Logging – Graylog vs ELK
I’ve been dealing with logging a lot recently. Mainly audit logging for security/governance reasons but also logging for performance and support. I probably put 2-3 months total into setting up logging to meet all our FedRAMP requirements. Even though we settled on Graylog I wouldn’t count ELK out for the count.
Logging with Graylog
I’m going to go over Graylog first since it’s the logging solution we ended up with. We’re using filebeats to forward files to Graylog over TLS. It was actually a HUGE pain getting TLS to work with Graylog but I won’t get into that too much now. All I can say, is if you want Graylog with TLS then your best bet is with filebeats.
The primary reason we chose Graylog was because it comes with authentication/authorization built in and for free. That was a deal breaker for us due to FedRAMP requirements and ELK requires Shield or X-Pack. Graylog also takes a bit more to get setup. We opted for separate Elasticsearch Nodes so our current Graylog setup is 7 total nodes: 3 Graylog, 4 Elasticsearch (We’re likely adding a few more ES nodes soon). You can probably get away with only 3 nodes if you configure them properly and run Elasticsearch on the same nodes as Graylog.
Logging with ELK Stack
Although we didn’t go with ELK I do prefer it for non-audit logging. With ELK I had a demo stood up with only 3 nodes, which were all Elasticsearch and one with Kibana. Logstash works great for parsing logs and making sense of all the different data.
Personally I don’t mind sending logs over plain text when it’s within a private network, but once again FedRAMP blocked that. I had no issues getting logs to Logstash over TLS and then forwarding them from Logstash locally to Elasticsearch.
I was really close to setting up authentication via httpd and ldap but time constraints forced us into Graylog.
Key Differences
Built in authorization and authentication won it for Graylog in my current use case. Graylog feels like it’s more built for the System Administrator with a lot of the setup and log parsing built into the UI. ELK feels more built for developers where you can use logstash to parse logs. The lighter infrastructure of ELK also makes me like it more, Graylog is huge and the server end of it is more complicated to setup.
In the future, I’ll be turning to ELK for my logging needs, unless I need authorization/authentication, than it’s Graylog.