Graylog Enterprise Reviews

We had two use cases. In the beginning, log centralization was the main thing, and this was the most frequent use of Graylog, but we also tried to use it for analytics. Graylog was maintained by the data lake team, and we were looking for tools that were suitable for analytics. We felt that Graylog looks real-time. It had some graphs and dashboards. So, we had an idea to use it for analytics.  

What I like about Graylog is that it's real-time and you have access to the raw data. So, you ingest it, and you have access to every message and every data item you ingest. You can then build analytics on top of that. You can look at the raw data, and you can do some volumetric estimations, such as how big traffic you have, how many messages of data of a type you have, etc.

We stopped using it for analytics because of its price, and at the moment, we are using it mostly for log centralization. If you use it with high traffic for analytical purposes, as well as for the logs, the infrastructure costs are unbelievable.

Graylog is a great product backed by Elasticsearch as the storage and query engine. It is just an interface on top of Elasticsearch and some Elasticsearch management. The indexes that are kept in Elasticsearch are managed by Graylog software. Elasticsearch is a decent product, but it's very infrastructure-heavy. It requires lots of resources, and if you make a mistake with provisioning, you are likely to not get a cluster back. We had a couple of outages like that, and we hated that. So, we ended up over-provisioning resources just to avoid such situations from happening. If you have a whole team trying to fix the Graylog instance for two days, that's a bit too much. That may be my Norwegian take on it, but the engineering resources are expensive. It's better to just provision the infrastructure.

Overall, the product is great, and the features are just fine, but the infrastructure cost is what is killing it. The infrastructure cost is the main issue. I like the rest. If the infrastructure costs could be lower, it would be fantastic. I'm not sure if they can improve the infrastructure cost with the way Elasticsearch is. If they keep using Elasticsearch, maybe there are some opportunities there, or they can support other backends with cheaper storage. They could have a different backend to replace Elasticsearch or do some tweaks to Elasticsearch to reduce the costs. There could be partial parsing of logs or parsing on demand so that when you write data through Graylog to Elasticsearch, it doesn't need to crunch in every detail requiring that much CPU.

I was a part of the team that was managing a Graylog instance for five years. We were both the maintainers and users of the platform. The last time I checked the Graylog interface was half a year ago. We switched to Loggly for day-to-day activities. Not all the teams in our company did that, but we did. 

It's stable if you do not overload it. If you go over the boundary that it can handle with the existing infrastructure, it becomes a nightmare. Otherwise, it just runs smoothly.

It's pretty scalable. We didn't hit any ceiling when scaling it up. You throw hardware at it, and it just performs fine. The only issue is the cost. It's not dependent on how big an instance you have. The problem is that it costs a fortune.

We have about 300 users, but it's not about the users. It's about the traffic we have. Our traffic is pretty big. We have thousands of messages going per second through the Graylog instance. It's not that we have many users making queries concurrently, but still, to have the data ready for querying, Graylog needs to crunch it, process it, and write it to Elasticsearch, and that's what consumes resources most of the time.

We didn't have any issues that we needed to fix in Graylog. It just worked for us. We do use other open-source products and commercial products, and the commercial product support is not always fantastic. For Graylog, we could solve all the issues by searching over the internet and on Stack Overflow. With other products, such as Metabase, which is an open-source business intelligence tool that we use, because half of our company is made of software developers, they can write a patch. We did that a couple of times, but with Graylog specifically, we haven't had a need to introduce any patches. It was just tweaking the config.

We switched to Loggly because of the infrastructure costs of Graylog. Loggly is an all in the cloud commercial offering. Even though Graylog is free and doesn't require any maintenance and we just pay for the infrastructure, surprisingly, Loggly costs less than Graylog. So, we save money with Loggly. That was a big surprise to me.

Graylog is very stable, but Loggly is less stable. Maybe they're trying to cut costs. We have had a couple of outages, and quite often, we had indexing delays. When the data is not available right away, we have to wait for that. With Graylog, with our over-provisioning, we never had these issues, but we use Loggly because it's more efficient money-wise for our volume.

One drawback of Loggly is that they have just a few sites where they can store data. Previously, the site was only in the United States. We couldn't choose anything else. For us, it wasn't a problem because there was some agreement between the European Union or European Economic Area and the United States on data processing, but then this agreement got canceled. So, Loggly introduced one European site. They do have something over here, but we still lack support on the locality of the data because our customers are in Asia, and we want services to be placed closer to them. We want more sites. If Loggly, for example, could be deployed on any AWS instance, such as on Amazon Cloud or Google Cloud, which do have data centers in, for example, Thailand or the Asia Pacific, that would be beneficial. Loggly still doesn't have that. They are developing something, but that's an advantage of Graylog. It can be placed anywhere you have the infrastructure.

There is one particular mode with which we could not agree with Loggly, but there is some progress there. We have high traffic, but we don't want to store the data for long. Loggly suggests 90 days by default. We don't need 90 days because we need to troubleshoot situations that happened today and yesterday. We only need a couple of weeks of data, but we need to process a lot of traffic. Loggly wasn't ready for this type of load. I do understand why Loggly does that. It's not the storage that is most expensive; it's the CPU resources that you need to put into the indexing process when you ingest logs into the system. So, Graylog is more flexible because you still can tweak it to your particular load. You can say that you need just two weeks of high-traffic data, but you would need the infrastructure built specifically for this use case. With Loggly, we spent a year negotiating this mode. We came close, but it's still not ideal.

The other competitors, which we haven't had in production, such as Humio, are promising lower prices. It seems like the next generation of log processing. Graylog is based on Elasticsearch, and it seems that Loggly is also based on Elasticsearch or at least some mutated version of it. Humio seems to be based on something else. They don't have Elasticsearch. So, they don't have this burden of maintenance.

We have top-level engineers, and we didn't have any problems at all, but any random guy could also set it up. It involved the magic of regular Linux commands. It was pretty easy. I would rate it a five out of five in terms of the ease of the setup. It's great.

It's open source and free. They have a paid version, but we never looked into that because we never needed the features of the paid version.

If you have a small amount of traffic or you are a small company, Graylog is just fantastic because it's open source, and it's free. You can run a Graylog instance on pretty modest hardware, but when it comes to large volumes, as we have, it becomes too expensive. 

I'm pretty happy with the features of the product, but I'm not happy with the infrastructure costs. Feature-wise or from the end user perspective, Graylog is just great.

For small enterprises, it's a good start because they tend to use cheaper products, at least until they grow. Graylog is a good fit there because you can pick a very cheap cloud provider and then just install it there. It is pretty cheap. For big companies that are focused on reliability and availability, Graylog either requires over-provisioning or will cost a lot, which is not ideal. There are better solutions out there in the market, but one important point is that Graylog can be placed in your local data center. Some companies are very suspicious of clouds or have some restrictions from authorities or as per their policies and business model. There are countries, for example, Pakistan, where the network is poor, and if you use the closest data center of any cloud provider, that will most likely be Thailand. For these types of setups, Graylog is pretty much the only choice.

Before Humio, I would have rated it a 10 out of 10. It's a great product, but because of its cost, I would rate it a 9 out of 10.

I have my own recipe for an infrastructure code where I integrate Fluent Bit with Kubernetes. It scrapes the logs off of all the member nodes of Kubernetes and then it chips that to an input on Graylog. That way, when developers want to troubleshoot an application but don't want to use anything Kubernetes CLI-related, they can jump straight to Graylog. They can type the name and the type of deployment that they're looking for and get all of the logs pulled into one place. Essentially I use this solution to give developers a way to look at all the logs in an aggregated form. It's very helpful.

I also use the solution to extract and quantify data and metrics from the logs. For example, let's say you're running the wallet application and you want to make sure that you are getting the minimum 404's when somebody is trying to make a payment. You can essentially extract the code on Graylog and it will give you a really nice view of how often your wallet times out, or overall performance. If you're looking specifically from a security standpoint, if the application is seeing something that should not be seen, you have a way to log that.

I also use it for building charts and live logging. Also, the pipelines allow you to take a raw log, create something out of it, and transform it into something else, so I use that for streams, presentations, metrics, and health checks from an app runtime standpoint.

Everything stands out as valuable, including the fact that I can quantify and qualify the logs, create pipelines and process the logs in any way I like, and create charts or data maps. One time, I created a geo map based on IP addresses accessing a website. The web server generates logs based on who's accessing the application, and we were able to extract the IPs from the logs and even create a chart on Graylog to map out exactly what countries the requests were coming from. Graylog is amazing. It's a beast.

Graylog needs to improve their authentication. Their AD integration is really bad. When it comes to ACL's, access control lists, where you want to have different group memberships and control who gets access to what, it really could use major improvements. It seems like a beta authentication version that they came up with in a hurry and said, "Hey guys, we've got something going for you. Use it until we think of something later on." I believe their enterprise version has improved some of these features, but I use the open source version.

The second thing would be the way they handle live logging. The fact that Graylog displays logs from the top down is just ridiculous. I've never seen anything that logs this way except for Graylog. I believe this is an issue because they have the selector going in that direction, so it would make sense that they have to implement it that way, but it's definitely not cool. When you're looking at Graylog's live logging, whether it's doing a one-second or five-second pull, you'll notice that new log lines are placed at the top of the screen, not the bottom of the screen. I find this ridiculous because normally when you're looking at logs anywhere, on Linux, even in Windows, you're going to see that the logs are generated at the bottom. That's one thing that Graylog definitely needs to improve. 

Graylog also needs to invest some time to improve the performance and how they handle the maintenance of Elasticsearch.

An added feature I would like to see is the capacity to delegate most of the backend maintenance to the frontend UI. When you have somebody from the service desk working on the solution or somebody who's not a technical person, they could run some of the maintenance stuff directly from the UI.

Another thing is something that I saw in LogDNA, where you could have a color based on log regex. For example, it would color the timestamps next to the log lines orange, make the source of the log purple, and then make the actual log content black. That would be very nice to see in Graylog.

I have been using this solution for about four to five years.

I would give this solution a six out of ten for stability. It has quite a few hiccups. I usually try to avoid them the best I can, but sometimes they just happen and you have to deal with it.

Graylog can scale, but technically, Graylog's scalability mainly depends on Elasticsearch because it uses Elasticsearch as the backend. I would say the question should probably be about how well Elasticsearch can scale. The answer to that would be that it is pretty scalable, but it's not simple. It's not like Kubernetes, where you just add a few extra replicas and you get performance right of the box. It's a bit complex to scale it, but it is scalable.

I would rate the technical support as a four out of five. From an experience standpoint, they're pretty good.

Positive

It really depends. If you're going to slap Graylog into a very small environment and do a standalone instance, it's super easy and straightforward. You have to install Mongo, Elasticsearch, and Graylog and connect them to each other, which is super simple. There are tons of easy tutorials online available to help you do that. 

However, if you want to set up a highly scalable cluster, things will get a little bit complex. It's still very manageable, but it's definitely complex.

It took me about 30 minutes to deploy Graylog. 

There is an open source version and an enterprise version. The authentication is bad in the open source version, but I believe they have improved that in the enterprise version. 

I wouldn't recommend the enterprise version, but as an open source solution, it is solid and works really well.

My advice to people considering this solution is to first determine where they can use it. The server sizing depends on the amount of logs generated and where you get the logs from. For example, it it a Kubernetes cluster with a lot of things on it, or just a bunch of VMs, or just a couple of VMs? What's the size of that? Based off of this, you would then decide the server sizing and how big your Elasticsearch needs to be and how scalable it needs to be. Graylog is like ELK Stack. It's very, very resource hungry.

I would rate this solution as a seven out of ten. 

We are using the solution to store all the logs from different sources. Also, we use it to monitor the logs for system errors.

The solution's most valuable feature is its new interface. It enhances our cluster's performance as well.

They depleted the legacy alarm callback feature from the current version. They should make it available in the newest version as well. Also, they should include SSO integration in Graylog 5.0's community version, similar to its enterprise version. It would also be beneficial if they added a feature that scales the solution automatically when the load increases.

We have been using the solution for five to six years.

The solution's current version that I am using is stable.

We have 50-60 users of the solution. Its scalability gets complicated when we have to update or edit multiple nodes. It is a very tedious task to add new nodes to the cluster. I rate its scalability a six.

We use Graylog's community support forum. It helps us solve our queries.

The solution's initial setup is easy. The deployment process for the new version takes 10-15 days.

Our in-house technical staff has seven years of experience working with Graylog. With their guidance, we configure and maintain the solution.

The solution's community version works well for a lesser workload. It will help if you opt for the solution's enterprise version if you plan to increase the load.

I recommend the solution to others and rate it as a seven.

I used this solution for bug tracking, checking to see if an application was running correctly or not.

I was working at a big comparison platform in Germany and was part of a  financial services department where we built multibanking applications. I know that in other departments they used different logging tools like TeamCity, so this was not something that was used companywide. There were probably about 50 developers using it, from app developers to Java/Python backend developers and the data science team. The extent of log messages and verbosity was varying from team to team.

One of the most valuable features is that you are able to do a very detailed search through the log messages in the overview. You are also able to attach a lot of details into your log messages. 

When it came to integrating the solution with Java, it was quite easy. My colleagues used Graylog for some dashboards to show how many bugs there were per day or the overall performance of the applications. For the developers it's not super important, but it was quite a good way for the project manager to see that everything was all right.

With Python, there was a problem where it was harder to attach extra information using the basic logging package. We had to build our own custom adapter for this to append that information to the log message. For Python developers, it would be great if Graylog could provide a better Python package in order to make it easier to use for the Python community.

I used this solution for about two years. 

This solution is definitely stable. 

This solution was definitely scalable to our needs. 

I would say the initial setup is quite straightforward, but it's pretty straightforward for any kind of logging tool out there. The difference is in how you integrate it into the project, but I don't think there's much of a difference between all of the tools, at least from my perspective. 

I used Graylog until a few months ago, and I'm currently using Sentry. With Sentry it is quite easy to filter, for example, errors for a specific project just by clicking a drop down. On Graylog, we had to perform active filtering through the search bar. The filtering process was a bit different. I wouldn't say they differ too much, but Sentry also allows me to do some bug tracking and mark them like, "Okay, now I have to review this," or "This has been resolved", which is not something I would ask for in a log tool, but it's available.

I would say that it's definitely worth looking into the extensive search and filtering functionality of Graylog in order to make the most out of it. I would also suggest having a look into the dashboard view functionalities for doing some kind of quick performance overview on the application set. I think the coolest feature of Graylog if you're a developer is that you are able to really narrow down or to specify the search.

For TeamCity, for example, there is specific query language and you can build dashboards and queries there as well, but this feature was kind of limited when I was using it. Even though it was available, I didn't like the feature overly much. I know that there are other similar tools available, but I enjoy using Graylog the most.

I would rate this solution as an eight out of ten because the integration with Python isn't perfect, but if that's fixed in the future, I would say it would be a nine or ten.

We have one SIEM tool to integrate the log source for other containers and user-related logs. Those logs were integrated into Graylog. When required those logs Graylog gets sent to a SIEM tool. 

The best feature of Graylog is the Elasticsearch integration. We can integrate and we can run filters, such as an event of interest, and those logs we can send to any SIEM tool or as an analytic. Additionally, there are clear and well-documented implementation instructions on their website to follow if needed.

Graylog could improve the process of creating rules. We have to create them manually by doing parses and applying them. Other SIEM solutions have basic rules and you can create and get more events of interest.

I have been using Graylog for approximately three years.

Graylog is a stable solution. However, while using some microservices it may go down.

Graylog

We have approximately 40 to 45 people using the solution in my company. There are three different teams using it, such as developers and testing teams. The teams use the solution on a daily basis.

We are working in India, and sometimes it takes a while to receive a response from the support. However, the solutions they provide are can do them. Their support is good.

I rate the support from Graylog a four out of five.

Positive

I have previously used Logstash. The main difference between Graylog and Logstash is in Logstash it takes a longer time for searching logs.

We had some struggles with the initial setup of Graylog. However, after using the support it works fine.

I rate the initial setup of Graylog a four out of five.

We use the support from the Graylog team for the implementation of the solution.

Graylog is a free open-source solution. The free version has a capacity limitation of 2 GB daily, if you want to go above this you have to purchase a license.

I rate Graylog a seven out of ten.

I like the correlation and the alerting. If I have multiple monitoring systems and I alert Graylog, Graylog will collect them and analyze them, and issue one alert.

We are only approximately four months into production and have not explored all of the features this solution offers. So far, it has everything we wanted.

I would like to see some kind of visualization included in Graylog. The report is plain, they could be improved.

I have been using Graylog for approximately five months.

We are using the latest version.

Graylog community is very good.

We are also using Zenoss.

The initial setup is straightforward.

It's an open-source solution that can be used free of charge.

I would definitely recommend Graylog to others who are interested in using it.

At this point with the features that I have used, I would rate Graylog a ten out of ten.

We use Graylog for developer login to assist developers and help them find issues faster, and for certain applications in production.

The centralized logs where one can find bugs quicker and find the line of code that is a problem has made us more efficient. The turn around time for production support is quite high when using this kind of solution.

Graylog's search functionality, alerting functionality, user management, and dashboards are useful. They also provide an easy way to create dashboards, and the interface is also quite easy to use.

Graylog can improve the index rotation as it's quite complicated. They need to work on that because it's quite cumbersome to manage the index rotation with all the logs.

The filtering of logs before ingestion also needs a bit of work. This is because you have to write some code to avoid certain things before ingesting. As it doesn't support certain AIX versions, you need to upgrade the servers to accommodate it.

I have been using Graylog for about three years.

Graylog is quite stable, and the only issue is the index rotation.

Graylog is scalable and can be deployed in a clustered distributed environment.

The support from the Graylog community is helpful, but they can do better. The enterprise support doesn't really cater to open-source solutions. They only support you if you are an enterprise working on a POC. If you want to do a POC for an enterprise solution, they need assurances that you'll buy their enterprise solution. 

I have used different solutions like Nagios before. These solutions are more like manual processes where logging and viewing of logs are conducted on the server.

Others like ELK are difficult to use because it isn't straightforward and requires a lot of reading. You have to learn quite a lot before using it.

Graylog is quite easy to set up. As it comes with a prepackaged installation file, it's not complex to install and takes one to three days to deploy. If you have to study the documentation and then implement it, I think you can do it within a week.

All implementation was handled in-house.

Graylog is straightforward to install and easy to maintain. It also comes with alerting. But one has to be mindful of the support and disadvantages like the index rotation.

On a scale from one to ten, I give Graylog an eight.

I use this solution regularly for analyzing incidents, collecting them to figure out what's going on. For now, I'm using it myself but would like to also deploy for some of my customers in the near future. I'm an entrepreneur in a security solutions company and a customer of Graylog. 

I like the simplicity of the solution, the fact that it's open source and user friendly.

It would be helpful if they would work more on the documentation because it's not very clear and ideally I'd like to be able to do more myself, but would need some additional guidelines and material for that.

I've been using this solution for a year. 

It's a stable solution. 

I believe it's a scalable solution but haven't tested it yet. 

The technical support is a weak point in this product. It's not so easy to contact them and they don't answer immediately. Sometimes it takes a lot of time and the wait is difficult. If I had enough documentation I might not need the support. 

The initial setup was relatively straightforward. I was able to deploy it myself in a couple of days. For now, I'm the only user. I know it can be scaled for free for up to five users and I'll test that soon. 

This is a good product and I would rate it an eight out of 10.