Review: Graylog delivers open-source log management for the dedicated do-it-yourselfer
Graylog’s dashboards are built up graphically, which makes them easy to assemble, and you can quickly start by exporting a search over to a dashboard. Each dashboard is composed of widgets that compute values or display graphs, such as “count of results returned,” “number of unique IP addresses seen,” “average response time to HTTP request.”
Graylog security is based on users and groups (“roles” in Graylog). In our testing, we linked this to our Active Directory for authentication and group mapping. Dashboards are fully integrated into this security model, so a group such as “executives” could have access to certain dashboards, but not others.
While we found Graylog’s reporting lacking and the searching good, the dashboards are really a step up in the world of log management and make the product stand out as a leader in this area.
Correlation and alerting
Alerting and correlation are real-time activities: looking at message flows, comparing them to business rules, and then causing some action to happen. For example, one login failure in an hour is not very interesting, but a thousand login failures an hour is interesting, and only by looking at all the message flows can you differentiate between these.
Alerting in Graylog begins with a feature called streams. A stream is a type of saved search that runs continuously as log messages flow into the system. Streams can be fed into dashboards, sent over to other log management systems, or simply be used as convenient pre-packaged content for different types of analysis. Access to streams is also defined by the Graylog users and groups system. For example, you could allow application developers to see messages only from development and QA systems by creating the appropriate stream, while hiding those messages from system operators (who might be confused).
We found that building streams made us re-think some of the data model we used in the collection, parsing and normalization parts of our testing. For example, when we wanted to count alerts across different brands of firewall and IDS in our network, we had to be very careful to normalize the messages in the same way so that we had a minimum of false positives, yet caught every event that was interesting. The results were valuable, but only once we put in the time to really understand and properly categorize and normalize different types of messages.
Once messages are filtered into a stream, Graylog allows for alerting to occur based on simple conditions: number of messages in a time period that match the stream, or a value in a message that passes a threshold or matches a particular string. Built-in alerting supports email and HTTP posts, but you can write your own or find something interesting in the Marketplace. For example, we downloaded a tool from the Marketplace that linked a Graylog stream to our Nagios network monitoring system, sending an alert into Nagios when a stream alert was triggered for over-temperature conditions in our servers.
Correlation is not a current feature in Graylog: you can’t correlate across events, unless you write your own tools to do so and link them in with Graylog’s API. Graylog also doesn’t have the easy ability to connect to other databases as messages fly in, such as linking to an asset inventory or configuration management database. This makes common correlation use cases more difficult, such as differentiating alerts between critical and test systems.
Is it right for me?
After using Graylog in production for several months, we found a solid product with excellent performance and an easy-to-use GUI. Although we found a few areas where the product could be improved, overall we think that Graylog is enterprise ready.
However, being enterprise-ready doesn’t mean that it’s ready to deploy, and we found that the do-it-yourself nature of the product requires a significant investment in time before the value of Graylog above a simple store-and-search tool is realized.
In some cases, the missing pieces represent major weaknesses. Even if Graylog is bulletproof and enterprise-ready, not every plug-in, content pack, and partner tool we had to add on was at the same level of quality and reliability. Thus, you could end up with a solid Graylog installation surrounded by a rat’s nest of other tools and products that have lower uptime and higher support costs.
With that being said, network managers who have the time and energy to invest in heavy customization of their log management systems may find Graylog an attractive option. This is doubly true for network managers who have been working with existing commercial systems and who can re-use some of the data dictionary, log parsing, and normalization techniques from their existing systems.
If you’ve never had a log management system, it is going to be difficult to make an intelligent choice of whether Graylog is right for you, and even more difficult to make effective use of its features. But for network managers frustrated with their current tools, Graylog may be a great escape valve. In our testing and use of other tools, we have found that changing the behavior of other commercial tools can be next to impossible, error prone, or very unsupported. With Graylog, it’s easy to make these changes. Network managers with very diverse equipment vendors may find that it’s easier to migrate to Graylog than try and retrofit a commercial package to their needs. The tradeoff is a significant one, and will be a big factor in deciding whether Graylog is right for you.
Snyder, a Network World Test Alliance partner, is a senior partner at Opus One in Tucson, Ariz.
This story, "Review: Graylog delivers open-source log management for the dedicated do-it-yourselfer" was originally published by Network World.
Copyright © 2015 IDG Communications, Inc.