📊 SIEM & log management
Graylog
Polished open-source log management with strong search and dashboarding.
Why use it
Graylog Open is a clean, fast log platform with a search experience that beats most free SIEMs. The Cyentrix team recommends it when log volume matters more than out-of-the-box detections — Graylog's pipelines and dashboards are friendlier to non-experts than ELK.
What you get
- Centralised structured and unstructured log ingestion
- Pipeline-based parsing and enrichment
- Dashboards and saved searches per team
- Alerts via email, webhook, or Slack
- Sidecar agent for managing collectors at scale
System requirements
| Resource | Requirement |
|---|---|
| CPU | 4 cores |
| RAM | 8 GB minimum |
| Disk | 50 GB+ depending on retention |
| OS | Linux (Ubuntu, Debian, RHEL) |
| Docker | Yes |
Installation
The official Docker Compose file at docs.graylog.org/docs/docker brings up Graylog, MongoDB, and OpenSearch in one command. For a bare-metal install, put MongoDB and OpenSearch in place first, then add the Graylog APT/YUM repo and run graylog-server as a service. Either way, two settings must be filled in before graylog-server will start: password_secret (a random string, at least 16 characters and ideally 64 or more, used to encrypt stored credentials) and root_password_sha2 (the SHA-256 hex digest of the admin password). The docs generate the hash with echo -n yourpw | sha256sum; that works, but it leaves the password in your shell history, so read it from stdin instead. Put both values in server.conf on bare metal, or pass them to the compose stack as GRAYLOG_PASSWORD_SECRET and GRAYLOG_ROOT_PASSWORD_SHA2.
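The following is an added example, not code from the Graylog docs or the Cyentrix page: it generates password_secret and root_password_sha2 while keeping the admin password out of argv and shell history, and renders them for either server.conf or the compose environment. It assumes a POSIX shell with sha256sum (coreutils) or shasum (macOS/BSD); the "conf"/"env" format names are this example's own.

```sh
# Added example (not from the Graylog docs or the Cyentrix page): produce the two
# secrets graylog-server refuses to start without, reading the admin password from
# stdin so it never lands in argv or shell history.
#   password_secret    - random string used to encrypt stored credentials
#   root_password_sha2 - SHA-256 hex digest of the admin (root) password
# Assumes a POSIX shell with sha256sum (coreutils) or shasum (macOS/BSD).

# Hex SHA-256 of the first line on stdin with the newline stripped, so the result
# matches `echo -n pw | sha256sum` whether the password is piped or typed.
graylog_sha2() {
  if command -v sha256sum >/dev/null 2>&1; then
    head -n 1 | tr -d '\n' | sha256sum | cut -d' ' -f1
  else
    head -n 1 | tr -d '\n' | shasum -a 256 | cut -d' ' -f1
  fi
}

# 96-character alphanumeric password_secret from /dev/urandom; a dependency-free
# stand-in for the `pwgen -N 1 -s 96` the Graylog docs suggest.
graylog_password_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 96
}

# Render both settings as server.conf lines ("conf", the default) or as the
# environment variables the official Docker Compose file reads ("env").
# The password is read from stdin; an empty password is rejected.
graylog_secrets() {
  fmt="${1:-conf}"
  IFS= read -r pw || :
  [ -n "$pw" ] || { echo "refusing to hash an empty admin password" >&2; return 1; }
  secret="$(graylog_password_secret)"
  hash="$(printf '%s' "$pw" | graylog_sha2)"
  [ "${#hash}" -eq 64 ] || { echo "no working sha256 tool found" >&2; return 1; }
  case "$fmt" in
    conf) printf 'password_secret = %s\nroot_password_sha2 = %s\n' "$secret" "$hash" ;;
    env)  printf 'GRAYLOG_PASSWORD_SECRET=%s\nGRAYLOG_ROOT_PASSWORD_SHA2=%s\n' "$secret" "$hash" ;;
    *)    echo "unknown format: $fmt (use conf or env)" >&2; return 1 ;;
  esac
}

# Interactive use: prompt on stderr, disable echo, write only the settings to the
# target file, e.g. for the compose stack:
#   printf 'Admin password: ' >&2; stty -echo; graylog_secrets env > .env; stty echo; echo >&2
```

Append the "conf" output to /etc/graylog/server/server.conf (replacing the commented placeholders) or drop the "env" output into the .env file next to the compose file; in both cases keep the file readable only by the graylog user, since password_secret is what protects stored credentials.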
Suggested configuration
Retention in Graylog is a property of the index set, not the stream, so give noisy sources (syslog, firewall) their own index set with short rotation and retention, route them there with a stream, and keep security-relevant sources on a separate index set with longer retention; otherwise the noisy data evicts the critical data. Build pipeline rules that extract IPs, hostnames, and user fields into structured fields, and connect the pipeline to the stream that carries those messages: searches, dashboards, and later alert conditions all depend on those fields. Add a default dashboard for each source category (firewall, server, app) before adding detection rules.
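As an added example of the field-extraction step above (not code from the Graylog project or the Cyentrix page), here is a pipeline rule that turns an OpenSSH "Failed password" line into user, source IP and port fields, a local sed check of the same regex against a constructed sample line, and a helper that creates the rule through the Graylog REST API. Everything specific is assumed for the example: the Graylog URL in GRAYLOG_URL (default http://localhost:9000), an API token in GRAYLOG_TOKEN, the rule title, the field names, and the sample log line.

```sh
# Added example, not from the Graylog project or the Cyentrix page. Assumptions
# (all made up for the example): Graylog at $GRAYLOG_URL, an API token in
# $GRAYLOG_TOKEN, the rule/field names below, and the constructed sample line.

# Constructed sample line, typical of auth.log, that the rule is written against.
SAMPLE_LINE='Failed password for invalid user oracle from 203.0.113.45 port 51234 ssh2'

# One regex shared by the rule and the local check. Groups: 1 = optional
# "invalid user " prefix, 2 = user, 3 = source IP, 4 = source port. Only POSIX
# ERE constructs are used so the same pattern is valid for Graylog's Java regex.
FAIL_RE='^Failed password for (invalid user )?([^ ]+) from ([^ ]+) port ([0-9]+)'

# The rule in Graylog's pipeline rule language. regex() returns a match object:
# .matches is a boolean and capture groups are addressed as "0", "1", ... (so
# group 2 of the pattern is m["1"]). The heredoc is unquoted to splice in
# $FAIL_RE; $message is escaped so it reaches Graylog untouched.
pipeline_rule_source() {
  cat <<EOF
rule "sshd failed password to fields"
when
  has_field("message") && regex("^Failed password for", to_string(\$message.message)).matches
then
  let m = regex("${FAIL_RE}", to_string(\$message.message));
  set_field("user_name", m["1"]);
  set_field("source_ip", to_ip(m["2"]));
  set_field("source_port", to_long(m["3"]));
  set_field("event_outcome", "failure");
end
EOF
}

# Local sanity check of the regex with sed -E (the rule language itself only runs
# inside Graylog): prints "user ip port" for a matching line, nothing otherwise.
check_regex() {
  printf '%s\n' "$1" | sed -E -n "s/${FAIL_RE}.*/\2 \3 \4/p"
}

# Minimal JSON string escaping (backslash, double quote, newline) so the
# multi-line rule can be embedded in the request body without jq.
json_escape() {
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Request body for POST /api/system/pipelines/rule: title, description, source.
rule_payload() {
  printf '{"title":"%s","description":"%s","source":"%s"}\n' \
    "$(printf '%s' "$1" | json_escape)" \
    "$(printf '%s' "$2" | json_escape)" \
    "$(pipeline_rule_source | json_escape)"
}

# Create the rule. Graylog rejects write requests that lack X-Requested-By, and
# an API token is sent as basic auth with the literal password "token".
push_rule() {
  curl -fsS -X POST "${GRAYLOG_URL:-http://localhost:9000}/api/system/pipelines/rule" \
    -H 'Content-Type: application/json' -H 'X-Requested-By: cyentrix-cli' \
    -u "${GRAYLOG_TOKEN:?set GRAYLOG_TOKEN to a Graylog API token}:token" \
    --data-binary "$(rule_payload "$1" "$2")"
}

# Usage: check the regex locally, then create the rule and attach it to a stage of
# a pipeline connected to the stream that carries the sshd messages.
#   check_regex "$SAMPLE_LINE"
#   push_rule 'sshd failed password to fields' 'extract user, source IP and port from sshd failures'
```

The rule only sets fields; whether Graylog treats source_ip as an IP depends on the index mapping, so check the field type in the search view after the first messages flow through, and add a custom mapping if you want CIDR queries on it.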
Integration ideas
- Ship Wazuh alerts as a separate stream
- Ship Suricata EVE JSON with Filebeat into a Graylog Beats input, decoding the JSON on the Filebeat side so each EVE event arrives with its fields intact
- Forward critical alerts to TheHive via webhook
Alternatives
- Wazuh — Bundles SIEM + agents; weaker pure log search UX.
- Elastic Security — More features, steeper learning curve.
Cyentrix verdict
Best free option when you mostly want excellent log search and clean dashboards without writing detection logic on day one. Pair with Wazuh if you also need agents.