Graylog is strongest for centralized log management, SIEM, and security analytics. Elastic Stack is strongest for search, log analytics, dashboards, and flexible observability workflows built on Elasticsearch, Kibana, and integrations. CubeAPM is strongest for OpenTelemetry-native full-stack observability with customer-hosted deployment and predictable ingest-based pricing.
As teams move deeper into cloud-native and Kubernetes-based systems, observability decisions are no longer just about collecting logs. Teams also need to think about data control, cost growth, telemetry coverage, and root-cause speed.
This guide compares Graylog, ELK Stack, and CubeAPM across deployment, MELT coverage, OpenTelemetry support, retention, sampling, pricing behavior, and debugging workflows.
Quick Comparison: Graylog vs ELK Stack vs CubeAPM
| Dimension | Graylog | Elastic Stack (ELK Stack) | CubeAPM |
|---|---|---|---|
| Primary Focus | Log management & SIEM | Log analytics, search & visualization | Unified MELT observability |
| Deployment | Self-hosted, cloud, or hybrid | Serverless, hosted, or self-managed | Self-hosted (vendor-managed ops) |
| Pricing Model | Free option; Enterprise from $15k/year | Resource/usage-based; self-managed pricing via sales | Ingestion-based ($0.15/GB); no per-user fees |
| MELT Coverage | Strong log management; limited native tracing | Full MELT via Elastic Observability | Full MELT |
| OpenTelemetry Support | Supports OTel log ingest; log-centric design | Strong OTel support via OTLP and Elastic Agent | Fully OTel-native |
| Setup Complexity | Moderate (Graylog server + OpenSearch + MongoDB) | Higher self-managed; lower with Elastic Cloud | Low, vendor-managed operations |
| Retention | Configurable; defaults ~30–40 days on new index sets | Configurable; longer retention increases storage costs | Unlimited |
| Sampling | Stream rules, pipeline-level log routing | Log-level filtering; head-based and tail-based sampling | Context-aware smart sampling for traces |
| Best For | Log-centric ops, SIEM, compliance | Teams needing deep search customization and flexibility | OTel-native teams needing cost control & data ownership |
How We Evaluated These Platforms
To keep this comparison grounded and reproducible, all three platforms were evaluated against a consistent set of technical and commercial criteria.
Test Architecture Assumptions
- Kubernetes-based microservices architecture
- JVM and Node.js services with distributed tracing enabled
- Centralized log ingestion from multiple sources (applications, containers, network devices)
- 30, 125, and 250 engineer team models
Telemetry Assumptions
- Logs: 250–1,500 GB/month scaled by team size
- Traces: 20–200 million spans/month
- Metrics: Standard infrastructure and application metrics
- Retention baseline: 30–90 days for cost modeling
This comparison focuses on architectural design and pricing behavior at scale. Entry-level free-tier experiences are noted where relevant, but most meaningful cost and coverage differences emerge under real production workloads.
Architecture Philosophy and Deployment Models

The biggest difference between these three platforms is not just feature coverage. It is how the observability pipeline is put together and where the data is stored.
CubeAPM: Unified observability in the customer environment
CubeAPM is positioned as a unified observability platform that runs inside the customer’s own environment rather than sending telemetry to a typical external SaaS backend. Its docs and website describe it as OpenTelemetry-based and focused on collecting telemetry from applications and infrastructure in one platform. CubeAPM also markets itself around full-stack visibility, data staying inside the customer’s environment, and managed operations on top of a self-hosted deployment model.
Graylog: More integrated for log management
Graylog gives teams a more integrated log management experience than assembling a full Elastic pipeline themselves. The Graylog layer handles ingestion, processing, search access, and the main user experience, while MongoDB stores metadata, and the search backend is handled through OpenSearch, self-managed OpenSearch, or Graylog Data Node depending on the deployment model. That means there are still multiple components under the hood, but day-to-day interaction is centered more directly around Graylog itself.
This usually makes Graylog simpler to adopt for teams whose main operational signal is logs. Graylog also positions its Security offering around SIEM, threat intelligence, and anomaly detection, which makes it a practical choice for security and compliance-focused teams that want log management plus security workflows in the same ecosystem.
ELK Stack: Modular and flexible, but heavier to operate
Elastic describes the Elastic Stack as a group of products that work together to store, search, analyze, and visualize data. The stack includes Elasticsearch, Kibana, Beats, Logstash, and more. This gives teams strong control over ingestion, search, indexing, dashboards, and data lifecycle design.
That flexibility also creates more operational work in self-managed deployments. Teams need to deploy, secure, upgrade, scale, and tune the stack themselves. Elastic Cloud reduces some of that burden, but self-managed Elastic still requires stronger platform engineering ownership.
There is also an important licensing point. Elastic says it moved Elasticsearch and Kibana source code away from Apache 2.0 in 2021 to a dual SSPL 1.0 and Elastic License 2.0 model. Teams considering Elastic for open-source or commercial use should review the current licensing terms carefully before deciding.
| Dimension | ELK Stack | Graylog | CubeAPM |
|---|---|---|---|
| Deployment | Self-hosted or Elastic Cloud | Self-hosted, hybrid, or Graylog Cloud | Self-hosted in customer environment |
| Data Location | Customer-controlled or Elastic’s cloud | Customer-controlled or Graylog Cloud | Inside customer’s own cloud or on-prem |
| Operational Ownership | Customer-managed if self-hosted; Elastic-managed if cloud/serverless | Customer-managed if self-hosted; Graylog-managed if cloud | Vendor-managed ops; customer owns data and infra |
| Self-Hosted Option | Yes | Yes | Yes |
| Compliance Readiness | Strong when self-hosted; audit logging available | Strong; full data control when self-hosted | Strong; data never leaves customer boundary |
Feature Evaluation
Core Focus

CubeAPM is a full-stack observability platform for teams that want logs, metrics, events, and traces in one OpenTelemetry-based system while keeping data inside their own environment. That positioning comes from CubeAPM’s own product materials.

Graylog is built mainly for centralized log management, alerting, and security analytics. Its main strength is collecting, processing, searching, and investigating logs from many sources in one place, especially for operations, compliance, and SIEM-style use cases.

ELK Stack is best suited to teams that want deep search, analytics, and flexible pipeline control. Its main strength is Elasticsearch for large-scale search and analysis, combined with Kibana for dashboards and exploration. For teams with enough engineering capacity, it can support very customized logging and observability workflows.
MELT Coverage
CubeAPM delivers a unified MELT platform with correlated investigation across telemetry types in the same environment, based on CubeAPM’s own product messaging.
Graylog is strongest on logs. It supports ingestion, enrichment, routing, alerting, and security investigation well, but native trace- and metrics-centered observability is not its main design focus.
ELK Stack provides broad coverage across logs, metrics, traces, uptime, synthetics, and user experience monitoring. It can cover the main observability signals well, but teams usually get the most from it by adopting the wider Elastic observability ecosystem rather than just the original logging stack alone.
OpenTelemetry Support
OpenTelemetry has become a common vendor-neutral standard for collecting traces, metrics, and logs. A platform’s OTel support affects instrumentation portability, migration risk, and long-term lock-in.
| Platform | OTel log ingest | OTel trace ingest / OTLP | OTel metrics | Native OTel design |
|---|---|---|---|---|
| CubeAPM | Yes | Yes | Yes | Yes, OTel-native |
| Elastic Stack | Yes | Yes | Yes | Partial; strong OTel support, with Elastic also using ECS |
| Graylog | Yes, via OTLP/gRPC input | No native OTLP trace ingest in the current Graylog OTel input | No native OTLP metrics ingest in the current Graylog OTel input | Graylog remains log-centric |
Sampling Strategy
CubeAPM employs smart sampling as part of its OpenTelemetry-native observability model. The goal is to reduce low-value telemetry while still keeping the traces that matter most for troubleshooting. This makes it a strong fit for teams that want better control over ingestion costs without losing visibility into important production issues.
Graylog is different because its strength is log filtering, routing, and pipeline processing rather than trace-aware sampling. Teams can use stream rules and pipelines to decide which logs should be indexed, routed, or archived based on severity, source, or content. That makes Graylog useful for controlling log volume and storage costs, but it is not designed as a trace-sampling platform for distributed tracing workflows.
ELK Stack supports both head-based and tail-based sampling. Head-based sampling makes the decision at the start of a request, which helps reduce data volume early. Tail-based sampling waits until the full trace is visible, so slow requests, failed transactions, and unusual traces can be kept more reliably. This gives teams more flexibility when they want to balance cost control with deeper debugging coverage.
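The difference between head-based and tail-based sampling, as an added example (not code from Elastic, Graylog, or CubeAPM): constructed traces modelled on this page's payment-service scenario (120 ms normal, about 2 s when slow) are run through a head sampler that sees only the trace ID and a tail policy that sees the finished trace. The 10% and 1% rates, the 1,000 ms threshold, and all function names are assumptions chosen for illustration.

```python
import hashlib
from typing import NamedTuple


class Trace(NamedTuple):
    trace_id: str
    duration_ms: int
    error: bool


def build_traces(n: int = 1000) -> list[Trace]:
    """Constructed sample data: every 50th request is slow, every 125th fails."""
    traces = []
    for i in range(n):
        trace_id = hashlib.sha256(f"trace-{i}".encode()).hexdigest()[:32]
        duration = 2100 if i % 50 == 0 else 120
        traces.append(Trace(trace_id, duration, i % 125 == 0))
    return traces


def ratio_keep(trace_id: str, rate: float) -> bool:
    """Deterministic keep/drop from the trace ID alone (simplified ratio sampler)."""
    bucket = int(hashlib.sha256(trace_id.encode()).hexdigest()[:16], 16)
    return bucket / 2**64 < rate


def is_interesting(trace: Trace, latency_ms: int) -> bool:
    """A trace worth keeping for incident response: failed or slower than the threshold."""
    return trace.error or trace.duration_ms >= latency_ms


def head_sample(traces: list[Trace], rate: float) -> list[Trace]:
    """Head-based: decided when the request starts, before duration or errors are known."""
    return [t for t in traces if ratio_keep(t.trace_id, rate)]


def tail_sample(traces: list[Trace], latency_ms: int, baseline_rate: float) -> list[Trace]:
    """Tail-based: decided after the trace completes; keep every slow or failed
    trace plus a small baseline of normal ones for comparison."""
    return [
        t for t in traces
        if is_interesting(t, latency_ms) or ratio_keep(t.trace_id, baseline_rate)
    ]


def summarize(kept: list[Trace], latency_ms: int) -> dict:
    """Stored volume versus how many incident-relevant traces survived."""
    return {
        "stored": len(kept),
        "interesting_kept": sum(1 for t in kept if is_interesting(t, latency_ms)),
    }


if __name__ == "__main__":
    THRESHOLD_MS = 1000  # assumed latency cut-off for a "slow" trace
    all_traces = build_traces()
    total = sum(1 for t in all_traces if is_interesting(t, THRESHOLD_MS))
    print("interesting traces in input:", total)
    print("head 10%:", summarize(head_sample(all_traces, 0.10), THRESHOLD_MS))
    print("tail    :", summarize(tail_sample(all_traces, THRESHOLD_MS, 0.01), THRESHOLD_MS))
```
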
Real-World Debugging Scenario: Intermittent API Latency Spike
A payment service is intermittently spiking from 120ms to over 2 seconds during peak traffic. The team receives an alert and begins an investigation.
Using CubeAPM
CubeAPM uses smart sampling as a way to keep high-value traces while reducing lower-value telemetry volume. In this kind of incident, the team can inspect a slow trace, review span-level details, and move across related logs and infrastructure metrics inside the same platform, while keeping telemetry in the customer’s own environment. This gives CubeAPM a stronger unified workflow for teams that want correlated troubleshooting without relying on an external SaaS backend. Claims about very long retention or no extra retention cost should be tied directly to CubeAPM’s own pricing or product pages rather than stated as a neutral fact.
Using Graylog
The investigation starts in Graylog’s search interface, where the engineer filters logs by service name and time window to find errors or unusual messages around the latency spike. Streams, pipelines, and extractors can help structure, enrich, and route log data for easier investigation.
This makes Graylog effective for log-based troubleshooting, but its current OpenTelemetry gRPC input supports log data only. Metrics and traces sent over OTLP/gRPC are not ingested by that input. If the team needs trace-level visibility into the exact downstream database call or span causing the slowdown, it will usually need a separate tracing or APM tool.
Using Elastic Stack
The engineer can open Kibana and use Discover to search logs by service name, time range, and error patterns around the spike. If Elastic APM is deployed, the team can move into APM views to inspect transactions and spans, including database-query spans. Elastic documents that root spans map to APM transactions, while child spans such as database queries map to APM spans.
Pricing Behavior at Scale
Pricing differences tend to be modest at low volumes and material at scale. Understanding how each model behaves as telemetry grows is essential for total cost of ownership projections.
Disclaimer: The figures below are directional estimates based on standardized telemetry assumptions across logs, metrics, and traces. They are not vendor quotes. ELK Stack self-hosted figures reflect estimated infrastructure cost only and do not include internal engineering time. Elastic Cloud pricing is usage-based and may add separate ingest and retention charges depending on the deployment model. Graylog public pricing starts at annual plan minimums, while larger deployments typically require custom quotes.
| Team Size | ELK Stack (self-hosted infra est.) | Graylog Enterprise (est.) | CubeAPM (est.) |
|---|---|---|---|
| ~30 engineers | $800–$1,500/month (infra only) | $3,200/month | $2,080/month |
| ~125 engineers | $3,000–$5,500/month (infra only) | $11,400/month | $7,200/month |
| ~250 engineers | $6,500–$12,000/month (infra only) | $28,600/month | $15,200/month |
ELK Stack self-hosted costs are primarily infrastructure (compute, storage, network) and ongoing engineering time. Graylog Enterprise starts at $15,000/year, with Graylog Security from $18,000/year. CubeAPM’s flat $0.15/GB ingestion pricing includes all platform capabilities (APM, infrastructure monitoring, logs, and traces), with no per-user or per-host fees.
Key Pricing Dynamics to Watch
CubeAPM uses flat per-GB pricing at $0.15/GB, with no per-user or per-host fees. Its pricing is easier to forecast as telemetry grows because cost mainly scales with data volume, not seats, hosts, or separate modules. Smart sampling can also help reduce lower-value trace volume while keeping useful traces for incident investigation.
Graylog has a free open-source option, while Graylog Enterprise starts at $15,000/year and Graylog Security starts at $18,000/year. Its paid model focuses on active data, with features like Data Lake, selective retrieval, and data tiering to help teams keep lower-priority logs outside high-cost active storage while still making them available for investigation.
Elastic Cloud Hosted starts at $99/month for the Standard plan. Higher tiers include Gold, Platinum, and Enterprise, with pricing increasing based on resources, cloud provider, region, and configuration. For Elastic Stack self-managed deployments, teams mainly pay for infrastructure, storage, support/subscription if used, and the engineering time needed to operate the stack well.
Data Retention

CubeAPM: CubeAPM offers unlimited data retention, which is useful for teams that need long lookback windows for debugging, compliance, trend analysis, and slow-moving production issues. Logs, metrics, and traces do not have to be shortened because of a fixed SaaS retention tier. This helps teams investigate older incidents, compare current failures with past patterns, and keep operational history available for longer.
Graylog: Graylog retention is configurable. Its documentation shows that new index sets can use a Time Size Optimizing window of about 30 to 40 days by default. Longer retention can be handled through archive, Data Lake, and tiering features depending on the plan and deployment. This gives teams flexibility, but the actual retention period still depends on how Graylog is configured.
Elastic Stack: Elastic Stack does not have one fixed retention period. Teams manage retention through lifecycle policies and data tiers such as hot, warm, cold, frozen, and delete. In practice, retention may be 7 days, 30 days, 90 days, or much longer depending on storage, lifecycle policy design, and budget. This gives Elastic Stack strong flexibility, but retention planning stays with the team.
Best-Fit Scenarios and Trade-offs
CubeAPM
Best for: Engineering teams running Kubernetes-based microservices that need full OpenTelemetry-native observability with stronger data control, predictable ingestion-based pricing, and deployment inside their own cloud or on-premises environment. It is especially relevant for teams that want unified visibility across APM, logs, and infrastructure while keeping telemetry in their own environment.
- Strengths: Full MELT coverage across logs, metrics, traces, and infrastructure visibility; OpenTelemetry-based APM with AI-based sampling; deployment inside the customer’s cloud with no traces or logs sent out; unlimited retention; predictable pricing with no per-user or per-host fees.
- Limitations: Not suited for teams that want a fully off-prem SaaS-only observability model. Also focused on observability, not SIEM or cloud security management.
Graylog
Best for: Teams that need centralized log management and SIEM capabilities, especially for IT operations, security analytics, and DevOps environments where logs are the main operational signal. Graylog is also positioned for flexible deployment across on-prem, hybrid, or cloud environments.
- Strengths: Integrated log management experience with fewer moving parts than a fully self-assembled ELK deployment; strong search and analysis for log-heavy workflows; active-data-oriented pricing model; flexible deployment across on-prem, hybrid, or cloud; security and compliance workflows through Graylog Security.
- Limitations: Stronger for logs than trace-level debugging. Larger self-managed environments still require operational ownership. Graylog’s current OpenTelemetry gRPC input supports log data only, not metrics or traces.
ELK Stack
Best for: Teams with strong DevOps or platform engineering capacity that need deep search customization, flexible pipeline design, and full control over how data is ingested, stored, and visualized. It is a strong fit for organizations comfortable operating a modular self-managed stack or using Elastic Cloud for a managed deployment model.
- Strengths: Highly customizable pipeline and data model; Elasticsearch provides powerful full-text search and analytics; Kibana supports exploration and visualization; Elastic Observability extends the stack into APM, infrastructure monitoring, and broader observability workflows.
- Limitations: Self-managed deployments can create higher operational overhead because teams must manage scaling, upgrades, security, storage, and lifecycle policies. Long-term costs include infrastructure, storage, engineering time, and paid support or subscriptions if needed. Elastic also changed Elasticsearch and Kibana licensing in 2021 from Apache 2.0 to SSPL 1.0 and Elastic License 2.0, so teams should review licensing before using it in commercial or open-source-sensitive contexts.
Decision Framework
Teams evaluating these three platforms typically prioritize one of the following needs. The table below maps common requirements to the most likely architectural fit, along with the key trade-off to evaluate.
| Primary priority | Likely best fit | Key trade-off to consider |
|---|---|---|
| Centralized log management + SIEM | Graylog | Strong for logs and security analytics; native distributed tracing is not its core strength. |
| Deep search customization and pipeline control | Elastic Stack | Very flexible, but self-managed deployments need more engineering ownership. |
| Full-stack observability + data ownership | CubeAPM | Best fit when teams want customer-hosted observability, not off-prem SaaS-only delivery. |
| OpenTelemetry-native stack without re-instrumentation | CubeAPM | Strong fit for OTel-based teams; less suitable for teams that want a typical vendor-hosted SaaS backend. |
| Large existing Elastic investment | Elastic Stack | Good fit if the team already uses Elastic, but full observability may require APM, metrics, and lifecycle setup. |
| SIEM + security analytics + compliance | Graylog Security | Strong security/log workflow; APM and trace-led debugging usually need another tool. |
| Predictable billing at scale, no per-user costs | CubeAPM | Strong cost predictability; not a SIEM or cloud security platform. |
| Managed cloud with lower ops overhead | Elastic Cloud | Less self-management, but cost and data location depend on deployment, region, usage, and retention. |
Conclusion
The right platform depends on three things: what your primary operational signal is, where your data needs to live, and how the pricing model behaves as telemetry grows. Choose Graylog if log management and SIEM are your core workflows. Choose ELK if you need deep search customization and have the engineering capacity to manage a multi-component stack. Choose CubeAPM if full-stack OpenTelemetry-native observability, data sovereignty, and predictable ingestion-based pricing inside your own environment are the priority.
None of these platforms is universally superior. Each makes deliberate trade-offs. The best choice is the one that fits how your team actually works.
Disclaimer: The information in this article reflects the latest details available at the time of publication and may change as technologies and products evolve. Pricing figures are estimates based on publicly available or documented information.
FAQs
1. What is the main difference between Graylog and Elastic Stack?
Graylog is mainly built for centralized log management, SIEM, and security analytics. Elastic Stack is broader and more modular, built around Elasticsearch, Kibana, Beats, Logstash, and related components for search, analytics, dashboards, and observability workflows.
2. Is CubeAPM a replacement for Graylog or Elastic Stack?
Not as a direct drop-in replacement. Graylog is stronger for log management and SIEM, while Elastic Stack is strong for search, dashboards, and flexible observability use cases. CubeAPM is a better fit when teams need full-stack observability, OpenTelemetry-based workflows, customer-hosted deployment, and predictable ingest-based pricing.
3. Can Elastic Stack handle distributed tracing?
Yes. Elastic supports distributed tracing through Elastic APM. Elastic also documents OTLP support for traces, metrics, and logs, so teams can send OpenTelemetry data into Elastic when APM and observability components are deployed.
4. How does OpenTelemetry support compare across these platforms?
CubeAPM supports OpenTelemetry-based observability across logs, metrics, and traces. Elastic Stack has strong OTLP support for traces, metrics, and logs. Graylog’s current OpenTelemetry gRPC input is log-focused, so it does not provide native OTLP trace or metrics ingestion through that input.
5. Which platform is better for compliance and data residency?
CubeAPM, Graylog self-managed, and Elastic Stack self-managed can all support data residency because data can stay in a customer-controlled environment. Elastic Cloud and Graylog Cloud handle this through managed cloud deployment choices, regions, and compliance controls rather than full customer-owned infrastructure.
6. Is Elastic Stack free?
Partly. Teams can run Elastic Stack components without a hosted cloud bill, but self-managed deployments still require infrastructure, storage, upgrades, and engineering time. Elastic’s licensing also changed from Apache 2.0 to SSPL and Elastic License 2.0 in 2021, with AGPLv3 added as another source-code license option in 2024.
7. What is the best platform for Kubernetes-based microservices?
CubeAPM and Elastic Stack are stronger fits for full-stack Kubernetes observability because they support traces, metrics, and logs. Graylog works well for Kubernetes log collection and security workflows, but deeper trace-led debugging usually needs an APM tool alongside it.





