Vendor Spotlight: Graylog

Graylog began as an open-source package for log processing. As such, it is similar to the original Splunk. The management of Graylog must have noticed how Splunk has evolved from a non-profit organization to a multi-billion dollar enterprise and they are going for the same plan. As such, Graylog has added a paid version, while still offering its community-supported open-source tool. It has also generated a SIEM, which scans log messages for threats.

There are now four versions of Graylog:

• Graylog Open: a free, open-source log manager
• Graylog Enterprise: A cloud-hosted paid log manager
• Graylog Security: A cloud-based SIEM
• Graylog API Security: A vulnerability scanner for APIs

The evolution of Graylog is interesting because it follows the Splunk strategy so closely, so in explaining the history and trajectory of Graylog because the parallels are so clear.

Founding and Background

Graylog started off as a side project for Systems Architect, Lennart Koopmann, first as an idea he had in 2009 and then, as a project plan in May 2010. Which is the date that he now officially marks as the beginning of everything. Koopmann was living in Hamburg at the time and working at XING. He carried on working there all the way through his early development phase when he worked alone to create the log management tool.

Koopmann called his system Torch and he set up a holding company to properly manage the finances of the project. That company was called Torch GmbH and it was founded in late 2012. He pulled in a colleague from XING, a Swede called Haas Chapman, to help out. Chapman recalls his involvement starting in November 2012. So, by the time that Chapman came on board, there was already a system. In July 2013, the pair quit XING to dedicate themselves to the log management project full-time.

At this point, Torch was renamed to Graylog; Koopmann moved to Houston, Texas to set up a US company, called Graylog, Inc., which was incorporated on 8th December 2014. This became the new owner of the system, with the aim of managing the open-source project while also looking for ways to raise an income from it. Many count this event as the birth of Graylog. While it is true that this is when the current name was coined, the system actually existed for four years before that under the Torch name.

The name was inspired by “gray matter”, which means the brain. The concept is that the tool can sort through log data like a superfast brain. Oddly, the tool was named Graylog2 and when the company took that name, the log manager was redeveloped and renamed Graylog 1.0 in 2015.

The initial release of Graylog was aimed at simplifying log management by allowing users to collect and analyze logs efficiently. It quickly gained traction due to its flexibility and powerful features. Over the years, Graylog has evolved to include advanced functionalities such as real-time analysis, alerting, and extensive data visualization capabilities. It supports various data inputs, making it compatible with diverse IT environments.

Community and Ecosystem

An open-source project is usually created for a tool that an enthusiast develops and makes available to the public for free. Other technicians look at the tool and write to the developers with ideas on how it can be improved or alert the developer of bugs. Some of those who take interest offer to help out.

The concept behind an open-source system is that the source code is available and anyone can copy it and change it. In many cases, those who write their own improvements will submit them to the project and a panel will assess those suggestions, adopting changes that they think improved the package.

This is how Graylog evolved. Both Koopmann and Chapman had previously worked as software team leads and development project management. Chapman specialized in Agile development and had been an instructor in the technique. So, the pair were well-placed to manage their own project.

As they don’t generate revenue, open-source projects can evolve in four ways:

1. The project stays enthusiast-driven, it never gets enough money to properly resource the development, and the software gets out of date with contributors drifting away. Paros Proxy is an example of this outcome.
2. A sponsor provides funds and/or facilities that enable the tool to operate as a non-profit. A company that operates in the same field or a well-funded non-profit, such as the Mozilla Foundation and the Software Security Project, might be inclined to help out. These open-source systems tend to endure successfully. An example of such a history is the Apache HTTP Server and the Apache Software Foundation.
3. A company that develops software that is similar to the open-source project enters into an agreement that it will be allowed to develop a commercial product using the open-source system as its core. Royalty fees paid for this right fund the continued operation of the open-source project. Quite often, this scenario leads to the sponsor taking over the software entirely with a promise to maintain a free edition but then phases out that version. This is what happened to the OSWAP ZAP, which was sponsored by Checkmarx and then absorbed entirely.
4. The managers of the open-source project decide to emulate that commercial sponsorship plan and set up their own commercial arm, running the free open-source system alongside a paid tool based on the same core but with premium extras. This is the strategy that Splunk implemented. As with commercial partnerships, many commercialized open-source projects (including Splunk) end up dropping the free option.

Koopmann owned the rights to Graylog because the core of the system was entirely his creation. So, he followed Splunk in implementing the fourth strategy explained above. The commercialization strategy highlighted a disparity between Koopmann and Chapman.

Koopmann took the role of Chief Technology Officer, which enabled him to continue his work as lead developer for Graylog. Chapman became the Chief Executive Officer, running the entire operation. A CEO is usually the CTO’s boss. However, as Koopmann was the sole owner of Graylog, Inc., he was Chapman’s boss. Ultimately, Gaylog was Koopmann’s property and Chapman owned nothing.

Chapman had stayed behind in Hamburg when Koopmann moved to Houston to set up the US company. He resigned in September 2014 and he wasn’t replaced in Germany. Instead, Koopmann took the opportunity to make Graylog, Inc the parent company and owner of the Graylog software.

Koopmann appointed Michael Sklar to run the company from Houston, Texas. He was replaced in 2017 when Logan Wray became the CEO.

Wray retired in November 2020, hiring Andy Grolnick as his replacement. Grolnick is still the CEO of Graylog, Inc. today. Lennart Koopmann moved from Chief Technology Officer to Chief Product Officer in November 2022 when Robert Rea was hired for the CTO role. Among Kopmann’s new responsibilities was the management of the developer and user community, bringing him back to his roots and his original role, encouraging a group of independent technologists to contribute to the development of Graylog.

Graylog Funding

Graylog has been through seven guiding rounds, including early fundraising when its holding company was Torch GmbH. This first Seed round occurred in November 2013 with four funds contributing $1.9 million. These were Texas Atlantic (TA) Capital, High-Tech Gruenderfonds (HTGF), Headline (e.ventures), and Hasso Plattner Ventures. A second Seed round occurred in February 2015. This raised £2.5 million from Mercury Fund, Draper Associates, High-Tech Gruenderfonds (HTGF), and Crosslink Capital.

Three Venture rounds took place. An Early Venture round occurred in June 2018. This was a buy-in by Lytical Ventures for $5 million. A Growth Equity Venture round in June 2021 raised $18 million from High-Tech Gründerfonds, Harbert Growth Partners, Mercury Fund, Piper Sandler, and Integr8d Capital. A Late Venture round happened in October 2023 and that raised $9 million from Silver Lake Partners, Harbert Growth Partners, and Piper Sandler.

As well as attracting investments in October 2023, Graylog, Inc. took on $30 million of debt.

Timeline and Evolution

• 2009: Torch project launched by Lennart Koopmann to create a log management solution focused on handling vast amounts of data.
• 2012: Haas Chapman joined the project to run its administration from Hamburg, Germany. The tool is launched as an open-source solution, as version 0.2 and becomes known as Graylog2.
• July 2013: Koopmann and Chapman leave their employment to commit to torch full-time.
• November 2013: First Seed funding round raises $1.9 million.
• 2013: Rebranding of the project from Torch to Graylog.
• September 2014: Chapman leaves the project and is replaced as CEO by Michael Sklar.
• December 2014: Graylog, Inc. is registered. The headquarters of the company is set up in Houston, Texas.
• January 2015: The tool is rewritten and released as Graylog 1.0.
• February 2015: Series A funding round raised £2.5 million.
• March 2016: The paid version of Graylog, called Graylog Enterprise, is launched.
• January 2017: Logan Wray becomes CEO.
• June 2018: Lytical Ventures invests $5 million.
• November 2020: Logan Wray retires and Andy Grolnick is appointed CEO.
• March 2021: Release of Graylog Cloud, which ran as a deployment option alongside the on-premises Graylog Enterprise and the free Graylog Open.
• June 2021: Graylog secured $18 million in Series B funding.
• July 2021: Launch of Graylog Security, a SIEM system.
• November 2022: Robert Rea is appointed Chief Technology Officer. Lennart Koopmann becomes Chief Product Officer.
• January 2023: Lennart Koopmann leaves Graylog to start up nzyme, a network security system.
• October 2023: Graylog raises $39 million through a combination of share sales and debt.
• February 2024: Launch of Graylog API Security, a vulnerability scanner.

Company Ownership

As a private company, Graylog, Inc. doesn’t have to publish its share register. No one has ever sold shares in the business, so there have been no transfers to examine. Instead, all the current owners bought in through the company issuing more shares. This action needs to be notified to the Security and Exchange Commission (SEC) but the notifier has the option of not disclosing the value of the shares and Graylog used this right.

Haas Chapman didn’t own any part of Graylog and when Lennart Koopmann left the company in 2023, he didn’t sell up his shares. The venture capital firms that invested in the company all got shares, but none have sold them yet. So, it isn’t possible to know how much Graylog is worth or precisely who owns what amount. However, the people and entities that hold shares are known. These are:

• Lennart Koopmann
• Texas Atlantic (TA) Capital
• High-Tech Gruenderfonds (HTGF)
• Headline (e.ventures)
• Hasso Plattner Ventures
• Mercury Fund
• Draper Associates
• Crosslink Capital
• Lytical Ventures
• Harbert Growth Partners
• Piper Sandler
• Integr8d Capital
• Silver Lake Partners

The exact proportion of ownership is not known. However, the funds that have the biggest holdings can be guessed based on which have been allowed to place a partner on the Board of Directors of Graylog. These fund managers who are directors are:

• Aziz Gilani of Mercury Fund
• Lucas Nelson of Lytical Ventures
• Bob Rinek of Piper Sandler
• Brian Carney of Harbert Growth Partners

Key People

Lennart Koopmann, Founder: Lennart started out as a Web development programmer in his hometown of Hamburg, Germany. He learned about software projects and went on to become a Software Engineer, designing API-based systems, and then a Software Architect, which gave him the ability to plan and manage software projects. He started writing a log management system, called Torch, and made it an open-source project. He then moved to the USA and started a company to commercialize the tool and change the system’s name to Graylog. Koopmann hired a series of business experts to run the company while he focused on the technical development of the Graylog system. He is still a major shareholder in Graylog, even though he left the company to create a startup network security system.

Haas Chapman, Founder: The Torch (Graylog) project was already underway when Chapman joined part-time as a business manager. Originally from Sweden, Haas studied IT in the UK and followed a career in IT in management roles. He lived and worked in Sweden until 2011 when he took up a position at XING in Hamburg, Germany. Chapman specialized in Agile development, which is a fast way to get a Web application to launch before it is completely finished. This is a strategy that involves repeated cycles of additions and rework. He became the full-time business manager of Torch in June 2013 and helped the project raise funds. He left in September 2014 and moved to Spain. Chapman has taken a series of senior positions on software projects and has lived in Lisbon, Portugal since 2018.

Aziz Gilani, Director: Gilani joined Mercury Fund as an Intern in May 208 and has risen to become a Partner and the Managing director of the fund. As well as leading Mercury, Gilani has become a leader in the Venture Capital sector. He is a Board Member of the National Venture Capital Association and he is on the National Advisory Council on Innovation and Entrepreneurship. Gilani has lectured at the Jones Graduate School of Business at Rice University. Gilani has been involved with Graylog since Mercury made its first investment in the company in 2015. This is when he became a Director. He also holds directorships of many other businesses in the Houston area. Gilani has fostered the growth of Graylog, helping to plan the commercial strategy for the tool and encouraging other funds to invest in the business.

Andy Grolnick, CEO: Grolnick is the fourth CEO of Graylog and he joined in November 2020. His time in office has seen Graylog move its paid products to the SaaS model on the cloud. He has also been in charge during the creation of Graylog’s security systems, which will prove to be more profitable than its original log management service. Before arriving at Graylog, Grolnick had decades of experience in C-Suite roles at technology businesses. However, the most relevant appointment in his background was as President and CEO of LogRhythm from 2005 to 2019. LogRhythm is a cloud-based SIEM system and is exactly the type of business that Graylog wanted to become.

Locations

Graylog operates three locations. Additionally, many Graylog employees work remotely. The company’s offices are in:

1. Houston, Texas, USA (Headquarters)

The Houston office serves as the main hub for company operations, including executive leadership, marketing, sales, and customer support, particularly focusing on the North American market.

2. Hamburg, Germany (Founding Office)

The Hamburg office continues to be a major operational center, focusing on engineering, development, and European market activities. It supports both the open-source community and enterprise clients in Europe.

3. London, United Kingdom

Graylog has operations in London, focusing on sales, business development, and customer support for the UK and broader European regions.

Graylog Target Market and Customer Base

Graylog primarily serves organizations that require advanced log management, security monitoring, and operational insights. The platform’s versatility and scalability make it a popular choice across industries for both IT operations and security teams.

Target Market

1. Enterprise businesses: Graylog’s Enterprise and Cloud versions provide log management functions for large businesses with complex IT environments.
2. Security Operations Centers (SOCs): Graylog Security and Graylog API Security target Security Operations Centers (SOCs) with threat detection, incident response, and forensic analysis systems.
3. Mid-sized companies: Graylog targets mid-sized companies that need scalable log management solutions.
4. Small-to-medium sized businesses (SMBs): The free Graylog Open is popular among SMBs for its cost-efficiency and flexibility.
5. IT Operations and DevOps teams: Graylog provides infrastructure monitoring, troubleshooting, and operational intelligence.

Customer Base

Graylog’s customer base includes a wide range of industries, including:

1. Technology Companies
2. Financial Institutions
3. Healthcare Organizations
4. Retail and eCommerce
5. Educational Institutions
6. Telecommunications
7. Managed Service Providers (MSPs)
8. Government Agencies

Graylog Security is a SIEM system that is built on a reliable log management package. This system is cloud-hosted and can draw activity reports from multiple sites, cloud platforms, and the devices of remote workers. This is a centralized system for analyzing log data, making it an effective tool for both IT operations and security operations (SecOps).

Key Features:

• Centralized log management: Collects and analyzes logs from various systems, servers, and devices in real time, providing unified visibility.
• Threat detection and alerts: Pre-built and custom rules identify suspicious behavior, including brute-force attacks, malware, and unauthorized access.
• Incident investigation: Analytical tools that correlate events from multiple sources to trace and resolve incidents.
• Compliance monitoring: Built-in dashboards and reporting tools for GDPR, HIPAA, and PCI DSS.
• Assesses the security fabric: Measures critical security operations KPIs.

Graylog Security is a cost-effective alternative to traditional Security Information and Event Management (SIEM) solutions, offering flexibility and customization for a range of business sizes. It provides essential security features like threat detection, log analysis, and compliance, all within a single platform.

Check out a demo to assess the tool. There is a 14-day free trial available but it is difficult to find. Users who download Graylog Open are offered a free trial of Graylog paid products and Graylog Security is one of the options.

Other Notable Products

1. Graylog Open

Graylog Open is the free, open-source version of Graylog, designed for organizations requiring robust log management and analysis without the cost. It provides essential features like log collection, search, and visualization, making it ideal for IT teams, developers, and security professionals. While it lacks some enterprise-level features, its flexibility and community support make it a popular choice for smaller teams and technical users.

2. Graylog Enterprise

Graylog Enterprise is the premium, feature-rich version of Graylog, designed for large organizations with complex log management and security needs. It offers advanced capabilities like archiving, role-based access control, audit logs, and extended search, along with scalability and high availability. Graylog Enterprise also includes premium support and enhanced security features, making it ideal for businesses that require extensive monitoring, compliance, and operational insights.

3. Graylog API Security

Graylog API Security is designed to monitor, analyze, and protect API traffic, ensuring that potential threats targeting APIs are detected and mitigated. Launched in 2023, it helps organizations gain visibility into API usage, identify vulnerabilities, and prevent attacks like data breaches and unauthorized access. Ideal for businesses relying on APIs, it strengthens security in an increasingly API-driven world.

Major Competitors

1. Splunk A leading log management and SIEM solution, offering powerful machine learning, real-time monitoring, and advanced analytics. It excels in large-scale data environments, providing deep insights into security, operations, and compliance. Graylog is following Splunk’s development strategy but it keeps its package much simpler.
2. Elastic (ELK Stack) A popular open-source log management platform combining Elasticsearch, Logstash, and Kibana. It offers adaptable search, analysis, and visualization capabilities, making it a flexible tool for log analysis. Download each component for free, or pay for the entire stack on the cloud. ELK is also available in a Security edition.
3. LogRhythm A comprehensive SIEM platform designed for threat detection, compliance, and security management. It offers features like real-time monitoring, analytics, and automated incident response. Its integrated approach makes it ideal for security teams, but its pricing and resource requirements often position it as a solution for larger enterprises. Graylog’s current CEO guided LogRhythm to growth.
4. Sumo Logic A cloud-native log management and security analytics platform. It delivers real-time insights into application performance, infrastructure health, and security events. Its ease of use, scalability, and cloud integration make it attractive for modern IT environments and it is a very similar platform to Graylog.
5. Datadog A cloud-based monitoring and analytics platform, focusing on infrastructure, applications, and log management. Known for its strong integration with cloud services, Datadog provides real-time visibility and alerting. The platform offers many other modules besides Log Management and Cloud SIEM.

Spotlight Wrap-Up

Graylog’s journey from Torch in 2009 to becoming a leader in log management and security operations has been fueled by innovation, its strong open-source community, and strategic funding rounds. With continued investments in product development and scaling its enterprise solutions, Graylog has expanded its market reach, offering scalable solutions for organizations of all sizes. The appointment of Andy Grolnick as CEO shows that Graylog is serious about getting into the security monitoring market.