// the find
Graylog2/graylog2-server
Free and open log management
Graylog is a centralized log management platform built on top of OpenSearch/Elasticsearch and MongoDB, targeting ops teams and security teams who need to collect, search, and alert on logs at scale. It handles GELF, syslog, AMQP, Kafka, and a dozen other input types out of the box. The target user is a team that has outgrown shipping logs directly to the ELK stack and wants a purpose-built UI and pipeline on top.
The input/pipeline system is genuinely well-designed — you can parse, transform, and route messages with extractors and processing pipelines before they hit storage, which saves a lot of post-hoc query pain. GELF (Graylog Extended Log Format) is a structured alternative to syslog that handles chunking and compression natively, and the ecosystem around it is mature. The alerting engine supports correlating events across streams with a configurable event definition system, not just simple threshold alerts. Active development cadence is real — the 5.x changelog is dense with actual bug fixes and security patches, not just cosmetic work.
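To make the "chunking and compression natively" point concrete, here is an added example (not code from the Graylog project) that builds a GELF 1.1 message, gzip-compresses it, splits it into chunked datagrams with the standard 12-byte chunk header (magic `0x1e 0x0f`, 8-byte message id, sequence number, sequence count), and reassembles chunks that arrive out of order. The 8192-byte datagram size is an assumed default for illustration, the "keep the first copy of a duplicated chunk" rule is this example's own policy, and all message content is constructed. The receiver side drops messages with missing or inconsistent chunks instead of parsing a partial body, which is the failure mode a log collector actually has to account for when GELF runs over UDP.

```python
"""Added example: GELF 1.1 encoding, gzip compression, chunking and reassembly.

Not Graylog code. The chunk header layout and the 128-chunk limit follow the
GELF specification; the datagram size is an assumed value for the demo.
"""
import gzip
import json
import os
import struct

GELF_CHUNK_MAGIC = b"\x1e\x0f"  # first two bytes of every chunked GELF datagram
GZIP_MAGIC = b"\x1f\x8b"        # gzip stream header, used to detect compression
CHUNK_HEADER_LEN = 12           # magic(2) + message id(8) + seq no(1) + seq count(1)
MAX_CHUNKS = 128                # GELF allows at most 128 chunks per message
CHUNK_SIZE = 8192               # assumed UDP datagram size for this example


def build_gelf(host, short_message, full_message=None, level=6, **extra):
    """Return the JSON body of a GELF 1.1 message as UTF-8 bytes.

    Additional fields get the '_' prefix the spec requires; '_id' is reserved.
    """
    if "id" in extra:
        raise ValueError("'_id' is reserved by GELF and cannot be an additional field")
    msg = {"version": "1.1", "host": host, "short_message": short_message, "level": level}
    if full_message is not None:
        msg["full_message"] = full_message
    msg.update({"_" + key: value for key, value in extra.items()})
    return json.dumps(msg).encode("utf-8")


def chunk_gelf(payload, chunk_size=CHUNK_SIZE, message_id=None):
    """Split a (possibly gzip-compressed) body into chunked GELF datagrams."""
    if message_id is None:
        message_id = os.urandom(8)  # shared by every chunk of this message
    if len(message_id) != 8:
        raise ValueError("GELF message id must be exactly 8 bytes")
    data_len = chunk_size - CHUNK_HEADER_LEN
    pieces = [payload[i:i + data_len] for i in range(0, len(payload), data_len)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError(f"message needs {len(pieces)} chunks, GELF allows {MAX_CHUNKS}")
    return [GELF_CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def decode_gelf_body(body):
    """Decompress a gzip body if present, then parse the JSON document."""
    if body[:2] == GZIP_MAGIC:
        body = gzip.decompress(body)
    return json.loads(body.decode("utf-8"))


def ingest_datagrams(datagrams):
    """Parse GELF datagrams (chunked or not) arriving in any order.

    Returns (messages, dropped): parsed message dicts, and the set of message
    ids discarded because their chunks were inconsistent or incomplete.
    """
    messages, partial, dropped = [], {}, set()
    for dg in datagrams:
        if dg[:2] != GELF_CHUNK_MAGIC:
            messages.append(decode_gelf_body(dg))  # unchunked: whole datagram is the body
            continue
        if len(dg) < CHUNK_HEADER_LEN:
            continue  # truncated header, cannot attribute it to any message
        mid, seq, count = dg[2:10], dg[10], dg[11]
        if count == 0 or count > MAX_CHUNKS or seq >= count:
            dropped.add(mid)
            continue
        entry = partial.setdefault(mid, {"count": count, "parts": {}})
        if entry["count"] != count:
            dropped.add(mid)  # chunks of one id disagree on the total: poison the message
            continue
        entry["parts"].setdefault(seq, dg[CHUNK_HEADER_LEN:])  # keep first copy of a duplicate
    for mid, entry in partial.items():
        if mid in dropped or len(entry["parts"]) != entry["count"]:
            dropped.add(mid)  # a missing chunk means the body is not reconstructable
            continue
        body = b"".join(entry["parts"][i] for i in range(entry["count"]))
        messages.append(decode_gelf_body(body))
    return messages, dropped


def demo():
    """Round-trip a constructed event through compression, chunking and reassembly."""
    body = build_gelf("web-01", "login failed", full_message="constructed " * 200,
                      level=4, user="alice", src_ip="10.0.0.5")
    datagrams = chunk_gelf(gzip.compress(body), chunk_size=64)
    messages, dropped = ingest_datagrams(reversed(datagrams))  # deliberately out of order
    return messages, dropped, len(datagrams)


if __name__ == "__main__":
    msgs, bad, n = demo()
    print(f"{n} chunks, {len(msgs)} messages reassembled, {len(bad)} dropped")
    print(msgs[0]["short_message"], msgs[0]["_user"], msgs[0]["_src_ip"])
```

A receiver that counts `dropped` ids over time has a direct measure of UDP loss on the GELF input, which is worth alerting on by itself: a burst of incomplete messages is as much a visibility gap as a stopped input.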
The license is SSPL, not Apache or MIT — MongoDB used this same move to restrict cloud hosting, and it has the same effect here: you can self-host freely, but building a managed service on top puts you in legal grey territory. The dependency on OpenSearch/Elasticsearch plus MongoDB means you're running three separate systems before you even get to Graylog itself; the operational overhead is real and the memory footprint is substantial even for modest log volumes. The 'free' tier is increasingly a funnel into Graylog Cloud — features like threat intelligence and certain content packs are enterprise-only, and the boundary shifts between versions. Upgrade paths between major versions have historically been painful, with mandatory intermediate version hops and index migrations that block on the old cluster being healthy.