When I first began using Graylog, I could not believe it was free. The product feels like a proprietary product and doesn't feel like an open source product at all and feels very complete. There are also several features that I will touch on below that really make it comparable to any other SIEM platform on the market.



Because Graylog is Open Source, all the Plugin's are free. The plugins are located in the Graylog Martketplace and are kept up to date. You can find all sorts of pre-built dashboards for things like Active Directory, Firewalls, and Snort. Although it is convenient to have all of these pre-built dashboards, every environment is different and your fields may not match exactly with the pre-built dashboards. I normally use the plugin's to get ideas on how to better monitor my environment, as well as how to better visualize my data and build better dashboards with my existing data.


Graylog is growing and there are a lot of active developers making Graylog into a complete SIEM, so you can always find support in the freenode chat #graylog as well as the community forums. If you feel as though you need support, you can purchase support, but it is quite expensive as you are required to pay by node and you are required to have a minimum of three nodes. You can also join the #graylog IRC channel on Freenode as there are quite a few people there on a regular basis supporting others, including myself.


Because Graylog is Open Source, you can customize your instance as much as like. If you are really good at programming you can even join in on developing plugins to for things you may feel Graylog is missing. Even if you are not a good programmer, there are still a lot of things you can customize by yourself. Either way, to get Graylog to work appropriately you will need someway of shipping your logs to your instance, which is what the next section addresses.