If your using Splunk or need a way to aggregate logs and do searches. Gravwell says they provide everything out of the box, with much better features and only 14 GB per day limit compared to Splunk Free.

Subscribe to my free email newsletter and receive bonus content…

Gravwell Search Filter

Interface for creating complicated flows or automations

Gravwell provides a easy to use visual workflow, where you can click to add different functions and then connect them together.

*This shows multiple queries combined together with Ingester information and then creates a PDF which will be emailed.*

Gravwell vs Splunk Features

Feature	Gravwell	Splunk Free
Daily Ingest	14 GB Daily	500 MB Daily
Self Hosted	Yes	Yes
Monitoring & Alerts	Yes	No
Access Control	Yes	No
PDF Reports	Yes	No

Actionables

Actionables let you identify fields you want to be able to click on and run specific searches, in this case I have it setup to match on source IP address and lets you click on actionable I created “IP-Blocklist-Check” and then define the URLs and the value that will be sent to it. So once you click the url it will autopopulate it with the source IP address so you can run quick checks, without copying and pasting.

*Example of a query and then clicking on a Actionable linking to blocklist checker*

*Result of clicking Gravewell Actionable on source IP address and selecting blacklistchecker.com*

Topology

Topology view to show ingester connectivity.

Storage Interface

Shows how much is used and how soon the disk will fill out.

Network Enrichment Kit

Network Enrichment Kit is a module that you can install that comes with Gravwell. You have to install the kit before you can use it but it provides many benefits such as GeoIP, ASN and Ports to Service Names.

Enriched source IP address with Country, ASN Org and ASN Number

How To Install Gravwell

Its very easy to install Gravwell, once its installed you just need to sign up for a Gravwell community edition to receive the license to install.

Total Time Needed :

Minutes

Total Cost:

USD

Required Tools:

– A computer.

Things Needed?

– Ubuntu 22.04

– Server to send logs

Steps to setup Gravwell:

Step 1 – Install Gravwell Server Components

apt install apt-transport-https gnupg wget apt install apt-transport-https gnupg wget wget -O /usr/share/keyrings/gravwell.asc https://update.gravwell.io/debian/update.gravwell.io.gpg.key echo 'deb [ arch=amd64 signed-by=/usr/share/keyrings/gravwell.asc ] https://update.gravwell.io/debian community main' > /etc/apt/sources.list.d/gravwell.list apt update && apt install gravwell

Step 2 – Install Ingestors on Gravwell Server

apt-get install gravwell-file-follow apt-get install gravwell-simple-relay

Step 3 – Install File Ingester on Gravwell Server to monitor

Step 4 – Configure File Ingester and add additional directories

/opt/gravwell/etc/file_follow.conf

Cleartext-Backend-Target=GRAVWELL_IP_ADDRESS_HERE:4023

[Follower "webserver"] Base-Directory="/var/log/nginx/" File-Filter="*" Tag-Name=default Assume-Local-Timezone=true #Default for assume localtime is false Recursive=true Ignore-Line-Prefix="#" # ignore lines beginning with Ignore-Line-Prefix="//"

Step 5 – Login into Server

The web interface will be available at http://GRAVWELL_IP_ADDRESS_HERE:80

Step 6 – Run a Query

tag=auth tag=syslog
tag=webserver

Extractors

By default supports csv, cef, kv, fields, regex, slice, json, winlog, syslog, netflow, ipfix and xml.

Conclusion

After using Splunk for many years, I am used to massaging the data so Splunk will provide me the output I am looking for. Its a breath of fresh air that I can send JSON logs to Gravwell and be able to search and output the data I am looking for without creating a bunch of transform configurations. You just need to learn how the synatx works in Gravwell, which is very easy to understand in a short time frame.

Gravwell is great system to centralize logs and being able to filter on them and do deep dives to get the data your looking for.

Best Splunk Alternative – Gravwell