Buying Logging Backend

Buyer's guide.

Overview

Choosing a logging backend is mostly a cost-and-cardinality conversation that masquerades as a feature conversation. The product surface across vendors converges; the bill, the index strategy, and the retention controls do not. Make the choice on volume math first, ergonomics second.

• Pricing axis. Vendors meter on ingested GB, indexed GB, or query volume; the same workload can vary 5x in monthly cost depending on which axis you land on.
• Retention and access patterns. Hot, warm, and cold tiers exist for a reason. Decide what you actually re-query at 30, 90, and 365 days.
• Schema and parsing. JSON-native ingest, automatic field extraction, and stable column names beat regex-on-message every time.
• Operational fit and exit cost. Agent footprint, OTel collector support, RBAC, and how painful it would be to leave in 18 months all factor into the same decision.

The approach

Run a structured evaluation against your real volume and your real query patterns. Vendor demos use perfect data; your logs are not perfect data.

• Volume baseline first. Measure current GB/day per service before talking to vendors so quotes can be compared on the same number.
• Top-10 query inventory. List the queries on-call actually runs. Replay them in each vendor's trial and time them.
• Total cost of ownership model. Add ingest, indexing, retention tier transitions, and seat licences before comparing. List-price-per-GB lies.
• Document the choice and the exit ramp. Capture the rationale and how you would migrate logs out if pricing or product changed.

Why this compounds

The right backend keeps paying back: lower bills as volume grows, faster incident response from queries that finish in seconds, and a logging stack that doesn't need its own SRE.

• Cost discipline at scale. Picking the right pricing axis early saves more than negotiating discounts later.
• Faster incident response. Queries that finish in seconds change how often on-call reaches for logs versus dashboards.
• Reduced platform tax. A vendor that owns the index, retention, and access layer means fewer in-house components to maintain.
• Decision trail for the next renewal. The evaluation document becomes the renewal scorecard, not a cold start.