Level Up Your Logging
Rating: 7 out of 10
June 30, 2019
Vetted Review
Verified User
3 years of experience
Graylog is used to aggregate logs and SNMP traps from our network devices and Linux servers. We not only aggregate and store logs but extract values to make logging more searchable than using flat files with BASH utilities (grep, cut, awk, etc.) to search. For our critical devices, we also use it to forward logs to a room in our private chat service via a custom integration.
Pros
- Graylog does a great job of its core function: log aggregation, retention, and searching.
- Graylog has a very flexible configuration. The backend for storage is Elasticsearch, and MongoDB is used to store the configuration. You have the option to make your configuration as simple as possible by storing everything on one box, or you can scale everything out horizontally by using a cluster of Elasticsearch nodes and MongoDB servers with several Graylog servers pointed to all the necessary nodes.
- Graylog does a good job of abstracting away a fair portion of Elasticsearch index management (sharding, creation, deletion, rotation, etc).
Cons
- Some aspects of Graylog are less than intuitive. For example, if you want to run different extractor rules on different device types due to format differences, you need to create different inputs. Since inputs are their own processes that require ports to be bound to them, you either need different IP addresses for each input or a different (read: non-standard) port, which can make the device configuration more complicated.
- Although Graylog abstracts quite a bit of Elasticsearch management away, it is by no means a turnkey solution. Upgrades to Graylog can require upgrades to Elasticsearch, which occasionally requires manual intervention in Elasticsearch. The same goes for MongoDB. If you're looking to scale out, there is some documentation to get you started, but the heavy lifting is on you.
- As everything is stored in Elasticsearch, there are no more flat files to tail; when moving from a "traditional" logging aggregator like Syslog(-ng), a culture change is going to be required.
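The review describes two things without showing them: extracting fields from raw syslog lines so they can be searched as values instead of grepped as text, and the fact that extractor rules are tied to an input (and therefore to a listening port), so devices with different log formats need different inputs. The example below is added here and is not Graylog's code or the reviewer's configuration; it is a small Python model of that pattern. The two sample lines, the port numbers 1514 and 1515, and the regular expressions are all constructed for illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines (not from the review). The first is in the style of a
# Linux sshd syslog message, the second in the style of a network-device ACL log.
LINUX_SSHD_LINE = (
    "<38>Jun 30 12:00:01 web01 sshd[1234]: Failed password for invalid user admin "
    "from 203.0.113.5 port 54321 ssh2"
)
NETDEV_ACL_LINE = (
    "<188>Jun 30 12:00:02 core-sw1 %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "203.0.113.5(54321) -> 10.0.0.7(22), 1 packet"
)

# Common RFC 3164-style header: <PRI>TIMESTAMP HOST MESSAGE
HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<timestamp>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<message>.*)$"
)

# Extractor rules keyed by the (hypothetical) input port they are bound to.
# This mirrors the review's point: rules belong to an input, and each input
# listens on its own port, so each device type gets its own port.
EXTRACTORS_BY_INPUT_PORT: Dict[int, List[re.Pattern]] = {
    1514: [  # input for Linux servers
        re.compile(
            r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
            r"from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"
        ),
    ],
    1515: [  # input for network devices
        re.compile(
            r"list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
            r"(?P<src_ip>[\d.]+)\((?P<src_port>\d+)\) -> "
            r"(?P<dst_ip>[\d.]+)\((?P<dst_port>\d+)\)"
        ),
    ],
}


def parse(input_port: int, line: str) -> Optional[Dict[str, object]]:
    """Parse the syslog header, then run only the extractors of the receiving input.

    Returns a flat dict of fields, or None if the line has no valid header.
    """
    m = HEADER.match(line)
    if m is None:
        return None
    fields: Dict[str, object] = m.groupdict()
    pri = int(fields.pop("pri"))
    # PRI encodes facility*8 + severity.
    fields["facility"] = pri // 8
    fields["severity"] = pri % 8
    fields["input_port"] = input_port
    for rule in EXTRACTORS_BY_INPUT_PORT.get(input_port, []):
        em = rule.search(str(fields["message"]))
        if em:
            fields.update(em.groupdict())
    return fields


def search(records: List[Dict[str, object]], **criteria: object) -> List[Dict[str, object]]:
    """Field-based search over extracted records, the thing grep on flat files cannot do."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    records = [parse(1514, LINUX_SSHD_LINE), parse(1515, NETDEV_ACL_LINE)]
    for r in records:
        print(r)
    # Both device types attributed to the same source address, found by field value.
    print(search([r for r in records if r], src_ip="203.0.113.5"))
    # Sending the Linux line to the network-device input: header parses, but
    # the sshd fields are never extracted, which is why formats need their own input.
    print(parse(1515, LINUX_SSHD_LINE))
```

Running the block shows the same source address surfacing from two completely different log formats as one searchable field, and the last print shows what goes wrong when a device is pointed at the wrong input: the header still parses, but the type-specific fields are silently missing.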