Psst! There’s a newer version of this post available here.

What are the main trade-offs between the leading log management tools and how to choose the one that’s right for you?

I don’t know about you, but to me, it can feel like log files are the rabbits of production environments. You look away for a second, and all of a sudden they’ve bred and multiplied. Writing to logs files can take up GB of data per day, all of which is unstructured and coming from potentially several machines and sources. This is where log management tools come in.

Of course, deciding to use a log management tool is just the first step. Next you actually have to decide which one you want to use. This can be a rather large decision. Depending on the tool you choose, you may have to weave it throughout your code or set up and install the whole thing yourself. Either way, the cost of changing these tools can be significant.

With that being said, let’s take a look and compare a few of the tools in this space. Today, I’ll be comparing Logstash, Splunk, and Sumo Logic. There are more tools out there worth considering, like Loggly for example, but these three give a good representation of the different types available. You can read more about log management tools in the new ebook we’ve just released: The Definitive Guide for Production Tools.

Getting Started

First things first. What are these tools all about? The three tools we’re looking at today cover the on-premises, SaaS, and open source models. All three of these tools are designed to help you manage and analyze your log files. They all work with the majority of operating systems and can handle a wide range of log file formats. As always, it’s worth double checking to make sure the tool you choose will work with the particular flavor of your data without too much difficulty before you deploy.

Splunk: Splunk is the big player in the log management tool space. It’s the most enterprise-focused tool and works as an on-premises model. With Splunk, you get the most features and the most integrations, but that comes at the highest price. To keep up with the movement of the log management environment, they also offer a SaaS version and a cheaper light version for SMBs. In this post, I’ll be focusing on their main offering however.

Splunk - Getting Started
Splunk’s search dashboard

Sumo Logic: Sumo Logic started out attempting to be a SaaS version of Splunk. They’ve gone their own way as they’ve matured, but as a result of their beginnings, they are one of the most feature-rich and enterprise-focused SaaS log management tools.

Logstash: Logstash is an open source log management tool that is most often used as part of the ELK stack along with ElasticSearch and Kibana. In the ELK stack, Logstash plays the role of the log workhorse, creating a centralized pipeline for storing, searching, and analyzing log files. It uses built-in filters, inputs, and outputs, along with a range of plugins, to deliver strong functionality to your logs.

Bottom line: On-premises, SaaS, and open source are all represented in this post. These tools are designed for the same purpose – log management – but they accomplish this task in different ways.

Installation

The installation and setup of these tools are very different. On-premises, SaaS, and open source – all are covered here.

Splunk: Splunk Enterprise is an on-premises model, which means you’ll be setting it up locally. Installing Splunk will put a process on your host that acts as a distributed server for accessing, processing, and indexing streaming data. Depending on your OS, there may be a few more processes installed for controlling, monitoring, and configuring certain elements of Splunk. Since Splunk is on-premises, you will need to plan for the hardware and space capacities that you will need.

Sumo Logic: Sumo Logic is a SaaS model, which means you’ll be setting up a communication out to the Sumo Logic cloud. Sumo Logic has two options for their collectors – hosted and installed. Hosted collectors require no local install and are hosted by Sumo Logic directly. With a hosted collector, you will need to have AWS and add an S3 or HTTP source to upload your data to the collector. For an installed collector, you will need to install it locally on a machine within your environment. Once you do so, you will need to configure the sources that will gather and send the logs to Sumo Logic. Installed collectors can work with sources like SSH, Syslog, and scripts. Sumo Logic works as a multi-tenant design, which helps prevent capacity and scaling limitations since it allows using multiple log sources to a single collector.

Logstash: Logstash is open source, which means that you’ll be setting it all up on your own system. One thing to note is that Logstash requires a Java runtime to install. Installing Logstash requires downloading the binary and unpacking it on your local system. Generally, it’s recommended to also include Elasticsearch as your backend for storing your logs. Once this is set up, you’ll need to configure the inputs, filters, and outputs that you’ll want. Open source means that you’ll need to provision the hardware and space that you’re going to need, but as far as open source tools go, Logstash is a fairly simple installation process.

Bottom line: There are large differences in installation and setup for these tools, as you would expect when one is on-premises, one SaaS, and one open source. Which one you prefer comes down to the type of tool you tend to like. Some factors to consider are whether or not you want to keep things within your environment, and whether or not you want to manage capacity and hardware yourself.

Features

There are plenty of similarities between the tools, but some of the differences may be important to you. Once you decide what you want your log management tool to be able to accomplish, you can choose the right one for you much faster.

Splunk: Splunk is likely the most feature-rich log management tool available. Splunk’s search and charting tools are feature-rich to the point that there’s probably no set of data you can’t get to through its UI or APIs, and it has extensive features based around high availability and scale, as befits an enterprise tool. Security is extensive and it can work with a huge range of machine data.

Sumo Logic: As far as SaaS log management tools go, Sumo Logic is one of the most feature-rich. As it was initially started as a SaaS version of Splunk, Sumo Logic has a good chunk of similar features. It is chock-full of features to reduce, search, and chart mass amounts of data. One of Sumo Logic’s main points of attraction is the ability to establish baselines and to actively notify you when key metrics change after an event, such as a new version rollout or a breach attempt.

Sumo Logic Features
The Sumo Logic dashboard

Logstash: Logstash is great for centralizing and unifying your data. It can parse different formats of data and converge them into one common format for your analytics tools. Due to its open source nature, it’s simple to extend it to custom log formats or add plugins for custom data sources. On its own, it doesn’t provide much in the way of front end or back end, which is why the ELK stack is an acronym.

Bottom line: As far as features go, Splunk comes out on top. Outside of large enterprises, you may not need quite the extensive amount of features that Splunk offers, in which case Sumo Logic will likely have you covered. The open source nature of Logstash gives you the most control over what you can do with the tool between your own development and the community.

Dashboard and Usage

Another consideration when choosing a tool is ease of use and, frankly, whether or not it looks good. This section looks at the dashboards and usage for the three tools.

Splunk: Splunk gives you the ability to create and manage your own dashboards. They offer a range of data visualization options, such as tables, charts, and event listings. By default, dashboards are created using Simple XML, but there are extensions available if you want to get fancier. Within Splunk, you can look at specific pages or build out a dashboard with several panels of different measurements. Dashboards can be built in either XML code or through the Splunk dashboard editor.

Sumo Logic: Sumo Logic uses a panel-based dashboard system as well. They offer real-time data, but there are certain limits to the types of queries that can be seen in a dashboard. Creating panels is largely straightforward and simple. Most of the information is presented in a chart-based manner.

Sumo Logic Dashboard
The Sumo Logic Log Analysis Quickstart dashboard

Logstash: On its own, Logstash doesn’t give you dashboards at all. Logstash gives you the flexibility to determine where and how you output the data however. As part of the ELK stack, Kibana is often used as the frontend reporting and visualization tool, but there are existing output options for a wide range of other visualization and metrics tools as well, such as Graphite, Librato, and DataDog.

Logstash on Kibana
Logstash on Kibana

Bottom line: If you’re not already using a separate visualization & metrics tool, then choosing Logstash means that you’ll shortly be adding one of those as well. Splunk gives you a flexible dashboard and visualization platform in either XML or drag-and-drop. Sumo Logic also gives you a panel-based dashboard, with a focus on real-time data.

Integrations and Plugins

An important consideration when choosing a tool is how well it integrates with your existing workflow and tool ecosystem. For log management tools, you want to make sure the tool can handle the format of your log data and can sync up with your environment.

Splunk: Splunk is all about their plugins, with over 600 available. Many of them focus on IT operations, security and compliance, and utilities for Splunk. With this many plugins, you’re very likely to be able to use Splunk to make sense of any format of log data.

Splunk Integrations
Splunk Integrations

Sumo Logic: Sumo Logic has applications targeted for specific large tools, including development automation tools, cloud platforms, OS platforms, and compliance and security tools. Sumo Logic covers the main tools, but if you’re using something smaller or more obscure, they won’t have an application designed for it.

Logstash: As an open source tool, Logstash has a continuously growing plugin environment. As of today, there are over 160 plugins available, many of them from the community. Due to the open source nature of the tool, the documentation and design of these plugins is very clear, and you have the power to change them to your heart’s content if you’re willing to put in the work.

Bottom line: If your environment is made up of the larger tools and platforms available, all three will have plugins and integrations available, but as you start to get smaller and more obscure, Splunk is going to shine.

Pricing

Can’t forget pricing of course. With these three tools, there are real differences here that can have a large impact on the business side of your decision. It’s here that the differences between models come through.

Splunk is very expensive, with real-world applications requiring tens of thousands of dollars. Although at high scale, Splunk has volume discounts which bring it more in line with other tools pricings. Sumo Logic works through the SaaS model, but with a linear pricing model, it can equal Splunk costs at high scale. Logstash is open source, which of course means the tool itself is free, although the equipment you’ll need to install and run it is not.

Documentation and Community

Perhaps you’re someone who is able to be fully self-sufficient when using a tool, in which case this section won’t matter much for you. For the rest of us, good documentation and an active community can be a great boon when we run into a wall or need some help. This section looks at how the three tools are doing on that front.

Splunk: Splunk has excellent documentation. The information is presented clearly and organized well, and they even have a dropdown menu that lets you look at the documentation for any version, so you can be sure that what you’re reading is written for the version of Splunk you’re using. On the community front, they have a forum-based community section for questions and answers that seems to be quite active.

Splunk Docs
Splunk documentation

Sumo Logic: The Sumo Logic support area is pretty poor. It’s difficult to navigate, not well organized, and often seems old. They do have a community section where you can ask questions, but that’s confusing as well. There is a separate service section that provides much more of a traditional documentation feel, but that’s difficult to find (not linked from the website) and is more bare bones than the other tools. They definitely come in third place in this area.

Logstash: The documentation for Logstash is centralized and fairly extensive. Much of the getting started and plugin documentation is quite good, but some of it is inconsistent from page to page, as can happen with open source tools. If you want to dive into it, you can a huge range of info to guide you do whatever it is you want to do. On the community front, there is a mailing list and IRC channel where you can ask questions, report bugs, or request features.

Bottom line: There are some real differences on this front between the tools. Splunk does documentation and community very well, Logstash provides a solid foundation, and Sumo Logic… hasn’t focused on this area much.

Going beyond your log management tool

No matter which tool you use, sifting through masses of log files can be a chore and can get expensive. On top of that, writing all the data to log files can drag your app’s performance and overhead. So another approach then is to reduce the amount you write to log files and your reliance on them for troubleshooting. One way to do this without sacrificing your troubleshooting abilities is to use OverOps.

OverOps error analysis in production
OverOps’s automated root cause analysis screen

OverOps works at the JVM level to capture complete code and variable data for your errors, without relying on log files. Cut down on writing to and sifting through log files and gain actionable information to fix your errors at the same time.

Check it out.

Conclusion

There are of course more log management tool options out there than what I’ve covered here, but what’s here gives you a good example of the main types of tools available in this space. Choosing between these three tools comes down to a few factors. One of the primary factors is going to be the deployment model you’re comfortable with.

On-premises, SaaS, and open source all have different pros and cons that require a careful examination of your needs and environment. Depending on how much control you want and effort you’re willing to put in, you’ll lean more towards one type or another. Other factors include the cost, extensibility, and extra features of the different tools. It’s not exactly a winner takes all scenario.

A “two men enter, one man leaves” Thunderdome style throwdown isn’t in the cards here, but depending on the particulars of your environment, one of these tools (or other log management options) may be the best fit for you. If only there were a Thunderdome for developer tools… Which tool you use? Let us know in the comments section below.

During his time at OverOps, Josh was in charge of product marketing. He wrote and maintained product documentation in addition to his contributions to the OverOps Blog. He's a big baseball fan and a small beer nerd.