Graylog Enterprise Features

If you are anything like us when researching software, what you really want to know is “what does this thing *do*?” and “why should I buy this one instead of the other one?” To answer those questions, here’s a quick summary of Graylog’s features with more details available to help you determine if we can meet your needs.

First, Graylog is primarily a centralized log management platform, though many also use it as a SIEM—especially with the introduction of our new Correlation Engine. Graylog can ingest of many terabytes of log messages every day, then process and store it to meet your operations, security, and compliance needs. The Web interface allows you to search through millions of log records to retrieve information in milliseconds and sort it into useful charts, tables, trend indicators. It is currently available in three license types: open source (unlimited data), free enterprise (enterprise features, but limited to 2GB/day), and commercial (full enterprise features, priced by daily ingest volume).

Discover Graylog

Collecting Data

Unlike legacy Security Information & Event Management (SIEM) systems, Graylog’s modern log-focused architecture can accept nearly any type of structured data, including log messages and network traffic from:

  • Syslog (TCP, UDP, AMQP, Kafka)
  • AWS - AWS Logs, FlowLogs, CloudTrail
  • Beats/Logstash
  • CEF (TCP, UDP, AMQP, Kafka)
  • JSON Path from HTTP API
  • Netflow (UDP)
  • Plain/Raw Text (TCP, UDP, AMQP, Kafka)
Graylog Sidecar

If you want to collect logs from more than one (1) of any type of endpoint, you will be glad to have Sidecar for centralized configuration and management of the data sources listed above.

Organizing Data

Raw messages must be parsed and often enriched to make them useful to a human operator and downstream systems.


For data that does not follow the Syslog standard logging protocol, it is necessary to instruct Graylog on how to parse the data so that it can be searched, analyzed, and presented in a useful way. Creating extractors is possible via either Graylog REST API calls or from the web interface using a wizard. You can extract data using regular expressions, Grok patterns, substrings, or even by splitting the message into tokens by separator characters.


A mechanism for routing messages into categories in real time while they are processed. For example, you could create a stream called Database Errors that catches every error message from all of your different databases. Streams also allow for data segregation and access control to be applied to different data sets.


A way to clean up log messages in a structured order that allows greater flexibility in routing, blacklisting, modifying, and enriching messages as they flow through Graylog. For example, drop unwanted messages, combine or append fields, or remove / rename fields.


Allows you to enrich log data by translating message field values into new values and write them into new message fields or overwrite existing fields. For example map IP addresses to host names or geolocation, add threat intelligence data, hash values, WHOIS data, LDAP/AD information, or DNS / Reverse DNS Lookup.

Analyzing Data

Querying large quantities of machine data is relatively easy when you know exactly what you are looking for, and all log management tools should be relatively equal in this regard. Graylog really shines when exploring data to understand what is happening in your environment. For this we use:


Graylog uses standard boolean search terms in a wizard interface for selecting fields and data display types.


With Graylog’s Search Workflow, you can build and combine multiple searches for any type of analysis into one action and review your delivered results on a dashboard-like screen(or multiple tabs for really complex tasks).


Combine widgets to build fully customized, predefined data displays so everything important is just one click away. Drill-down to explore your data further.

Extracting Data

Rarely does a log management system operate in a vacuum. Whether you need compliance reports, security or performance alerts, or integration with ticketing and orchestration systems, there will be summary data that needs to be passed to somewhere else in your Operations Center. Graylog offers several options here:


Reuse the Dashboard widgets to have charts and data delivered via email on a regular basis.


Build complex alerts based on a relationship between multiple events or even missing events collected by Graylog.


The Graylog web-based admin portal uses our API exclusively for storing and retrieving data. The API can be exposed for integration into 3rd party systems, automation tasks and displaying data into other tools/dashboards.


In large, complex environments you may wish to set up multiple Graylog instances. The Forwarder makes it easy and efficient to combine data across instances for comprehensive analysis and archiving. With the Data Forwarder, you can also keep data geographically separated and forward only needed data centrally for compliance requirements.

Security & Performance Optimization

Graylog often contains sensitive, regulated data so it is critical that the system itself is secure, accessible, and speedy.


Track all actions performed by Graylog operators.


Different types of logs need to be retained for different time periods, store them offline or in slow storage for cost savings. They can easily be retrieved and re-archived as needed.


Limit which operators have access to which data, regardless of whether they are using shared Dashboards, Reports, or Views.


Architect Graylog for scale and redundancy from gigabytes to many terabytes per day.

Extending Graylog

Our Open Source Community is phenomenal. From building extensions and making them available in our Marketplace, to helping each other out in our Community, you will find all the resources you need for success.


Share configurations of inputs, extractors, pipelines, dashboards, and more. Used to share solutions between users in the Marketplace, and also handy when moving from Test to Production.

Try it out for yourself

Get Graylog