This article looks at the open-source log file tool Graylog. It is not a technical comparison against other tools, is just to fire some reasons to support my – changed – preference of Graylog over ELK. We are taking here about the free versions.

Since many years I’m a – relative – big fan of ELK, basically because Logstash and Kibana. Since I wrote and maintained my own log parsing and presentation engine, I really appreciate Logstash, in regards of performance, modularity, flexibility. I also appreciate the Kibana visualization features.

Where I’m falling from love with ELK, is the lacks of authentication/authorization features and the absence of a unified management user interface for all components.

Comfort of Graylog

Graylog uses a different approach. The WebUI covers many functionality – from the status of ES indexes up to input, parsing, filter and presentation – making the experience more comfortable; sure, for some advanced tuning, console intervention is needed, but for normal usage, the WebUI provides all functionality necessary to get, parse, manipulate, and present the data.

Key points to use Graylog

Graylog excels in many areas:

• Message parsing is really easy: For K-V log types, with few clicks it is possible to normalise long strings of data. For complex logs, regexp, grok and other extractors are ready to use, without leaving the WebUI.
• Manipulation of messages is also easy: The process starts with routing messages matching some conditions, creating streams! Streams are processed in real-time and are foundation for the whole message processing.
• Pipelines: Concatenation of message processing, increases the flexibility.
• Alerts: Trough real-time streams, messages can be content analyzed and counted and triggers can be set to fire alerts in case of abnormal conditions or on defined incoming content.
• Plugins: Additional features can be added to the core.
• Authentication/authorization: It is possible to restrict visibility of data to authorized people.

Room for Improvements

The dashboard part, even if very well integrated and useful, lacks many features and visualizations contained in Kibana (like aggregations).

Additionally, security settings must be configured separately, also with some terminal effort.

Summary

Graylog, even if not perfect, is – at the moment – the best open-source tool to start with, if there is a need of log management. It is packaged for major Linux distributions, has VM ready for use and also Docker images are available.

It still requires some time to learn the architecture, and in case of problems you could spend days if you never touched Elasticsearch or other log tools. But if you have some experience, you can easily setup a complex environment for complex log analysis in a couple of hours.

About the Author

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.

Links

• https://marketplace.graylog.org
• https://www.elastic.co
• https://www.elastic.co/products/kibana
• https://www.elastic.co/products/logstash
• https://www.graylog.org