What is Graylog?

Graylog is a powerful Security Information and Event Management (SIEM) solution offering a robust log analytics platform that simplifies the collection, search, analysis, and alerting of all types of machine-generated data. It is specifically designed to capture data from diverse sources, allowing you to centralize, secure, and monitor your log data efficiently. Graylog can perform a wide range of cyber security functions, such as:

  • Data aggregation

  • Security data analytics (reports and dashboards)

  • Correlation and security event monitoring

  • Forensic analysis

  • Incident detection and response

  • Real-time event response or alerting console

  • Threat intelligence

  • User and entity behavior analytics (UEBA)

  • IT compliance management

Graylog Products and Service Offerings

Each product from Graylog delivers powerful functionality suited to different needs and scales. Whether self-managed or in the cloud, there is a solution fitting for every organization focused on keeping your log data secure, accessible, and actionable.


Graylog Open

Graylog Open is the free, open-source version of the Graylog software, offering core centralized log management capabilities for gathering, enriching, storing, and analyzing data from various sources. We advocate for software accessibility and inclusivity, which is why Graylog Open is anchored on community participation, ensuring continuous enhancements and community-driven innovation influenced by open-source contributors.

Graylog Enterprise

Graylog Enterprise comprises two license categories (Graylog Enterprise and Graylog Security). This offering caters to various organizations and use cases with self-managed or cloud options available. Graylog Enterprise provides all the features of Graylog Open plus additional advanced features essential for managing complex IT infrastructures, along with access to the Graylog enterprise support team. A valid Enterprise license is required to utilize this product.

Graylog Security

Graylog Security is a product forming part of the Graylog Enterprise offering, and it provides a comprehensive cybersecurity-focused suite of tools geared toward threat detection, investigation, and response (TDIR). Graylog Security requires a separate license.

Graylog Cloud

Available with Graylog Enterprise and Security, Graylog Cloud is designed for those who value the convenience and scalability of cloud-based log management. As a fully managed cloud service, it reduces operational overhead, offers rapid deployment and seamless updates for an efficient logging solution, and provides a highly secure platform to protect your vital log data.

Graylog API Security

Graylog API Security protects your critical APIs by offering in-depth visibility into API usage and activity. It provides powerful threat detection that identifies potential API abuse, together with detailed logging that aids in understanding API interactions and data flows.

Graylog Illuminate

Graylog Illuminate is a collection of content comprising pipelines, parsing rules, lookup tables, and more, which enriches and normalizes your log data. This process of enrichment and normalization then enables various event logs to be processed using a standard methodology, leveraging the Graylog schema and Graylog Information Model (GIM) to make searching and analyzing common log sources more efficient. Graylog Illuminate is available with Graylog Enterprise and Security and does not require a separate license.

Graylog Core Features

Whether you are a small business or a large enterprise, Graylog's core features provide you with the tools you need to monitor and troubleshoot your systems effectively:

  • Streams operate as a form of tagging for incoming messages. Streams route messages into categories in real time, and stream rules instruct Graylog which stream a message belongs in. Streams are also used to route data for storage into an index, to control data access, and to route messages for parsing, enrichment, and other modifications before determining which messages to archive.

  • The Graylog Search page is used to search log messages directly. Graylog uses a simplified syntax, similar to Lucene. Relative or absolute time ranges are configurable from dropdown menus. Searches may be saved or visualized as aggregations, which can be added directly to dashboards from within the search. You can configure your own views and choose to see either a summary or complete data from event messages.

  • Graylog dashboards are visualizations or summaries of information contained in log events. Each dashboard is populated by one or more widgets. Widgets visualize or summarize event log data using values derived from message fields, such as counts, averages, or totals. You can create indicators, charts, graphs, and maps to visualize the data. Dashboard widgets and dashboard layouts are configurable, and dashboard access is governed by Graylog's role-based access control.

  • Alerts are created using event definitions, which consist of conditions. When a condition is met, Graylog stores the occurrence as an event, which can in turn trigger an alert.

  • An index is the basic unit of storage for data in your search backend. Index sets provide configuration for retention, sharding, and replication of the stored data. Values, like retention and rotation strategy, are set on a per-index basis, so different data may be subjected to different handling rules.

  • Graylog Sidecar is an agent to manage fleets of log shippers, like Beats or NXLog. These log shippers are used to collect OS logs from Linux and Windows servers. Log shippers read logs written locally to a flat file, and then send them to a centralized log management solution. Graylog supports management of any log shipper as a backend.

  • Graylog’s processing pipelines enable you to run a rule, or a series of rules, against a specific type of event. Tied to streams, pipelines allow for the routing, denylisting, modification, and enrichment of messages as they flow through Graylog.
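As an added example (not content from the Graylog documentation or from Illuminate), two rules in Graylog's pipeline rule language illustrate the four operations named above: the first denylists debug-level syslog noise, the second parses, normalizes, enriches and routes sshd authentication failures. The stream name "SSH Authentication Failures", the field names set by the rules, and the syslog field layout are assumptions for this example; each rule is created as its own pipeline rule and attached to a pipeline stage connected to the relevant stream.

```graylog
// Rule 1: denylisting. Drop verbose debug-level syslog messages before they are indexed.
// The "level" field holds the syslog severity as parsed by Graylog's syslog inputs (assumed).
rule "drop debug-level syslog noise"
when
    has_field("level") && to_long($message.level) >= 7
then
    drop_message();
end

// Rule 2: modification, enrichment and routing for sshd authentication failures.
// The stream name and the field names written below are assumptions for this example,
// not predefined Graylog or GIM names.
rule "normalize and route sshd authentication failures"
when
    has_field("message") &&
    contains(to_string($message.message), "Failed password", true)
then
    // Modification: extract structured fields from the free-text syslog line, e.g.
    // "Failed password for invalid user admin from 203.0.113.5 port 52214 ssh2" (constructed sample)
    let parsed = grok(
        pattern: "Failed password for (invalid user )?%{USERNAME:user} from %{IP:src_ip} port %{INT:src_port}",
        value: to_string($message.message),
        only_named_captures: true
    );
    set_fields(parsed);

    // Normalization: a lower-cased user name lets searches and dashboard aggregations
    // group the same account consistently regardless of how the client spelled it.
    set_field("user_name", lowercase(to_string(parsed["user"])));

    // Enrichment: a constant category turns the event definition for an alert into a
    // simple field match instead of a full-text search over the message body.
    set_field("event_category", "authentication_failure");

    // Routing: deliver to the dedicated stream and remove the message from the default stream.
    route_to_stream(name: "SSH Authentication Failures", remove_from_default: true);
end
```

With the message in its own stream, an index set with a longer retention period can be assigned to it, and an event definition matching `event_category:authentication_failure` can drive the alert.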

Get Started with Graylog

Plan Your Deployment

Before diving into the installation, it is essential to plan your Graylog deployment carefully. Consider the size and complexity of your environment to determine hardware requirements and architecture design. Graylog supports various configurations, from small single-server setups to large, distributed architectures.

Install Graylog

The next step is installing Graylog. The Graylog documentation provides detailed instructions for several platforms and environments. Choose the method best suited for your use case.

Navigate the User Interface

Once Graylog is up and running, it is time to familiarize yourself with the web interface. Here you can search and analyze your indexed data and configure your Graylog environment to suit your needs.