Graylog: Introduction
Introduction to Graylog, everything you need to know about it
Stackhero offers a ready-to-use Graylog cloud solution that provides a host of benefits, including:
- Unlimited and dedicated SMTP email server included.
- Effortless updates with just a click.
- Customizable domain name secured with HTTPS (for example, https://logs.your-company.com).
- Optimal performance and robust security powered by a private and dedicated VM.
Save time and simplify your life: it only takes 5 minutes to try Stackhero's Graylog cloud hosting solution!
What is Graylog
Graylog is an open-source log management platform that gives engineering and operations teams a single place to collect, store, search, and analyze log data from every part of their infrastructure. Instead of SSH-ing into individual servers to read log files one by one, you ship all your logs to Graylog, where they are indexed in real time and made searchable across billions of events in milliseconds.
The platform is built around three core capabilities. First, it collects log data from virtually any source — servers, applications, containers, network devices, cloud services — using standard protocols like Syslog, GELF, Beats, raw TCP/UDP, and HTTP. Second, it indexes that data in an embedded OpenSearch engine, making every field instantly queryable. Third, it analyzes the data through a web interface that includes full-text search, customizable dashboards, alert rules, and processing pipelines that can enrich, filter, and route log events in real time.
The company behind Graylog
Graylog was created in 2010 by Lennart Koopmann in Hamburg, Germany. The project started as a personal tool for centralized log management and was open-sourced in 2012 under the name GELF (Graylog Extended Log Format). It quickly gained traction in the DevOps and infrastructure communities, and Graylog, Inc. was founded to build a commercial offering around the open-source core.
The company is headquartered in Houston, Texas, with offices in London and Hamburg. It has raised significant venture funding over the years and serves thousands of organizations worldwide, from startups to large enterprises and government agencies.
What is Graylog used for
Graylog is used by engineering and operations teams across a wide range of scenarios. The most common use case is production debugging: when something breaks, engineers need to search across logs from dozens of services simultaneously, not grep through files on individual machines. Graylog makes that search instant.
Beyond debugging, teams use Graylog for infrastructure monitoring — setting up alert conditions that fire when error rates spike, services stop responding, or unusual patterns appear in the logs. Security teams use it for audit and compliance, tracking authentication attempts, access patterns, and anomalies across the entire stack, and retaining logs for the periods required by GDPR, ISO 27001, SOC 2, and HIPAA. Platform teams use it to correlate events across heterogeneous systems — web servers, databases, load balancers, Kubernetes pods — into a single searchable timeline.
How Graylog works
Graylog sits as a central hub between your infrastructure and your team. Log shippers — Filebeat, Fluentd, rsyslog, or native GELF client libraries — collect log data from your systems and forward it to Graylog's input endpoints. Graylog then processes each incoming message through configurable pipelines that can parse fields, apply transformations, enrich events with geo-IP data or lookup tables, and route messages to the appropriate streams.
Processed messages are indexed by OpenSearch, which is bundled with Graylog and handles the full-text search workload. MongoDB, also bundled, stores Graylog's configuration — streams, dashboards, users, alert rules, and pipeline definitions. Your team interacts with all of this through Graylog's web interface, where they can run ad-hoc searches, build dashboards, configure alerts, and investigate incidents. The result is a single pane of glass for all your log data, with sub-second search even at scale.
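The shipper side of this flow can be made concrete with GELF, one of the input formats named above. The following is an added example, not code from Stackhero or Graylog: it builds a GELF 1.1 payload for a security-relevant event and applies the chunked-UDP framing from the public GELF specification. The function names, the host name, the sample event and the 1420-byte datagram size are assumptions chosen for illustration.

```python
import json
import os
import struct
import time

GELF_MAGIC = b"\x1e\x0f"   # marks a datagram as one chunk of a larger message
MAX_CHUNKS = 128           # protocol limit on chunks per message

def gelf_message(host, short_message, level=6, timestamp=None, **fields):
    """Build a GELF 1.1 payload; extra fields get the mandatory '_' prefix."""
    if not host or not short_message:
        raise ValueError("GELF requires host and short_message")
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": time.time() if timestamp is None else timestamp,
           "level": level}  # syslog severity: 4 = warning, 6 = informational
    for key, value in fields.items():
        if key == "id":
            raise ValueError("_id is reserved in GELF")
        msg["_" + key] = value
    return json.dumps(msg, separators=(",", ":")).encode("utf-8")

def gelf_chunks(payload, chunk_size=1420, message_id=None):
    """Split a payload into UDP datagrams; small payloads go out unchunked."""
    if len(payload) <= chunk_size:
        return [payload]
    data_size = chunk_size - 12  # 2 magic + 8 message id + 1 seq + 1 count
    pieces = [payload[i:i + data_size] for i in range(0, len(payload), data_size)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("message needs more than 128 chunks")
    message_id = message_id or os.urandom(8)
    return [GELF_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]

def reassemble(datagrams):
    """Receiver-side view: order chunks by sequence number and join them."""
    if len(datagrams) == 1 and not datagrams[0].startswith(GELF_MAGIC):
        return datagrams[0]
    parts = sorted(datagrams, key=lambda d: d[10])
    return b"".join(d[12:] for d in parts)

# Constructed sample event: a failed login reported by a hypothetical host.
SAMPLE = gelf_message("web-01.example.internal", "Failed password for invalid user",
                      level=4, timestamp=1700000000.0,
                      src_ip="203.0.113.7", event="auth_failure",
                      full_trace="x" * 3000)
```

Each datagram returned by `gelf_chunks` can be sent with `socket.sendto` to a GELF UDP input; the underscore-prefixed fields (`_src_ip`, `_event`) then arrive as individually searchable fields.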
Is Graylog free
Graylog is available in two editions. Graylog Open is the community edition — free to use, including in production. It covers the core log management use case: collection, indexing, search, dashboards, streams, pipelines, and basic alerting. The source code is available on GitHub. Graylog Operations and Graylog Security are commercial editions that add features like anomaly detection, compliance reporting, advanced correlation rules, and enterprise support.
One important licensing note: in 2023–2024, Graylog changed the license of its core codebase from Apache 2.0 to the Server Side Public License (SSPL). For the vast majority of users — companies running Graylog internally to manage their own logs — this change has no practical impact. You can still use Graylog Open for free. The SSPL primarily affects organizations that want to offer Graylog as a hosted service to third parties. If you were relying on the Apache 2.0 license specifically, the last Apache-licensed release was Graylog 5.0; versions 5.1 and later are under SSPL.
When to use Graylog
Graylog is the right tool when your team needs to centralize logs from multiple servers, services, or applications into one searchable interface. If engineers are spending time SSH-ing into machines to debug production issues, or if you have no visibility into what is happening across your infrastructure in real time, Graylog solves that problem directly.
It is also a strong choice when you need real-time alerting on log patterns — error spikes, failed logins, service outages — and when you must retain logs for compliance or audit purposes. Graylog is particularly well suited to teams that want a purpose-built log management UI without the complexity of assembling and maintaining multiple separate tools.
When not to use Graylog
Graylog is purpose-built for log management. If your primary need is to store and query time-series metrics — CPU usage, request latency, memory consumption — a dedicated time-series database like InfluxDB or Prometheus will serve you better. Graylog is optimized for log events, not for the high-frequency numeric measurements that metrics databases are designed to handle efficiently.
What makes Graylog so great
Graylog offers several compelling advantages over assembling a log management stack from scratch:
- All-in-one: OpenSearch and MongoDB are bundled and pre-configured — no need to install, configure, and maintain three separate services.
- Powerful search: Full-text search across billions of log events in milliseconds, using the intuitive Graylog Query Language (GQL) that requires no specialized query syntax knowledge.
- Streams and pipelines: Route and transform log data in real time — filter noise, enrich fields, and send specific events to specific destinations without writing custom code.
- Built-in alerting: Alert conditions and notifications via email, Slack, PagerDuty, and more are built directly into Graylog — no separate alerting tool required.
- Dashboards: Build visual dashboards directly in the Graylog web UI, without needing a separate visualization layer like Grafana or Kibana.
- Multi-protocol ingestion: Accept logs via Syslog, GELF, Beats, raw TCP/UDP, HTTP, and more — compatible with virtually any log shipper your infrastructure already uses.
What is Graylog cloud
Graylog cloud refers to a managed deployment of Graylog provided by a cloud provider, rather than an on-premises installation. Self-hosting Graylog requires running three services together — Graylog itself, OpenSearch, and MongoDB — and keeping all three updated, backed up, and secured is a non-trivial operational burden.
With Stackhero, you can have a dedicated Graylog instance up and running in just 2 minutes. OpenSearch and MongoDB are included and pre-configured. Your instance runs on a dedicated VM — not shared infrastructure — so your log data stays isolated. Connections are encrypted with TLS 1.3, backups run automatically every 24 hours and are retained for up to 3 months, and updates are available in one click. Servers are available in the United States and Europe, with hourly billing so you pay only for what you use.
How to start Graylog
If you believe Graylog is the right solution for your project, you might consider trying a managed instance that is pre-configured and ready to use with just a single click. You can start a free demo instance in as little as 2 minutes and explore Graylog without any hassle. Once you are satisfied with your tests, upgrading to a production-ready instance is equally straightforward.