This is a transcript of Tour of Graylog v4.0.
Hello, I'm Jeff Darrington, the Senior Technical Marketing Manager at Graylog. Graylog is a leading centralized log management solution built to open standards for capturing, storing, and enabling real-time analysis of terabytes of machine data. Thousands of IT professionals rely on Graylog to solve security, compliance, operational, and DevOps issues. I'm one of those professionals. I've used Graylog for many years, and that's why I'm excited to take you on this highlighted tour.
We will be taking a look at Graylog Illuminate, teams and permissions, search and dashboards, and alerting.
First, let's have a quick look at the authentication access to Graylog. Under System > Authentication, your authentication is set up under LDAP, Active Directory, or local users, contained here. Users can be assigned to teams, which will help eliminate the need for your IT administrator to make permission changes. Authentication management in Graylog is used to allow or restrict access to log data, restrict access to dashboards or to creating dashboards or other data, by user role or team, as you can see here under Roles.
Pipelines & Search
Once you've got access to Graylog and your logs are received, parsed, and normalized through pipeline rules enriching them, this is the heart of Graylog. In search, the web-based query builder is now where we'll start. As you can see, by clicking on Search, we're going to focus on our Illuminate spotlight, which in this particular event is our Office 365 logs. We're going to extend out our timeframe here to about 14 days so we can get a large amount of logs. As you'll see here, you'll get a variety of logs that are being generated from the Office environment. So we put in here, O365, and we look at some particular events. Here you can highlight any one of these individual logs, look at application names, a field, for example, and this is an Exchange log. So from here, we pick this and say, show top values. This will show all the details for anything going on in Office 365 and the events that are occurring.
If you wanted to modify this chart or add to it, we could create a duplicate. Creating this duplicate allows us to now edit it and change how the data can be manipulated and/or shown. From here we can represent this as a pie chart. So looking at these two representations of the same data in two different ways, you can create dashboards or saved events. So in this case, this is a saved search. We've created a search. I want to save this search. I'm going to call it one time. Now that search has been saved as one time, and you can load up other searches that you've saved as well.
From here, you can export this as a dashboard. Exporting it as a dashboard will take it into the Dashboards area. Here you can see a variety of dashboards that have been created. In this particular instance, I'm still highlighting our Illuminate Office 365 spotlight. So I'm going to utilize this dashboard, and going to extend out some time on the logs. As you'll see here, here's a particular dashboard showing sign-in successes, failures, tenants reporting, Office 365, geolocation of the actual sign-in attempts, as well as other information. The question you can ask is: are you doing security operations and want to know when people are locked out? Are users logging in from a country that you don't operate in? Are you an IT manager needing to watch change control on your servers and infrastructure? Or are you a software developer monitoring real-time application performance in your latest code spin?
You could be an IT director requiring metrics on all of the above information I just mentioned. Search is the foundation for all of the information in Graylog. Let's go where the magic happens: System > Pipelines and Rules. Here you'll see a long list of individual pipeline rules and pipelines. In these individual ones, you'll see different stages which you can execute. So this particular one here, enrichment, we've got three different stages with some additional rules in them. Within each rule, this is where your parser is actually parsing the raw logs and normalizing the logs.
Once you're capturing these logs, what do you do with them? You can view them. You can set up dashboards, but one crucial component is alerts. This is where you can create event definitions so that you can notify teams, individuals, or processes on events that might occur, which are created with conditions, modifying fields, and creating notifications. Examples here include PagerDuty, Slack notifications, script notifications, email notifications, HTTP notifications, and legacy alarm callbacks. This System menu is where all the configuration happens to transform your log data.
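As an added illustration of what a pipeline rule does when it parses and normalizes a raw log, and of the kind of field an event definition's condition can key on, here is a rule written for this transcript; it is not one of Graylog's or Illuminate's own rules. It assumes the Office 365 audit record arrives as JSON in the message field and uses the audit schema's Operation, ResultStatus, UserId, ClientIP and Workload keys.

```graylog
// Added example, not a rule shipped with Graylog or Illuminate.
// Assumption: the raw Office 365 audit record is JSON in the "message" field.
rule "normalize o365 audit events"
when
  has_field("message") &&
  contains(to_string($message.message), "\"Workload\"")
then
  let json = parse_json(to_string($message.message));

  // Map the O365 audit keys onto normalized field names so one search
  // (for example user_name:alice) works across every log source.
  let o365 = select_jsonpath(json, {
    "event_action":  "$.Operation",
    "user_name":     "$.UserId",
    "source_ip":     "$.ClientIP",
    "o365_workload": "$.Workload"
  });
  set_fields(o365);

  // Reduce ResultStatus to one outcome field plus a boolean flag. An event
  // definition whose filter is login_failed:true can then notify the team
  // about failed sign-ins or lockouts without re-parsing the raw record.
  let res = select_jsonpath(json, { "r": "$.ResultStatus" });
  let outcome = lowercase(to_string(res["r"]));
  set_field("event_outcome", outcome);
  set_field("login_failed", outcome != "succeeded");
end
```

The rule belongs in a pipeline stage connected to the stream that receives the Office 365 input; later stages can then add enrichment such as geolocation on source_ip.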
This concludes our brief tour of Graylog. These are just a few highlights of Graylog.
Happy logging with Graylog.