5 out of 5.0, Reviewed Jun 8, 2015
Product is quick to implement and extend existing log collection capabilities. Not a closed system, so was simple to adapt.
Focus more on getting the logs into the system than compliance. Without user buy-in, collecting certain application logs was a non-starter. Granting users access into their own logs from one central location was key in the deployment.
Log visualization, cost, speed of improvements to the software.
Lack of canned extractors to support specific application logs (Oracle Database, OIM, Cisco ASA, etc.).
Multi-datacenter capabilities are there, but I was not satisfied with the deployment strategies for doing so, which led to separate deployments for separate datacenters.
Initial purchase proved viability of log collection and will likely extend budget further for SIEM tools.
Graylog is very comparable to tools like Splunk at a much lower TCO. While there are many capabilities that are less refined, the price point reflects that. The most useful capability I've found so far has been the alerting, which has been helpful everywhere from giving application owners the ability to generate alerts on application failures (LDAP timeouts, etc.) to security incidents (failed logins, successful logins, etc.). Being able to plot these on a graph is exceptional and something that opened a lot of eyes to a true SIEM in our environment.
Use of support has been minimal, but is available. Every time I've had to contact support, they've been quick with responses and helpful.
Was able to quickly integrate with AD for user authentication and authorization. Unfortunately, the only way to restrict access was to create new streams and grant access to users stream by stream. This is inefficient and does not scale well with hundreds of streams. Hopefully a role-based access control option is available in the future (Grant access to stream to role, assign users to roles or pull roles from AD).
4 of 4 peer(s) found this review helpful.