When working with enterprise-scale data, every second—or millisecond—matters. The longer it takes to analyze data coming in, the longer it takes to find and resolve issues. So the ability to simultaneously explore multiple indicators of compromise is crucial to speeding up analysis.
Graylog uses Elasticsearch as its search engine. Elasticsearch lets you perform full text queries across terabytes, even petabytes, of data, returning results at lightning speed. Elasticsearch also scales across tens of hundreds of nodes without a performance hit.
The design of Graylog’s data storage and retrieval architecture inherently allows for multi-threaded and distributed search across the environment. Each search uses multiple processors, multiple buffers, and multiple buffers on a single machine, then multiplies that threaded search across the number of participating nodes in the cluster. This approach gives much faster results, which allows the analyst to work through the dataset without having to schedule, save, or “walk away” from a search to continue at a later time.
Unlike competing products, querying data in Graylog is done entirely in the UI--no need to learn a custom query language or submit pages of queries to an API to find the data you are looking for. Simply select the fields you want returned, use standard boolean operators to create your search, and specify how you want the data returned: raw data, aggregated data, count, or chart.
Sometimes. The full_message, message, and source fields are case-insensitive by default. All other fields are case-sensitive. However, you can modify this default behavior.
You can export any search result by simply clicking the More Actions button from the Search page, then clicking Export as CSV. Note that the exported logs will contain only the fields checked on the list below the button. If no fields are checked, the exported file will be empty.
Yes. Operators must be in all caps to be recognized in a query. Operators not in all caps are treated as search strings.