Hello Graylog Community,
I would like to request guidance and clarification regarding the licensing terms of Graylog and its dependencies under the SSPL.
Context of our setup:
- We are using Graylog 3.3.15 with MongoDB 3.4 and Elasticsearch 6.5.
- All components run within a private AWS subnet, not exposed externally.
- We use Graylog purely for internal log aggregation and do not provide it as a service to third parties.
From my understanding, the Server Side Public License (SSPL) imposes strong source code disclosure obligations primarily for entities offering SSPL-licensed software as a service to external users. Since our use case is strictly internal, I believe we might not be subject to these broader obligations.
However, I am facing challenges:
- Due to licensing uncertainty, we are unable to patch or upgrade these components.
- This creates significant maintenance and compliance concerns for us.
My specific questions:
- Does our internal-only use of Graylog, MongoDB, and Elasticsearch under SSPL trigger any compliance obligations (such as source code disclosure)?
- Are there any restrictions or obligations we should be aware of under SSPL in the context of private/internal deployments?
- If we upgrade to newer versions of Graylog, MongoDB, or Elasticsearch (also under SSPL), would our obligations change in any way?
Any guidance from the community or pointers to official resources would be highly appreciated, as this will help us ensure we remain fully compliant while maintaining our deployment.
Thanks in advance!