Graylog vs. RackFoundry Total Security Management (discontinued)

For small companies, Graylog is the best solution possible. It's easy to configure and "just works." Above everything else, it's free. The only thing I hold against it is the fact that it's Linux-based. [This] makes sense because Elasticsearch is Linux-based. But Linux adds a layer of complexity that we don't need for something basic as a logging server. I'm pretty sure that we would have had a logging server years earlier if I had to convince quite a few decision-making people to go ahead with it anyway.

Incentivized

RackFoundry Total Security Management (TSM) is suited for most companies that have the same challenge as my team had. If you are looking to purchase one security tool and spend most of your allocated budget then I would not recommend this for you. However, if you are looking for something close to a single pane of glass, (granted there is no such thing) this solution does come close as they have the main components built in such as their FW/IPS/IDS/SIEM. Before selecting RackFoundry we had two options which were: 1) Upgrade our current solution and spend an overbearing amount 2) Search for new vendors and maybe procure 1-3 devices and then manually integrate them. Because this was a unified console and integration between devices was simple, we were able to obtain 4-6 security functions and we even had some sense of security visibility via the SIEM. It's not as powerful as Splunk or LogRhythm, but it definitely does the job

• Graylog does a great job of its core function: log aggregation, retention, and searching.
• Graylog has a very flexible configuration. The backend for storage is Elasticsearch and MongoDB is used to store the configuration. You have to option to make your configuration as simple as possible by storing everything on one box, or you can scale everything out horizontally by using a cluster of Elasticsearch nodes and MongoDB servers with several Graylog servers pointed to all the necessary nodes.
• Graylog does a good job of abstracting away a fair portion of Elasticsearch index management (sharding, creation, deletion, rotation, etc).

Incentivized

• Making promises about a service and product.
• Advertising a good price and offering great services.
• Supposedly offer 24/7 365 level 1 threat triaging.

• Support for more log sources
• Event alerts/emails - Some cases where unable to separate data from multiple clients, and no easy fix
• API - Limits results to 10,000 and can cause server to lockup on queries that exceed the limit

Incentivized

• It has been my first year with Rack Foundry and at this point I have to say everything has been smooth, from implementation to support.

Community support does not give simple straightforward answers; simply search up Graylog Issues and look at some of the responses on the forums. The documentation is your only hope if you are on the free version, as you can NOT purchase only support. The few times I have worked with Graylog Enterprise support they were great though.

Incentivized

In terms of log aggregation, the free product fully stacks up with the competitors listed. Full control over the data ingests for flexible configuration. Graylog even better on that front than AlienVault USM because you cannot configure the variable mapping. We haven't used the threat exchange stuff or correlation. But with regex searches, we have created function dashboards that show threat theater pictures of our network based on logs from our firewall.

Incentivized

Well I have experience with the big names: SecureWorks, IBM and Splunk. Individually their logging tools are much better than RackFoundry's Total Security Management. This is great for large corporations and urban cities, however not so great for municipalities, mid size businesses and companies who fluctuate between 1-7 members on their IT staff. Why? Because it takes too much of their resources and integration with other products gets a little rough as you will need to configure your preferences to theirs. When a company has stability it is great to have a name brand product, however renewals and upgrade costs can be taxing to an organization.

• Graylog is just less expensive than some other options which meant it fit into our budget otherwise we might not be able to justify a higher cost.
• Being able to track issues that we normally couldn't track using other tools is a bonus to help us know of any issues we have and can fix before an outage or failure that could potentially cost money.
• We have had to spend more time than I would like to understand and customize Graylog which has taken time away from other tasks and projects.

Incentivized

• Overall the product has had a negative impact. Not necessarily on our environment but in the amount of time it has taken to deploy.