The following article exclusively pertains to a Graylog Security feature or functionality. Graylog Security is a part of the Graylog centralized log management platform and requires a separate license. Contact the Graylog Sales team for more information on this product.

Graylog Security provides you with an enhanced and unified view of all Graylog security components—security events, investigations, anomalies, sigma rules, and assets—in a single, accessible space. This unified view of all security-related components allows for seamless navigation through security functionality, utilizing widgets, metrics, notifications, and dashboards all from a central hub and eliminating the need to switch between different pages.

Hint: The General layout remains the default Graylog interface while the Security layout provides a home for those utilizing Graylog Security features. Users with Security licenses, contingent upon their permissions, have the flexibility to toggle between the General and Security layouts, enriching their user experience.

Key Features

Unified Security Space

  • Centralized User Interface: All Security features are accessible from a single location, providing a holistic overview of Security components without the need to switch between various pages.

  • Optimized for Security Tasks: The dedicated Graylog Security layout is optimized to provide tools and features specifically for security analysis, allowing for targeted investigation.

  • Integrated Widgets and Metrics: You can interact with Security data through widgets and metrics, allowing for real-time analysis and monitoring of security events.

Granular Control

  • Permission Settings: Assign and manage permissions with refined control over who can view or edit security-related information, ensuring compliance with organizational policies and practices.

  • Alert and Event Management: Enhance your response to alerts and events by utilizing tailored options designed to address distinct security scenarios more efficiently.

Dual Layout Interface

  • General vs. Security Layout: Switch between the default Graylog General layout and the Graylog Security layout, depending on role and security licensing permissions.

Security Layout

To access the Graylog Security layout:

  1. Log in to your Graylog instance with the necessary permissions.

  2. On the top navigation bar, click the Change UI perspective drop-down menu located beside the Graylog logo in the top-left corner.

  3. Select Security.

Upon switching to the Security layout, you are presented with a welcome page:

  • Events & Alerts: This widget provides real-time insights into your current security events, enabling swift responses to detected threats. The Security interface allows for direct viewing of your security events and alerts via this widget.

  • Investigations: Here, you can track ongoing investigations by toggling between All Investigations and My Investigations, allowing for efficient management and resolution of security incidents.

  • Last Opened: This is a quick-access section for your most recently engaged Security components, allowing you to pick up where you left off.

  • Favorite Items: This widget provides quick access to your favorite tools and features.

  • System Overview: This widget provides an at-a-glance view of system health and activities, ensuring that all Security aspects are functioning optimally.

  • News: The latest updates, news, and announcements from Graylog are showcased here, keeping you informed about new features and best practices.

  • Recent Activity: This widget tracks the latest actions taken by users within the platform, offering insights into usage patterns and potential security maintenance.

  • Releases: Information about the latest Graylog releases, including updates, enhancements, and bug fixes, is provided here.

In the Security layout, all features are located on the top navigation bar. These features remain consistent with those from the General layout but offer some extra functionality as described below.

Investigations Metrics Dashboard


To view the metrics dashboard, the following are required:

  • Graylog 6.0 with OpenSearch 2.0.1 (or greater) or Data Node.

Hint: If a 6.0 cluster installs a Graylog Security license (and did not have one installed previously), a reboot of the Graylog server is needed to fully install the components needed for the dashboard.

Navigate the Metrics Dashboard

When you select the Investigations tab from the top navigation menu, you are presented with a comprehensive list of all investigations. To the right of this list, a dashboard view offers detailed metrics related to these investigations, providing a concise overview of all investigations.

The dashboard provides the following metrics:

  • Dwell Time: This widget tracks the amount of time a threat has persisted in the environment before being recognized as a threat. The value is calculated as the interval from the earliest log evidence timestamp in the investigation to the investigation create time.

  • Time to First Response: This widget tracks the time from when an investigation is created to when the initial edit is made or the first evidence is added. The value is calculated as the interval from the investigation create time to the first investigation update or evidence addition.

  • Time to Detect: This widget tracks the duration between when an alert is triggered and when an investigation begins. The value is calculated as the interval from the alert creation date in the investigation evidence to the investigation create time.

  • Time to Resolve: This widget tracks how long investigations take to resolve. The value is calculated as the interval from the investigation create time to the investigation close time.

  • Opened Investigations: This widget tracks the number of investigations that were opened.

  • Closed Investigations: This widget tracks the number of investigations that were closed.
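The four interval metrics above, worked through on one investigation record. This is an added example, not Graylog code: the record layout and field names (created_at, closed_at, updates, evidence, added_at) are hypothetical, and using the earliest alert when several are attached, and returning no value for a reversed interval, are assumptions.

```python
from datetime import datetime

def _ts(value):
    """Parse an ISO 8601 timestamp; None stays None."""
    return datetime.fromisoformat(value) if value else None

def _interval(start, end):
    """end - start, or None when a side is missing or the order is reversed
    (assumption: a reversed interval is reported as no value, not a negative one)."""
    if start is None or end is None or end < start:
        return None
    return end - start

def investigation_metrics(inv):
    """Compute the dashboard's interval metrics for one investigation record."""
    created = _ts(inv["created_at"])
    evidence = inv.get("evidence", [])
    logs = [_ts(e["timestamp"]) for e in evidence if e["type"] == "log"]
    alerts = [_ts(e["timestamp"]) for e in evidence if e["type"] == "alert"]
    # First response: whichever comes first, an investigation update
    # or an evidence addition.
    touches = [_ts(t) for t in inv.get("updates", [])]
    touches += [_ts(e["added_at"]) for e in evidence]
    return {
        "dwell_time": _interval(min(logs, default=None), created),
        "time_to_detect": _interval(min(alerts, default=None), created),
        "time_to_first_response": _interval(created, min(touches, default=None)),
        "time_to_resolve": _interval(created, _ts(inv.get("closed_at"))),
    }

# Constructed sample (UTC); not exported from a real Graylog instance.
SAMPLE = {
    "created_at": "2024-05-02T10:00:00",
    "closed_at": "2024-05-02T18:30:00",
    "updates": ["2024-05-02T10:45:00"],
    "evidence": [
        {"type": "log", "timestamp": "2024-05-01T22:15:00", "added_at": "2024-05-02T10:20:00"},
        {"type": "log", "timestamp": "2024-05-02T03:00:00", "added_at": "2024-05-02T10:25:00"},
        {"type": "alert", "timestamp": "2024-05-02T09:40:00", "added_at": "2024-05-02T10:12:00"},
    ],
}
# Edge case: a freshly opened investigation with no evidence yet.
OPEN_EMPTY = {"created_at": "2024-05-03T08:00:00"}

if __name__ == "__main__":
    for name, value in investigation_metrics(SAMPLE).items():
        print(f"{name}: {value}")
```

An investigation with no log or alert evidence, or one that is still open, yields no value for the corresponding metric rather than zero.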

Assign Roles and Permissions


Specific security event permissions are required to use security events functionality. The following individual permissions are available for security events within the Security layout:

  • security_event:create

  • security_event:edit

  • security_event:read

  • security_event:delete

  • security_event:execute_notifications: This permission enables the ability to send notifications for specific security events on demand (using the Send Notification button).

Events and Investigations Dashboard Widgets

  • Investigations widget: Requires the investigations:read permission to display results.

  • Events widget: Requires the security_event:read permission to display results. The widget has built-in capability to display security event fields such as risk score, owner, status, and more. This permission is required for security events.

Hint: The security_event:edit operation is also required for the security_event:execute_notifications action because it creates a SecurityEvent in MongoDB for each notification that is sent.


Roles are selectable and can be assigned while editing a user. For convenience, the following roles are available by default:

Hint: The eventdefinition, eventnotification, and investigations permissions are needed in order to view security event details.

  • Security Events Reader permissions:

    • security_event:read

    • eventdefinitions:read

    • investigations:read

  • Security Events Manager permissions: (This set includes all Security Events Reader permissions and the following.)

    • security_event:create
    • security_event:edit
    • security_event:delete
    • security_event:execute_notifications
    • eventdefinitions:create
    • eventdefinitions:edit
    • eventdefinitions:delete
    • eventnotifications:create
    • eventnotifications:edit
    • eventnotifications:delete
    • eventnotifications:read
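A review of a custom role against the permission sets and dependencies listed above, as an added example that is not Graylog's own code. The audit_role function, its result keys, and the sample role are hypothetical; the permission strings for the two default roles are taken from this page.

```python
# Permission sets of the two default roles, as listed on this page.
READER = frozenset({
    "security_event:read", "eventdefinitions:read", "investigations:read",
})
MANAGER = READER | {
    "security_event:create", "security_event:edit", "security_event:delete",
    "security_event:execute_notifications",
    "eventdefinitions:create", "eventdefinitions:edit", "eventdefinitions:delete",
    "eventnotifications:create", "eventnotifications:edit",
    "eventnotifications:delete", "eventnotifications:read",
}

def audit_role(permissions):
    """Report what a role's permission list allows in the Security layout."""
    perms = set(permissions)
    notify = "security_event:execute_notifications" in perms
    edit = "security_event:edit" in perms
    findings = []
    if notify and not edit:
        # Sending a notification also requires security_event:edit.
        findings.append(
            "security_event:execute_notifications is granted without "
            "security_event:edit; Send Notification requires both"
        )
    return {
        "events_widget": "security_event:read" in perms,
        "investigations_widget": "investigations:read" in perms,
        "can_send_notifications": notify and edit,
        "findings": findings,
        # Grants above the read-only default role, for least-privilege review.
        "beyond_reader": sorted(perms & (MANAGER - READER)),
        # Grants outside the security event role sets documented here.
        "outside_documented_sets": sorted(perms - MANAGER),
    }

# Constructed custom role for illustration.
SAMPLE_ROLE = {
    "security_event:read", "investigations:read",
    "security_event:execute_notifications", "streams:read",
}

if __name__ == "__main__":
    for key, value in audit_role(SAMPLE_ROLE).items():
        print(f"{key}: {value}")
```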