Splunk vs. Sumo Logic vs. LogStash vs. GrayLog vs. Loggly vs. PaperTrails vs. Splunk>Storm

Splunk, Sumo Logic, LogStash, GrayLog, Loggly, PaperTrails – did I miss someone? I’m pretty sure I did. Logs are like fossil fuels – we’ve been wanting to get rid of them for the past 20 years, but we’re not quite there yet. Well, if that’s the case I want a BMW!

To deal with the growth of log data, a host of log management and analysis tools have been built over the last few years to help developers and operations make sense of the growing data. I thought it’d be interesting to look at our options and at what each tool’s selling point is, from a developer’s standpoint.

Edit: A new version of this post is available right here.

Splunk

As the biggest tool in this space, I decided to put Splunk in a category of its own. That’s not to say it’s the best tool for what you need, but more to give credit to a product that essentially created a new category.

Splunk is probably the most feature-rich solution in the space. It’s got hundreds of apps (I counted 537) to make sense of almost every format of log data, from security to business analytics to infrastructure monitoring. Splunk’s search and charting tools are feature-rich to the point that there’s probably no set of data you can’t get to through its UI or APIs.

Splunk has two major cons. The first, which is more subjective, is that it’s an on-premise solution, which means that setup costs in terms of money and complexity are high. To deploy in a high-scale environment you will need to install and configure a dedicated cluster. As a developer, that’s usually something you can’t or don’t want to do as your first choice.

Splunk’s second con is that it’s expensive. To support a real-world application you’re looking at tens of thousands of dollars, which most likely means you’ll need sign-offs from higher-ups in your organization, and the process is going to be slow. If you’ve got a new app and you want something fast that you can quickly spin up and ramp as things progress – keep reading.

Some more enterprise log analyzers can be found here.

SaaS Log Analyzers

Sumo Logic

Sumo was founded as a SaaS version of Splunk, going so far as to imitate some of Splunk’s features and visuals early on. Having said that, SL has developed into a full-fledged, enterprise-class log management solution.

SL is chock-full of features to reduce, search and chart mass amounts of data. Out of all the SaaS log analyzers, it’s probably the most feature-rich. Being a SaaS offering also inherently means setup and ongoing operation are easier. One of Sumo Logic’s main points of attraction is the ability to establish baselines and to actively notify you when key metrics change after an event such as a new version rollout or a breach attempt.
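One simple form of that baseline-and-notify check, as an added example (not Sumo Logic’s code and not from the original post): compute the error rate of log lines tagged with the version that was just rolled out, compare it with the rate from the previous version as the baseline, and alert when it exceeds a multiple of that baseline. The line format, the `version=` tag and the sample lines are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed line format for this example: "<timestamp> <LEVEL> version=<ver> <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<level>[A-Z]+) version=(?P<version>\S+) (?P<msg>.*)$")


def parse(line):
    """Return the fields of one line as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def count_by_version(lines):
    """Count total lines and ERROR lines per version tag; unparseable lines are skipped."""
    totals = defaultdict(int)
    errors = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        totals[rec["version"]] += 1
        if rec["level"] == "ERROR":
            errors[rec["version"]] += 1
    return totals, errors


def error_rate(totals, errors, version):
    """Fraction of a version's lines that are ERROR lines (0.0 when there are none)."""
    return errors[version] / totals[version] if totals[version] else 0.0


def check_rollout(lines, old_version, new_version, factor=3.0, min_rate=0.05, min_events=5):
    """Compare the new version's error rate against the old version's rate as a baseline.

    Alerts when the new rate exceeds max(baseline * factor, min_rate). min_rate keeps a
    zero-error baseline from alerting on the first harmless error, and min_events avoids
    judging a rollout on a handful of lines.
    """
    totals, errors = count_by_version(lines)
    baseline = error_rate(totals, errors, old_version)
    current = error_rate(totals, errors, new_version)
    threshold = max(baseline * factor, min_rate)
    result = {"baseline": baseline, "current": current, "threshold": threshold,
              "events": totals[new_version], "alert": False, "reason": "ok"}
    if totals[new_version] < min_events:
        result["reason"] = "insufficient events"
    elif current > threshold:
        result["alert"] = True
        result["reason"] = "error rate above baseline threshold"
    return result


# Constructed sample log: 10 lines from version 1.4.1 (1 error), then 6 lines from 1.4.2 (3 errors).
SAMPLE_LOG = [
    "2014-03-12T10:00:01Z INFO version=1.4.1 GET /checkout 200 12ms",
    "2014-03-12T10:00:02Z INFO version=1.4.1 GET /cart 200 8ms",
    "2014-03-12T10:00:03Z INFO version=1.4.1 POST /login 200 30ms",
    "2014-03-12T10:00:04Z WARN version=1.4.1 GET /checkout 200 410ms slow",
    "2014-03-12T10:00:05Z INFO version=1.4.1 GET /cart 200 9ms",
    "2014-03-12T10:00:06Z ERROR version=1.4.1 POST /checkout 500 NullPointerException",
    "2014-03-12T10:00:07Z INFO version=1.4.1 GET /cart 200 7ms",
    "2014-03-12T10:00:08Z INFO version=1.4.1 GET /checkout 200 11ms",
    "2014-03-12T10:00:09Z INFO version=1.4.1 POST /login 200 28ms",
    "2014-03-12T10:00:10Z INFO version=1.4.1 GET /cart 200 10ms",
    "this line is not in the expected format and is skipped",
    "2014-03-12T10:05:01Z INFO version=1.4.2 GET /cart 200 9ms",
    "2014-03-12T10:05:02Z ERROR version=1.4.2 POST /checkout 500 IllegalStateException",
    "2014-03-12T10:05:03Z INFO version=1.4.2 GET /checkout 200 13ms",
    "2014-03-12T10:05:04Z ERROR version=1.4.2 POST /checkout 500 IllegalStateException",
    "2014-03-12T10:05:05Z INFO version=1.4.2 GET /cart 200 8ms",
    "2014-03-12T10:05:06Z ERROR version=1.4.2 POST /checkout 500 IllegalStateException",
]

if __name__ == "__main__":
    print(check_rollout(SAMPLE_LOG, "1.4.1", "1.4.2"))
```

The same comparison works for any key metric you can count per line (failed logins per minute before and after a suspected breach attempt, for instance); only the predicate in `count_by_version` changes.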


This one is shared across all SaaS log analyzers: you need to get the data to the service before you can do anything with it. That means possibly GBs (or more) uploaded from your servers, which can create issues on multiple fronts:

  1. As a developer, if you’re logging sensitive data or PII you need to make sure it’s redacted before it leaves your servers.
  2. There may be a lag between the time data is logged and the time it’s visible to the service.
  3. There’s additional overhead on your machines from transmitting GBs of data, which depends on your logging throughput.
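The first point is the one a developer controls directly. As an added example (not part of the original post, and not any vendor’s collector code), here is a small Python redaction pass that could run on the host before log lines are shipped. The patterns, the masking format and the sample log lines are constructed for this example; the card-number check uses a Luhn test so that ordinary numeric ids are not masked by mistake.

```python
import re

# Patterns for data that commonly leaks into application logs.
# Everything here (patterns, mask format, sample lines) is constructed for this example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")
# 13-16 digits, optionally separated by spaces or hyphens, starting and ending on a digit
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# key=value secrets such as password=... or api_key=...
SECRET_KV_RE = re.compile(r"(?i)\b(password|passwd|token|api[_-]?key)=([^\s&]+)")


def luhn_ok(digits):
    """Luhn checksum: true for well-formed card numbers, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(m):
    raw = m.group(0)
    digits = re.sub(r"[ -]", "", raw)
    # Only mask digit runs that pass Luhn; order ids and epoch timestamps usually do not.
    if luhn_ok(digits):
        return "[CARD-" + digits[-4:] + "]"
    return raw


def _mask_ip(m):
    # Keep the first three octets so operators can still group by network; drop the host part.
    return f"{m.group(1)}.{m.group(2)}.{m.group(3)}.xxx"


def redact(line):
    """Return the log line with secrets, e-mail addresses, card numbers and host IPs masked."""
    line = SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)
    line = EMAIL_RE.sub("[EMAIL]", line)
    line = CARD_RE.sub(_mask_card, line)
    line = IPV4_RE.sub(_mask_ip, line)
    return line


def redact_lines(lines):
    """Redact a batch of lines, e.g. a file about to be handed to a SaaS collector."""
    return [redact(line) for line in lines]


# Constructed sample log lines (documentation IP ranges, a well-known test card number).
SAMPLE_LOG = [
    "2014-03-12 10:15:01 INFO  login ok user=alice@example.com ip=203.0.113.42",
    "2014-03-12 10:15:07 WARN  auth failed for bob@example.org password=hunter2 ip=198.51.100.7",
    "2014-03-12 10:16:33 ERROR payment declined card 4111 1111 1111 1111 order=1234567890123",
]

if __name__ == "__main__":
    for out in redact_lines(SAMPLE_LOG):
        print(out)
```

The Luhn test reduces false positives but does not eliminate them (roughly one in ten random digit runs passes), so a pass like this should be tuned against your own log formats, and anything it cannot classify should be treated as a reason to fix the logging statement rather than the filter.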

Sumo’s pricing is also not transparent, which means you might be looking at a buying process which is more complex than swiping your team’s credit card to get going.

Update – I just got a note from Brandon at the Sumo Logic team letting us know you can purchase the product directly using your credit card from within the Free version. Not as easy as going through the web site, but quite close.


Loggly

Loggly is also a robust log analyzer, focusing on simplicity and ease of use for a devops audience.

Whereas Sumo Logic has a strong enterprise and security focus, Loggly is geared more towards helping devops find and fix operational problems. This makes it very developer-friendly. Things like creating custom performance and devops dashboards are super-easy to do. Pricing is also transparent, which makes getting started easier.

Don’t expect Loggly to scale into a full-blown infrastructure, security or analytics solution. If you need forensics or infrastructure monitoring you’re in the wrong place. This is a tool mainly for devops to parse data coming from your app servers. Anything beyond that you’ll have to build yourself.


PaperTrails

PaperTrails is a simple way to look and search through logs from multiple machines, in one consolidated, easy-to-use interface. Think of it like tailing your log in the cloud, and you won’t be too far off.

PT is what it is: a simple way to look at log files from multiple machines in a single view in the cloud. The UX itself is very similar to looking at a log on your machine, and so are the search commands. It aims to do something simple and useful, and does it elegantly. It’s also very affordable.

PT is mostly text-based. Looking for advanced integrations, predictive or reporting capabilities? You’re barking up the wrong tree.


Splunk>Storm

This is Splunk’s little (some may say step) SaaS brother. It’s a pretty similar offering that’s hosted on Splunk’s servers.

Storm lets you experiment with Splunk without having to install the actual software on-premise, and contains many of the features available in the full version.

This isn’t really a commercial offering, and you’re limited in the amount of data you can send. It seems to be more of a limited online version of Splunk meant to help people test out the product without having to deploy first. A new service called Splunk Cloud is aimed at providing a full-blown Splunk SaaS experience.

Open Source Analyzers


Logstash

Logstash is an open-source tool for collecting and managing log files. It’s part of an open-source stack which includes ElasticSearch for indexing and searching through data and Kibana for charting and visualizing it. Together they form a powerful log management solution.

Being an open-source solution means you inherently get a lot of control and a very good price. Logstash uses three mature and powerful components, all heavily maintained, to create a very robust and extensible package. For an open-source solution it’s also very easy to install and start using. We use Logstash and love it.

As Logstash is essentially a stack, you’re dealing with three different products, which also makes extensibility more complex. Logstash filters are written in Ruby, Kibana is pure JavaScript and ElasticSearch has its own REST API as well as JSON templates.

When you move to production, you’ll also need to separate the three onto different machines, which adds to the complexity.


GrayLog

A fairly new player in the space, GL2 is an open-source log analyzer backed by MongoDB as well as ElasticSearch (similar to Logstash) for storing and searching through logged errors. It’s mainly focused on helping developers detect and fix errors in their apps.

Also in this category you can find fluentd and Kafka, one of whose main use cases is also storing log data. Phew, so many choices!

OverOps for Logs

While this post is not about OverOps, I thought there’s one feature it has which you might find relevant to all of this.

The biggest disadvantage of all log analyzers, and of log files in general, is that the right data has to be put there by you first. From a dev perspective, this means that if an exception isn’t logged, or the variable data you need to understand why it happened isn’t there, no log file or analyzer in the world can help you. Production debugging sucks 🙁

One of the things we’ve added to OverOps is the ability to jump into a recorded debugging session straight from a log file error. This means that for every log error you can see the actual source code and variable values at the moment of error. You can learn more about it here.

This is one post where I would love to hear from you guys about your experiences with some of the tools mentioned (and some that I didn’t). I’m sure there are things you would disagree with or would like to correct me on – so go ahead, the comment section is below and I would love to hear from you.

This post is now in Spanish.

Tal is the CTO of OverOps. Tal has been designing scalable, real-time Java and C++ applications for the past 15 years. He still enjoys analyzing a good bug though, and instrumenting code. In his free time Tal plays Jazz drums.
  • https://www.dataloop.io Colin Hemmings

    There is Splunk Cloud, so you don’t have to run it on-premise: http://www.splunk.com/view/cloud/SP-CAAAG58

    • http://www.takipi.com/ Tal Weiss

      Hi Colin,

      Thanks for the comment. It’s right there with Splunk>Storm.

      • Johannes Nicolai

        AFAIK, Splunk Cloud and Splunk Storm are different products. Splunk Cloud is very feature compatible to Splunk on premise and does not have any index size restrictions (as long as you pay for it).

  • logscape

    Hi Tal, You can also take a look at http://logscape.com

    • http://www.takipi.com/ Tal Weiss

      Hey Logscape, thanks for the comment – looks great!

      I would love to hear more about the tool’s special features and advantages.

  • Francis DB

    Another option: https://logentries.com/

  • cdukes

    Please consider LogZilla (http://www.logzilla.net) as well. It scales to 1B events per day on a single server and is about 1/10th of the cost of the other tools in its class. There’s also a free version for small networks.

  • Ashish Mohindroo

    Try the new cloud-based log management platform for Java: http://www.oohlalog.com. It’s free! And it offers non-blocking I/O and stacktraces.

  • Da Beave

    You might want to consider checking out “Sagan”. While archiving and being able to search mass amounts of logs is very powerful, knowing what to search for and doing it in real time is also important from a security monitoring standpoint. Sagan basically “watches” your logs and detects security related events based off them (malware detection, brute force attacks, suspicious traffic, etc). It was a lot like a Snort IDS system, but for logs. In fact, the rule syntax is very similar to Snort and Sagan can even write to Snort/Suricata graphical interfaces (i.e. Snorby, Sguil, etc). Oh, and it’s an open source project. More information is at:


  • Kurt

    In regards to some of the cons associated w/ SaaS based log management solutions, Sumo Logic does the best job in regards to security, data collection, and real-time ingest. Their founders are from Arcsight (SIEM tool purchased by HP), so their service is very secure and extremely robust (real-time data ingest of up to 1TB per day). Their collectors encrypt data via SSL and compress 10x before sending to their service (something Splunk and other competitors DO NOT offer).

  • Julian Cohen

    Hey, this is Julian from Logentries. If you are looking for an easy-to-use service for centralizing, managing and analyzing your log data, check out our free account at http://logentries.com. We have built the service for the cloud so that you can get to the important data you need, in seconds, at a very cost-effective price. Let us know your feedback or technical questions at support@logentries.com

  • Kattant

    Great article with useful pros and cons. I think that open source tools have a major disadvantage: they become ineffective above several GB/day of log data input, because they have general regex logic; for every query they go through the log data again and again. Commercial products generally solve this by relying on a massive infrastructure – e.g. Splunk is able to work in a distributed way, or in the case of Arcsight or QRadar parsed logs with metadata can be put in an expensive high performance database, plus you can use high-end HP/IBM servers for data processing. But for your big money you can get some extra features and a nice GUI too. (Cloud is not so effective if you need to transfer log data, or the data is sensitive.) I am writing because there is a different approach:
    http://www.logdrill.com : you can find free software here if you register. They created a domain specific, easy to use descriptive language for effective parsing, which is capable of around 130000 EPS on one CPU depending on the input and the rule complexity. LogDrill developed an in-memory OLAP framework, which gives instant results on a drag&drop GUI, and one-click drilldown to original logs. A few TB of log analysis can run on a laptop.

  • Praveen D Kumar

    Hey Tal, have you heard of/tried http://www.alienvault.com/? Please provide your input on it.

  • Jim Sherman

    Thanks Tal, great list. One that you missed and I really like is Stackify (www.stackify.com). We use it both for the errors and logs, which are integrated and give you a lot more info per exception, but they also integrated the monitoring piece so you can monitor the app, the servers (VMs and physical), DB etc., but also the frequency of occurrence of errors and whether one that I’ve resolved came back, etc.

  • http://mrjarichard.info Jesse Andrew

    There’s also Logentries (http://logentries.com), another great SaaS log management platform.

  • Sébastien Lorber

    Afaik Kafka is a log management system but not exactly like the others. Kafka’s primary purpose is to collect applicative logs, i.e. applicative events, to be processed in a CQRS/Lambda architecture. This is not really like logging string statements in a text file. But it still can be used that way anyway (Loggly uses Kafka).

    • Jens Rantil

      LinkedIn also uses Kafka. Based on their initial posts, it sounds as if they are using it for their log infrastructure specifically, too.

      • Sébastien Lorber

        Yes but when LinkedIn engineers are talking about log infrastructure, they really mean something that has nothing to do with text based logs produced by Log4J or Logback. Their log infrastructure based on Kafka is their master database, their source of truth that drives all the components of their infrastructure. Check this wonderful article: http://engineering.linkedin.com/distributed-systems/log-what-every-software-engineer-should-know-about-real-time-datas-unifying

        • Jens Rantil

          Yeah, it’s a great article 🙂 From previous posts I’ve understood they were using it for regular application logs, too, but I might be wrong! I have no sources.

  • Scott Wilkerson

    And an inexpensive commercial offering from an industry leader can now be added to the list: Nagios Log Server – http://www.nagios.com/products/nagios-log-server

  • http://nguyenvulong.com Long Nguyen Vu

    Actually, the ELK stack, which comprises Logstash, Kibana & ElasticSearch – all 3 products now belong to the ElasticSearch company. Their engineers took care of their compatibility and, as I have seen so far – no problem at all.

  • http://www.vrmactech.com/ Vivek Krishnan
    • http://www.takipi.com/ Alex Zhitnitsky

      Thanks, fixed it!

  • Gail Smith

    Nice list, another option that needs to be here is Stackify (http://stackify.com/), probably the only tool that combines log management with error tracking and monitoring.

  • Selva Raman

    Hey Tal, Good read!!

    Another one to check out http://www.happiestminds.com/cybervigil/

  • Guilherme Nogueira

    I really think you should expand the section on Graylog. We’ve moved from Splunk>Storm to ELK then Graylog and couldn’t be more satisfied. It’s way easier to manage than ELK, and more flexible than Splunk.

    I highly recommend it.

    • Aimon Bustardo

      Why did you move from ELK to GrayLog?

  • http://www.rigabyte.com travi

    Check out http://www.rigabyte.com/ , the SaaS version is free.

  • Albert Mavashev

    Another option: https://www.jkoolcloud.com. A SaaS-based logging and tracking platform focused on real-time and historical data, built on an open source NoSQL stack from the ground up.

  • Dimitri Bershadsky

    AppDynamics. It runs as a javaagent, just like Takipi. It will not show INFO and WARN level, only errors, but it’s ideal for troubleshooting performance issues.

  • E Z

    the holy grail affordable SIEM

  • Rotem Zajonce

    Is anyone familiar with a log management tool that can connect to an external data source (DB, DW) using an ODBC/JDBC connector?

  • Narendran V
  • https://www.itcentralstation.com/ Danielle Felder

    Great article with pros and cons for a variety of log management tools. Users who are looking into these tools might benefit from real user review on IT Central Station: https://www.itcentralstation.com/categories/log-management.

    One software that wasn’t yet mentioned is LogRhythm. This Information Security Analyst wrote that LogRhythm “brought all of our devices into one area, so I am able to understand and manage all of our devices and understand what is going on with an individual device.” Read his full review here: https://www.itcentralstation.com/product_reviews/logrhythm-review-36108-by-ryan-cossette.

  • Mario Macías

    There is also Kynerix log manager http://www.kynerix.com

  • Ironbox Support

    For a simple and easy to use log tool try Distiller. http://ironboxnetworks.com/

  • Otis Gospodnetić

    I’m not sure why Logsene (http://sematext.com/logsene ) is not on this list, but it’s something anyone looking at log management (whether SaaS/Cloud or On Premises) should consider using, esp. if they are using either Splunk (expensive) or ELK/Elastic Stack (looks free or cheap, but can actually turn out to be expensive if you need to buy support, or if you need to acquire expertise to manage it).

    Also, a colleague of mine just published a good overview of 5 Logstash Alternatives, which should be of interest to anyone dealing with logs today. https://sematext.com/blog/2016/09/13/logstash-alternatives/

  • Saygun Onay

    Hey thanks for the post, great review! There is a new SaaS log management platform, ZettaLogs (https://zettalogs.com), which is feature-rich with the most cost-effective plans. It focuses on maximum features for devops and IT teams with an intuitive interface. I particularly like their multi-search feature for correlative analysis of log events. And any type of log can be parsed by defining rules using Grok-style hierarchical named regexes, which are really easy to use and effective.

  • Anand Borad

    Great list Tal!

    In the case of Splunk, it now supports 1300+ apps.

    Also, I came across Motadata (http://motadata.com/log-management) which has support for almost any app for collection, monitoring and collaboration.

    It is a plugin-based architecture, so one needs to write a plugin to support any app.

  • http://techtiptrick.com/ Jitu Dabhi
  • Jeorge Confederate Flag

    Must be a young audience as nobody has mentioned Rsyslog. They have been around longer than Splunk. An old one but a good one. http://www.rsyslog.com/

  • moo

    Don’t forget LogDNA (http://www.logdna.com); there has been a recent exodus from PaperTrail, SumoLogic and the rest to LogDNA due to search speed and the UI/UX.

  • https://www.comakeit.com/ anil rao

    What is the max number of logs we can track per day?

  • Robin Ersek-Obadovics

    Check NXLog – https://nxlog.co/products/nxlog-community-edition – which is free and open source, highly scalable and high-performance, and collects logs from Windows, Linux, Android, etc. as a multi-platform tool.

  • Robin Ersek-Obadovics

    There is also NXLog (https://nxlog.co/products/nxlog-community-edition) which is open source and free to download from the website. It provides high-performance, even when scaled to thousands of servers. Totally recommended.

  • https://www.armemberplugin.com/ Almin Reputeinfosystems

    Hi admin,

    This is undoubtedly a great list. You have covered most of the popular server monitoring tools in this article. However, I’d like to take the opportunity to introduce Nodelizer (https://www.nodelizer.com/), the latest addition to the server monitoring market. It is developed by Reputeinfosystems, the maker of repute and WP User Frontend. It’s very user friendly and amazingly feature

    If you can, please take out the time to check it out. I am positive that you will like it!

  • sandeep kumar

    Very nice post here, thanks for it. I always like such super content in these posts. Excellent and very cool idea and great content of different kinds of valuable information. Thanks for educating me and keeping me caught up. I just wanted to share information about Elasticsearch; it will be useful to users.

  • Logicify

    A nice and comprehensive article – thanks a lot for sharing.

    We use Graylog + Grafana in our company to monitor the system performance and manage the logs.

    If you’re interested, you can find more here: https://www.logicify.com/en/blog/graylog-as-a-tool-for-technical-monitoring-of-software-products-we-build/ We’ve shared our experience with Graylog.

  • stella

    Thanks Tal Weiss. Good list on log management. Please refer to this too: https://stackify.com/retrace/. Visit: https://www.indiumsoftware.com/

  • http://www.cuelogic.com Prakash

    Hey Tal,

    According to my knowledge about SaaS log management platforms, mainly we should focus on the 5 things below.

    1. Realize the Importance of Monitoring
    2. Incorporate a Monitoring Strategy Early On
    3. Have Application Logging as a Code Standard
    4. Automate Your Monitoring Configuration
    5. Use Alerts on Your Key Metrics.

    Prakash Parmar
    DevOps Engineer at Cuelogic

  • Danial James

    Really helpful post! Thank you so much for sharing this amazing piece of content, it was so good to read and useful to improve my knowledge, keep blogging.
    Check out some amazing DevOps blogs here: https://www.bdccglobal.com/