Graylog Product Adoption Guide

This document provides an overview and getting started guide for users of the Graylog Enterprise log management solution. It describes Graylog's capabilities for log collection, storage, enrichment and analysis. It recommends starting with a single server installation and provides tips on planning use cases, connecting data sources, and preparing for production use within the 5GB per day limit.

GRAYLOG ENTERPRISE PRODUCT ADOPTION GUIDE
Thank you for downloading and installing Graylog Enterprise. Graylog is a purpose-built solution that delivers
the best in class log collection, storage, enrichment, and analysis. We’re glad you’re here, and we look forward
to helping you improve your organization’s security, compliance, and system performance with centralized
log management.

You will find Graylog is considerably faster and easier for your entire IT organization, from system
and network admins to security analysts, so let's get started!

WITH THE ENTERPRISE EDITION, YOU GET:

Scheduled Reports
Customized dashboards in your inbox

Views
Groups of saved searches that eliminate the need for complex workflows

Auditing
Keep track of every action performed by a Graylog user for compliance purposes

Archiving
Easily store and retrieve older data offline to lower costs

Data Forwarder
Quickly move large amounts of data between multiple Graylog instances for consolidation across large,
multi-tenant, or geographically-dispersed environments

ABOUT THIS GUIDE
This guide is designed to be a complement to our product documentation (located here). If you've
gotten this far, then you've already managed to install Graylog and provide us with your cluster
ID to get an enterprise license. The focus here is to provide some tips and tricks to get you up and
running in a test environment as quickly and as successfully as possible.
GRAYLOG ARCHITECTURE
At this stage, we recommend using the standard Graylog architecture on a single server, or you can try the
OVA. As a reminder, Graylog is pretty simple, made up of three components that allow for quick setup and easy
maintenance, while allowing for expansion to very large, complex structures.

- Graylog server for the web UI and management
- MongoDB to store configuration information
- Elasticsearch to store the logs and allow for quick searching

[Figure: Collection -> Enrichment -> Analysis, Action, and Storage]

When it is time for production, you will install Elasticsearch on its own server for performance and high
availability reasons. For large and/or complex environments, you may also need to set up multiple Graylog
servers - we're here to help you with that.
PLANNING
Whether you are conducting a Proof of Concept for a large implementation or installing in a Test environment
in preparation for a production system that will remain under 5GB per day, there are some basics to
have ready:

- A project plan, or at least a high-level timeline of when you want to be in production and how you are going
  to get there
- A list of all the people that need to be involved to get you the info you need and access to the necessary
  endpoints
- A clear set of success criteria, including interim project criteria and key use cases
- 3-5 data sources that you can access from your Test environment and that mirror the data sources you will
  collect logs from in production
- The data collectors you want to use to send log messages to Graylog (you can centrally manage all
  collectors from the Graylog admin console)
USE CASES
Graylog can be used to perform many use cases, from Security to Network & Telecomm to Application
performance optimization. To help in the planning process, here are a few examples of the most common
ways Graylog is used:

- DNS Tunneling Observation and Reporting
- Privilege Escalation Monitoring
- Compliance Mandates
- Website Performance Troubleshooting
- Network or Server Error Monitoring and Alerting
- User Lockouts, Failed Password Attempts
DATA SOURCES
We recommend testing a variety of log sources to show the maximum value of Graylog to all parts of your IT
organization. Here are a few examples, but a more extensive list can be found in the documentation.

- Security: firewalls, endpoint security, operating systems, IDS/IPS, web proxies, and authentication sources
- Ops: off-the-shelf applications, flow traffic, and network devices
- DevOps: custom applications, load balancers, automation systems, and business logic
DATA INPUT
With such a rich variety of quality, free data collectors out there, including many built in by the manufacturers,
Graylog has chosen not to build its own. Instead, we have focused on making sure it is easy to centrally
deploy and manage those collectors at scale. Graylog supports many input types out of the box and can collect
any log in any format when it comes in through these inputs:

- Syslog (TCP, UDP, AMQP, Kafka)
- GELF (TCP, UDP, AMQP, Kafka, HTTP)
- AWS - AWS Logs, FlowLogs, CloudTrail
- Beats/Logstash
- CEF (TCP, UDP, AMQP, Kafka)
- JSON Path from HTTP API
- Netflow (UDP)
- Plain/Raw Text (TCP, UDP, AMQP, Kafka)

More inputs are available in the Graylog Marketplace.

GETTING STARTED
With your test installation complete and plan in place, it's time to ingest and analyze data. This will be a limited
data set to get you up and running; we'll get you ready for all your data sources in the next phase.

1 Get data into Graylog by creating inputs for the 3-5 sources you identified in Planning.

2 Make sense of that data by parsing, organizing, and enriching log messages using Streams, Processing
  Pipelines, and Lookup Tables.

3 Create a few Dashboards, Reports, Views, and Alerts, and perform a few Searches to validate your success
  criteria. You will mostly build these in production as needed, once you have all data sources
  connected and have gathered user input.

4 Test a hardened Graylog environment and set up role-based access control (RBAC) if you need to
  segment which analysts can see which data.
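As an added example (not code from the Graylog guide or from Graylog itself), the script below ties together the GELF input listed under DATA INPUT and steps 1 and 2 above: it parses a constructed sshd "Failed password" line into structured fields of the kind you would otherwise extract in a Processing Pipeline, wraps them in a GELF 1.1 payload, and gzip-compresses it the way a GELF UDP input expects. The regular expression, the field names (src_ip, event_type, and so on) and the sample log line are this example's own choices; only the GELF envelope keys (version, host, short_message, timestamp, level, underscore-prefixed custom fields) come from the GELF specification.

```python
"""Added example, not part of the Graylog Product Adoption Guide.

Parses a constructed Linux sshd auth log line into structured fields and
builds a GELF 1.1 payload suitable for a Graylog GELF UDP input. The parser
and custom field names are assumptions made for this example.
"""
import gzip
import json
import re
import socket
import time

# GELF levels follow syslog severities: 0 = emergency ... 4 = warning ... 7 = debug.
GELF_LEVEL_WARNING = 4

# Constructed sample line in OpenSSH's sshd format; not a real capture.
SAMPLE_AUTH_LINE = (
    "Mar 10 14:02:11 web01 sshd[2193]: Failed password for invalid user admin "
    "from 203.0.113.45 port 51234 ssh2"
)

# Pattern for sshd failed-password lines; "invalid user" is only present when
# the account does not exist on the host. Example-specific, not a Graylog pattern.
FAILED_PW_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: Failed password for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<src_ip>\S+) "
    r"port (?P<src_port>\d+)"
)


def parse_failed_login(line):
    """Return structured fields for an sshd failed-password line, else None."""
    m = FAILED_PW_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "pid": int(m.group("pid")),
        "user": m.group("user"),
        "invalid_user": m.group("invalid") is not None,
        "src_ip": m.group("src_ip"),
        "src_port": int(m.group("src_port")),
        "event_type": "ssh_failed_password",  # assumed field name for later searches/alerts
    }


def build_gelf(line, fields, level=GELF_LEVEL_WARNING, timestamp=None):
    """Build a GELF 1.1 dict. version, host and short_message are mandatory;
    every custom field must be prefixed with '_' (GELF reserves '_id')."""
    payload = {
        "version": "1.1",
        "host": fields["host"],
        "short_message": line,
        "timestamp": timestamp if timestamp is not None else time.time(),
        "level": level,
    }
    for key, value in fields.items():
        if key in ("host", "id"):
            continue  # host is already the envelope host; _id is reserved
        payload["_" + key] = value
    return payload


def encode_gelf_udp(payload):
    """Serialize and gzip a payload for a GELF UDP input. Graylog recognises
    the gzip magic bytes. Datagrams above 8192 bytes need GELF chunking,
    which this example does not implement, so it refuses them instead."""
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    blob = gzip.compress(raw)
    if len(blob) > 8192:
        raise ValueError("payload exceeds one GELF UDP chunk; chunking required")
    return blob


def decode_gelf_udp(blob):
    """Inverse of encode_gelf_udp, used to verify what would be sent."""
    return json.loads(gzip.decompress(blob).decode("utf-8"))


def send_gelf_udp(blob, host="127.0.0.1", port=12201):
    """Send one datagram to a GELF UDP input (12201 is the port Graylog's
    input form proposes by default)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(blob, (host, port))


if __name__ == "__main__":
    fields = parse_failed_login(SAMPLE_AUTH_LINE)
    payload = build_gelf(SAMPLE_AUTH_LINE, fields)
    print(json.dumps(payload, indent=2))
    # send_gelf_udp(encode_gelf_udp(payload))  # uncomment with a GELF UDP input running
```

Once a GELF UDP input is running on the test server, the underscore-prefixed fields (_user, _src_ip, _event_type) arrive as regular message fields, so a Stream rule or Alert on `event_type` and `src_ip` can be validated against this one line before the real data sources are connected.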
PREPARE FOR PRODUCTION
Where you go from here somewhat depends on your purpose in requesting a free Enterprise license. If you
have been conducting a self-service Proof-of-Concept, this is a good time to pause and contact us if you
haven't already.

If you plan to stay under 5GB / day, then it's time to get ready for production.

- Refresh or build a quick project plan and re-evaluate your success criteria for the move to production
- Create a complete list of production data sources - type, version #, IP address, log type
- Get to know Graylog Sidecar to efficiently deploy, configure, and manage all your log collectors
- Architect for scale and integrate with the rest of your tech stack using load balancers, a multi-node setup,
  and our REST API
- Make sure you have a hardware plan based on the size of your environment; you can find
  recommendations in our sizing guide
- Configure audit logging to track all changes to Graylog itself for compliance purposes
- Ensure you have adequate storage capacity and configure archiving for offline, inexpensive storage of
  older data
- Install a separate instance of Graylog in production - we support a wide variety of packages,
  environments, and change management tools here
- Use Content Packs to migrate configurations and any work you want to keep, or add extensions from the
  Marketplace

For further help, please reach out to your Account Rep, or check out our online documentation.
Happy Logging!

www.graylog.com | [email protected] | 708 Main Street, Houston, TX 77002


© 2019 Graylog, Inc. All rights reserved.
