I’ll echo the totally not a robot’s statements. The reason I went with Graylog was that our dev team just wants logs, they don’t care about visualisations, and that Graylog comes out of the box with LDAP and role-based access controls. Kibana in its “free” version does not, and we’ve had some hilarity with devs trying to manage the cluster when I wasn’t looking by using Kibana’s dev tool.
On top of that, in the long run, from a financial standpoint Graylog’s pricing is just much more attractive than getting an ELK stack with x-pack. With our current setup we’d be looking at stupid amounts of money to get features that Graylog already has. When the time comes (soon, staff people, soon) I’ll gladly convince my higher-ups to spend money on a Graylog Enterprise license, if only for the support. Because feature-wise, the open source version totally hits the spot.
Now, for visualisations, yes, Graylog is lacking in that department. On the other hand, you do get a search API, so it’s “easy enough” to write some code that uses that to wrangle your visualisations for you. Also because I find that while Kibana does visualise better, it still doesn’t do it quite right, so we have home-brew stuff running anyway, especially for our data analysts who always want things different.
So the long of it is above, the short of it: I picked Graylog for feature-richness, ease of management, and future much lower cost than a full-blown enterprisey ELK stack.