Since many years I’m interested in security log, in new tools and techniques, and implementation of usable solutions. With the release of Graylog2, I switched my productive log infrastructure from ELK to Graylog, but I’m still not complete happy with them.

Graylog2 has all basic features to ingest, analyze, and display a large amount of data, but in many areas – especially dashboards – there is a lot of room for improvements.

Graylog V3

Graylog is now approaching version 3.0 and even if the dashboard functionalities cannot be compared with those offered by Kibana, the version packs some long-awaited features. For a complete list of improvements, please refer to Graylog web site.

For my use case, there are two killer features: Views and Content Packs. Please note that we are talking about the free but licensed version of Graylog V3, so all features can be found in “Enterprise” menu.

Views

In Graylog V2, widgets in dashboards have a predefined time interval; it is therefore not possible to walk through time.

In Graylog V3, apart from the static dashboards still present, the Enterprise/Views have been introduced: now it is possible to define a Search with all the necessary widgets and store it in order to use it as needed.

Widgets are now more flexible and comfortable to edit. The amount of widgets available should be increased, but the direction seems to be the right one.

Content Packs

Content Packs have now the ability to export the complete set of configurations, including Inputs! Now is possible to port configs without the MongoDB dumps workaround.

Reports

It is now possible to create and receive a report at regular intervals; basically the view is transformed to PDF and dropped in your inbox.

Other

There are additional useful features:

• a view for the audit trail, where is possible to check the performed activities
• sidecar has been improved; with sidecar it is possible to centrally manage the collectors configuration
• Elasticsearch 6 is supported

Summary

The update from Version 2 to 3 may seem like a trivial matter, but – in my opinion – there are changes in the structure of the components that will make the development of new feature easier and more frequent.

Even if only the Enterprise part has been enhanced, the limit of 5Gb data per day is fair, making Graylog really usable for most of the small companies lacking budget for log analysis.

Graylog, even with all limitations, is a complete solution that can be used for the collection and analysis of log files and for alerting in case of deviations. For small companies, the data limit is not a problem, and with a small investment in hardware, you can have an economical and efficient data analysis solution available.

About the Author

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.

Links

• https://twitter.com/graylog2/status/1083471287077482502
• https://www.graylog.com
• https://www.graylog.org/products/graylog-3-preview