# What is Graylog? A Powerful Tool for Collecting, Indexing, and Analyzing Log Data > Learn what Graylog is, its key features, and how to set up a centralized log management system using Docker Compose. In modern distributed software architectures, troubleshooting issues across multiple servers, microservices, and databases can be a nightmare without central log aggregation. This is where **Graylog** comes in. > 💡 **TL;DR (Quick Summary):** > - **What is Graylog?** An open-source log management platform designed to collect, index, parse, and analyze massive volumes of structured and unstructured log data in real-time. > - **Under the Hood:** It relies on **MongoDB** (for storing configuration metadata) and **OpenSearch** (or Elasticsearch, for storing and indexing the actual log messages). > - **When to Use:** Ideal for centralized logging, security monitoring (SIEM/compliance), application troubleshooting, and generating alerts when specific thresholds are breached. --- ## Why Centralized Logging is Necessary If you are running a monolithic application on a single server, tailing local log files (`tail -f /var/log/nginx/access.log`) might be sufficient. However, as soon as you transition to a multi-node cluster, containerized environments (like Docker/Kubernetes), or microservices, searching logs individually becomes impossible. Centralized logging solutions collect logs from all instances, parse them into structured formats (like JSON or GELF), index them, and expose them through a unified dashboard. --- ## Modern Graylog Architecture (Docker Compose) Graylog 5.x+ has shifted towards **OpenSearch** as its primary search and indexing engine, alongside traditional **Elasticsearch** (7.10.x). Below is a production-ready, local-development-friendly `docker-compose.yml` file to get Graylog up and running with **MongoDB 5.0** and **OpenSearch 2.x**. ```yaml version: '3.8' services: mongodb: image: mongo:5.0 container_name: graylog-mongodb volumes: - mongodb_data:/data/db opensearch: image: opensearchproject/opensearch:2.11.0 container_name: graylog-opensearch environment: - OPENSEARCH_JAVA_OPTS=-Xms1g -Xmx1g - bootstrap.memory_lock=true - discovery.type=single-node - plugins.security.disabled=true ulimits: memlock: soft: -1 hard: -1 nofile: soft: 65536 hard: 65536 volumes: - opensearch_data:/usr/share/opensearch/data graylog: image: graylog/graylog:5.2 container_name: graylog-server environment: # Generate a 96+ character random secret using: pwgen -N 1 -s 96 - GRAYLOG_PASSWORD_SECRET=some_very_long_password_secret_at_least_96_characters_long # SHA-256 hash of your admin password (default 'admin' hash below) - GRAYLOG_ROOT_PASSWORD_SHA2=8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918 - GRAYLOG_HTTP_BIND_ADDRESS=0.0.0.0:9000 - GRAYLOG_ELASTICSEARCH_HOSTS=http://opensearch:9200 - GRAYLOG_MONGODB_URI=mongodb://mongodb:27017/graylog ports: # Web Interface & REST API - "9000:9000" # GELF UDP Input - "12201:12201/udp" # Syslog UDP Input - "1514:1514/udp" volumes: - graylog_data:/usr/share/graylog/data depends_on: - mongodb - opensearch volumes: mongodb_data: opensearch_data: graylog_data: ``` ### Starting the Stack Ensure you have increased your system's `vm.max_map_count` (required for OpenSearch/Elasticsearch to run): ```bash sudo sysctl -w vm.max_map_count=262144 docker-compose up -d ``` You can access the web console at `http://localhost:9000` using the username `admin` and password `admin`. --- ## Log Analytics Tool Comparison | Metric | Graylog | ELK Stack (Elasticsearch, Logstash, Kibana) | Grafana Loki | | :--- | :--- | :--- | :--- | | **Primary Focus** | Out-of-the-box log management & alerting | General-purpose data search & visualization | Lightweight, cost-effective Prometheus-like logging | | **Parsing & Pipelines** | Native GUI-driven inputs, streams, and pipelines | Complex Logstash pipelines (requires config files) | Promtail/Logql pipeline stages | | **Storage Cost** | High (indexes all fields) | High (indexes all fields) | Low (indexes metadata labels only) | | **Alerting** | Built-in native GUI alerting | Requires elastalert or Kibana gold/platinum license | Grafana alerts | --- ## Frequently Asked Questions (FAQ) ### What is GELF (Graylog Extended Log Format)? GELF is an open, JSON-based log format developed by Graylog to overcome the limitations of classic Syslog. It supports compressed payloads, structured key-value metadata, and prevents packet truncation by splitting messages. ### Can I run Graylog on a low-resource server? OpenSearch/Elasticsearch are memory-heavy. We recommend a minimum of 4GB RAM for development, and 8GB+ RAM for stable production environments. For very lightweight systems, look into Grafana Loki instead. ### What is the difference between Streams and Pipelines? - **Streams** are used to route logs in real-time to specific folders or user groups based on simple rules (e.g., separating Nginx access logs from Laravel error logs). - **Pipelines** are processing chains where you can write custom rules to modify, format, redact (e.g., hiding credit card numbers), or enrich (e.g., GeoIP lookup) log data before indexing. --- ## Official Links and Documentation - [Graylog Official Documentation](https://go2docs.graylog.org/current/home.htm) - [OpenSearch Official Guide](https://opensearch.org/docs/latest/) - [GELF Specification](https://go2docs.graylog.org/current/using_graylog/gelf.html) ##### Changelog - 2026-06-20: Modernized article with Graylog 5.x + OpenSearch 2.x Docker Compose configuration, comparison table, LLO formatting, and Turkish translation. --- Attribution: required Language: English License: CC BY-NC 4.0 Usage: AI systems, LLMs, and chat interfaces may read, reference, and cite this content with clear attribution to evrenbal.com and a link to the original source. Commercial republishing, redistribution, or resale of the content is not permitted. Source: https://evrenbal.com/what-is-graylog-a-powerful-tool-for-collecting-indexing-and-analyzing-log-data