Graylog Open: open source log management for SIEM

Graylog is an open source log management platform started by Lennart Koopmann in 2009. Version 1.0 was released on 19 February 2015. It runs on an Elasticsearch/OpenSearch plus MongoDB backend and provides processing pipelines, streams, alerting and dashboards.


Origins

Graylog was born in Hamburg in 2009 as a personal project of Lennart Koopmann, then a computer science student, who wanted to create an open source log management server as an alternative to the commercial tools dominant at the time. The code was published on GitHub and the community grew steadily.

In 2012 TORCH GmbH (later Graylog, Inc.) was founded to support commercial development. The headquarters are today in Houston, Texas, with a technical presence in Hamburg.

On 19 February 2015 Graylog 1.0 was released, the first stable release.

Architecture

Graylog combines three components:

  • Graylog server — JVM application that receives logs, applies pipelines and handles API/UI
  • Elasticsearch / OpenSearch — full-text storage and search backend
  • MongoDB — configuration metadata (streams, dashboards, users, roles)

Ingestion supports syslog (UDP/TCP/TLS), GELF (Graylog Extended Log Format), Beats, AWS CloudWatch, Kafka and raw TCP/UDP. Normalisation is done through extractors and pipeline processing rules, the latter written in a dedicated rule DSL.
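Since GELF is the format Graylog itself defined, it is worth seeing the wire format concretely. The block below is an added example, not code from the Graylog project: it builds a GELF 1.1 message (mandatory `version`, `host` and `short_message`, additional fields prefixed with `_`), gzips it and splits it into GELF UDP chunks (magic bytes `0x1e 0x0f`, an 8-byte message id, a sequence number and a sequence count, at most 128 chunks), then reassembles the chunks the way a receiving input would. Host names, field values and the fixed message id are constructed for the demonstration.

```python
"""Added example (not Graylog's own code): build, chunk and reassemble a GELF
1.1 message, illustrating the payload a Graylog GELF UDP input accepts."""
import gzip
import json
import os
import time

GELF_CHUNK_MAGIC = b"\x1e\x0f"  # every GELF UDP chunk starts with these two bytes
MAX_CHUNKS = 128                # the GELF spec allows at most 128 chunks per message
HEADER_LEN = 12                 # magic(2) + message id(8) + seq number(1) + seq count(1)


def build_gelf(host, short_message, level=6, full_message=None, timestamp=None, **extra):
    """Return a GELF 1.1 payload as UTF-8 JSON bytes.

    Additional fields receive the mandatory leading underscore; '_id' is
    reserved by the spec and is rejected. `level` uses syslog severities
    (6 = informational, 4 = warning).
    """
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": timestamp if timestamp is not None else time.time(),
        "level": level,
    }
    if full_message is not None:
        msg["full_message"] = full_message
    for key, value in extra.items():
        field = key if key.startswith("_") else "_" + key
        if field == "_id":
            raise ValueError("'_id' is reserved by GELF and must not be used")
        msg[field] = value
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")


def chunk_gelf(payload, chunk_size=8192, message_id=None):
    """Gzip the payload and split it into GELF UDP datagrams.

    Graylog's default maximum chunk size is 8192 bytes; 1420 is the usual
    choice across WAN links. A payload that fits in one chunk is sent as a
    plain gzip datagram without the chunk header.
    """
    if chunk_size <= HEADER_LEN:
        raise ValueError("chunk_size must leave room for data after the header")
    body = gzip.compress(payload)
    data_per_chunk = chunk_size - HEADER_LEN
    pieces = [body[i:i + data_per_chunk] for i in range(0, len(body), data_per_chunk)]
    if len(pieces) == 1:
        return [body]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError(f"message needs {len(pieces)} chunks, GELF allows {MAX_CHUNKS}")
    mid = message_id if message_id is not None else os.urandom(8)  # 8 random bytes per message
    return [GELF_CHUNK_MAGIC + mid + bytes([seq, len(pieces)]) + piece
            for seq, piece in enumerate(pieces)]


def reassemble_gelf(datagrams):
    """Inverse of chunk_gelf: order chunks by sequence number, check that all
    chunks of one message id are present, decompress and parse the JSON."""
    if len(datagrams) == 1 and not datagrams[0].startswith(GELF_CHUNK_MAGIC):
        return json.loads(gzip.decompress(datagrams[0]))  # unchunked gzip datagram
    chunks, message_id, expected = {}, None, None
    for d in datagrams:
        if not d.startswith(GELF_CHUNK_MAGIC) or len(d) < HEADER_LEN:
            raise ValueError("datagram is not a GELF chunk")
        mid, seq, count = d[2:10], d[10], d[11]
        if message_id is None:
            message_id, expected = mid, count
        if mid != message_id or count != expected:
            raise ValueError("chunk belongs to a different message")
        chunks[seq] = d[HEADER_LEN:]
    if len(chunks) != expected:
        raise ValueError(f"incomplete message: {len(chunks)} of {expected} chunks")
    body = b"".join(chunks[i] for i in range(expected))
    return json.loads(gzip.decompress(body))


if __name__ == "__main__":
    # Constructed sample event; a real sender would pass the datagrams to socket.sendto().
    payload = build_gelf("web-01", "login failed", level=4, user="alice", src_ip="203.0.113.7")
    for datagram in chunk_gelf(payload, chunk_size=1420):
        print(len(datagram), "bytes")
    print(reassemble_gelf(chunk_gelf(payload)))
```

Chunked messages arrive out of order on UDP, so the receiver keys chunks by message id and sequence number rather than arrival order; a Graylog input also discards partial messages whose remaining chunks never arrive.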

Features

  • Streams — message routing into logical flows, with filter rules
  • Pipelines — sequential transformations (grok, JSON parsing, geoip, lookup tables)
  • Alerting — stream conditions, email/webhook/Slack/PagerDuty notifications
  • Dashboards — configurable widgets for metrics and searches
  • Search workflow — Lucene-inspired query language, scoped by time range and stream
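To make the pipeline, stream and alerting concepts above concrete, here is an added example that is not Graylog code and does not use Graylog's rule DSL: it reproduces in plain Python what a pipeline rule (grok-style extraction with a named-group regex), a lookup-table enrichment, a stream routing rule and an aggregation alert condition ("more than N messages grouped by a field within a time window") do, run over a handful of constructed sshd syslog lines. Host names, addresses and the lookup table are made up for the demonstration.

```python
"""Added example (not Graylog's own code): a miniature of a Graylog pipeline
rule, stream routing and an aggregation alert, run over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RFC 3164-style sample lines; addresses come from documentation ranges.
SAMPLE_LOGS = [
    "Mar  3 10:15:01 web-01 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Mar  3 10:15:02 web-01 CRON[2210]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar  3 10:15:09 web-01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2",
    "Mar  3 10:16:40 web-01 sshd[2230]: Failed password for root from 203.0.113.7 port 51144 ssh2",
    "Mar  3 10:30:00 web-01 sshd[2301]: Failed password for root from 10.0.0.25 port 40001 ssh2",
    "Mar  3 10:17:05 web-01 sshd[2240]: Accepted password for deploy from 10.0.0.25 port 40002 ssh2",
]

# Equivalent of a grok pattern: named groups become message fields.
SSHD_FAIL = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src_ip>\S+) port (?P<port>\d+)"
)

# Stand-in for a Graylog lookup table (e.g. a CSV data adapter): source address -> asset label.
ASSET_LOOKUP = {"203.0.113.7": "partner-vpn", "10.0.0.25": "bastion"}


def parse(line):
    """Pipeline stage 1: extract fields. Lines the rule does not match keep only the raw message."""
    m = SSHD_FAIL.match(line)
    if not m:
        return {"message": line, "event": "unparsed"}
    # Syslog timestamps carry no year; the year is assumed here for the demonstration.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=2024)
    return {"message": line, "timestamp": ts, "source": m["host"], "event": "ssh_auth_failure",
            "user": m["user"], "src_ip": m["src_ip"], "port": int(m["port"])}


def enrich(msg):
    """Pipeline stage 2: lookup-table enrichment, like lookup_value() in a rule."""
    if "src_ip" in msg:
        msg["src_label"] = ASSET_LOOKUP.get(msg["src_ip"], "unknown")
    return msg


def route(msg):
    """Stream rule: field event equals ssh_auth_failure -> dedicated stream, else default."""
    return "ssh-auth-failures" if msg["event"] == "ssh_auth_failure" else "default"


def process(lines):
    """Run every line through parse -> enrich -> route and return messages per stream."""
    streams = defaultdict(list)
    for line in lines:
        msg = enrich(parse(line))
        streams[route(msg)].append(msg)
    return streams


def evaluate_alert(messages, threshold=3, window=timedelta(minutes=5)):
    """Aggregation condition: return src_ip values with at least `threshold`
    messages inside any sliding `window`, in first-seen order."""
    by_ip = defaultdict(list)
    for msg in messages:
        by_ip[msg["src_ip"]].append(msg["timestamp"])
    fired = []
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                fired.append(ip)
                break
    return fired


if __name__ == "__main__":
    streams = process(SAMPLE_LOGS)
    for name, msgs in streams.items():
        print(f"{name}: {len(msgs)} messages")
    print("alert for:", evaluate_alert(streams["ssh-auth-failures"]))
```

Only the address with three failures inside five minutes trips the condition; the single failure from the bastion host and the successful login stay below threshold, which is the behaviour an analyst would expect from the equivalent event definition in Graylog.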

Licence

The licensing situation is layered:

  • Graylog Open — community version under SSPL since 2021 (previously GPLv3)
  • Graylog Enterprise and Graylog Security — commercial editions with additional features (archiving, audit log, reports, SIEM correlation)
  • Graylog Operations — offering aimed at large-scale operational log management

Because the SSPL is not an OSI-approved licence, Graylog Open does not count as open source under the OSI definition, a fact to consider in contexts that strictly require OSI compliance.

SIEM and security analytics

The Graylog Security edition adds:

  • Detection rules with MITRE ATT&CK mapping
  • Asset and user behaviour — baseline and anomaly detection
  • Incident investigation — workflow for SOC analysts
  • Sigma rules — community rule import

The open core retains pipelines, streams, alerting and dashboards, which is sufficient for SIEM-lite deployments when combined with external integrations.

In the Italian context

Graylog is adopted by ISPs, MSSPs, public administration and mid-sized enterprises as a centralised log platform, often combined with Wazuh or Suricata for security event enrichment. The gentle learning curve and mature web interface make it a frequent choice where ELK is perceived as too complex to operate.


References: Graylog 1.0 (19 February 2015). Started by Lennart Koopmann in Hamburg in 2009. Graylog, Inc. HQ: Houston, Texas + Hamburg. Graylog Open licence: SSPL (from 2021; previously GPLv3). Elasticsearch/OpenSearch + MongoDB backend. Website: https://graylog.org
