.A. | 4.0 | I used Graylog Enterprise for log management but found it lacking in visualization and extensibility, so we switched to Splunk. While basic features were acceptable, Graylog's limited dashboards and high extension costs led to our move. |
| Cyber Security Engineer II (Vulnerability & Threat Management) at FICO | 4.0 | I find Graylog Enterprise excellent for centralized log management and security analytics, enabling faster incident investigation and better alert correlation, significantly reducing true positive alerts. It provides good ROI, though the UI could improve. |
| Platform Engineering at a comms service provider with 1,001-5,000 employees | 4.0 | I used Graylog Enterprise on-premises for a year to centralize logs from 500+ Linux VMs, improving visibility about 80%. It was easier than ELK with a strong UI and stable, responsive support, but documentation, visualizations, and upgrades need improvement. |
| Junior Dev Ops Engineer at a consultancy with 11-50 employees | 4.5 | I've found Graylog Enterprise to be a cost-effective, high-performing logging tool that streamlines issue detection and alerting across our services, especially through Slack integration, and its search and visualization features greatly simplify our operational monitoring. |
| Head of Cyber Security & CTO at a tech services company with 51-200 employees | 3.5 | We use Graylog for event correlation and IT security, valuing its open search-based integration and alert capabilities. While needing improved integrations, it significantly saves time. Before switching, we considered other solutions like IBM QRadar but Graylog's scalability and reliability prevailed. |
| Security Analyst at Netsharqs cybersecurity GmbH | 3.5 | I primarily use Graylog for log management and visualization, appreciating its log enrichment features, particularly data adapters and caching abilities. However, configuring processing pipelines can be tedious due to limited documentation and reliance on regular expressions for parsing. |
| DevOps Engineer at Proton Technologies | 4.0 | I find Graylog ideal for backend services due to its real-time updates and fast message streaming. It bridges technical knowledge for non-technical teams and outperforms tools like OpenSearch with its intuitive interface, although it could improve in user interface customization. |
| Dev Ops Team's Lab at a consultancy with 11-50 employees | 4.5 | I've used Graylog Enterprise for two years to monitor deployments across environments, verify versions, and troubleshoot issues quickly, though my rating dropped slightly due to the availability of other competitive applications in the market. |
| Security Officer at BC Energbank S.A. | 3.0 | As a bank, we utilize Graylog for log collection from multiple sources. Although it's free, the setup is complex. Compared to IBM QRadar, which we now use, Graylog lacks interactivity, user-friendliness, and efficient alert creation. |
| Senior Data Architect at a non-tech company with 201-500 employees | 4.5 | I appreciate Graylog's real-time data access and features, but its infrastructure costs, driven by Elasticsearch, are prohibitively high for large-scale use. This major drawback led us to replace it with Loggly, despite Graylog's otherwise strong performance. |
We are working with Splunk Enterprise Security. I use it in the company. I am only using this Splunk product.
It is easier to find some issues, and if I find some issues, then it is easier to resolve them. It is not so difficult.
We stopped using Graylog Enterprise because we found some issues with logs that came through, and they were too difficult to parse. We saw that it was better to use Splunk. It is better because it has an analysis algorithm and can also draw graphics with some help with this. To use Graylog Enterprise, we needed to import another system that collects and correlates the logs to see the statistics.
I did not find the alerting systems in Graylog Enterprise adequate to maintain operational efficiency. It was acceptable, but our company is developing, so we needed to improve and see different analysis and different ways to see the data. For this reason, we decided to buy a new SIEM platform where we could improve some additional features.
The problem was with the complexity and the cost to add extensions. We found this very expensive to buy another version with additional features.
I think that Graylog Enterprise does not have customizable dashboards. I did not see them in Graylog Enterprise because most of the time we used the open source free version, which is limited.
I think Graylog Enterprise should improve some things that they have in the paid version and perhaps provide users with a menu that gives examples of parsing logs and draws graphics so that people do not need to improve another system such as Grafana. This would be interesting.
When it comes to functionalities, I found the log management in Graylog Enterprise acceptable. It is very simple to use and to collect logs. It has support for different protocols and different ports, and the sidecar is easy to use. However, in visualization, I think it needs to be much better.
I have been working with Graylog Enterprise for about two to three years.
I never contacted technical support by Graylog Enterprise.
Negative
We stopped working with Graylog Enterprise and now we use another SIEM platform. We do not use Graylog Enterprise anymore. We stopped using Graylog Enterprise and switched to Splunk about seven to eight months ago.
We are now working with Splunk and Wazuh. We used Graylog Enterprise for log management. I did not utilize Graylog Enterprise's advanced search capabilities. When we installed and used Graylog Enterprise, it was sufficient. If I were to give a mark, it would be around seven to eight, or perhaps 7.5. We only used Graylog Enterprise for log management, and for this, I did not use anything. All that I did was manually follow the logs, take them manually, and do some parsing to see them in a better way. I think for this open source product with limited features, for a middle-sized company, it would be around nine, or perhaps even ten. I would rate this review a 7.5 overall.

Graylog Enterprise is used primarily for log management and to perform security analytics. It helps the organization collect logs from different sources and centralize them in one place. We can search and analyze events, detect suspicious activity, and it supports security investigations. The organization ingests a lot of logs including firewall logs, AWS, Windows endpoints, and authentication logs. It helps collect everything in a single dashboard, and we can search the logs and monitor each aspect.
Graylog Enterprise collects everything in one dashboard, allowing the SOC team to search the logs and monitor every alert based on the rules, enabling investigation of suspicious activity. For example, if a user account suddenly logs in from an unusual or unauthorized location with multiple failed login attempts, Graylog helps correlate those logs and allows analysts to investigate that quickly.
Graylog Enterprise is used for compliance and audit log retention, for investigation, and it is useful for centralized log collection.
In alerting and correlation, logs are ingested from multiple sources, allowing us to create alerts based on those use cases. For example, if a suspicious IP from an unauthorized location is detected, the IP is checked in the firewall logs, application logs, or whether it has executed some PowerShell script or is showing some authentication behavior. Based on that, everything is correlated, and those insights are available in the tool for SOC analysts to analyze those alerts.
The best feature Graylog Enterprise offers is its centralized log management, allowing analysts to search logs from a single tool instead of checking multiple tools. It is fast, and we can search effectively because during incident response time, the SOC analyst can quickly search a suspicious IP, username, or any IOCs across the historical logs. Another valuable aspect is the alerting and correlation functionality, where alerts can be created for multiple rules based on use cases, such as multiple failed logins, privilege escalation, abnormal authentication behavior, and other security events.
The dashboard and visualization in Graylog Enterprise is good for SOC monitoring purposes.
Graylog Enterprise positively impacts the organization by helping the team and analysts investigate incidents faster since logs from servers, endpoints, cloud, and firewalls are available in one place. Instead of switching between multiple tools, timelines can be reviewed and suspicious activity validated quickly, resulting in faster investigation times, better visibility into logs, and improved incident response capabilities. This has also reduced manual effort and compliance tasks.
Previously, as an SMB company, approximately 40 to 50 alerts per day were generated. When Graylog Enterprise was implemented and evaluated, it correlated everything, providing true positive alerts and reducing the number of alerts to 10, which allows analysts to monitor those true positive alerts and take action accordingly.
Graylog Enterprise performs well overall; however, the UI could be improved because the SOC team creates multiple dashboards based on their use cases, and creating dashboards is complex. If there were multiple dashboard and chart styles available, it would be helpful for the team and for the SOC analysts to investigate and use the UI in a better way.
I have been working as a cybersecurity engineer for six years.
Enterprise-grade platforms like Graylog Enterprise are expected to be stable for security purposes as well as monitoring workloads, and the experience has been good.
Graylog Enterprise is designed to be capable of handling growing workloads effectively.
The support experience generally depends on the issue complexity, but the team was very responsive and their technical guidance was also very good and constant. I would rate the customer support around nine out of ten.
Previously, Elasticsearch, an open-source SIEM tool, was used, and multiple monitoring approaches were evaluated depending on maturity and requirements.
Graylog Enterprise is a security product and generally requires an evaluation. Multiple tools were evaluated, and the solution will need to be scaled if required, as the main cost depends on integration and operation requirements. These details will be shared with leadership, and they will make the decision.
Graylog Enterprise was purchased from a Graylog salesperson, a third-party salesperson.
Instead of having five analysts working, Graylog Enterprise has reduced the number of analysts as well as time, resulting in a decreased cost of 20%. It has provided better quality and improved detection capabilities.
The organization often compares Graylog Enterprise with other SIEM and detection solutions tools based on the integration, and it is upon leadership's decision.
If others are looking into using Graylog Enterprise and have multiple log sources that they need to monitor and correlate, I would recommend Graylog Enterprise. It is a good product, allowing them to ingest all the logs into a single platform where they can search, triage, create rules, and monitor every alert.
Graylog Enterprise is a good, secure SIEM platform with mature investigation capabilities that works best when integrated into multiple log sources. I rate this product an eight out of ten.
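The correlation use case this reviewer describes (several failed logins, then a successful login from a location the user has never used, optionally followed by PowerShell on the same host) can be expressed as a small rule over normalized events. The following is an added example written for this page, not code from Graylog or from the reviewer's environment; the event tuples, the field names, the constructed sample events, and the thresholds are all assumptions chosen for illustration.

```python
"""Correlate failed logins + new-country success + PowerShell follow-up.

Added example, not Graylog's own rule language. Event shapes are assumed:
  auth event    = (ts, user, src_ip, country, outcome, host)
  process event = (ts, host, process_name, user)
"""
from collections import defaultdict
from datetime import datetime


def parse_ts(value):
    """ISO-8601 timestamp string -> datetime."""
    return datetime.fromisoformat(value)


def correlate(auth_events, process_events, known_countries,
              min_failures=3, window_minutes=10, followup_minutes=5):
    """Return one alert per successful login that (a) comes from a country
    not in the user's known set and (b) is preceded by at least
    `min_failures` failed logins within `window_minutes`. The alert is raised
    to 'high' if the same host starts powershell.exe within
    `followup_minutes` after the success."""
    by_user = defaultdict(list)
    for ev in sorted(auth_events, key=lambda e: e[0]):
        by_user[ev[1]].append(ev)

    alerts = []
    for user, events in by_user.items():
        for i, (ts, _, src_ip, country, outcome, host) in enumerate(events):
            if outcome != "success":
                continue
            if country in known_countries.get(user, set()):
                continue  # location is normal for this user
            t = parse_ts(ts)
            # Failed attempts for this user inside the look-back window.
            failures = [
                e for e in events[:i]
                if e[4] == "failure"
                and 0 <= (t - parse_ts(e[0])).total_seconds() <= window_minutes * 60
            ]
            if len(failures) < min_failures:
                continue
            # Did the same host launch PowerShell shortly after the login?
            followup = [
                p for p in process_events
                if p[1] == host and p[2].lower() == "powershell.exe"
                and 0 <= (parse_ts(p[0]) - t).total_seconds() <= followup_minutes * 60
            ]
            alerts.append({
                "user": user,
                "src_ip": src_ip,
                "country": country,
                "host": host,
                "failed_attempts": len(failures),
                "powershell_followup": bool(followup),
                "severity": "high" if followup else "medium",
            })
    return alerts


# Constructed sample data (not real logs). alice: 3 failures inside the
# window (the 07:30 failure is outside it), then a success from RO, which is
# not one of her known countries. bob: failure+success from a known country.
# carol: unknown country but no failures.
AUTH_EVENTS = [
    ("2024-05-01T07:30:00", "alice", "203.0.113.7", "RO", "failure", "WS-01"),
    ("2024-05-01T08:00:01", "alice", "203.0.113.7", "RO", "failure", "WS-01"),
    ("2024-05-01T08:00:15", "alice", "203.0.113.7", "RO", "failure", "WS-01"),
    ("2024-05-01T08:00:30", "alice", "203.0.113.7", "RO", "failure", "WS-01"),
    ("2024-05-01T08:00:45", "alice", "203.0.113.7", "RO", "success", "WS-01"),
    ("2024-05-01T08:05:00", "bob", "198.51.100.20", "DE", "failure", "WS-02"),
    ("2024-05-01T08:05:20", "bob", "198.51.100.20", "DE", "success", "WS-02"),
    ("2024-05-01T09:00:00", "carol", "192.0.2.44", "US", "success", "WS-03"),
]
PROCESS_EVENTS = [
    ("2024-05-01T08:01:10", "WS-01", "powershell.exe", "alice"),  # inside follow-up
    ("2024-05-01T08:30:00", "WS-01", "powershell.exe", "alice"),  # too late to count
]
KNOWN_COUNTRIES = {"alice": {"MD"}, "bob": {"MD", "DE"}, "carol": {"MD"}}

if __name__ == "__main__":
    for alert in correlate(AUTH_EVENTS, PROCESS_EVENTS, KNOWN_COUNTRIES):
        print(alert)
```

The look-back window and the failure threshold are the two knobs that decide how noisy this rule is; the reviewer's point about going from 40-50 daily alerts down to 10 is, in practice, the result of tuning exactly these and of requiring the second condition (the unusual location) rather than alerting on failed logins alone.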
I remember using Graylog Enterprise in the past at a software house where we used it for logging. During that time, we were using Graylog Enterprise as a log aggregator, collecting logs from multiple systems and then exporting and visualizing them within Graylog.
We had multiple Linux-based machines, and we were trying to capture the logs from the systems and export them into Graylog so that they could be centrally visualized. Graylog Enterprise was deployed on-premises in a private cloud.
In my experience, if I compare Graylog Enterprise with the ELK stack, I can see that Graylog is way easier to set up and has a great, good-looking UI. These are the things where I could see Graylog as a lightweight tool with more flexibility in terms of setting it up compared to alternatives such as ELK.
In the case of Elasticsearch, multiple separate components are needed. However, in the case of Graylog Enterprise, there was only one binary that we used to install on the machines.
Graylog Enterprise has positively impacted my organization by enhancing visibility through improved monitoring capabilities and getting logs from all the machines, which contributed to enhanced visibility and monitoring. We had over 500 virtual machines, and monitoring the logs by going to each virtual machine was tedious in the past. With Graylog, all the logs from those 500 machines were centralized in one Graylog Enterprise system. From there, it was very easy to query the logs and see the patterns, and thus the monitoring was significantly enhanced.
With Graylog Enterprise, monitoring improved by up to 80 percent because of having all the logs centralized. Users or engineers would not have to SSH on each node to see the logs, meaning monitoring or visibility got improved by 80 percent or more.
The documentation for Graylog Enterprise can be improved, as this has been a pain point.
I think the visualization aspect of Graylog Enterprise can be made more rich, similar to what we have in Grafana. If upgrades could be made more smooth, as we encountered fragile upgrades while doing upgrades in the past, then I think that could be great.
I used Graylog Enterprise in the past for one year.
Graylog Enterprise is stable.
The customer support for Graylog Enterprise was good and responsive.
I previously used Splunk and ELK as well, but they were with a different employer. It was never a situation where Graylog Enterprise was introduced as a replacement for other tools; the employer I was talking about was primarily using it.
I am not sure about the pricing, setup cost, and licensing because that was dealt with by a different team that handled the licensing and procurement.
No options were evaluated before choosing Graylog Enterprise.
I would say it depends on the scenario. If you have logs and want to have an easier setup, then Graylog Enterprise is the best choice. However, if you go towards a more complex architecture, then you could use other options such as ELK or Splunk. Graylog Enterprise, as far as logging is concerned, in terms of a small-scale setup and ease of use, is the best choice to go with. My overall rating for Graylog Enterprise is 7 out of 10 because of its flexibility and lightweight nature.
The advice I would give to others looking into using Graylog Enterprise is to ensure that the data they are collecting is actually in a proper format so that it can be viewed more clearly within Graylog Enterprise's interface, focusing on the formatting of the data.
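One concrete way to follow that advice when shipping logs from Linux hosts to Graylog is to send structured GELF messages rather than free-text syslog lines, so every field arrives already named. The block below is an added example for this page, not Graylog's own client library: it builds a GELF 1.1 message, applies the field-name rules the format imposes (additional fields prefixed with an underscore, `_id` reserved), and shows how GELF over UDP splits a large payload into chunks and how the receiver reassembles them. The sample message content is constructed; no network I/O is performed.

```python
"""Build, chunk and reassemble GELF 1.1 messages (added example, offline)."""
import gzip
import json
import os
import re
import time

CHUNK_MAGIC = b"\x1e\x0f"   # marks a chunked GELF datagram
MAX_CHUNKS = 128            # GELF permits at most 128 chunks per message
FIELD_NAME = re.compile(r"^[\w.\-]+$")


def build_gelf(host, short_message, level=6, full_message=None,
               timestamp=None, extra=None):
    """Return a GELF 1.1 message as a dict. `extra` holds additional fields
    (given without the leading underscore; it is added here). `level` is a
    syslog severity (6 = informational)."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time() if timestamp is None else timestamp,
        "level": level,
    }
    if full_message is not None:
        msg["full_message"] = full_message
    for name, value in (extra or {}).items():
        key = "_" + name
        if key == "_id" or not FIELD_NAME.match(key):
            raise ValueError(f"invalid additional field name: {key!r}")
        msg[key] = value
    return msg


def encode(msg, compress=True):
    """Serialize to JSON bytes, gzip-compressed unless compress=False."""
    data = json.dumps(msg, separators=(",", ":")).encode("utf-8")
    return gzip.compress(data) if compress else data


def decode(payload):
    """Inverse of encode(); detects gzip by its magic bytes."""
    if payload[:2] == b"\x1f\x8b":
        payload = gzip.decompress(payload)
    return json.loads(payload.decode("utf-8"))


def chunk(payload, chunk_size=1420, message_id=None):
    """Split a payload into GELF UDP chunks:
    magic(2) | message id(8) | sequence number(1) | sequence count(1) | data.
    Payloads that fit in one datagram are returned unchanged."""
    if len(payload) <= chunk_size:
        return [payload]
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError(f"{len(pieces)} chunks exceed the GELF limit of {MAX_CHUNKS}")
    message_id = os.urandom(8) if message_id is None else message_id
    if len(message_id) != 8:
        raise ValueError("message id must be 8 bytes")
    count = len(pieces)
    return [CHUNK_MAGIC + message_id + bytes([seq, count]) + piece
            for seq, piece in enumerate(pieces)]


def reassemble(datagrams):
    """Receiver side: rebuild the payload from chunks in any order, refusing
    mixed message ids and missing or duplicate sequence numbers."""
    if len(datagrams) == 1 and not datagrams[0].startswith(CHUNK_MAGIC):
        return datagrams[0]
    parts, ids, counts = {}, set(), set()
    for d in datagrams:
        if not d.startswith(CHUNK_MAGIC) or len(d) < 12:
            raise ValueError("not a GELF chunk")
        ids.add(d[2:10])
        counts.add(d[11])
        if d[10] in parts:
            raise ValueError("duplicate chunk")
        parts[d[10]] = d[12:]
    if len(ids) != 1 or len(counts) != 1:
        raise ValueError("chunks belong to different messages")
    count = counts.pop()
    if sorted(parts) != list(range(count)):
        raise ValueError("missing chunks")
    return b"".join(parts[i] for i in range(count))


if __name__ == "__main__":
    # Constructed sample: an sshd failure as a structured event.
    msg = build_gelf("web-01", "Failed password for root", level=4,
                     extra={"src_ip": "203.0.113.7", "service": "sshd"})
    datagrams = chunk(encode(msg))
    print(len(datagrams), "datagram(s);", decode(reassemble(datagrams)))
```

The 1420-byte default keeps each datagram inside a typical Ethernet MTU; Graylog also accepts uncompressed, gzip, or zlib payloads and tells them apart by the leading bytes, which is why `decode` sniffs the gzip magic rather than trusting a flag.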
Graylog Enterprise is the logging and management tool we initially used, but later we stopped using it and switched to Loki (Grafana Loki) for the logs. Eventually, we moved back to Graylog Enterprise after approximately one year.
The main use case for Graylog Enterprise is that we primarily use it for our enterprise logs. We have around 11 services, so we use it to collect all of our logs in one location. We use it for both QA and production environments.
A specific example of how we use Graylog Enterprise in our environment is that we have multiple logins for our MDM solution, a mobile device management solution. Since it is an enterprise application, we generally use Graylog to retrieve the logs and determine if there is an error or any downtime. Graylog Enterprise has been very helpful in identifying issues and is also extremely valuable for handling high-volume log throughput. The cost-effectiveness of Graylog Enterprise has been particularly beneficial to us.
The standout features that make Graylog Enterprise valuable for my team are particularly helpful for Site Reliability Engineers, IT, and DevOps security, as it delivers excellent functionality without extreme cost. Its alerting system and notification capabilities really help us, as we use Slack to receive alerts from Graylog Enterprise. Additionally, the data management and the pipeline to transform and categorize the logs as they flow in are valuable. The best feature of Graylog Enterprise is its high-performance search engine that provides fast, flexible, and scalable analysis of machine data or pod data.
When there is any error, bug, or downtime, Graylog Enterprise sends us an alert to Slack, so we can immediately investigate and find what the issue is, whether it is with the pipeline or within a service. We can determine exactly what happened and why it is causing the downtime. If we need to spin up more pods or if it needs more memory or CPU usage, we take the appropriate initiative based on that assessment.
Graylog Enterprise has positively impacted my organization by significantly minimizing our workload and making it easier to identify any issues in a service. It features good custom dashboards, visualization, and good search capability as well.
I do not have any specific examples or numbers, such as time saved or incidents to share. Currently, I have no suggestions for how Graylog Enterprise can be improved, as there are no pain points or features I wish were better.
I have been working in my current field for around 2.3 years.
Graylog Enterprise is cost-effective, but when compared with Elasticsearch, it can be more costly. I chose a rating of nine out of ten because there is not much that I would change to make it a perfect ten for me. I suggest using Graylog Enterprise, as it really helps to maintain and use everything effectively, ensuring the sustainability and health of the pods. My overall review rating for Graylog Enterprise is nine out of ten.
We describe our customers' usual use cases for Graylog as one where we use it for event correlation. We take typical IT events, and we also use it for security event correlation as well. So, both security and general IT.
We use Graylog internally in our company.
The features and capabilities of Graylog that we have found most valuable are related to its basis on OpenSearch, which was Elasticsearch. We appreciate being able to integrate custom feeds and do custom parsers, and to be able to do some of the correlation on it. That all works effectively.
The Graylog features that have proven to be most beneficial for our data analysis in particular are that we tend to use it as a big data store, so we have the correlation rules that, if something matches under certain conditions, it raises an alarm. We use it for investigating problems and problem management. We throw all the information at it, we have it alerting for certain conditions, but generally we use it for deep diving into issues as needed.
The area in Graylog that needs to be improved or enhanced would be the integrations. It would be useful to have more parsers and filters for different types of systems, which is growing, but we still find many systems that there aren't any, and we have to create our own. Having a library of parsers would help. Mainly, it's about integrations: being able to parse different sources and output to different systems easier.
I have been working with Graylog for about 8 years or so. That is quite a while.
I rate the stability of Graylog as very stable, probably a nine out of ten.
On a scale from 1 to 10, where 10 is the highest level of scalability, I would rate Graylog's scalability as an eight. I think Graylog itself is scalable, but where it needs improvement is around the underlying features of OpenSearch, particularly concerning data logs and things. More up-to-date documentation on how to do high ingestion and high search scenarios, including recommendations for configuration and deployment, would be useful.
Regarding technical support for Graylog, I can't comment much because I've not had to use it. Even though we have the enterprise products, we've not needed to use technical support because we've been using Graylog for many years and can fix most problems ourselves. There are some sizing documents online, but they were a few years out of date when we looked a few months back.
Positive
Before Graylog, we had a customer running IBM QRadar, which is a big security logging platform. We used other products such as rsyslog, Kiwi Syslog (which is Windows-based), and syslog-ng, among others.
The decision to switch to Graylog was influenced by my appreciation of its user interface. It separates out the ingestion from the backend. For instance, if Graylog is running and you take the backend down, you don't lose events. In contrast, with rsyslog, if you turn it off, you can't do backend-frontend maintenance, which is an advantage Graylog offers. It also handles clustering nicely, making it easy to scale up quickly.
I would rate my experience with the initial setup of Graylog on a scale of 1 to 10 as probably about a five. If someone has never used Linux before, it would be very difficult, but if you're familiar with Linux and the day-to-day things behind the scenes, it's quite straightforward. The guides online are simple, follow the guide, and you've got a system that works. There could possibly be more around improving the performance, and maybe some more up-to-date calculators on sizing because some of the sizing information we've seen previously are a few years out of date.
For maintenance, we usually need just one or two people. We have a team of three engineers who look after it, and they rotate the maintenance responsibilities every three weeks.
The return on investment or cost savings we have seen since the deployment of Graylog is primarily in time savings, allowing our security team and IT engineers quick access to information, as it all goes to one place. It makes it quite quick to find things, enabling us to retrieve the information needed to respond swiftly.
Evaluating other options before choosing Graylog was somewhat straightforward because we've been using it for some time and are confident with it. Originally, we recommended Graylog to a customer, but they chose QRadar, which is very expensive and didn't scale as effectively. Eventually, we put Graylog next to QRadar because QRadar couldn't keep up.
My impression of the overall visibility of Graylog is good. In the past few years, as it's transitioning from just an open-source product into more of an enterprise solution, they're trying to grow into that area and do more in the API space. I think it will get better, particularly for orchestration pieces. That's probably its weaker area compared to some of the other products such as Microsoft Sentinel or Log Analytics, where they have more hooks into different products. I appreciate that Graylog is moving towards that, and it's quite simple to get it stood up quickly. We have used it during security incidents with customers, and we have spun up a separate Graylog instance to help them with ransomware type issues.
Graylog has supported our compliance and security monitoring activities because, for one of our customers who falls under the NIS2 regulation due to critical infrastructure, we heavily use it for that side. However, for the rest, we don't tend to use it for compliance really. A lot of that's handled separately, so it's not really an area we do much with Graylog at the moment, but it could be something that we could do more with in the future.
Graylog is not assisting us with our AI-driven data analysis or any operations with AI at the moment, but it could be something that we could do in the future.
Currently, about 10 people are using Graylog in our company.
We have plans to use Graylog more in the future as we deploy more. We run a private cloud for different platforms, and our intention is to have all of those systems folding their events into Graylog.
Overall, I would rate Graylog at about a seven or eight. The only downside is some of the integrations; if it had more integrations, it would be easier to work with other tools. Contextually, they're transitioning from an open-source background to a more enterprise-oriented space, which understandably takes time.
I mostly use it for log management, log aggregation, and visualization. In my case, I am researching how to basically integrate cyber threat intelligence into open-source team systems.
Graylog is very handy. It has data adapters and lookup tables that utilize HTTP calls to APIs. I can enrich data by automating HTTP calls to a MISP instance, for example, or other threat feeds. This is basically the brunt of the work. Otherwise, normalization and parsing of logs from different sources are involved.
I would say log enrichment via these data adapters and lookup tables is valuable, especially the caching ability since Graylog doesn't always have to make API calls for every single instance if it is enriching the same value. That is very handy and makes it scalable.
When it comes to configuring the processing pipeline, writing the rules can be very tedious, especially since the documentation isn't extensive on how the functions provided for these rules work. Parsing depends heavily on regular expressions, which makes the process somewhat tedious.
I have been using it for a year and a half.
I haven't deployed it in a cluster, so I can't properly evaluate how scalable it is. However, since it allows for cluster redundant setups, I imagine it is theoretically pretty scalable. It is very resource-intensive. We have tried it on a single node, but in a setting where a network has thirty different clients doing search queries for insane amounts of logs, it was very slow and inefficient, even with sixteen gigabytes of RAM for that server.
Until now, I have only used the open-source version. I haven't used Graylog Security or Enterprise, so I'm not sure if there is technical support for the open-source version.
Usually, if I have issues that require troubleshooting, I consult the Graylog Community. Sometimes there are solutions on the forum.
Neutral
Configuring the SSL certificates usually takes a lot of time because I have to add the certificate to the Java keystore in a very specific format. Otherwise, it doesn't get recognized. It is not very convenient. That took me about one week to figure out.
I am the person responsible for that.
Graylog is a purpose-driven tool, so we don't really use it in our company. Rather, we usually deploy it for our clients. Some clients wanted it for managing logs for forensic analysis or compliance reasons, and some wanted it as a security option.
Some clients abandoned it. Even though it is customizable, it doesn't offer much functionality out of the box. It requires a fair amount of effort and expertise to function. Maybe if there were prebuilt dashboards or processing, like Wazuh, it could be adopted on a higher scale.
Overall, my rating for this product is seven out of ten.
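The two mechanisms this reviewer leans on, regex-based parsing in the processing pipeline and enrichment through a cached lookup against a threat-intelligence source such as MISP, fit in one small demonstration. The block below is an added example written for this page; it is neither Graylog's pipeline rule language nor the MISP API. The log lines are constructed, the threat feed is a local stand-in for an HTTP data adapter, and the cache is a minimal TTL cache that counts upstream calls so the effect the reviewer describes (one API call per distinct value, not one per message) is visible.

```python
"""Regex parsing plus cached enrichment (added example, offline)."""
import re
import time

# Header of a syslog-style line: timestamp, host, program[pid]: message.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w\-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


class CachingLookup:
    """Stand-in for a Graylog lookup table backed by an HTTP data adapter.
    `fetch(key)` is the (slow, remote) call; results are reused for
    `ttl_seconds`. `clock` is injectable so expiry can be tested offline."""

    def __init__(self, fetch, ttl_seconds=300, clock=time.monotonic):
        self.fetch = fetch
        self.ttl = ttl_seconds
        self.clock = clock
        self._cache = {}
        self.calls = 0          # number of upstream fetches actually made

    def lookup(self, key):
        now = self.clock()
        hit = self._cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.calls += 1
        value = self.fetch(key)
        self._cache[key] = (value, now + self.ttl)
        return value


def fake_threat_feed(ip):
    """Constructed stand-in for an attribute search against a MISP instance."""
    indicators = {"203.0.113.7": {"threat": "c2", "score": 90}}
    return indicators.get(ip, {"threat": None, "score": 0})


def parse_line(line):
    """Return the header fields and message body, or None if unparseable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def enrich(lines, lookup):
    """Parse each line, extract the first IPv4 address from the message body,
    and attach the lookup result under 'threat'. Unparseable lines are dropped."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ips = IPV4_RE.findall(ev["msg"])
        ev["src_ip"] = ips[0] if ips else None
        ev["threat"] = lookup.lookup(ev["src_ip"]) if ev["src_ip"] else None
        events.append(ev)
    return events


# Constructed sample lines (not real logs): three mention the same address.
SAMPLE_LINES = [
    "2024-05-01T08:00:01Z fw-01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "2024-05-01T08:00:05Z web-01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "2024-05-01T08:00:09Z web-01 sshd[2211]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "2024-05-01T08:02:00Z web-02 sshd[2301]: Accepted publickey for deploy from 198.51.100.9 port 40022 ssh2",
    "garbage line without structure",
]

if __name__ == "__main__":
    table = CachingLookup(fake_threat_feed)
    for ev in enrich(SAMPLE_LINES, table):
        print(ev["host"], ev["src_ip"], ev["threat"])
    print("upstream calls:", table.calls)
```

Parsing with one anchored regex per source and doing the expensive work in the lookup layer is the same division Graylog's pipelines and lookup tables encourage; the TTL is the trade-off knob between API load and how quickly a newly published indicator shows up on already-seen values.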

Neutral
We have various environments, including UAT, SIT, Dev, and Production, with automated deployments. We refer to Graylog Enterprise to verify if deployments have completed, check their status if they have failed, and determine what version is currently running.
Some team members from the QA team are unable to see the exact version or the newer version. We use Graylog Enterprise to check if the deployment is done, identify what version has been deployed, and determine on what date the environment was updated.
We provide variables to fit in the relevant section and select the appropriate one, such as the environment and what we need to check. This is the main feature I appreciate about Graylog Enterprise. Whatever we select, such as the database name or environment name, all the information appears, including the date of the last deployment and related details.
Troubleshooting is straightforward with Graylog Enterprise. Whenever we encounter an issue, whether from the QA team or other team members, we use it to troubleshoot the specific problem and implement a fix.
During deployments, we fix issues as quickly as possible using Graylog Enterprise. When team members from the QA team inform us that something is not working or an environment is down, we access Graylog Enterprise to verify if the deployment has been completed and check exactly what version is running.
We receive approximately 15 to 16 daily requests, and we resolve them through Graylog Enterprise.
We have been using Graylog Enterprise for the last two years. Graylog Enterprise is deployed in our organization as a private cloud solution.
There are many other applications in the market that influenced my rating reduction.

As a bank, we use the product to collect logs from various sources, including applications, our website, and mobile applications.
Since it's a free tool, I don't have much to say. Troubleshooting is important to me. The initial setup is complex. I hope to see improvements in Graylog for more interactivity, user-friendliness, and creating alerts.
I have been using this solution for the past three years, and my current version is v5.1.
The solution is stable.
The product is scalable. Currently, three individuals, myself included, use the solution in our company. We plan to increase the usage in the future.
There is no customer service and support available for the free version of the solution.
We have tested IBM QRadar and now use it. First of all, the key factor is the pricing. I saw that IBM QRadar has an interactive dashboard, providing valuable insights to people. Additionally, I've seen that IBM QRadar has an agent that simplifies installations across various platforms without requiring intricate configurations. Also, IBM QRadar has automatic reporting.
The initial setup was complex. The deployment process involved server configuration, setting up alerts, and configuring the system. When upgrading from version 4.2 to 5.1, the configuration took some time.
We are using the free version of the product. However, the paid version is expensive.
Overall, I rate the product a six out of ten.

We had two use cases. In the beginning, log centralization was the main thing, and this was the most frequent use of Graylog, but we also tried to use it for analytics. Graylog was maintained by the data lake team, and we were looking for tools that were suitable for analytics. We felt that Graylog looks real-time. It had some graphs and dashboards. So, we had an idea to use it for analytics.
What I like about Graylog is that it's real-time and you have access to the raw data. So, you ingest it, and you have access to every message and every data item you ingest. You can then build analytics on top of that. You can look at the raw data, and you can do some volumetric estimations, such as how much traffic you have, how many messages of a given type you have, etc.
We stopped using it for analytics because of its price, and at the moment, we are using it mostly for log centralization. If you use it with high traffic for analytical purposes, as well as for the logs, the infrastructure costs are unbelievable.
Graylog is a great product backed by Elasticsearch as the storage and query engine. It is just an interface on top of Elasticsearch and some Elasticsearch management. The indexes that are kept in Elasticsearch are managed by Graylog software. Elasticsearch is a decent product, but it's very infrastructure-heavy. It requires lots of resources, and if you make a mistake with provisioning, you are likely to not get a cluster back. We had a couple of outages like that, and we hated that. So, we ended up over-provisioning resources just to avoid such situations from happening. If you have a whole team trying to fix the Graylog instance for two days, that's a bit too much. That may be my Norwegian take on it, but the engineering resources are expensive. It's better to just provision the infrastructure.
Overall, the product is great, and the features are just fine, but the infrastructure cost is what is killing it. The infrastructure cost is the main issue. I like the rest. If the infrastructure costs could be lower, it would be fantastic. I'm not sure if they can improve the infrastructure cost with the way Elasticsearch is. If they keep using Elasticsearch, maybe there are some opportunities there, or they can support other backends with cheaper storage. They could have a different backend to replace Elasticsearch or do some tweaks to Elasticsearch to reduce the costs. There could be partial parsing of logs or parsing on demand so that when you write data through Graylog to Elasticsearch, it doesn't need to crunch in every detail requiring that much CPU.
I was a part of the team that was managing a Graylog instance for five years. We were both the maintainers and users of the platform. The last time I checked the Graylog interface was half a year ago. We switched to Loggly for day-to-day activities. Not all the teams in our company did that, but we did.
It's stable if you do not overload it. If you go over the boundary that it can handle with the existing infrastructure, it becomes a nightmare. Otherwise, it just runs smoothly.
It's pretty scalable. We didn't hit any ceiling when scaling it up. You throw hardware at it, and it just performs fine. The only issue is the cost. It's not dependent on how big an instance you have. The problem is that it costs a fortune.
We have about 300 users, but it's not about the users. It's about the traffic we have. Our traffic is pretty big. We have thousands of messages going per second through the Graylog instance. It's not that we have many users making queries concurrently, but still, to have the data ready for querying, Graylog needs to crunch it, process it, and write it to Elasticsearch, and that's what consumes resources most of the time.
We didn't have any issues that we needed to fix in Graylog. It just worked for us. We do use other open-source products and commercial products, and the commercial product support is not always fantastic. For Graylog, we could solve all the issues by searching over the internet and on Stack Overflow. With other products, such as Metabase, an open-source business intelligence tool that we use, our people can write a patch themselves, because half of our company is made up of software developers. We did that a couple of times, but with Graylog specifically, we haven't had a need to introduce any patches. It was just tweaking the config.
We switched to Loggly because of the infrastructure costs of Graylog. Loggly is an all-in-the-cloud commercial offering. Even though Graylog is free and doesn't require any maintenance and we just pay for the infrastructure, surprisingly, Loggly costs less than Graylog. So, we save money with Loggly. That was a big surprise to me.
Graylog is very stable, but Loggly is less stable. Maybe they're trying to cut costs. We have had a couple of outages, and quite often, we had indexing delays. When the data is not available right away, we have to wait for that. With Graylog, with our over-provisioning, we never had these issues, but we use Loggly because it's more efficient money-wise for our volume.
One drawback of Loggly is that they have just a few sites where they can store data. Previously, the site was only in the United States. We couldn't choose anything else. For us, it wasn't a problem because there was some agreement between the European Union or European Economic Area and the United States on data processing, but then this agreement got canceled. So, Loggly introduced one European site. They do have something over here, but we still lack support on the locality of the data because our customers are in Asia, and we want services to be placed closer to them. We want more sites. If Loggly, for example, could be deployed on any AWS instance, such as on Amazon Cloud or Google Cloud, which do have data centers in, for example, Thailand or the Asia Pacific, that would be beneficial. Loggly still doesn't have that. They are developing something, but that's an advantage of Graylog. It can be placed anywhere you have the infrastructure.
There is one particular mode with which we could not agree with Loggly, but there is some progress there. We have high traffic, but we don't want to store the data for long. Loggly suggests 90 days by default. We don't need 90 days because we need to troubleshoot situations that happened today and yesterday. We only need a couple of weeks of data, but we need to process a lot of traffic. Loggly wasn't ready for this type of load. I do understand why Loggly does that. It's not the storage that is most expensive; it's the CPU resources that you need to put into the indexing process when you ingest logs into the system. So, Graylog is more flexible because you still can tweak it to your particular load. You can say that you need just two weeks of high-traffic data, but you would need the infrastructure built specifically for this use case. With Loggly, we spent a year negotiating this mode. We came close, but it's still not ideal.
The other competitors, which we haven't had in production, such as Humio, are promising lower prices. It seems like the next generation of log processing. Graylog is based on Elasticsearch, and it seems that Loggly is also based on Elasticsearch or at least some mutated version of it. Humio seems to be based on something else. They don't have Elasticsearch. So, they don't have this burden of maintenance.
We have top-level engineers, and we didn't have any problems at all, but any random guy could also set it up. It involved the magic of regular Linux commands. It was pretty easy. I would rate it a five out of five in terms of the ease of the setup. It's great.
It's open source and free. They have a paid version, but we never looked into that because we never needed the features of the paid version.
If you have a small amount of traffic or you are a small company, Graylog is just fantastic because it's open source, and it's free. You can run a Graylog instance on pretty modest hardware, but when it comes to large volumes, as we have, it becomes too expensive.
I'm pretty happy with the features of the product, but I'm not happy with the infrastructure costs. Feature-wise or from the end user perspective, Graylog is just great.
For small enterprises, it's a good start because they tend to use cheaper products, at least until they grow. Graylog is a good fit there because you can pick a very cheap cloud provider and then just install it there. It is pretty cheap. For big companies that are focused on reliability and availability, Graylog either requires over-provisioning or will cost a lot, which is not ideal. There are better solutions out there in the market, but one important point is that Graylog can be placed in your local data center. Some companies are very suspicious of clouds or have some restrictions from authorities or as per their policies and business model. There are countries, for example, Pakistan, where the network is poor, and if you use the closest data center of any cloud provider, that will most likely be Thailand. For these types of setups, Graylog is pretty much the only choice.
Before Humio, I would have rated it a 10 out of 10. It's a great product, but because of its cost, I would rate it a 9 out of 10.