What do you like best?
You can start with a single server, and migrate to a multi-server, highly available logging monster. Because there is no restriction on licensing for the base Graylog product, you can set up a test deployment and test what will happen when you upgrade, etc., in production.
The community is helpful and active. The product is getting updates frequently.
The system has a purpose-built Graylog Collector client which you can monitor directly through the Graylog web interface to determine if the system is still sending logs properly.
Easily integrates with Active Directory to allow authentication of users. Also has the ability to integrate with AD Groups for providing easy access to new users.
All of the Graylog web interface uses the Graylog API. The API browser is well thought out and fully documented. Development teams should find it easy to navigate the API in order to integrate with Graylog. API access also means that any monitoring system that can make API calls will be able to query Graylog for system health statistics easily.
Overall the system is very well thought through and comprehensive.
What do you dislike?
Documentation needs improvement. The marketplace is a bit hit or miss as far as the quality of the plugins.
Customer submitted marketplace items are not curated. Anyone who wants to put together a plug-in can, and while that's great it leads to a highly fragmented experience.
Graylog still relies on Elasticsearch 5.6.x which means that a large amount of the new Elasticsearch improvements are not yet supported.
The Collector Sidecar can and will stop sending logs at random on Windows, or not start up during system startup after a reboot. Having a system that either forces the service to start or automatically restarts the service at a set period is ideal.
Recommendations to others considering the product
Have a solid understanding of Linux. Also learn the basics of MongoDB in an HA cluster and Elasticsearch in a clustered deployment. Graylog relies heavily on these two products in order to properly operate. Ensure that you have either the ability to run HAProxy, Nginx,
If you don't know how your systems log, what those logs look like, or how you're going to get the logs out of the system and into a log stream to another product, you need to start there. Graylog will require that you either log things in a well-known format (typical of all logging solutions) or use a combo of Regex/GROK/Graylog Processing Pipelines to break out the logs into different fields so they are individually searchable. Other products have a much larger supported base of these available. If you can't find one, you'll be left to either ingest logs as a blob in the message field or learn to write your own processor pipelines. If you have the ability to pay for professional services, then you can enlist Graylog corporate to assist you.
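The point above about breaking log lines into individually searchable fields versus ingesting them as a blob in the message field, shown as an added example that is not part of this review and not Graylog's own code: a minimal grok-style extractor in Python. The pattern library, rule names, and sample syslog lines are constructed for this example; in Graylog the same work is done by an extractor or a processing-pipeline rule using `grok()`. The fallback branch shows what a line looks like when no pattern matches: only full-text search on `message` remains possible.

```python
"""Grok-style field extraction with a blob fallback (added example, not from Graylog)."""
import re
from collections import Counter

# Local grok-style pattern library. Names follow common grok conventions but are
# defined here for the example; they are not Graylog's built-in pattern set.
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "INT": r"-?\d+",
    "WORD": r"\w+",
    "USER": r"[a-zA-Z0-9._-]+",
    "HOSTNAME": r"[a-zA-Z0-9._-]+",
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
}


def compile_grok(pattern: str) -> re.Pattern:
    """Expand %{NAME:field} tokens into named regex groups and compile the result."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        sub = GROK_PATTERNS[name]
        return f"(?P<{field}>{sub})" if field else f"(?:{sub})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern))


# Constructed rules: (event_type, grok pattern). Order matters; first match wins.
RULES = [
    ("ssh_failed_password", compile_grok(
        r"^%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:source} sshd\[%{INT:pid}\]: "
        r"Failed password for (?:invalid user )?%{USER:user} from %{IP:src_ip} port %{INT:src_port}")),
    ("ssh_accepted", compile_grok(
        r"^%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:source} sshd\[%{INT:pid}\]: "
        r"Accepted %{WORD:method} for %{USER:user} from %{IP:src_ip} port %{INT:src_port}")),
]

# Constructed sample lines (RFC 5737 documentation addresses, invented hostnames).
SAMPLE_LINES = [
    "Jan 14 02:33:10 bastion01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51822 ssh2",
    "Jan 14 02:33:11 bastion01 sshd[2233]: Failed password for root from 203.0.113.7 port 51830 ssh2",
    "Jan 14 02:33:12 bastion01 sshd[2235]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2",
    "Jan 14 02:34:00 bastion01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]


def extract_fields(line: str, rules=RULES) -> dict:
    """Apply the first matching rule; if none matches, keep the line as an opaque blob."""
    for event_type, regex in rules:
        m = regex.match(line)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            fields["event_type"] = event_type
            fields["message"] = line  # original text is kept alongside the extracted fields
            return fields
    # Fallback: nothing structured to search on except the raw message text.
    return {"event_type": "unparsed", "message": line}


def failed_logins_by_ip(events: list) -> dict:
    """A field-level query that is only possible once src_ip has been extracted."""
    return dict(Counter(e["src_ip"] for e in events if e["event_type"] == "ssh_failed_password"))


def main() -> None:
    events = [extract_fields(line) for line in SAMPLE_LINES]
    for e in events:
        print({k: v for k, v in e.items() if k != "message"})
    print("failed logins by source IP:", failed_logins_by_ip(events))


if __name__ == "__main__":
    main()
```

Running the script prints one field dictionary per line; the CRON line comes out as `event_type: unparsed` with no other fields, which is exactly the blob case the recommendation warns about.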
What business problems are you solving with the product? What benefits have you realized?
Log management for all devices.
Netflow capture of all network devices.
Historic capture of all events and alerting on those events.
Active Directory log analysis and forensics.
Event correlation and issue root cause.