Graylog: Introduction

Introduction to Graylog, everything you need to know about it

Graylog is an open-source log management platform that provides engineering and operations teams with a centralized location to collect, store, search, and analyze log data from their entire infrastructure. Instead of SSH-ing into each server to read log files one by one, you centralize all your logs in Graylog, where they are indexed in real time and can be searched across billions of events in just milliseconds.

The platform is built around three main capabilities. First, it collects log data from virtually any source — servers, applications, containers, network devices, cloud services — using standard protocols such as Syslog, GELF, Beats, raw TCP/UDP, and HTTP. Second, it indexes this data in an embedded OpenSearch engine, making every field instantly searchable. Third, it analyzes the data through a web interface that offers full-text search, customizable dashboards, alert rules, and processing pipelines that can enrich, filter, and route log events in real time.

Graylog was created in 2010 by Lennart Koopmann in Hamburg, Germany. The project began as a personal tool for centralized log management and was open-sourced in 2012 under the name GELF (Graylog Extended Log Format). It quickly gained popularity in the DevOps and infrastructure communities, and Graylog, Inc. was founded to offer a commercial solution built around the open-source core.

The company is headquartered in Houston, Texas, with offices in London and Hamburg. Over the years, it has raised significant venture capital and now serves thousands of organizations worldwide, from startups to large enterprises and public sector agencies.

Graylog is used by engineering and operations teams in a wide variety of scenarios. The most common use case is production debugging: when an incident occurs, engineers need to search across logs from dozens of services at once, rather than combing through files on each machine. Graylog makes this search instant.

Beyond debugging, teams use Graylog for infrastructure monitoring — configuring alert conditions that trigger when error rates spike, services go down, or unusual patterns are detected in the logs. Security teams use it for audit and compliance, tracking authentication attempts, access patterns, and anomalies across the entire stack, and retaining logs for the periods required by GDPR, ISO 27001, SOC 2, and HIPAA. Platform teams use it to correlate events across heterogeneous systems — web servers, databases, load balancers, Kubernetes pods — into a single searchable timeline.

Graylog acts as a central hub between your infrastructure and your team. Log shippers — Filebeat, Fluentd, rsyslog, or native GELF client libraries — collect log data from your systems and forward it to Graylog's input endpoints. Graylog then processes each incoming message through configurable pipelines that can parse fields, apply transformations, enrich events with geo-IP data or lookup tables, and route messages to the appropriate streams.
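The client side of that flow, as an added example (not Stackhero's or Graylog's own code): it parses a failed SSH login line into structured fields and builds a GELF 1.1 message framed for a GELF TCP input. The host name, the sample log line, and the function and field names are constructed for illustration; the field rules follow the GELF 1.1 specification.

```python
import json
import re

# Constructed sample line, in the format OpenSSH writes to auth.log.
SAMPLE = "Failed password for invalid user admin from 203.0.113.7 port 52144 ssh2"

SSH_FAIL = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)
# Characters GELF 1.1 allows in additional field names.
FIELD_NAME = re.compile(r"^[\w.\-]+$", re.ASCII)


def to_gelf(host, line, timestamp):
    """Turn one sshd failure line into a GELF 1.1 dict, or None if it does not match."""
    m = SSH_FAIL.search(line)
    if m is None:
        return None
    extra = {
        "event_type": "ssh_auth_failure",
        "user": m["user"],
        "invalid_user": "true" if m["invalid"] else "false",
        "src_ip": m["src_ip"],
        "src_port": int(m["src_port"]),
    }
    msg = {
        "version": "1.1",          # required
        "host": host,              # required
        "short_message": line[:200],  # required
        "timestamp": timestamp,    # seconds since the epoch
        "level": 4,                # syslog severity "warning"
    }
    for key, value in extra.items():
        # The spec reserves "_id" and restricts field names to word chars, dots, dashes.
        if key == "id" or not FIELD_NAME.match(key):
            raise ValueError(f"invalid GELF field name: {key}")
        msg["_" + key] = value     # additional fields carry a leading underscore
    return msg


def frame_tcp(msg):
    """GELF over TCP: one compact JSON document terminated by a null byte."""
    return json.dumps(msg, separators=(",", ":")).encode("utf-8") + b"\0"
```

Sending structured fields such as `_src_ip` and `_user` from the shipper means streams and alert rules can match on them directly instead of re-parsing `short_message` in a pipeline.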

Processed messages are indexed by OpenSearch, which is included with Graylog and handles the full-text search workload. MongoDB, also bundled, stores Graylog's configuration — streams, dashboards, users, alert rules, and pipeline definitions. Your team accesses everything through Graylog's web interface, where they can run ad-hoc searches, build dashboards, configure alerts, and investigate incidents. This provides a unified view of all your log data, with sub-second search even at scale.

Graylog is available in two editions. Graylog Open is the community edition — free to use, including in production. It covers the essential log management needs: collection, indexing, search, dashboards, streams, pipelines, and basic alerting. The source code is available on GitHub. Graylog Operations and Graylog Security are commercial editions that add features such as anomaly detection, compliance reporting, advanced correlation rules, and enterprise support.

One important licensing note: in 2023–2024, Graylog changed the license of its core codebase from Apache 2.0 to the Server Side Public License (SSPL). For the vast majority of users — companies running Graylog internally for their own logs — this change has no practical impact. You can continue to use Graylog Open for free. The SSPL mainly affects organizations that want to offer Graylog as a hosted service to third parties. If you specifically require the Apache 2.0 license, the last Apache-licensed release was Graylog 5.0; versions 5.1 and later are under SSPL.

Graylog is the ideal solution when your team needs to centralize logs from multiple servers, services, or applications into a single searchable interface. If your engineers are spending time SSH-ing into machines to troubleshoot production issues, or if you lack real-time visibility into your infrastructure, Graylog addresses that need directly.

It is also an excellent choice if you need real-time alerting on log patterns — error spikes, failed logins, service outages — or if you must retain logs for compliance or audit purposes. Graylog is particularly well suited to teams looking for a dedicated log management UI without the complexity of assembling and maintaining several separate tools.

Graylog is purpose-built for log management. If your primary need is to store and query time-series metrics — CPU usage, request latency, memory consumption — a specialized time-series database like InfluxDB or Prometheus will be a better fit. Graylog is optimized for log events, not for the high-frequency numeric measurements that metrics databases are designed to handle efficiently.

Graylog offers several major advantages over building a log management stack from scratch:

  1. All-in-one: OpenSearch and MongoDB are included and pre-configured — no need to install, configure, and maintain three separate services.
  2. Powerful search: Full-text search across billions of log events in milliseconds, using the intuitive Graylog Query Language (GQL) that requires no complex query syntax.
  3. Streams and pipelines: Route and transform log data in real time — filter out noise, enrich fields, and send specific events to specific destinations, all without writing custom code.
  4. Built-in alerting: Alert conditions and notifications via email, Slack, PagerDuty, and more are built directly into Graylog — no separate alerting tool required.
  5. Dashboards: Build visual dashboards directly in the Graylog web UI, without needing an additional visualization layer like Grafana or Kibana.
  6. Multi-protocol ingestion: Accept logs via Syslog, GELF, Beats, raw TCP/UDP, HTTP, and more — compatible with virtually any log shipper already present in your infrastructure.

Graylog cloud refers to a managed deployment of Graylog provided by a cloud provider, rather than an on-premises installation. Self-hosting Graylog requires running three services together — Graylog itself, OpenSearch, and MongoDB — and keeping all three updated, backed up, and secured, which is a significant operational burden.

With Stackhero, you can have a dedicated Graylog instance up and running in just 2 minutes. OpenSearch and MongoDB are included and pre-configured. Your instance runs on a dedicated VM — not shared infrastructure — ensuring your log data remains isolated. Connections are encrypted with TLS 1.3, backups are automatic every 24 hours and retained for up to 3 months, and updates are available with a single click. Servers are available in the United States and Europe, with hourly billing so you only pay for what you use.

If you believe Graylog is the right solution for your project, you can try a managed instance that is pre-configured and ready to use with just one click. Launch a free demo instance in less than 2 minutes and discover Graylog without any hassle. Once you are satisfied with your tests, upgrading to a production-ready instance is just as simple.
