Graylog Open: Open Source log management for SIEM

Graylog is an Open Source log management platform started by Lennart Koopmann in 2009. Version 1.0 was released on 19 February 2015. It uses an Elasticsearch/OpenSearch and MongoDB backend and provides processing pipelines, streams, alerting and dashboards.


Origins

Graylog was born in Hamburg in 2009 as a personal project by Lennart Koopmann, then a computer science student, with the idea of creating an Open Source log management server as an alternative to the commercial tools dominant at the time. The code was published on GitHub and the community grew steadily.

In 2012 TORCH GmbH (later Graylog, Inc.) was founded to support commercial development. The main headquarters is today in Houston, Texas, with technical presence in Hamburg.

On 19 February 2015 Graylog 1.0 was released, the first stable release.

Architecture

Graylog combines three components:

  • Graylog server — JVM application that receives logs, applies pipelines and handles API/UI
  • Elasticsearch / OpenSearch — full-text storage and search backend
  • MongoDB — configuration metadata (streams, dashboards, users, roles)

Ingestion supports syslog (UDP/TCP/TLS), GELF (Graylog Extended Log Format), Beats, AWS CloudWatch, Kafka and raw TCP/UDP. Normalisation is done through extractors and pipeline processing rules written in a dedicated DSL.
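As an added illustration of the GELF ingestion path mentioned above (example code written for this page, not code from the Graylog project), the following Python builds a GELF 1.1 message and applies the UDP chunking scheme from the GELF specification; the host name, field names and the 127.0.0.1:12201 input address are constructed sample values.

```python
import json
import os
import re
import socket
import time

# GELF 1.1 UDP chunk header: 2 magic bytes, 8-byte message id, sequence number, sequence count
CHUNK_MAGIC = b"\x1e\x0f"
MAX_CHUNKS = 128
DEFAULT_CHUNK_SIZE = 1420  # payload bytes per datagram, kept below a typical 1500-byte MTU
ADDITIONAL_FIELD_RE = re.compile(r"^_[\w.\-]+$")  # spec: additional field names use [\w.-]


def build_gelf(host, short_message, level=6, **extra):
    """Return a GELF 1.1 message as compact JSON; keyword args become '_'-prefixed fields."""
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": round(time.time(), 3),  # seconds since the UNIX epoch, decimals allowed
        "level": level,  # syslog severity, 0 (emergency) .. 7 (debug)
    }
    for key, value in extra.items():
        name = "_" + key.lstrip("_")
        # "_id" is reserved by Graylog; other names must match the spec's character set
        if name == "_id" or not ADDITIONAL_FIELD_RE.match(name):
            raise ValueError(f"invalid GELF additional field name: {key!r}")
        msg[name] = value
    return json.dumps(msg, separators=(",", ":"))


def chunk_gelf(payload, chunk_size=DEFAULT_CHUNK_SIZE):
    """Split an encoded message (bytes) into UDP datagrams, adding chunk headers when needed."""
    if len(payload) <= chunk_size:
        return [payload]  # fits in one datagram, no chunk header
    pieces = [payload[i:i + chunk_size] for i in range(0, len(payload), chunk_size)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("more than 128 chunks; a Graylog input would discard the message")
    message_id = os.urandom(8)  # lets the receiver reassemble the chunks of one message
    return [CHUNK_MAGIC + message_id + bytes([seq, len(pieces)]) + piece
            for seq, piece in enumerate(pieces)]


def send_gelf_udp(payload, addr=("127.0.0.1", 12201)):
    # Plain UDP gives no sender authentication or confidentiality; use a GELF
    # TCP/TLS input for log traffic that crosses an untrusted network.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for datagram in chunk_gelf(payload):
            sock.sendto(datagram, addr)
```

A call such as `send_gelf_udp(build_gelf("web01", "Failed password for root", level=4, src_ip="10.0.0.5").encode())` sends one sample event to a local GELF UDP input.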

Features

  • Streams — message routing into logical flows, with filter rules
  • Pipelines — sequential transformations (grok, JSON parsing, geoip, lookup tables)
  • Alerting — stream conditions, email/webhook/Slack/PagerDuty notifications
  • Dashboards — configurable widgets for metrics and searches
  • Search workflow — Lucene-inspired query language, scoped by time range and stream

Licence

The licensing situation is layered:

  • Graylog Open Source — community version under GPLv3
  • Graylog Enterprise — commercial edition with additional features (archiving, audit log, reports, SIEM correlation)

Graylog Inc. is the reference vendor for support and enterprise features.

SIEM and security analytics

The core enables composing pipelines, streams, alerting and dashboards — sufficient for SIEM-lite deployments with external integrations. Detection rules and enrichments are typically implemented as custom pipeline rules and streams rather than as a built-in rule library.

In the Italian context

Graylog is adopted by ISPs, MSSPs, public administration and mid-sized enterprises as a centralised log platform, often combined with Wazuh or Suricata for security event enrichment. The limited learning curve and mature web interface make it a frequent choice where ELK is perceived as too complex to operate.


References: Graylog 1.0 (19 February 2015). Started by Lennart Koopmann in Hamburg in 2009. Graylog, Inc. HQ: Houston, Texas + Hamburg. GPLv3 licence. Elasticsearch + MongoDB backend. Website: https://graylog.org
