Step 1: How is the Installation and Configuration Going?

For us, the deployment of Graylog was to solve a very specific need at a time when another well-known SIEM solution just wasn’t going to be ready quickly enough to accommodate us. We started with a single OVA for evaluation and immediately obtained a free enterprise license because we thought, “why not fully explore Graylog if we’re going to use it?”

The installation was pretty quick since we started with the OVA. We booted it and it was ready to go right away. We were able to get users configured and an input, index, and stream up and running within a day. We were ingesting logs by the end of the first day.

For us, the challenge was in securing Graylog. We knew immediately that we wanted to configure HTTPS on the web interface. We failed to immediately appreciate how precise this process would be, and in the end our problems came down to not following the documentation exactly. Once we read and re-read the process, we got past our difficulties. I actually ended up writing a post to help guide others.

My tip to the community is to be sure to carefully follow the documentation. I have yet to find that it doesn’t have the information that I need. It is also important to be sure that the documentation being used is for the correct Graylog version.
