Most teams don’t notice their logging problem until an incident forces them to go hunting for answers across a dozen servers, each with its own syslog file and its own retention policy that nobody remembers setting. Graylog exists to fix that: it pulls application logs, network events, container output, and security-relevant activity into one searchable, alertable place, instead of leaving them scattered across whatever disk they happened to be written to. The project has been under continuous development since 2009, and its current 7.1 release line – what Graylog’s own team calls the “Spring 2026 Release” – adds automated investigations and native behavioral anomaly detection on top of the centralized log-aggregation core that made the tool popular in the first place. This tutorial builds a complete Graylog stack from a blank Linux host: Docker Compose, real log shipping, parsing pipelines, Sigma-rule threat detection, and alerting, in 13 steps you can realistically finish in about 45 minutes, with a working project you can point at real servers the same day.
Don't miss new tech stories on Google
Add Tech Insider once in the Google app and our stories appear in your news suggestions.
What Is Graylog? Architecture, License, and the 2026 Release
Graylog began on February 13, 2009, when developer Lennart Koopmann released the first lines of what was then called Graylog2, later joined by co-founder Bernd Ahlers. The project formalized as a company, Graylog, Inc., on December 8, 2014, and today runs a dual-headquarters model out of Houston, Texas and Hamburg, Germany, with additional offices in London and Boulder, Colorado. On GitHub, the core graylog2-server repository – written in Java – has collected 8,076 stars and 1,117 forks since it was created in May 2010, with commits landing as recently as this week, which says something about how actively the project is still maintained.
Under the hood, a Graylog deployment is really four components working together. MongoDB stores configuration and metadata – users, inputs, streams, pipeline rules. OpenSearch stores and indexes the actual log data so it can be searched in near-real time. The Data Node is Graylog’s own management layer for OpenSearch: it handles certificate issuance, cluster membership, and version compatibility so you’re not hand-tuning a raw search cluster. And the Graylog server itself is the piece that ingests, parses, processes, and serves the web interface and REST API. This separation is also why the licensing conversation matters: releases before Graylog v4.0 shipped under GPLv3, but every release from v4.0 onward – including the free “Graylog Open” tier – is licensed under the Server Side Public License (SSPL) v1, a license the Open Source Initiative has not approved, even though Graylog itself remains free to self-host. Graylog explained the switch as a defense against large cloud providers repackaging the project as a managed service without contributing back.
The release this tutorial targets is Graylog 7.1, announced ORIGINAL NEEDED: The “Spring 2026 Release” is incorrectly dated; as of April 6, 2026, May 4, 2026 is a future date and cannot be the release date, and no source confirms this date as the official Spring 2026 Release” It adds self-building investigations, native behavioral anomaly detection, impossible-travel detection, the ability to pull Sigma rules from private Git repositories, parallel archive restores, and native Azure Blob Storage support for long-term archival – according to Graylog’s own release notes. A patch, 7.1.3, followed on ORIGINAL NEEDED: The Illuminate content-pack layer reaching v7 on June 3, 2026 is a future date as of April 6, 2026 and is not confirmed by any source; the current version and release date are unverified1.2 on July 6, 2026 with new “spotlights” and processing packs, per the official releases page. Illuminate is worth understanding on its own: rather than writing extractors and pipeline rules from scratch for every log source, you install a content pack for the technology you’re already running – Nginx, Windows, common firewall vendors – and get parsing, GeoIP enrichment, and a starter set of Sigma detections for that source pre-wired. It’s the difference between staring at a blank pipeline editor and starting from something that already understands the shape of your logs.
That release cadence matters if you’re deciding whether to invest an afternoon in this stack: Graylog isn’t an abandoned or slow-moving project. Log-management category trackers regularly place Graylog Enterprise in the same conversation as Elastic Security and Splunk Enterprise Security, even as the broader field of dedicated security-data platforms keeps widening and splitting that market further. For a self-hosted option with no license fee attached to the core product, Graylog remains one of the few candidates that pairs an actively committed GitHub repository with a commercial company standing behind it – which matters the day you need to escalate a serious support issue rather than wait on a community forum for an answer.
Graylog vs. Wazuh vs. Splunk vs. ELK: Choosing the Right Log Tool
Graylog doesn’t exist in a vacuum, and it’s worth being upfront about where it fits before you spend 45 minutes deploying it. If you’ve already worked through our Wazuh SIEM tutorial, you’ve seen an agent-based alternative that ships with file-integrity monitoring and compliance checks built in. Graylog takes a different approach: it’s a centralized log-management platform first, with security features – Sigma rule detection, correlation, alerting – layered on top, a positioning Graylog itself now markets as “TDIR” (threat detection, investigation, and response) rather than a traditional agent-per-host SIEM.
| Tool | Category | License / Cost Model | Best For | Out-of-Box Log Coverage |
|---|---|---|---|---|
| Graylog | Centralized log management + TDIR | Free (Graylog Open, SSPL) or paid Small Business / Enterprise / Cloud / API Security tiers | Teams that want a searchable, alertable log platform with security features layered on top | Broad, via GELF, Syslog, and Beats inputs plus Illuminate content packs |
| Wazuh | Endpoint-focused SIEM / XDR | Free and open source (GPLv2 core) | Teams that want agent-based detection – file integrity monitoring, rootkit checks, compliance – working immediately | Very broad by default: Windows Event Viewer, Linux syslog, and JSON app logs without extra plugins |
| Splunk | Enterprise SIEM / observability | Commercial, priced by data ingested per day | Large enterprises with budget for a mature, polished platform | Broad, but cost scales directly with ingestion volume |
| ELK / Elastic Stack | General-purpose data and search platform | Free core (Elasticsearch, Logstash, Kibana); paid Elastic Security tier | Teams that want to assemble a custom pipeline and are comfortable maintaining more moving parts | Minimal by default – you build ingestion yourself with Logstash or Beats |
When Graylog Is (and Isn’t) the Right Choice
Reach for Graylog when you want one searchable home for logs from many different sources – application servers, network devices, containers, firewalls – plus the ability to write detection rules against that stream without paying per gigabyte. It’s a weaker fit if what you actually need is Wazuh’s host-agent capabilities (file integrity monitoring, rootkit detection) out of the box, or Elastic’s broader observability ecosystem beyond security logs. Plenty of teams run both: Wazuh or CrowdSec for host-level detection, Graylog as the central search-and-alert layer everything else feeds into. None of this is an either-or decision you’re locked into forever, either – because Graylog ingests via open formats like GELF and syslog rather than a proprietary agent, pointing an existing Wazuh or CrowdSec deployment’s alerts at Graylog as one more log source is a config change, not a migration.
Understanding GELF: Why Graylog’s Native Log Format Matters
Plain syslog is a stream of loosely structured text, and every tool that wants to search it has to reinvent parsing for whatever format your particular application happens to emit. Graylog’s answer to that problem is the Graylog Extended Log Format (GELF), a simple structured logging format built around JSON that ships a message alongside explicit fields rather than a single unstructured string. A GELF message carries a short human-readable summary, an optional longer message body, a severity level, a timestamp, the originating host, and any number of custom fields an application wants to attach – a request ID, a user ID, a response time in milliseconds – all queryable individually the moment the message lands, with no regular expression required after the fact.
The format has spread well beyond Graylog itself. Docker ships a built-in GELF logging driver, which is exactly what Step 9 of this tutorial uses to pull container logs without installing a separate shipping agent inside every image. That’s a meaningfully different experience than parsing arbitrary application log lines with regular expressions after the fact: a Node.js API, a Python worker, and an Nginx reverse proxy can all emit GELF with the same consistent shape, so a single search or pipeline rule works across all three without three separate extractors to maintain.
None of this means you have to abandon syslog, and this tutorial doesn’t ask you to. The stack you’ll build runs both inputs side by side deliberately – GELF for anything you control the logging code for, syslog for network gear, legacy applications, and anything else that only knows how to speak the older format. Graylog treats both as first-class citizens once messages are inside its index, which is really the point of centralizing logs in the first place: the format a system was born speaking shouldn’t determine whether you can search, alert, or build a dashboard against it six months from now.
Prerequisites and System Requirements
You’ll need a Linux host – Ubuntu 24.04 LTS is a safe default, though any distribution that runs Docker works – with sudo access, outbound internet to pull container images, and basic comfort with a terminal. Install Docker Engine 27 or newer with the Compose v2 plugin (docker compose, not the standalone docker-compose binary) before you start; Docker’s own installation documentation covers this for every major distribution. If you plan to expose the web interface beyond your local network, have a domain name or internal DNS entry ready for a reverse proxy with TLS – this tutorial runs everything over plain HTTP on localhost, which is fine for a lab but not for anything production-facing.
Sizing depends entirely on how much log volume you’re pointing at it. OpenSearch – the search-and-storage layer underneath Graylog – is the resource-hungry piece, not the Graylog server itself.
On the network side, make sure whatever firewall sits in front of this host will actually let the traffic you care about reach it – inbound TCP 9000 for anyone who needs the web UI, plus whichever of the log-input ports from the table in Step 4 you plan to use from other machines. It’s easy to build the entire stack locally, confirm it works over localhost, and then discover a security group or host firewall silently dropping every packet from your actual log sources once you try to point real servers at it.
| Deployment Size | vCPU | RAM | Disk | Typical Use Case |
|---|---|---|---|---|
| Lab / evaluation | 2 | 4 GB | 20 GB SSD | Kicking the tires, low log volume |
| Small production | 4 | 16 GB | 100 GB SSD | A handful of servers, under 5 GB/day ingest |
| Production | 8+ | 32 GB+ | 500 GB+ SSD, separate volume for OpenSearch data | Multiple teams, security-relevant retention windows |
Step 1: Prepare Your Linux Host and Tune Kernel Parameters
OpenSearch – like Elasticsearch before it – memory-maps large numbers of files and will refuse to start, or crash-loop, if the host’s vm.max_map_count is left at the Linux default. Raise it and make the change persistent across reboots:
sudo sysctl -w vm.max_map_count=262144
echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
ulimit -n 65536
While you’re in there, disable or minimize swap on this host if you can – a search cluster that gets swapped to disk under memory pressure will feel catastrophically slow rather than gracefully degraded. A low vm.swappiness value (1 or 10) is a reasonable middle ground if you can’t disable swap entirely.
Step 2: Generate Graylog’s Secrets
Graylog requires two secrets before it will start: a password-pepper secret used to secure stored user passwords, and a SHA-256 hash of the admin password (Graylog never stores or accepts the plaintext directly). Generate both now:
openssl rand -hex 96
echo -n 'YourStrongAdminPassword' | sha256sum | cut -d' ' -f1
Save both outputs somewhere safe – you’ll paste them into the environment file in the next step. One detail that trips people up: the Data Node component needs its own copy of the first secret, and it must match the Graylog server’s copy exactly, character for character, or the two services will never establish trust with each other.
Step 3: Create the .env Configuration File
Create a project directory, and inside it a file named .env, with the secrets you just generated:
GRAYLOG_PASSWORD_SECRET=paste_the_96_char_hex_string_here
GRAYLOG_ROOT_PASSWORD_SHA2=paste_the_sha256_hash_here
GRAYLOG_DATANODE_PASSWORD_SECRET=paste_the_same_96_char_hex_string_here
GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog
GRAYLOG_DATANODE_MONGODB_URI=mongodb://mongodb:27017/graylog-datanode
GRAYLOG_HTTP_EXTERNAL_URI=http://127.0.0.1:9000/
GRAYLOG_TIMEZONE=Etc/UTC
TZ=Etc/UTC
Note that GRAYLOG_DATANODE_PASSWORD_SECRET is a straight copy of GRAYLOG_PASSWORD_SECRET – not a separate value. If you swap in your real server’s IP or hostname, update GRAYLOG_HTTP_EXTERNAL_URI to match, since Graylog uses it to build links back to itself in emails and API responses.
Step 4: Write the docker-compose.yml Stack Definition
This is the full stack: MongoDB for configuration, the Data Node managing a bundled OpenSearch, and the Graylog server itself. It follows the same three-service shape Graylog documents in its own containerized deployment guide.
version: "3.8"
services:
mongodb:
image: mongo:6.0
restart: unless-stopped
volumes:
- mongodb_data:/data/db
networks:
- graylog-net
datanode:
image: graylog/graylog-datanode:7.1
restart: unless-stopped
hostname: datanode
environment:
GRAYLOG_DATANODE_PASSWORD_SECRET: ${GRAYLOG_DATANODE_PASSWORD_SECRET}
GRAYLOG_DATANODE_MONGODB_URI: ${GRAYLOG_DATANODE_MONGODB_URI}
ports:
- "8999:8999/tcp"
- "9200:9200/tcp"
- "9300:9300/tcp"
volumes:
- datanode_data:/var/lib/graylog-datanode
- datanode_journal:/var/lib/graylog-datanode/journal
networks:
- graylog-net
depends_on:
- mongodb
graylog:
image: graylog/graylog:7.1
restart: unless-stopped
hostname: graylog
environment:
GRAYLOG_PASSWORD_SECRET: ${GRAYLOG_PASSWORD_SECRET}
GRAYLOG_ROOT_PASSWORD_SHA2: ${GRAYLOG_ROOT_PASSWORD_SHA2}
GRAYLOG_HTTP_EXTERNAL_URI: ${GRAYLOG_HTTP_EXTERNAL_URI}
GRAYLOG_MONGODB_URI: ${GRAYLOG_MONGODB_URI}
ports:
- "9000:9000/tcp"
- "5044:5044/tcp"
- "5140:5140/tcp"
- "5140:5140/udp"
- "12201:12201/tcp"
- "12201:12201/udp"
volumes:
- graylog_data:/usr/share/graylog/data
networks:
- graylog-net
depends_on:
- mongodb
- datanode
volumes:
mongodb_data:
datanode_data:
datanode_journal:
graylog_data:
networks:
graylog-net:
driver: bridge
Only expose the ports you actually need. If you’re only shipping logs via GELF, for example, you can drop the Beats (5044) and Syslog (5140) mappings entirely – every open port is one more thing to secure and monitor.
Step 5: Start the Stack and Verify Container Health
docker compose up -d
docker compose ps
docker compose logs -f graylog
Give it a couple of minutes on first boot – MongoDB needs to initialize, the Data Node needs to stand up OpenSearch and issue its internal certificates, and only then does the Graylog server finish connecting. Watch the log stream for a line indicating the REST API and web interface are listening before you try to log in.
Step 6: Complete the Preflight Setup Wizard
Modern Graylog boots into a “preflight” mode before the full interface is available, and it gates that step behind a one-time password printed to the container’s own logs – not something you set in advance. Find it with:
docker compose logs graylog | grep -i "preflight"
Open http://127.0.0.1:9000 in a browser, enter that preflight password, and confirm the Data Node connection when prompted. Once you accept it, Graylog finishes initializing and redirects to the normal login screen.
Step 7: Log In and Tour the Web Interface
Log in as admin using the plaintext password whose SHA-256 hash you generated in Step 2 – Graylog checks it against GRAYLOG_ROOT_PASSWORD_SHA2. From the top navigation, Search is where you’ll spend most of your time once logs are flowing; Streams lets you route subsets of messages (by source, severity, or any field) into their own views; Alerts holds event definitions and notifications; and System is where inputs, indices, users, and pipelines all live. It’s worth clicking through each section once now, before there’s any real data, so the layout is familiar later.
Step 8: Create Your First Inputs (GELF and Syslog)
Graylog doesn’t listen for anything until you explicitly launch an input. Go to System > Inputs, select GELF UDP from the dropdown, click Launch new input, and bind it globally on port 12201. Repeat the process for Syslog UDP on port 5140. Test the GELF input immediately with a raw message, before you wire up anything real:
echo -n '{"version":"1.1","host":"test-host","short_message":"Hello Graylog"}' | nc -u -w1 127.0.0.1 12201
Switch back to Search and you should see that message appear within a second or two. If it doesn’t, jump ahead to the troubleshooting section below before moving on – there’s no point wiring up real log sources against an input you haven’t confirmed works.
Step 9: Ship Real Logs with Rsyslog and the Docker GELF Driver
For a Linux server already running rsyslog, forward everything to Graylog’s syslog input with a one-line config drop-in:
# /etc/rsyslog.d/60-graylog.conf
*.* @@127.0.0.1:5140
The double @@ tells rsyslog to forward over TCP rather than UDP, which matters if you care about not silently dropping messages under load. Restart the service with sudo systemctl restart rsyslog to pick up the change.
For containerized workloads, Docker ships a built-in GELF logging driver that talks directly to Graylog’s GELF input without any extra agent:
docker run -d --name demo-app --log-driver gelf --log-opt gelf-address=udp://127.0.0.1:12201 nginx:latest
Every log line that container writes to stdout and stderr now lands in Graylog automatically, tagged with the container name and image.
Step 10: Parse Logs with Extractors and Pipeline Rules
Raw log lines are only useful once you can search and filter on structured fields, not just full-text match a blob of text. Graylog gives you two tools for this: extractors, which are quick regex or grok-style field pulls attached directly to an input, and pipeline rules, a small purpose-built rule language for anything more conditional. A pipeline rule follows a rule / when / then / end structure, per Graylog’s own pipeline rule documentation:
rule "Tag high severity syslog"
when
has_field("level") && to_long($message.level) <= 3
then
set_field("severity_tag", "high");
end
Save that under System > Pipelines, attach it to a stream, and every message with a syslog severity of 3 or lower – error, critical, alert, emergency – gets a new severity_tag field you can filter, alert, or dashboard on without touching the original message.
Step 11: Import Sigma Rules for Threat Detection
Sigma is a vendor-neutral, YAML-based format for writing detection logic once and running it against any log backend that supports it – Graylog wires Sigma directly into its event-processing engine rather than treating it as a bolt-on import format. You can add rules three ways: write them manually in the UI, pull them from a public or private Git repository (the private-repo option is new in 7.1), or upload a rule file directly. However you add one, Graylog auto-generates a matching event definition behind the scenes, which means the rule is immediately wired into alerting with no separate configuration step. The appeal of Sigma specifically – as opposed to writing detections in a tool-specific language from scratch – is portability: a rule written against Sigma’s generic field names can, in principle, be translated to run against Splunk, Elastic, or any other backend with a Sigma converter, so security teams that write detections once aren’t locked into whichever log platform happened to be in place when the rule was authored. Here’s a simplified example rule you could adapt and import:
title: Multiple Failed SSH Logins From Single Source
id: 8f3b2b40-9c1a-4e6a-9d3a-000000000001
status: experimental
description: Detects repeated failed SSH authentication attempts from one source IP
logsource:
product: linux
service: sshd
detection:
selection:
process_name: sshd
message: 'Failed password'
timeframe: 5m
condition: selection | count() by src_ip >= 5
level: medium
Graylog’s own team has documented using this exact pattern in the wild – publishing Sigma rules to help defenders detect the 3CX supply-chain compromise shortly after it became public, which is a reasonable proof that the rule format holds up outside of textbook examples.
Step 12: Configure Alerts and Notifications
An event definition without a notification attached will happily log matches to a list you have to check manually – not useful at 2 a.m. Open the event definition tied to your Sigma rule (or create a new one from a saved search), and add a notification under its Notifications tab. Email and HTTP webhook notifications are built in; the webhook option is the most flexible since it can forward straight into Slack, PagerDuty, or any internal on-call system that accepts a POST request:
{
"title": "SSH Brute Force Detected",
"notification_type": "http-notification-v1",
"url": "https://hooks.example.com/graylog-alert",
"method": "POST"
}
Always use the Test Notification button before you walk away – a webhook typo or an unreachable internal URL is the single most common reason alerts silently go nowhere.
Step 13: Set Index Rotation, Retention, and Backups
Left alone, an index set will grow until it fills the disk. Under System > Indices, set a rotation strategy – size-based (rotate at a fixed index size) or time-based (rotate daily or weekly) – and a retention strategy that deletes or closes the oldest indices once you exceed a set count. If you need to keep old logs around for compliance without paying for OpenSearch to keep indexing them, Graylog 7.1’s native Azure Blob Storage archive tier lets you move cold indices to cheap object storage and restore them later – the “parallel archive restores” feature from the same release exists specifically so a restore of several archived indices doesn’t queue up one at a time.
Back up the two stateful pieces separately: MongoDB holds your configuration (users, streams, pipeline rules, event definitions), and OpenSearch holds the actual log data.
mongodump --uri="mongodb://127.0.0.1:27017/graylog" --out=/backups/graylog-mongo-$(date +%F)
curl -X PUT "http://127.0.0.1:9200/_snapshot/graylog_backup/snapshot_$(date +%F)?wait_for_completion=false" -H "Content-Type: application/json"
Schedule both as cron jobs, and periodically test that a restore from the backup actually works – an untested backup is a hope, not a plan.
5 Common Pitfalls When Deploying Graylog
Most of what goes wrong with a first Graylog deployment isn’t exotic – it’s one of a handful of predictable mistakes that the official documentation mentions in passing but that are easy to skip past when you’re moving quickly through a new stack. Here are the five that account for the majority of “why isn’t this working” support threads.
- Secret mismatch between Graylog and the Data Node. If
GRAYLOG_DATANODE_PASSWORD_SECRETdoesn’t exactly matchGRAYLOG_PASSWORD_SECRET, the two services fail to trust each other and the failure mode is a vague connection error, not an obvious “secrets don’t match” message. - Skipping the kernel tuning in Step 1. Without a raised
vm.max_map_count, the Data Node’s bundled OpenSearch will crash-loop on startup, and the Graylog server logs will just show it endlessly retrying a connection. - Running an unsupported self-managed OpenSearch version. If you skip the bundled Data Node and point Graylog 7.1 at a self-managed OpenSearch cluster, staying within Graylog’s supported compatibility range matters – running a newer major OpenSearch release than Graylog has certified against is a common source of subtle breakage. The Data Node exists specifically so most self-hosters never have to think about this.
- Exposing port 9000 directly to the internet. The stack in Step 4 runs over plain HTTP with no authentication in front of it beyond Graylog’s own login. Put a reverse proxy with TLS in front of anything reachable outside your own network.
- Never configuring rotation and retention. This is the single most common reason a healthy Graylog install turns into a disk-full outage a few months in – set your rotation strategy in Step 13 before you forget it exists.
Troubleshooting Graylog: 8 Common Issues
When something isn’t working, resist the urge to start tearing down containers. Nearly every issue below is diagnosable from docker compose logs output alone, and the fix is almost always a configuration value rather than a reason to reinstall the whole stack from zero.
| Symptom | Likely Cause | Fix |
|---|---|---|
| Graylog container restarts in a loop | Data Node / OpenSearch isn’t reachable yet on first boot | Check docker compose logs datanode; give it another minute before troubleshooting further |
| “Could not connect to MongoDB” | Wrong GRAYLOG_MONGODB_URI, or the MongoDB container isn’t ready | Verify the URI in .env; check docker compose logs mongodb |
| Preflight screen never becomes the full UI | Preflight password wasn’t accepted, or the Data Node connection wasn’t confirmed | Re-check docker compose logs graylog | grep -i preflight and retry the wizard |
| An input shows 0 messages | Firewall blocking the port, wrong protocol, or the port isn’t published in Compose | Re-test with the nc command from Step 8; confirm the port mapping in docker-compose.yml |
| High memory usage or OOM kills | OpenSearch heap sized for a larger host than you actually have | Lower the Data Node’s heap allocation to match available RAM, or move to a larger host |
| A Sigma rule is imported but never fires | The rule references a field name your logs don’t actually produce | Confirm the exact field name in Search before importing the rule |
| Alerts configured but no notification arrives | No notification attached to the event definition, or the webhook URL is unreachable | Open the event definition’s Notifications tab and use Test Notification |
| Disk usage climbs steadily with no ceiling | No index rotation or retention strategy configured | Set both under System > Indices, as covered in Step 13 |
Advanced Tips for Production Graylog Deployments
Once the single-host setup above is stable, a few upgrades are worth planning for before you’re forced into them by growth. Run a multi-node Data Node / OpenSearch cluster rather than a single instance if you need high availability – a single-node search backend is a single point of failure no matter how good your MongoDB backups are. If you have branch offices or edge locations generating logs faster than a WAN link comfortably handles, the Graylog Forwarder is a lightweight component built to buffer and forward from remote sites without running a full Graylog server there.
On the detection side, GeoIP enrichment on source IP fields turns a raw address into a country and city you can actually reason about during an investigation, and Sigma Correlation – layered on top of individual Sigma rules – lets you detect patterns across multiple related events rather than single-message matches. For access control in a multi-team environment, wire in LDAP, Active Directory, or SSO rather than sharing one admin login, and use Graylog’s role-based permissions to scope who can see which streams – a platform team, an application team, and a security team rarely need the same view into the same raw logs, and Graylog’s dashboards and saved Views let you give each group its own lens on the same underlying data without duplicating the ingestion pipeline three times. Finally, if compliance requires you to keep logs far longer than it makes sense to keep them fully indexed, the Azure Blob Storage archive tier introduced in 7.1 is worth setting up early – migrating a policy in after you already have a year of hot indices is far more painful than starting with cold storage from day one.
It’s also worth planning for cost, not just capability. Graylog Open has no license fee, but it isn’t free in the sense of “requires no ongoing attention” – someone has to own index sizing, OpenSearch cluster health, and rotation policy the same way they would for a self-managed Elasticsearch deployment. Weigh that operational cost against what the equivalent ingestion volume would cost on a per-gigabyte commercial platform before assuming self-hosting is automatically the cheaper option at scale; for small-to-mid log volumes it usually is, but the crossover point depends heavily on how much engineering time you’re already paying for elsewhere.
Frequently Asked Questions
Is Graylog actually free?
Graylog Open – everything this tutorial deploys – is free to self-host, licensed under the SSPL rather than a traditional GPL license. Graylog also sells paid Small Business, Enterprise, Cloud, and API Security tiers with features like archiving, audit logging, and managed hosting on top of the same core.
Is Graylog a SIEM?
Graylog itself now describes its positioning as “TDIR” – threat detection, investigation, and response – rather than a traditional SIEM. In practice it’s a centralized log-management platform with Sigma-rule detection and alerting layered on top, which is close enough to SIEM territory that market trackers group it alongside Splunk Enterprise Security and Elastic Security, even though its architecture (no host agents by default) differs from an agent-based tool like Wazuh.
How much RAM does Graylog actually need?
A lab instance runs on 4 GB, but that’s the floor, not a comfortable number. Budget 16 GB for a small production deployment handling a handful of servers, and 32 GB or more once you’re centralizing logs from multiple teams – nearly all of that memory goes to OpenSearch, not the Graylog server process itself.
Can I run Graylog without Docker?
Yes – Graylog publishes native packages for common Linux distributions alongside the Docker images used in this tutorial. Docker Compose is simply the fastest path to a working stack without manually installing and coordinating MongoDB, OpenSearch, and the Graylog server as separate system services.
What’s the real difference between Graylog Open and Graylog Enterprise?
Graylog Open covers the full pipeline this tutorial builds: ingestion, search, pipelines, Sigma-rule detection, and alerting. Enterprise and the paid Cloud tiers add features oriented at larger organizations – archiving to cold storage, detailed audit logging, and role-based access controls beyond what the free tier ships with, plus the option to have Graylog host the infrastructure for you.
Does Graylog support Sigma rules natively, or is that a plugin?
It’s native. Sigma rules are wired directly into Graylog’s event-processing engine, and importing one automatically generates the matching event definition needed for alerting – there’s no separate plugin or converter step required, whether you add a rule manually, import it from a Git repository, or upload a file.
How long does Graylog keep logs by default?
There’s no default retention window – a fresh install will keep everything until the index set fills the rotation limit you configure, or indefinitely if you never set one. That’s exactly why Step 13 in this tutorial has you set a rotation and retention strategy explicitly rather than relying on any built-in ceiling.
Is the SSPL an open source license?
Not by the Open Source Initiative’s definition – the SSPL has not been approved by the OSI, largely over concerns about the obligations it places on anyone offering the software as a hosted service. Graylog itself remains free to download, self-host, and modify; the license mainly affects cloud providers who want to resell it as a managed offering.
Related Coverage
- Wazuh Tutorial: Free SIEM in 14 Steps, 40 Min [2026] – an agent-based alternative with file-integrity monitoring built in
- CrowdSec: Block Malicious IPs in 12 Steps, 40 Min [2026] – a collaborative host-level intrusion prevention layer that pairs well with Graylog as a log source
- Fail2ban: Stop SSH Brute-Force in 12 Steps, 30 Min [2026] – a lightweight complement for SSH-specific brute-force protection
- Trivy Tutorial: Scan Containers in 12 Steps, 30 Min [2026] – container vulnerability scanning for the images you’re already logging
- Cisco SD-WAN: 7 Zero-Days, 2 at CVSS 10 [2026] – a reminder of why centralized log visibility across network gear matters
- The Gentlemen Ransomware: 483 Victims, 90% Cut [2026] – the kind of incident a properly alerted Sigma rule is built to catch early
- More Cybersecurity Coverage – additional tutorials and news from tech-insider.org’s cybersecurity desk


