Graylog: Introduction

Introduction to Graylog, everything you need to know

👋 Welcome to the Stackhero documentation!

Stackhero offers a ready-to-use Graylog cloud solution that provides a host of benefits, including:

  • Unlimited and dedicated SMTP email server included.
  • Effortless updates with just a click.
  • Customisable domain name secured with HTTPS (for example, https://logs.your-company.com).
  • Optimal performance and robust security powered by a private and dedicated VM.

Save time and simplify your life: it only takes 5 minutes to try Stackhero's Graylog cloud hosting solution!

Graylog is an open-source log management platform that provides engineering and operations teams with a centralised location to collect, store, search, and analyse log data from their entire infrastructure. Rather than SSH-ing into individual servers to read log files one by one, you centralise all your logs in Graylog, where they are indexed in real time and can be searched across billions of events in milliseconds.

The platform is built around three main capabilities. First, it collects log data from virtually any source — servers, applications, containers, network devices, cloud services — using standard protocols such as Syslog, GELF, Beats, raw TCP/UDP, and HTTP. Second, it indexes this data in an embedded OpenSearch engine, making every field instantly searchable. Third, it analyses the data through a web interface that offers full-text search, customisable dashboards, alert rules, and processing pipelines capable of enriching, filtering, and routing log events in real time.

Graylog was created in 2010 by Lennart Koopmann in Hamburg, Germany. The project began as a personal tool for centralised log management and was open-sourced in 2012 under the name GELF (Graylog Extended Log Format). It quickly gained traction in the DevOps and infrastructure communities, and Graylog, Inc. was founded to offer a commercial solution built around the open-source core.

The company is headquartered in Houston, Texas, with offices in London and Hamburg. Over the years, it has raised significant venture funding and now supports thousands of organisations worldwide, from startups to large enterprises and public sector bodies.

Graylog is used by engineering and operations teams in a wide variety of scenarios. The most common use case is production debugging: when an incident occurs, engineers need to search across logs from dozens of services at once, rather than trawling through files on each machine. Graylog makes this search instant.

Beyond debugging, teams use Graylog for infrastructure monitoring — setting up alerts that trigger on error spikes, service outages, or unusual patterns in the logs. Security teams use it for audit and compliance, tracking authentication attempts, access patterns, and anomalies across the entire system, and retaining logs for the periods required by GDPR, ISO 27001, SOC 2, or HIPAA. Platform teams use it to correlate events across different systems — web servers, databases, load balancers, Kubernetes pods — into a single searchable timeline.

Graylog acts as a central hub between your infrastructure and your team. Log shippers — Filebeat, Fluentd, rsyslog, or native GELF client libraries — collect logs from your systems and forward them to Graylog's input endpoints. Graylog then processes each incoming message through configurable pipelines that can parse fields, apply transformations, enrich events with geo-IP data or lookup tables, and route messages to the correct streams.
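As an added illustration of what a native GELF client sends to a Graylog input (this is not Stackhero's or Graylog's own code), the example below builds a GELF 1.1 message, validates its additional field names, and frames it for a GELF TCP input. The host names, the sample event, and port 12201 are assumptions; use the address and port of the input you actually configured.

```python
import json
import re
import socket
import ssl
import time

# GELF 1.1: additional fields carry a "_" prefix, "_id" is reserved, and
# names may only contain word characters, dots and dashes.
_FIELD_NAME = re.compile(r"[\w.\-]+")


def build_gelf(host, short_message, level=6, timestamp=None, **extra):
    """Return a GELF 1.1 message as a dict, rejecting malformed input."""
    if not host or not short_message:
        raise ValueError("GELF requires a non-empty host and short_message")
    if level not in range(8):  # syslog severity: 0 = emergency, 7 = debug
        raise ValueError("level must be a syslog severity between 0 and 7")
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": time.time() if timestamp is None else timestamp,
           "level": level}
    for name, value in extra.items():
        if name == "id" or not _FIELD_NAME.fullmatch(name):
            raise ValueError(f"invalid additional field name: {name!r}")
        # Numbers stay numeric so range searches work; the rest become strings.
        is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
        msg["_" + name] = value if is_number else str(value)
    return msg


def frame_for_tcp(msg):
    """GELF over TCP: one uncompressed JSON document ended by a null byte."""
    # json.dumps escapes control characters, so the body never holds a raw NUL.
    return json.dumps(msg, separators=(",", ":")).encode("utf-8") + b"\x00"


def send_gelf_tls(frame, server, port=12201):
    """Send one frame to a TLS-enabled GELF TCP input (port is an assumption)."""
    context = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((server, port), timeout=5) as raw:
        with context.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame)


# Constructed sample event: a failed SSH login reported by host "web-01".
SAMPLE = build_gelf("web-01", "Failed password for invalid user admin",
                    level=4, timestamp=1700000000.0, event_type="auth_failure",
                    src_ip="203.0.113.7", attempts=3)
SAMPLE_FRAME = frame_for_tcp(SAMPLE)
```

Sending the event as structured fields (`_event_type`, `_src_ip`, `_attempts`) rather than one free-text line means streams, alerts and searches can match on them directly, without a parsing step in a pipeline.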

Processed messages are indexed by OpenSearch, which is bundled with Graylog and handles the full-text search workload. MongoDB, also included, stores Graylog's configuration — streams, dashboards, users, alert rules, and pipeline definitions. Your team accesses everything through Graylog's web interface, where they can run ad-hoc searches, build dashboards, configure alerts, and investigate incidents. This provides a unified view of all your logs, with sub-second searches even at scale.

Graylog is available in two editions. Graylog Open is the community edition — free to use, including in production. It covers the essential log management needs: collection, indexing, search, dashboards, streams, pipelines, and basic alerting. The source code is available on GitHub. Graylog Operations and Graylog Security are commercial editions that add features such as anomaly detection, compliance reporting, advanced correlation rules, and enterprise support.

One important licensing note: in 2023–2024, Graylog changed the licence of its core codebase from Apache 2.0 to the Server Side Public License (SSPL). For the vast majority of users — companies running Graylog internally for their own logs — this change has no practical impact. You can continue to use Graylog Open for free. The SSPL mainly affects organisations wishing to offer Graylog as a hosted service to third parties. If you specifically require the Apache 2.0 licence, the last release under that licence was Graylog 5.0; versions 5.1 and later are under SSPL.

Graylog is the ideal solution when your team needs to centralise logs from multiple servers, services, or applications into a single searchable interface. If your engineers are spending time SSH-ing into machines to diagnose production issues, or if you lack real-time visibility across your infrastructure, Graylog addresses that need directly.

It is also an excellent choice if you require real-time alerts on log patterns — error spikes, failed logins, service outages — or if you need to retain logs for compliance or audit purposes. Graylog is particularly well suited to teams seeking a dedicated log management interface without the complexity of assembling and maintaining several separate tools.

Graylog is purpose-built for log management. If your primary requirement is to store and query time-series metrics — CPU usage, request latency, memory consumption — a dedicated time-series database such as InfluxDB or Prometheus will be more suitable. Graylog is optimised for log events, not for the high-frequency numeric measurements that metrics databases are designed to handle efficiently.

Graylog offers several major advantages over assembling a log management stack from scratch:

  1. All-in-one: OpenSearch and MongoDB are included and pre-configured — no need to install, configure, and maintain three separate services.
  2. Powerful search: Full-text search across billions of events in milliseconds, using the straightforward Graylog Query Language (GQL) — no complex syntax to learn.
  3. Streams and pipelines: Route and transform log data in real time — filter noise, enrich fields, and send specific events to precise destinations, all without writing custom code.
  4. Built-in alerting: Alert conditions and notifications via email, Slack, PagerDuty, etc., are integrated directly into Graylog — no need for a separate alerting tool.
  5. Dashboards: Create visual dashboards directly in the Graylog web interface, without needing an additional visualisation layer such as Grafana or Kibana.
  6. Multi-protocol ingestion: Accept logs via Syslog, GELF, Beats, raw TCP/UDP, HTTP, and more — compatible with virtually any log shipper already present in your infrastructure.

Graylog cloud refers to a managed deployment of Graylog provided by a cloud provider, rather than an on-premises installation. Self-hosting Graylog requires running three services together — Graylog, OpenSearch, and MongoDB — and keeping them updated, backed up, and secure, which is a significant operational burden.

With Stackhero, you can have a dedicated Graylog instance up and running in just 2 minutes. OpenSearch and MongoDB are included and pre-configured. Your instance runs on a dedicated VM — not shared infrastructure — ensuring your log data remains isolated. Connections are encrypted with TLS 1.3, backups are automatic every 24 hours and retained for up to 3 months, and updates are available with a single click. Servers are available in the United States and Europe, with hourly billing so you only pay for what you use.

If you believe Graylog is the right solution for your project, you can try a managed, pre-configured instance that is ready to use with just one click. Launch a free demo instance in under 2 minutes and explore Graylog without any hassle. Once you are satisfied with your tests, upgrading to a production-ready instance is just as straightforward.
