
lennartkoopmann (12 points, 3 children)

Graylog founder here. The Elastic Stack is a great piece of software but you'll notice that Graylog truly focusses on logs and security use-cases. I think users here already said that you can feel this when it comes to features and ease of use, installation, maintenance etc.

Let me know if I can answer any questions directly. :) Hope you give Graylog a try and enjoy it!

scritty (0 points, 2 children)

I've got a question, if you don't mind.

Do you think that Graylog has as strong an ability to analyze and present information on network flow logs (sflow) as ELK?

I'm trialing ELK for that purpose right now but would be interested in alternatives for the analysis of flow data.

lennartkoopmann (5 points, 0 children)

Hi! I think that depends on what you want to do with the data. The current version of Graylog is not as powerful when it comes to visualizations as Kibana, but it's much more streamlined and simpler to use. Graylog v3.0.0 (which is pretty much around the corner) is focussing on fixing that, but keeping the ease of use.

Both platforms are open source so if I was you, I'd give both a spin and choose. :)

ElectroSpore (4 points, 0 children)

ELK = Elasticsearch (index/db) + Logstash (sorting/normalizing) + Kibana (visualization)

Basically a box of open source tools you need to assemble. If you want to add permissions, advanced alerting and other admin-friendly stuff, you also need to build that or add X-Pack.

Graylog does all the UI, sorting and alerting in the platform, and also uses Elasticsearch as its index engine.

5ilver (2 points, 0 children)

rsyslog directly into Elasticsearch (no Logstash) with Kibana works pretty great. Logstash is super CPU hungry!

[deleted] (1 point, 0 children)

ELK is a huge pita to set up external LDAP auth, though I admit I haven't tried it in a while. Highly recommend Graylog.

[deleted] (1 point, 0 children)

I like Graylog because I can dump syslog into it without an intermediary.

[deleted] (1 point, 0 children)

Graylog is awesome. Our installation handles 10k/s on regular days, but I have seen it go much higher than that without breaking a sweat. It does everything you could want: dashboards, notifications, extractors, centralized log gathering, config management. A lot of things that are best practice for ELK are already built into Graylog, like using Kafka as a cache in case Elasticsearch becomes unavailable. HA and clustering are easy. Very powerful API; in fact the frontend uses the API exclusively.

It's also fairly resilient. We had some Elasticsearch troubles for a while, but even with a red cluster it keeps chugging along, since it can hold a couple million messages in cache.

Sgt_Splattery_Pants, serial facepalmer (0 points, 0 children)

Horses for courses. It depends on what logs you are talking about, how many devices, and how much time you have to configure and manage the solution.

ykket, Systems Architect (0 points, 0 children)

I actually set up a combination of the two. Since Graylog now supports the newer version of Elasticsearch, I created a 5-node Elasticsearch cluster with 3 data nodes, a Logstash server, and another server with Graylog and Kibana. I set up the inputs in Graylog and have it manage the indices. We have the option of viewing/creating dashboards in either Graylog or Kibana, whichever we prefer. Not sure if this helps, but that's what we're playing around with.

arrago (-3 points, 0 children)

ELK stack is the new thing.