Graylog V3 - A long awaited Version

by Rocco Gagliardi

Keypoints

This is what the new Graylog version has to offer

  • The new features of Graylog V3 are available only in the Enterprise version
  • Great improvement with Views
  • Better portability with Content Packs
  • Free Enterprise license for up to 5 GB/day

For many years I have been interested in security logging, in new tools and techniques, and in the implementation of usable solutions. With the release of Graylog2, I switched my production log infrastructure from ELK to Graylog, but I am still not completely happy with it.

Graylog2 has all the basic features needed to ingest, analyze, and display large amounts of data, but in many areas, especially dashboards, there is a lot of room for improvement.

Graylog V3

Graylog is now approaching version 3.0, and even if its dashboard functionality still cannot be compared with what Kibana offers, the version packs some long-awaited features. For a complete list of improvements, please refer to the Graylog web site.

For my use case there are two killer features: Views and Content Packs. Note that we are talking about the free but licensed version of Graylog V3, so all of these features are found under the “Enterprise” menu.

Views

In Graylog V2, widgets in dashboards have a predefined time interval; it is therefore not possible to walk through time.

Old fashioned Dashboard

In Graylog V3, apart from the static dashboards, which are still present, Enterprise Views have been introduced: it is now possible to define a search together with all the necessary widgets and store it, so that it can be reused as needed and replayed over any time range.

New view observing a 30-minute time frame

Same view observing a 2-hour time frame

Widgets are now more flexible and more comfortable to edit. The number of available widgets should still grow, but the direction seems to be the right one.

New widget interface

Possibility to aggregate any field

Content Packs

Content Packs are now able to export the complete set of configurations, including Inputs! It is finally possible to port a configuration between instances without the MongoDB dump workaround.

Now it is possible to export many configuration aspects
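Because a content pack can now carry Inputs, importing one creates network listeners on the target node, so the inputs deserve a look before the pack is installed. The script below is an added example, not code from this article or from Graylog itself: it audits the inputs declared in a pack and flags the settings a practitioner would want to see (all-interface bind address, privileged port, plaintext TCP/HTTP transport, global input). It assumes the Graylog 3 content pack JSON layout, in which a top-level "entities" list holds input entities whose fields are typed `@type`/`@value` objects that may reference the pack's "parameters"; the embedded pack and its identifiers are constructed for the example.

```python
"""Pre-import audit of the Inputs declared in a Graylog 3 content pack.

Added example; not code from the article or from Graylog. The field layout
(entity "type", typed "@type"/"@value" fields, "parameter" references) follows
the Graylog 3 content pack format as an assumption; the pack itself is constructed.
"""
import json

# Constructed sample pack: two inputs and one stream entity (stream is ignored).
SAMPLE_PACK = json.dumps({
    "v": 1,
    "id": "00000000-0000-0000-0000-000000000000",  # constructed id
    "rev": 1,
    "name": "constructed-example",
    "summary": "Constructed content pack for the audit example",
    "description": "",
    "vendor": "example",
    "url": "",
    "parameters": [
        {"name": "SYSLOG_PORT", "title": "Syslog port",
         "type": "integer", "default_value": 1514},
    ],
    "entities": [
        {"v": "1", "type": {"name": "input", "version": "1"}, "id": "input-1",
         "data": {
             "title": {"@type": "string", "@value": "Syslog UDP"},
             "type": {"@type": "string",
                      "@value": "org.graylog2.inputs.syslog.udp.SyslogUDPInput"},
             "global": {"@type": "boolean", "@value": True},
             "configuration": {
                 "bind_address": {"@type": "string", "@value": "0.0.0.0"},
                 "port": {"@type": "parameter", "@value": "SYSLOG_PORT"},
             }}},
        {"v": "1", "type": {"name": "input", "version": "1"}, "id": "input-2",
         "data": {
             "title": {"@type": "string", "@value": "GELF TCP"},
             "type": {"@type": "string",
                      "@value": "org.graylog2.inputs.gelf.tcp.GELFTCPInput"},
             "global": {"@type": "boolean", "@value": False},
             "configuration": {
                 "bind_address": {"@type": "string", "@value": "127.0.0.1"},
                 "port": {"@type": "integer", "@value": 514},
                 "tls_enable": {"@type": "boolean", "@value": False},
             }}},
        {"v": "1", "type": {"name": "stream", "version": "1"}, "id": "stream-1",
         "data": {"title": {"@type": "string", "@value": "All syslog"}}},
    ],
})


def unwrap(value, parameters):
    """Resolve a typed content-pack value. Parameter references are replaced
    by the referenced parameter's default_value (None if it is not defined)."""
    if not isinstance(value, dict) or "@type" not in value:
        return value
    if value["@type"] == "parameter":
        for param in parameters:
            if param.get("name") == value["@value"]:
                return param.get("default_value")
        return None
    return value.get("@value")


def audit_inputs(pack_json):
    """Return one record per input entity with the findings a reviewer should
    check before installing the pack on a node."""
    pack = json.loads(pack_json)
    parameters = pack.get("parameters", [])
    report = []
    for entity in pack.get("entities", []):
        if entity.get("type", {}).get("name") != "input":
            continue
        data = entity.get("data", {})
        cfg = {k: unwrap(v, parameters)
               for k, v in data.get("configuration", {}).items()}
        input_type = unwrap(data.get("type"), parameters) or ""
        port = cfg.get("port")
        findings = []
        if cfg.get("bind_address") in ("0.0.0.0", "::"):
            findings.append("binds all interfaces")
        if port is None:
            findings.append("port unresolved")  # parameter without default
        elif isinstance(port, int) and port < 1024:
            findings.append("privileged port")  # Graylog normally runs unprivileged
        if ("TCP" in input_type or "Http" in input_type) and not cfg.get("tls_enable"):
            findings.append("plaintext transport")
        if unwrap(data.get("global"), parameters):
            findings.append("global input")  # started on every node of the cluster
        report.append({"title": unwrap(data.get("title"), parameters),
                       "type": input_type, "port": port, "findings": findings})
    return report


if __name__ == "__main__":
    for item in audit_inputs(SAMPLE_PACK):
        flags = ", ".join(item["findings"]) or "no findings"
        print(f"{item['title']} ({item['type']}) port {item['port']}: {flags}")
```

Run it against a pack exported from a test instance before importing it into production; a parameter reference without a default shows up as "port unresolved", which is a reminder that the value will be asked for at install time.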

Reports

It is now possible to create and receive a report at regular intervals: basically, a view is rendered to PDF and dropped into your inbox.

Now it is possible to define reports

Other

There are additional useful features beyond those covered here.

Summary

The update from version 2 to version 3 may seem like a trivial matter, but, in my opinion, there are changes in the structure of the components that will make the development of new features easier and more frequent.

Even if only the Enterprise part has been enhanced, the limit of 5 GB of data per day is fair, and it makes Graylog genuinely usable for most small companies that lack a budget for log analysis.

Graylog, even with all its limitations, is a complete solution for collecting and analyzing log files and for alerting on deviations. For small companies the data limit is not a problem, and with a small investment in hardware you get an economical and efficient log analysis solution.

About the Author

Rocco Gagliardi

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.
