# Graylog — Centralized Log Management and Analysis Platform

> Collect, index, and analyze log data from any source with a powerful search engine, real-time alerting, and customizable dashboards built for operations teams.

## Quick Use

```bash
# Docker Compose quickstart (evaluation only)
git clone https://github.com/Graylog2/docker-compose.git
cd docker-compose/open-core
docker compose up -d
# Access UI at http://localhost:9000 (admin / admin)
```

The Graylog container takes its secrets from environment variables. Before anyone but you can reach the instance, set `GRAYLOG_PASSWORD_SECRET` to a long random string and `GRAYLOG_ROOT_PASSWORD_SHA2` to the SHA-256 hash of a password of your own (`echo -n 'yourpassword' | sha256sum`) in the stack's `.env` file, and keep port 9000, MongoDB, and OpenSearch off any network you do not trust: the quickstart ships with `admin / admin` and no TLS.

## Introduction

Graylog is a log management platform (the core server is published under the source-available SSPL) that centralizes logs from servers, applications, and network devices into a searchable index. It combines collection, parsing, alerting, and dashboarding in a single tool designed for operations and security teams who need fast answers from high-volume log streams.

## What Graylog Does

- Ingests log data via Syslog, GELF, Beats, and raw TCP/UDP inputs at thousands of messages per second
- Provides a full-text search interface backed by OpenSearch or Elasticsearch for sub-second log queries
- Parses and enriches incoming messages with extractors, pipeline rules, and lookup tables
- Triggers alerts from event definitions (search conditions evaluated on a schedule) with notifications to Slack, PagerDuty, email, or HTTP endpoints
- Renders real-time dashboards with aggregation widgets, heatmaps, and statistical summaries

## Architecture Overview

Graylog runs three core components: the Graylog server (Java), MongoDB for configuration and metadata storage, and OpenSearch (or Elasticsearch; current releases support OpenSearch 1.x/2.x but only Elasticsearch 7.10.x) for log indexing. Inputs receive messages over the network and hand them to a processing chain that applies extractors, pipeline rules, and stream routing. Messages are then written to time- or size-rotated OpenSearch indices. The web UI is built into the server process and talks to the same REST API under `/api` that is available for automation; every non-GET request must carry an `X-Requested-By` header (the server's CSRF check), and scripts should authenticate with a per-user API token rather than a password.
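The GELF input mentioned above is the protocol most applications use to talk to Graylog directly, so it is worth seeing on the wire. The following encoder/decoder is an added example written for this page, not Graylog's own code: it builds a GELF 1.1 message, frames it for a TCP input (NUL-terminated JSON) or a UDP input (optional gzip, then chunked datagrams with the `1e 0f` magic header), and reassembles chunks the way a receiver must. It assumes the input defaults (port 12201, 8192-byte datagrams); the host name `web-01` and the sample event are constructed.

```python
"""
Added example (not Graylog's own code): GELF 1.1 encoder/decoder showing what a
Graylog GELF input expects on the wire. Assumes the input defaults: TCP port 12201
with NUL-byte framing, UDP port 12201 with 8192-byte datagrams.
"""
import gzip
import json
import os
import re
import socket
import struct
import time
import zlib

CHUNK_MAGIC = b"\x1e\x0f"        # marks a chunked GELF datagram
CHUNK_HEADER_LEN = 12            # magic(2) + message id(8) + sequence number(1) + sequence count(1)
MAX_CHUNKS = 128                 # GELF limit; larger messages must go over TCP
DEFAULT_DATAGRAM = 8192          # datagram size Graylog's UDP input expects by default
FIELD_NAME = re.compile(r"^[\w.\-]+$")   # characters allowed in additional field names


def build_gelf(host, short_message, full_message=None, level=6, timestamp=None, fields=None):
    """Return a GELF 1.1 message as a dict; 'fields' become underscore-prefixed additional fields."""
    if not host or not short_message:
        raise ValueError("host and short_message are mandatory in GELF")
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": time.time() if timestamp is None else timestamp,
           "level": level}                     # syslog severity, 6 = informational
    if full_message is not None:
        msg["full_message"] = full_message
    for name, value in (fields or {}).items():
        if name == "id" or not FIELD_NAME.match(name):
            raise ValueError(f"illegal additional field name {name!r}")   # _id is reserved
        msg["_" + name] = value
    return msg


def encode_tcp(msg):
    """GELF over TCP: uncompressed JSON, one message per NUL-terminated frame."""
    # json.dumps escapes control characters, so the payload itself never contains a NUL
    return json.dumps(msg, separators=(",", ":")).encode() + b"\x00"


def encode_udp(msg, datagram_size=DEFAULT_DATAGRAM, compress=True, message_id=None):
    """GELF over UDP: optional gzip, then chunking when the payload exceeds one datagram."""
    payload = json.dumps(msg, separators=(",", ":")).encode()
    if compress:
        payload = gzip.compress(payload)
    if len(payload) <= datagram_size:
        return [payload]
    size = datagram_size - CHUNK_HEADER_LEN
    parts = [payload[i:i + size] for i in range(0, len(payload), size)]
    if len(parts) > MAX_CHUNKS:
        raise ValueError(f"{len(parts)} chunks needed, GELF allows {MAX_CHUNKS}")
    mid = os.urandom(8) if message_id is None else message_id   # same id on every chunk
    return [CHUNK_MAGIC + mid + struct.pack("BB", seq, len(parts)) + part
            for seq, part in enumerate(parts)]


def reassemble(datagrams):
    """Receiver side: check that chunk headers belong together and rebuild the payload."""
    if len(datagrams) == 1 and not datagrams[0].startswith(CHUNK_MAGIC):
        return datagrams[0]
    parts, mid, total = {}, None, None
    for d in datagrams:
        if not d.startswith(CHUNK_MAGIC) or len(d) <= CHUNK_HEADER_LEN:
            raise ValueError("malformed chunk")
        this_id, seq, count = d[2:10], d[10], d[11]
        if mid is None:
            mid, total = this_id, count
        if this_id != mid or count != total or seq >= total:
            raise ValueError("chunk does not belong to this message")
        parts[seq] = d[CHUNK_HEADER_LEN:]   # chunks may arrive in any order
    if len(parts) != total:
        raise ValueError(f"got {len(parts)} of {total} chunks")
    return b"".join(parts[i] for i in range(total))


def decode_payload(raw):
    """Undo optional gzip/zlib compression and validate the mandatory GELF fields."""
    if raw[:2] == b"\x1f\x8b":
        raw = gzip.decompress(raw)
    elif raw[:1] == b"\x78":
        raw = zlib.decompress(raw)
    msg = json.loads(raw)
    if msg.get("version") != "1.1" or "host" not in msg or "short_message" not in msg:
        raise ValueError("not a valid GELF 1.1 message")
    return msg


if __name__ == "__main__":
    # Constructed sample event. A GELF UDP input accepts this from anyone who can reach
    # the port, which is why such inputs belong on a trusted network segment.
    sample = build_gelf("web-01", "sshd: Failed password for root",
                        fields={"user": "root", "src_ip": "203.0.113.7", "facility": "auth"})
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for d in encode_udp(sample):
            s.sendto(d, ("127.0.0.1", 12201))
```

Two properties matter in practice: chunks carry no authentication and no checksum, so a spoofed datagram with the right 8-byte message id can be spliced into someone else's message, and a message needing more than 128 chunks is silently undeliverable over UDP, so large payloads (stack traces, request bodies) should go over the TCP input, ideally with TLS enabled.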
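The REST API mentioned in the Architecture Overview is how the configuration steps in the next section (an input, a stream, routing to an index set) are usually scripted. The client below is an added example written for this page, not Graylog's own tooling. It creates a TLS-enabled GELF TCP input, defines a stream whose regex rule on the `source` field routes one tier of hosts into a separate index set, and resumes the stream (streams are created paused). The base URL, the token read from `GRAYLOG_TOKEN`, the certificate paths, the index set id, and the `^web-\d+$` pattern are hypothetical; the endpoint paths, the input type name, the `X-Requested-By` header, and token-as-Basic-auth are Graylog's documented API conventions, and the `id` field in the input-creation response is assumed.

```python
"""
Added example (not Graylog's own code): create a TLS-enabled GELF TCP input and a
stream that routes one host tier into its own index set, via the REST API on /api.
"""
import base64
import json
import os
import urllib.error
import urllib.request

# Stream rule type codes used by the Graylog API (1 = exact match, 2 = regex, 5 = field present)
RULE_EXACT, RULE_REGEX, RULE_PRESENCE = 1, 2, 5


def auth_header(token):
    """API tokens are sent as HTTP Basic auth with the token as user and the literal password 'token'."""
    return "Basic " + base64.b64encode(f"{token}:token".encode()).decode()


def gelf_tcp_input(title, port=12201, bind_address="0.0.0.0", cert=None, key=None):
    """Body for POST /api/system/inputs. TLS is switched on only when a certificate path is given."""
    return {
        "title": title,
        "type": "org.graylog2.inputs.gelf.tcp.GELFTCPInput",
        "global": True,                      # start the input on every node of the cluster
        "configuration": {
            "bind_address": bind_address,
            "port": port,
            "use_null_delimiter": True,      # GELF over TCP frames each message with a NUL byte
            "max_message_size": 2097152,
            "tls_enable": cert is not None,
            "tls_cert_file": cert or "",
            "tls_key_file": key or "",
        },
    }


def stream_for_source(title, index_set_id, source_regex):
    """Body for POST /api/streams: route messages whose 'source' field matches a regex."""
    return {
        "title": title,
        "description": f"messages from sources matching {source_regex}",
        "index_set_id": index_set_id,
        "matching_type": "AND",
        "remove_matches_from_default_stream": True,    # do not index the same message twice
        "rules": [{"field": "source", "type": RULE_REGEX, "value": source_regex, "inverted": False}],
    }


class GraylogClient:
    def __init__(self, base_url, token, opener=urllib.request.urlopen):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.opener = opener             # injectable so the call sequence can be exercised offline

    def call(self, method, path, body=None):
        data = None
        if method != "GET":
            data = b"" if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", auth_header(self.token))
        req.add_header("Accept", "application/json")
        if method != "GET":
            req.add_header("Content-Type", "application/json")
            req.add_header("X-Requested-By", "setup-script")   # rejected without it (CSRF check)
        with self.opener(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}              # 204 No Content comes back empty

    def setup(self, index_set_id, cert, key, source_regex):
        """Create input, create stream, resume stream; returns (input id, stream id)."""
        inp = self.call("POST", "/api/system/inputs", gelf_tcp_input("gelf-tls", cert=cert, key=key))
        stream = self.call("POST", "/api/streams", stream_for_source("web-tier", index_set_id, source_regex))
        self.call("POST", f"/api/streams/{stream['stream_id']}/resume")
        return inp["id"], stream["stream_id"]


if __name__ == "__main__":
    # Hypothetical values: token from the environment, cert/key readable by the server
    # process, index set id copied from System > Indices in the UI.
    client = GraylogClient("http://localhost:9000", os.environ.get("GRAYLOG_TOKEN", ""))
    try:
        print(client.setup("000000000000000000000001", "/etc/graylog/tls/cert.pem",
                           "/etc/graylog/tls/key.pem", r"^web-\d+$"))
    except urllib.error.URLError as exc:
        print("Graylog API not reachable:", exc)
```

Create the token for a dedicated, least-privileged user rather than `admin`, and keep `remove_matches_from_default_stream` in mind when granting stream permissions: a message that still lands in the default stream is visible to everyone who can read that stream.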
## Self-Hosting & Configuration

- Deploy with Docker Compose for evaluation or use the official Linux packages (DEB/RPM) for production
- Configure inputs in the web UI to receive Syslog (RFC 3164 and RFC 5424), GELF, or Beats protocol data; UDP inputs accept whatever reaches the port with no authentication, so keep them on a trusted segment and prefer TCP inputs with TLS where the sender supports it
- Define streams to route messages by source, severity, or content into separate index sets with independent retention policies; stream permissions are also the unit of access control, so one stream per tenant or sensitivity level keeps later authorization simple
- Write pipeline rules in Graylog's processing language (`rule "..." when <condition> then <actions> end`) to parse, enrich, and transform messages on ingest
- Set index rotation by time, size, or message count and configure retention to automatically close or delete old indices

## Key Features

- Content packs bundle inputs, extractors, dashboards, and pipeline rules into shareable, importable packages
- Decorators modify search results at display time without changing stored data, for example adding context from a lookup table
- Correlation engine (Enterprise) groups related events across multiple log sources for security investigation workflows
- Sidecar manages Filebeat and Winlogbeat agents centrally from the Graylog UI
- Role-based access control restricts stream and dashboard visibility per team or user

## Comparison with Similar Tools

- **Grafana Loki** — log aggregation optimized for labels, not full-text indexing; Graylog offers richer search and built-in parsing
- **Elasticsearch + Kibana (ELK)** — flexible but requires assembling ingest, UI, and alerting separately; Graylog integrates all three while still relying on OpenSearch or Elasticsearch for storage
- **Splunk** — enterprise leader in log analytics; Graylog provides similar core features, with Graylog Open published under the source-available SSPL rather than a commercial license
- **Fluentd / Fluent Bit** — log shippers and processors; Graylog is the destination that indexes, searches, and visualizes
- **SigNoz** — APM-focused observability; Graylog specializes in log management with deeper parsing and alerting features

## FAQ

**Q: What is the difference between Graylog Open and Graylog Enterprise?**

A: Graylog Open (formerly Open Source) covers core log management.
Enterprise adds features like audit logging, archiving, and the correlation engine under a commercial license.

**Q: Can Graylog replace the ELK stack?**

A: For log management, yes. Graylog keeps OpenSearch or Elasticsearch as its indexing backend but replaces Logstash with its own inputs and pipelines, and replaces Kibana with its built-in UI.

**Q: How much storage does Graylog need?**

A: Storage depends on message volume and retention: multiply the average daily index size by the days of hot retention, then add OpenSearch replica shards. A deployment that indexes 50-100 GB per day and keeps 30-90 days of hot data therefore needs roughly 1.5-9 TB of hot storage before replicas, with older indices deleted or, on Enterprise, archived to cold storage.

**Q: Does Graylog support Kubernetes logs?**

A: Yes. Deploy Fluent Bit or Filebeat as a DaemonSet and forward container logs to Graylog: Fluent Bit's `gelf` output targets a GELF input, and Filebeat's `logstash` output targets a Beats input.

## Sources

- https://github.com/Graylog2/graylog2-server
- https://go2docs.graylog.org

---

Source: https://tokrepo.com/en/workflows/68045e07-3de4-11f1-9bc6-00163e2b0d79
Author: AI Open Source