
Aggregating logs with Graylog – A quick how-to guide

October 15, 2019

Graylog’s log aggregation features are useful for many tasks, from routine troubleshooting to spotting problems as soon as they appear. Aggregating all meaningful data is a quick and efficient way to trace a problem to its root cause and fix it with minimal impact on services. Aggregated data is easier to read and analyze: you reduce a large set of data points to a few meaningful numbers and get the answer you need from them. Without aggregation, the sheer volume of raw data makes log management an overly cumbersome process.

Graylog was created to show what is happening in a web application or an IT architecture in real time, so that you can respond quickly and cost-effectively. Our solution was purpose-built for log aggregation and analysis that is smarter, faster, more robust, more scalable, and more comprehensive than anything else on the market.

Using Aggregation with Graylog

Aggregation of data points can be used to simplify your extended searches in Graylog’s Views feature. A view is made up of one or more queries, each containing Message Table or Aggregation widgets, which you can edit or duplicate at will. With the Graylog Enterprise plugin you can also add Parameters to a search query.

An Aggregation reduces a set of messages to a few numbers. It works on two kinds of fields: numeric fields in a message (e.g., a took_ms field that records how long a page took to render), which are the values being summarized, and string fields used for grouping the aggregation (e.g., an action field that contains the name of the controller action). You can create a Custom Aggregation by clicking + Create -> Custom Aggregation. A new, empty widget then appears at the very top of the Extended Search page.

Why aggregation is an immensely useful tool

One of the main steps of the log management process is consolidating different log formats from a broad range of sources in a single place. Once a bulk of information from different processes has been aggregated, you can analyze, digest, and investigate your data much more easily.

Aggregation charts, for example, can streamline and strengthen your threat intelligence or SIEM efforts. They are an effective way to spot anomalous events in your system: check your charts for something that stands out, then start investigating. You can change how a chart is visualized, exclude irrelevant data, or refine your filters to pinpoint the root cause of a problem. Keep in mind that a summary such as an average can hide a single anomalous message, so always look at the raw messages behind a suspicious bucket before drawing conclusions. If you want a more detailed guide on how to use aggregation charts, we prepared one for you.
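To make the mechanics concrete, here is a small added example (not Graylog’s own code, and not from the original post) that does by hand what an Aggregation widget does: it groups messages by a string field (action) and summarizes a numeric field (took_ms) per group, as described in the Custom Aggregation section above, then flags messages that stand out against their group, as the chart-based anomaly spotting described in this section. The sample messages are constructed for the example; the field names took_ms and action are the ones the post uses, and the outlier rule (a value more than three times its group’s median) is an assumption chosen for illustration, not a Graylog feature.

```python
"""Group-by aggregation over log messages, mirroring what an Aggregation
widget does with a numeric field (took_ms) grouped by a string field (action).

Added example, not Graylog's own code. The messages below are constructed
for illustration; real Graylog messages would come from a search result."""
from collections import defaultdict
from statistics import mean, median

# Constructed sample messages: each dict is one log message with the two
# fields the post describes. Two of them are deliberately malformed so the
# aggregation has to deal with missing and non-numeric values.
SAMPLE_MESSAGES = [
    {"action": "index", "took_ms": 120},
    {"action": "index", "took_ms": 135},
    {"action": "index", "took_ms": 110},
    {"action": "login", "took_ms": 300},
    {"action": "login", "took_ms": 280},
    {"action": "login", "took_ms": 2900},   # the one worth investigating
    {"action": "search", "took_ms": 450},
    {"action": "search", "took_ms": "n/a"}, # non-numeric value: skipped
    {"action": "export"},                    # value field missing: skipped
]


def _numeric(value):
    """Return value as a float, or None if it is missing or not a number."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def aggregate(messages, group_field="action", value_field="took_ms"):
    """Reduce messages to {group: {count, min, max, avg, median}}.

    A message is skipped when the group field is absent or the value field
    is missing or non-numeric, so a bucket only ever holds real numbers.
    """
    buckets = defaultdict(list)
    for msg in messages:
        group = msg.get(group_field)
        number = _numeric(msg.get(value_field))
        if group is None or number is None:
            continue
        buckets[group].append(number)
    return {
        group: {
            "count": len(values),
            "min": min(values),
            "max": max(values),
            "avg": mean(values),
            "median": median(values),
        }
        for group, values in buckets.items()
    }


def outliers(messages, factor=3.0, group_field="action", value_field="took_ms"):
    """Return the messages whose value exceeds factor x their group's median.

    The median is used rather than the average because a single huge value
    drags the average up and would otherwise hide itself (assumed rule for
    this example, not a Graylog feature).
    """
    stats = aggregate(messages, group_field, value_field)
    flagged = []
    for msg in messages:
        group = msg.get(group_field)
        number = _numeric(msg.get(value_field))
        if group not in stats or number is None:
            continue
        if number > factor * stats[group]["median"]:
            flagged.append(msg)
    return flagged


if __name__ == "__main__":
    # Print the same table an Aggregation widget would show, then the outliers.
    for group, s in sorted(aggregate(SAMPLE_MESSAGES).items()):
        print(f"{group:<8} count={s['count']} min={s['min']:.0f} "
              f"max={s['max']:.0f} avg={s['avg']:.1f} median={s['median']:.0f}")
    for msg in outliers(SAMPLE_MESSAGES):
        print("investigate:", msg)
```

Note that the login group’s average (1160 ms) is itself pulled up by the slow request, which is why the outlier check compares against the median; the malformed search and export messages simply disappear from the counts, so a sudden drop in a bucket’s count is also worth a look at the raw messages.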

Why is Graylog better than the competition?

Many log management tools bolt together separate solutions for log analysis, visualization, and searching that were not designed for log management in the first place. Graylog instead uses features built from the ground up for that purpose. For example, incoming messages can be dropped (blacklisted) by user-defined rules, and the same rules can modify a message or add and remove fields. Graylog keeps up with very large data volumes by queuing all incoming messages in order before they are processed and aggregated.

All data coming from multiple sources can be aggregated in a single screen. Our unified GUI is straightforward and easy to use: you can run a search across multiple parameters and then save it to cut down on repeated work.

Conclusion

Aggregation can be used for many different purposes. Once the data arrives in Graylog, you can combine information into a single interface that reflects service performance as measured by business goals or metrics. You can aggregate all relevant logs from all relevant services and systems across your organization, from application response time to transactions per hour or per day.

Whether your company needs a complex log management solution or a simpler, more straightforward approach, Graylog provides a robust and scalable experience.

If you have any questions or doubts, please join our community and get new ideas on how to use your data.

May the logging be with you!

Written By
Nick Carstensen

Nick has been in the security industry for over fifteen years, with experience in security and the log/SIEM industry. Nick is currently a Technical Product Evangelist for Graylog, creating content and helping with the company's social presence.

@NickCarstensen1