Steps 11 and 12 in the User's Journey

FINAL WEEK!
We’re combining the final weeks (Weeks 11 and 12) of Graylog User Journey questions. Remember, we’ll be awarding one lucky participant with a $100 Amazon Gift Certificate after Week 12. If you haven’t played, there’s still time to catch our top contenders. Just post a detailed response for each week’s step. It’ll give you one chance for each week’s post (12 in all).

Week 11 question: Now that you’ve gone through your first “journey” with Graylog, think about the experience. Ask yourself (and let us know your answer): What are the real possibilities of using Graylog? What might be some instances in which Graylog can really help you?

Week 12 question: Finally, let us know if you used another tool in the past, like Splunk, to do something. How were you able to do the same task with Graylog?

We will announce the winner of Graylog User Journey next week. Thank you all for playing!

What are the real possibilities of using Graylog?

One of Graylog's capabilities is its default features. After setting up the Graylog server for the first time and ingesting logs from multiple devices with different types of formatted logs, I can group them together not only using a dashboard but also a quick saved search, and be able to share my search with specific users. If a project requires a more defined search, I’m able to use a Regular Expression, GROK Pattern, Pipeline, JSON, etc… to create new fields, send logs to a required stream, or basically transform the data under default fields into something else. This absolutely gives me freedom to do what I want without being confined to a web page with a lot of syslogs being displayed.

One feature that does get used a lot in my environment is Event Definitions. If set up properly, on one page I can see all the alerts and how many times each happened (i.e., count), with a quick overview of what is going on with my DMZ. I’m able to stop a catastrophe before it happens. The “One Stop Shop” Alerts & Events section is the most appreciated feature. The next feature that is used a lot is Streams; this makes sorting a metric ton of logs simpler. This is also one of the backbones of our Alerts, Notifications, Dashboards, etc… it’s the second if not the most used feature. I can compare it to a closet in my bedroom: I just put everything in there and I’ll sort it out later :blush:.

The potential of using Graylog can go beyond just collecting and alerting. I have found that in real time you can see how all devices are operating within a domain, for example such things as who logged in where and on what device, Windows Update failed to install automatically, there is a conflict with drivers in my Hyper-V cluster, Domain controller replication failed (send help), Veeam License Has Expired, I could go on. These features make it worth setting up a Graylog server. The one thing I do like is the ability to use the enterprise version for free, and the only stipulation is “Keep it under 5 GB”.
Elastic Stack, no freaking way you could get that.
Let me share something with you all. Elastic contacted me about a service (“SSO”) that we were looking at; I had never bothered with any type of enterprise installments before, but I was curious. This was the email received.

Holy cow, $6,600.00 for a node just to have SSO enabled, nope. I dropped them like a heartbeat.
What I can get from Graylog open source may not have all the bells and whistles of other logging servers, but I must say Graylog is very close, and I can get the Graylog enterprise version for free so long as it’s under 5 GB. I’m SOLD.

Sometimes you don’t appreciate what you have until you don’t have it. That being said, I really appreciate Graylog. I would like to thank everyone here who has helped me out with issues and all the people that created and maintain this awesome software for us.

The only other tool I have ever used is Zabbix. I have been using Zabbix since 2010 and it’s our workhorse, but not only that, Graylog and Zabbix play nice, and in my world that’s a bonus. I have Googled for days looking to compare Graylog with and I did not find much. Either you get a logging server that is EOL or a logging server that is made for a large company, something a small company cannot afford.

1 Like

When I started using Graylog I was thrilled with a lot of useful features out of the box. If you need only a simple syslog server with search capability, you can have that. If you want to add some alerts, there is a handy feature for it. Do you need some visualization graphs? No problem, create a nice-looking dashboard and share it with other colleagues. Want to log in using AD? Just set up AD authentication. Want to separate failed logins or app errors? Just separate them using streams. Want to use advanced parsing? Simply use pipelines and the wonderful pipeline rules with a lot of useful functions. Want some special function that is not included? Create your own plugin yourself or with internal developers.

Speed of deployment is another feature. I’m a big fan of Ansible, so an Ansible playbook is the way to go for me. Just update some parameters, start the playbook, and your Graylog install is ready in a few minutes.

What I’m really grateful for in Graylog is the REST API. Everything you click in the web UI you can also do with scripts via the REST API, which opens endless possibilities to integrate with other systems, automate manual steps, or run them on a schedule. E.g. do you need to stop some alert during maintenance? No problem, create a simple script using the REST API or integrate with a configuration tool like Ansible and you are done.

I’m also a Zabbix fan like @gsmith . With Graylog it’s a great combo for availability and log monitoring. Zabbix also contains a log monitoring feature, but it’s not easy to use. On the other hand, Graylog is perfect for log monitoring and blazing fast in search.
A while ago we tested Splunk free, but stopped using it because it lacked one essential feature, which is alerting, and it was also limited to 500MB/day data ingestion, which was too small even for our small business environment. It had nice visualization features that were not possible in Graylog at that time (nowadays Graylog is much more capable in this field), but the problems mentioned above were a stopper for us.
During the POC we also tested VMware vRealize Log Insight, which was a really nice product, very easy to use, but very costly, so we couldn’t afford it. Maybe the Graylog devs should check it out for some inspiration.

1 Like
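An added example, not code from the thread or from Graylog itself, of the maintenance-window automation the post above describes: it resolves an event definition by title and builds the unschedule/schedule REST calls that bracket the window. The endpoint paths, the placeholder BASE_URL and TOKEN, and the sample listing are assumptions and constructed data, and the X-Requested-By header is the one Graylog requires on non-GET calls.

```python
# Added example (not from the thread). Assumed: Graylog 4.x endpoints below,
# placeholder BASE_URL/TOKEN. Hypothetical names throughout.
import base64
import json
import urllib.request

BASE_URL = "https://graylog.example.internal:9000"  # placeholder host
TOKEN = "REPLACE_WITH_API_TOKEN"                     # placeholder token

# Constructed sample of what GET /api/events/definitions returns (trimmed).
SAMPLE_LISTING = {"event_definitions": [
    {"id": "abc123def456", "title": "DMZ failed logins"},
    {"id": "fed654cba321", "title": "Veeam license expired"},
]}

def auth_header(token: str) -> str:
    # Graylog API tokens go in HTTP Basic auth with the literal password "token".
    return "Basic " + base64.b64encode(f"{token}:token".encode()).decode()

def build_request(base_url, token, path, method="GET", body=None):
    """Build a urllib Request; Graylog rejects non-GET calls lacking X-Requested-By."""
    headers = {"Accept": "application/json", "Authorization": auth_header(token)}
    data = None
    if method != "GET":
        headers["X-Requested-By"] = "maintenance-script"
        headers["Content-Type"] = "application/json"
        data = json.dumps(body if body is not None else {}).encode()
    return urllib.request.Request(base_url + path, data=data, headers=headers, method=method)

def find_definition_id(listing: dict, title: str):
    """Resolve an event definition id by its title from the listing response."""
    for item in listing.get("event_definitions", []):
        if item.get("title") == title:
            return item["id"]
    return None

def maintenance_requests(base_url, token, definition_id):
    """The pair of calls bracketing a window: unschedule first, schedule afterwards."""
    base = f"/api/events/definitions/{definition_id}"
    return (build_request(base_url, token, base + "/unschedule", "PUT"),
            build_request(base_url, token, base + "/schedule", "PUT"))

if __name__ == "__main__":
    # Offline run: the list request is built and the id resolved from the constructed sample.
    listing_req = build_request(BASE_URL, TOKEN, "/api/events/definitions")
    def_id = find_definition_id(SAMPLE_LISTING, "DMZ failed logins")
    stop, start = maintenance_requests(BASE_URL, TOKEN, def_id)
    for req in (listing_req, stop, start):
        print(req.get_method(), req.full_url)
    # Against a live server: urllib.request.urlopen(stop), do the work, then urlopen(start).
```

Against a real server, the listing call's JSON body replaces SAMPLE_LISTING and urlopen() sends the two PUT requests around the maintenance work.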