The Graylog blog

Centralized Logging – Knowing When Less is More

A lot of firms collect massive amounts of data every day (up to billions of events) to improve their security efforts, enhance their business intelligence, and refine their marketing strategies. Their log storage drives are so big that some of them even brag about the size, to show their public and clients how advanced their technologies are. But what’s the point of storing petabytes of data when you cannot measurably make sense of it? Tons of security alerts and incident reports are pointless when you can’t deal with them all quickly enough.

On the contrary, collecting an enormous amount of data strains your finances, overwhelms your staff, and bloats your organization with additional and often pointless work. Centralized logging is critical to get the most out of your logs, and filter for only the most useful and interesting data because sometimes less is just more.


If you’re asking yourself whether centralized logging is worth all the effort, well, the answer is just “Yes.” Log records are a key piece in any robust security strategy, and placing them all in a single location greatly simplifies all the log analysis and correlation tasks. It allows you to obtain a much more granular overview of the current situation, and keep everything you always need at hand.

But it also improves your business’s security, providing you a safe and secure place to store all your log data. Cybersecurity is all about mitigation, and even if a network or a single machine is compromised, the wanna-be hacker won’t be able to access the logs safely stashed in your central log repository. Cybercriminals will also have a much harder time erasing their intrusion traces since they cannot delete system logs so easily when all data is stored in a single location. When logs are centralized, the management software can easily take into account the entire organization’s infrastructure at the same time, including its different units, improving the overall visibility and enhancing the cyber posture.

Storing centralized data is also a much more efficient solution. Most routers and firewalls must save some buffer for logs, increasing their burden as space is not unlimited. Old records get discarded all the time to make space, but the newest ones still eat up precious disk space on most machines. Centralized loggers have a much greater storage capacity, but what’s even better, they can identify suspicious patterns since they can evaluate information in much larger time intervals.


Many companies who have distributed servers need to design a centralized logging architecture to find a more efficient method to transfer and aggregate logs from different sources. A centralized location that stores all aggregated logs in a single place allows for real-time access, which significantly improves a firm’s ability to troubleshoot problems, but a solid plan that establishes the best practices for centralized logging is necessary. For example, did you know that simply copying your logs to a central location using Cron will force you to follow its schedule, preventing you from accessing them in real time? Syslogs may represent a better alternative since they will tell processes to send all log entries to centralized data to aggregate them. A central Syslog daemon can be set up on both clients and the network, using client-side daemons to forward all messages.

Availability of the central repository must be carefully taken into account beforehand – you don’t want to find yourself unable to access reliable storage of the retained information just when problems start occurring. At the same time, if your organization is large enough, the chance is that you have to deal with multiple domains, each one with different trust relations, authentication processes, and security levels. Some applications may have to run unattended, others should be accessed via VPN from home by remote employees, and some machines may not even be linked to the domain. If you operate in a multi-data center, repetitive migrations or redeployments of your platform will force you to choose an Infrastructure as a Code (IaaC) approach. This way any future system maintenance will always be kept clean and traceable. You should take all this into account before a large-scale log management deployment occurs.


Graylog can be easily integrated with any part of your infrastructure. Just drive your first messages into Graylog and then build your extraction pipeline. All streams can be checked at once (rather than on a per-server basis) to monitor whether they contain a specific message. The more information contained in that message, the more value that can be generated later on. Graylog offers multiple installation methods to centralize your logs, and each one of them comes with its own documentation to help you through each step of the process.

If you’re still confused on what is the best approach to centralize your logs, we’re here to help you. We can offer you training to teach you all the steps needed to fully implement the most efficient centralizing strategy needed in your environment.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog Blog delivered to your inbox once a month.