Graylog2 and Party Gorilla

I discovered Splunk about 6 months ago, and aside from the unfortunate name and the truly evil pricing model, I was quite taken with the app itself: a searchable, real-time interface to a centralized logging server.

I read about Logstash and Graylog2 a few months back, which seemed to offer similar functionality, but I had never had the time or opportunity to implement either until now. There are many moving pieces, so it can be a bit confusing at first, but the confusion simply stems from the flexibility you have in wiring the components together. I found the explanation on this blog piece to be the simplest description of how the components can be connected.

Graylog2 by itself can take the place of your central syslog server. It depends on quite a few other pieces of software to run – Elasticsearch for indexing and search, MongoDB for its own metadata, and some Ruby gems for the web interface – so even in this most simplified setup there are still quite a few steps to getting it up and running. There are several tutorials online and linked from the Graylog2 website; the one I followed, and would highly recommend, is this blog post. It took me a few hours from initial futzing around to having a working setup.

If you already have a central syslog server up and running, you might not be so keen to reconfigure all your hosts (why not? you’re running Puppet, surely! :) – in which case you can configure rsyslog or syslog-ng on that server to forward to your Graylog2 server, or alternatively use Logstash to parse, optionally transform, and forward your syslog traffic. This post has some decent info on setting things up that way. One caveat whichever route you pick: plain syslog forwarding over UDP is neither encrypted nor authenticated, so keep the forwarding path on a trusted network segment or use a TCP transport with TLS.
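To make the "parse, transform, forward" path concrete, here is a small Python script that does by hand what Logstash does in that setup: it parses BSD-format syslog lines (the format rsyslog and syslog-ng emit by default), pulls out the facility, severity, host, program and PID, optionally enriches the event, and packs it into a zlib-compressed GELF message of the kind Graylog2's GELF UDP input accepts. This is an added example written for this post, not Graylog2 or Logstash code. The Graylog2 host name `graylog.example.com`, the port 12201, the sample log lines and the `_src_ip` enrichment are all assumptions made for the example.

```python
import json
import re
import socket
import zlib
from datetime import datetime, timezone

# Constructed sample lines in BSD syslog format; the third one is deliberately malformed.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 web01 sshd[2021]: Failed password for root from 10.0.0.7 port 51234 ssh2",
    "<13>Oct 11 22:14:16 db01 su: pam_unix(su:session): session opened for user postgres by admin(uid=1000)",
    "not a syslog line at all",
]

# <PRI>MMM DD HH:MM:SS host tag[pid]: message   (pid is optional)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)

# Syslog facility codes 0..23 in order (RFC 3164 / RFC 5424).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp security console solaris-cron local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()

MAX_DATAGRAM = 8192  # larger GELF messages must be chunked; this example does not chunk


def parse_syslog(line, year=None):
    """Return a dict of syslog fields, or None if the line is not BSD syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest valid PRI is 23*8 + 7
        return None
    facility, severity = divmod(pri, 8)
    # BSD syslog timestamps carry no year; the caller supplies one (defaults to now).
    year = year or datetime.now(timezone.utc).year
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": ts.replace(tzinfo=timezone.utc),  # assumption: sender logs in UTC
        "host": m.group("host"),
        "program": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def to_gelf(event, short_len=80):
    """Map a parsed syslog event onto GELF fields; custom fields get a leading underscore."""
    return {
        "version": "1.0",
        "host": event["host"],
        "short_message": event["message"][:short_len],
        "full_message": event["message"],
        "timestamp": event["timestamp"].timestamp(),
        "level": event["severity"],  # GELF level uses syslog severity numbering
        "facility": FACILITIES[event["facility"]],
        "_program": event["program"],
        "_pid": event["pid"],
    }


SRC_IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def enrich(gelf):
    """Example transform: lift a source IP out of the message into its own searchable field."""
    m = SRC_IP_RE.search(gelf["full_message"])
    if m:
        gelf["_src_ip"] = m.group(1)
    return gelf


def encode_gelf(gelf):
    """zlib-compressed JSON, which is what a GELF UDP input expects in one datagram."""
    payload = zlib.compress(json.dumps(gelf).encode("utf-8"))
    if len(payload) > MAX_DATAGRAM:
        raise ValueError("GELF message exceeds one datagram; chunked GELF is required")
    return payload


def decode_gelf(payload):
    """Inverse of encode_gelf, handy for checking what would hit the wire."""
    return json.loads(zlib.decompress(payload).decode("utf-8"))


def process_lines(lines, year=None):
    """Parse, enrich and encode; lines that do not parse are skipped, not sent as garbage."""
    payloads = []
    for line in lines:
        event = parse_syslog(line, year)
        if event is not None:
            payloads.append(encode_gelf(enrich(to_gelf(event))))
    return payloads


def send_gelf(payload, host="graylog.example.com", port=12201):
    """Fire one datagram at the (assumed) Graylog2 GELF UDP input."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(payload, (host, port))
    finally:
        sock.close()


if __name__ == "__main__":
    for p in process_lines(SAMPLE_LINES):
        print(decode_gelf(p))  # replace with send_gelf(p) to actually forward
```

Run it as-is and it prints the decoded GELF documents for the two valid sample lines and silently drops the malformed one; swap the `print` for `send_gelf(p)` to forward to a real input. Note that GELF over UDP has the same weakness as plain syslog forwarding: nothing on the wire is authenticated, so anything that can reach port 12201 can inject events into your search index.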

But of course, the most important thing is that they have a “motherfucking party gorilla with a motherfucking party hat” for their logo, and how can you argue with that??!

( Here’s why! )
