Log management tools have become essential as teams handle more distributed systems, cloud services, and machine data than ever before. Notably, 87% of organizations use logs, 57% use traces, and companies use an average of eight observability technologies. That supports the point that log data is still central, but tool choice is harder because stacks are more complex.
This guide compares the top 8 log management tools in 2026 with sourced drawbacks, real pricing breakdowns (including Datadog’s ingest-and-index double-billing problem), and a decision framework matched to your team’s scale and priorities.
Quick answer: What are the best log management tools in 2026?
- CubeAPM — Best for unified log + APM + traces in one self-hosted platform
- Datadog — Best for managed log analytics with broad integration ecosystem
- Better Stack — Best for fast setup and developer-friendly log monitoring
- Splunk Observability Cloud— Best for enterprise log analytics, SIEM, and security-heavy workflows
- Graylog — Best for centralized open-source log management and operational control
- New Relic — Best for logs inside a broader managed observability platform
- Dynatrace — Best for enterprise AI-assisted log analysis in complex environments
- Coralogix — Best for real-time log analytics with in-stream processing and cost control
Log management tools comparison table: 8 platforms at a glance
Pricing based on a standardized growing team profile (~13 TB/month, 60 hosts). Figures are directional estimates from public rate cards, early 2026. Estimated monthly pricing is based on our internal cost model and a standardized usage profile. Actual pricing may vary by retention, indexing, host size, user seats, discounts, support, and add-ons. Please verify with each vendor directly.
| Tool | Pricing (Small / Mid) | Deployment | OTel? | Full MELT? | Log pricing model | Best for |
| CubeAPM | $2,080 / $7,200 | Self-hosted (vendor-managed) | Native | Yes | $0.15/GB all-in | Unified logs + APM + traces |
| Graylog | $1,500 / $4,000 | SaaS + self-hosted | Native | Logs-first | Free OSS; Enterprise starts at $15K/yr | Centralized log management |
| Splunk Observability Cloud | $2,290 / $8,625 | SaaS + self-hosted | Native | Yes | Infra: Starts at $15/host/mo | Enterprise SIEM + log analytics |
| Coralogix | $4,090 / $13,200 | SaaS only | Native | Yes | $0.42/GB logs (Streama filtering) | Log-heavy teams + real-time analytics |
| Better Stack | $5,723 / $20,550 | SaaS only | Strong | Yes | Per-responder + bundles | Fast setup, developer-friendly |
| New Relic | $7,896 / $25,990 | SaaS only | Strong | Yes | $0.40/GB beyond 100 GB free | Logs in broad observability platform |
| Dynatrace | $7,740 / $21,850 | SaaS + self-hosted | Strong | Yes | $0.20/GiB logs | Enterprise AI-assisted analysis |
| Datadog | $8,185 / $27,475 | SaaS only | Strong | Yes | $0.10/GB ingest + $1.70/M indexed | Managed multi-cloud with 900+ integrations |
The log management pricing trap that catches most teams: Ingest vs. index billing
Most log management tools look affordable based on a single number, $0.10/GB, $0.50/GB, or a per-event rate. The gap between headline pricing and real monthly cost can be substantial once indexing, retention, seats, or host-based charges are added. Understanding the pricing model types is the most important thing in this comparison.
The five log pricing model types and what each one means for your bill
Disclaimer: This table reflects vendor pricing information publicly available at the time of writing. Prices, packaging, and included features may change, so check the latest vendor rate card before making decisions.
| Model | Who uses it | What you pay | The catch | Risk at scale |
| Flat ingestion-based | CubeAPM | $0.15/GB ingested; no separate indexing fee. | None, low complexity | Low |
| Ingest + index (two-part) | Datadog | $0.10/GB to ingest. Then $1.70 per million events to make logs searchable for 15 days. | Searchability adds a second charge | Very high |
| Per-GB by signal type | Coralogix | $0.42/GB logs, $0.16/GB traces, $0.05/GB metrics. | Egress charges apply when archived data is retrieved from your customer S3. | Low-Medium |
| Usage + ingestion (with free) | New Relic | 100 GB free/month, then $0.40/GB. Users billed separately ($49/Core, $349/year Full Platform). | Team size adds cost beyond data | Medium |
| Per-host (includes logs) | Dynatrace | Platform fee + separate log charges | Multiple billing dimensions | High |
| Enterprise volume pricing | Splunk Observability Cloud | Ingest-based at volume tiers. Negotiated annually. | Harder to forecast from list pricing | High for small teams |
| Per-responder + telemetry bundles | Better Stack | Bundle pricing + responder seats | Log retention beyond 30 days adds a separate per-GB charge. | Medium |
| Open-source + enterprise tier | Graylog | Open (free), Small Business (free up to 2 GB/day), Enterprise ($15K/yr), and Security ($18K/yr). | Self-hosting requires managing MongoDB. | Medium |
The Datadog ingest-and-index problem in plain numbers
Datadog’s log pricing is more complex than the headline ingest rate suggests. The platform charges once for log ingestion and again for indexed log events, which are the logs kept searchable under a retention policy. That means total cost depends not just on data volume, but also on event count, indexed share, and retention setting
Disclaimer: This table reflects Datadog pricing information publicly available at the time of writing. Prices and packaging may change, so confirm the latest Datadog pricing page before making decisions.
| Step | What it costs | What it gives you |
| Ingestion | $0.10/GB | Logs flow into Datadog and can be archived |
| Indexing | $1.70/million events for 15-day retention | Logs become searchable in Log Explorer. |
| Extended retention (30 days) | Higher indexed log cost depending on retention policy | Longer searchable retention |
| Rehydration (from archive) | Additional charge when archived logs are brought back for search | Accessing logs you archived but didn’t index. |
| Log forwarding (to external) | Additional outbound cost depending on destination and usage | Sending logs to external storage or tools |
The practical consequence is that Datadog log costs do not depend on ingest alone. Teams also pay for indexed log events, which means the final bill changes based on event count, how much data is kept searchable, and how long that searchable retention lasts. In practice, that makes Datadog log pricing harder to forecast than flat ingestion-based models.
How CubeAPM’s flat model compares at real log volumes
Disclaimer: All figures are directional estimates based on published rate cards at the time of writing. Verify current pricing with each vendor before making decisions. Datadog estimates here assume an average log event size of about 2 KB, or roughly 500 million events per TB. Archive storage and rehydration charges are not included in the partially indexed scenario.
| Monthly log volume | CubeAPM cost (flat $0.15/GB, fully searchable) | Datadog cost (all logs indexed, 15-day retention) | Datadog cost (20% indexed, rest archived) |
| 6 TB/month (growing team) | $900 | $5,700 (ingest $600 + indexing $5,100) | $1,620 (ingest $600 + indexing $1,020, excluding archive storage/rehydration) |
| 20 TB/month (mid-market) | $3,000 | $19,000 (ingest $2,000 + indexing $17,000) | $5,400 (ingest $2,000 + indexing $3,400, excluding archive storage/rehydration) |
| 100 TB/month (large team) | $15,000 | $95,000 (ingest $10,000 + indexing $85,000) | $27,000 (ingest $10,000 + indexing $17,000, excluding archive storage/rehydration) |
Thinking about moving from Datadog? See how CubeAPM compares on cost, data control, and full-stack observability.
How we evaluated the best log management tools
- Data collection and ingestion: How easily teams can collect logs from applications, servers, containers, cloud services, and network devices without added complexity.
- Search and query experience: Search speed and query flexibility during incidents. The difference between finding an error in 10 seconds vs. 90 seconds at 3am is significant.
- Parsing, enrichment, and pipelines: Whether the platform helps structure raw logs, extract useful fields, enrich events with context, and route data intelligently.
- Correlation with metrics and traces: How easily teams can pivot from a log entry to the trace it belongs to, or from a metric anomaly to the relevant log stream.
- Scalability and architecture: How the tool handles rising log volume, distributed systems, Kubernetes environments, and high-cardinality fields at scale.
- Pricing model and predictability: Whether the pricing structure stays forecastable as ingestion, retention, and team usage increase, specifically whether ingest and index are billed separately.
- Retention, security, and compliance: Retention controls, access policies, auditability, RBAC, and compliance fit for regulated environments.
- Deployment model: SaaS, self-hosted, or vendor-managed and the operational overhead and data residency implications each carries.
Log management vs. log monitoring vs. full observability: What is the difference?
| Concept | What it covers | When it is enough |
| Log management | Collection, storage, retention, search, and archival of logs. | When the primary need is centralized log collection, compliance archival, and basic search. |
| Log monitoring | Using logs to trigger alerts, detect anomalies, and support ongoing operations. | When you need real-time alerting on log patterns, error rate spikes, or specific event strings. |
| Log analytics | Running queries, building dashboards, and extracting insights from log data at scale. | When you need to understand trends, investigate patterns, or run security forensics across log history. |
| Full observability | Logs + metrics + traces + infrastructure + RUM correlated in one unified investigation workflow. | When troubleshooting distributed systems where a log entry alone is not enough to find root cause. |
Most teams evaluating ‘log management tools’ actually need log analytics at minimum and increasingly need logs correlated with traces and infrastructure metrics for full observability. This is why many of the tools in this guide are observability platforms with strong log management capabilities, not standalone logging products.
Open-source log management vs commercial tools
| Factor | Open-source (Graylog, Loki, ELK) | Commercial SaaS (Datadog, New Relic) | Vendor-managed self-hosted (CubeAPM) |
| License cost | Free (OSS tier) | High, scales with data volume | Usage-based flat rate ($0.15/GB) |
| Ops overhead | High, you manage the logging stack and supporting infrastructure. | Zero SaaS managed | Zero, vendor manages the backend |
| Data residency | Full control, stays in your cloud | Data goes to vendor cloud | Full control, stays in your cloud |
| Search performance | Good with tuning | Strong and managed | Strong, vendor-optimised |
| Real TCO | Infrastructure + engineering time | Subscription cost | Subscription cost only |
| Best for | Teams with DevOps capacity + budget constraints | Convenience and enterprise observability | Control without ops overhead |
The ‘open source is free’ assumption breaks down when engineering time is counted. At $80/hour, 10 hours/month managing Elasticsearch indexes, Graylog upgrades, or Loki retention, a realistic estimate for mid-market teams is $800/month in hidden cost. That changes the cost comparison materially against both self-hosted and managed alternatives.
Real-world scenarios: Which log management tool fits best?
How to find your scenario
| Primary driver | Deployment preference | Best fit |
| Predictable pricing as log volume grows | Any | CubeAPM ($0.15/GB flat) or Coralogix (Streama in-stream filtering) |
| Logs + traces + metrics in one platform | Any | CubeAPM, Datadog, or New Relic |
| Data residency / compliance | Self-hosted | CubeAPM (vendor-managed) or Graylog (self-managed) |
| Enterprise SIEM + security workflows | SaaS or self-hosted | Splunk Cloud Observability or Coralogix |
| Open-source, no SaaS costs | Self-hosted | Graylog or Grafana Loki stack |
| Fast setup, developer-friendly | SaaS | Better Stack or New Relic (100 GB free tier) |
| AI-assisted log investigation | SaaS | Dynatrace or Datadog |
| Replacing ELK stack complexity | Any | CubeAPM, Graylog, or Coralogix |
Scenario 1: Growing team moving beyond basic log collection
Profile: ~60 hosts, 6 TB logs/month (13 TB total with traces and metrics), 4 engineers, 30-day retention. Moving beyond ad hoc log queries toward structured incident investigation.
Disclaimer: Estimated monthly costs are modeled from our internal comparison sheet using standardized usage assumptions. Actual pricing varies by log volume, event size, retention, indexed percentage, user seats, host tiers, and negotiated vendor terms.
| Tool | Est. monthly cost | Logs fully searchable? | Unified with traces? | Self-hosted option? |
| CubeAPM | $2,080 | Yes, included in $0.15/GB | Yes, full APM | Yes (vendor-managed) |
| Graylog | $2,500 | Yes | Limited | Yes (self-managed) |
| Splunk Observability Cloud | $2,290 | Yes | Yes | Yes (self-managed) |
| Coralogix | $4,090 | Yes, with Streama cost filtering | Yes | No |
| Better Stack | $5,723 | Yes | Yes | No |
| New Relic | $7,896 | Yes (100 GB free, $0.40/GB beyond) | Yes, full MELT | No |
| Dynatrace | $7,740 | Yes, $0.20/GiB on top of host fee | Yes, full APM | Yes |
| Datadog | $8,185 | Only indexed portion (20–100% choice) | Yes, full MELT | No |
- CubeAPM: Flat $0.15/GB covers logs, traces, and metrics together. All logs are fully searchable; no separate indexing fee. Vendor-managed self-hosted means data stays in your cloud without a backend-ops burden. At this profile, 64% cheaper than Datadog.
- Graylog: Strong open-source option for teams primarily focused on centralized log collection and operational control. Best if trace correlation and full MELT are secondary requirements.
- Coralogix: Strong log analytics with Streama in-stream filtering that lets teams control what reaches searchable storage, directly addressing the “paying for logs you never query” problem.
Scenario 2: Mid-market team where log volume is driving cost decisions
Profile: 200 hosts, 20 TB logs/month (45 TB total), 10 users, 30-day retention. Log costs have become a visible budget line. Teams need to balance search coverage, retention, and cost.
Disclaimer: Estimated monthly costs are modeled from our internal comparison sheet using standardized usage assumptions. Actual pricing varies by log volume, event size, retention, indexed percentage, user seats, host tiers, and negotiated vendor terms.
| Tool | Est. monthly cost | vs CubeAPM | All logs searchable? | Log pricing model |
| CubeAPM | $7,200 | Baseline | Yes, flat rate | $0.15/GB flat (logs + traces + metrics) |
| Graylog | $6,000 | -17% | Yes (log-only scope) | Enterprise $15K/yr (~$1,250/month) |
| Splunk Observability Cloud | $8,625 | +20% | Yes | Volume-based / quote-based pricing |
| Coralogix | $13,200 | +83% | Yes, with in-stream filtering | $0.42/GB logs + Streama filtering |
| Better Stack | $20,550 | +185% | Yes | Telemetry bundles + responder seats + retention charges |
| Dynatrace | $21,850 | +203% | Yes, $0.20/GiB + host fee | Per-host platform + $0.20/GiB logs |
| New Relic | $25,990 | +261% | Yes, beyond 100 GB free at $0.40/GB | Per-GB + per-user seats |
| Datadog | $27,475 | +281% | Only indexed portion | $0.10/GB ingest + $1.70/M events indexed |
- CubeAPM: Best all-in cost with full MELT coverage. All 20 TB of logs are fully searchable at the flat $0.15/GB rate, with no decision about what to index and what to hide from incident investigation.
- Graylog: Cheapest option at this scale for teams that only need log management (not traces or metrics). The enterprise tier at $15K/year suits dedicated log-management deployments without APM requirements.
- Coralogix: Strong for log-heavy teams that want Streama’s in-stream filtering to control what actually gets indexed and stored. At 20 TB/month of logs, the ability to filter before indexing is a meaningful cost control.
Top log management tools: Detailed profiles
1. CubeAPM
Best for: Teams that want log management as part of unified observability logs, metrics, traces, and infrastructure correlation in one vendor-managed self-hosted platform with flat, predictable pricing.
Known for
CubeAPM is a self-hosted, vendor-managed, OpenTelemetry-native observability platform covering APM, logs, infrastructure, Kubernetes, RUM, synthetic monitoring, Kafka monitoring, and error tracking. All logs are fully searchable at $0.15/GB, with no separate indexing tier and no per-event charge on top of ingestion. It runs inside your cloud, so there is no data egress and no external dependency during incidents.
Recognized as a High Performer in G2’s Spring 2026 APM Grid Report and ranked #5 among the easiest-to-use APM tools on G2. Trusted by redBus (part of NASDAQ-listed MakeMyTrip, 8+ countries), Delhivery ($3.5B), Mamaearth ($1.2B), Policybazaar, and Practo.
Key features
- Full-stack unified monitoring: APM, logs, infrastructure, Kubernetes, Kafka, RUM, synthetic monitoring, error tracking
- OpenTelemetry-native compatible with Prometheus, Datadog, and New Relic agents for incremental migration
- Self-hosted and BYOC data sovereignty by design; SOC 2 and ISO 27001 certified
- Unlimited data retention: no separate retention tiers, no egress charges
- AI-based trace sampling retains traces that matter while reducing storage overhead
- Log-to-trace correlation: pivot directly from a log entry to its distributed trace without switching tools
- Direct engineering support via shared channel responds in minutes during incidents
Log management specifics vs competitors
- All logs searchable at one rate: $0.15/GB, no ingest + index split. Unlike Datadog’s two-part model, CubeAPM’s stated price is the real price.
- Unlimited retention: No 15-day default search window, no rehydration cost for older logs. Keep logs as long as needed at no additional charge.
- Full-text log search: Structured and unstructured logs with field-based filtering and full-text search in one interface.
Pros
- Simplest pricing: $0.15/GB flat no ingest/index split, no per-event indexing charge
- Complete data ownership: no telemetry leaves your infrastructure
- 70–75% lower cost than enterprise APM + log management at scale
- Multi-agent compatible incremental migration from Datadog or New Relic
Cons
- Not suited for teams looking for off-prem solutions
- Strictly an observability platform and does not support cloud security management
Pricing
- $0.15/GB ingested. All signals (logs, traces, and metrics) at the same rate. No per-host, per-user, per-event, or separate retention charges. Unlimited retention included.
CubeAPM vs Datadog for log management
Choose CubeAPM when you want all logs to be fully searchable without making a cost-driven decision about which 20% to index. Datadog’s separate ingest and indexing charges make it more expensive to keep 100% of logs searchable: a 200 GB/month deployment is about $190/month in Datadog versus about $30/month in CubeAPM at the same log volume. CubeAPM also includes distributed tracing and APM in the same platform, so teams do not need to buy log management and APM as separate products.
2. Datadog
Best for: Teams that want the broadest managed SaaS platform with 1000+ integrations, deep AWS/multi-cloud coverage, and logs correlated with metrics, traces, RUM, and security in one managed product.
Known for
Datadog is the leading managed SaaS observability platform. Its log management product, Datadog Logs, is built around centralized ingestion, search, analytics, and automatic correlation with APM traces and infrastructure metrics. It is the strongest managed option for teams that need log investigation tied directly to trace context and infrastructure state.
Key features
- Centralized log ingestion, search, and analytics with Log Explorer
- Automatic log-to-trace and log-to-metrics correlation
- 900+ integrations including deep AWS, GCP, and Azure connectors
- Real-time log processing, parsing, and pattern detection
- Flex Logs tiered storage with different ingestion and retention cost options
Pros
- Broad platform coverage across logs, metrics, traces, RUM, and security.
- Strong log to trace and log to metric correlation during incident investigation.
- Very large integration ecosystem across cloud, infrastructure, and developer tools.
- Managed SaaS experience that reduces backend operational overhead.
- Flexible indexing, archive, and storage options for teams with different retention needs.
Sourced drawbacks
- Log cost can rise quickly when indexing a large share of events.
- Pricing is spread across multiple usage dimensions and products.
- No self-hosted option.
Pricing
- Log ingestion: $0.10/GB
- Log indexing (15-day retention): $1.70/million indexed log events
- Log indexing (30-day retention): $2.50/million indexed log events
- Log forwarding: $0.25/GB outbound per destination
Datadog vs CubeAPM for log management
Choose Datadog when you want a managed SaaS platform with broad integrations and unified observability in one vendor. Choose CubeAPM when you want all logs to be fully searchable at one flat rate, keep data in your own cloud, and avoid separate ingest and indexed-event pricing.
3. Better Stack
Best for: Developers and smaller teams that want fast setup, clean dashboards, and simple log monitoring with uptime and incident management without enterprise observability complexity.
Known for
Better Stack combines log management with uptime monitoring, incident response, and status pages in one developer-friendly interface. Its log management is built on ClickHouse and supports SQL-compatible queries, making it approachable for teams familiar with SQL but unfamiliar with proprietary query languages.
Key features
- Pricing scales across telemetry bundles and responder seats, not just one usage line.
- Log retention beyond 30 days costs extra.
- Better Stack is SaaS only.
Pros
- Fast setup with a simple and developer-friendly user experience.
- Combines logs, uptime monitoring, incident response, and status pages in one platform.
- SQL-style querying makes log search approachable for teams familiar with structured queries.
- Telemetry bundles include logs, metrics, and traces in one package.
- Good fit for smaller teams that want observability and operational tooling in one managed product.
Sourced drawbacks
- Pricing scales across telemetry bundles and responder seats, not just one usage line.
- Log retention beyond 30 days costs extra.
- Better Stack is SaaS only
Pricing
- Telemetry bundles start at $25/month.
- On-call seats start at $29/responder/month on annual billing.
- 30-day log retention is included.
- Extra retention is billed separately.
Better Stack vs CubeAPM for log management
Choose Better Stack when fast setup, uptime monitoring, incident response, and developer-friendly SaaS workflows matter more than deployment control. Better Stack bundles logs with a broader operational toolkit, and its pricing combines telemetry bundles, responder seats, and retention-related charges.
4. Splunk Observability Cloud
Best for: Enterprises that need log analytics alongside security, SIEM, and compliance workflows, particularly teams already invested in the Splunk ecosystem.
Known for
Splunk defined enterprise log management and SIEM over a decade ago. Its Search Processing Language (SPL) remains the most expressive query language for complex log analytics, threat hunting, and compliance reporting. Splunk Observability Cloud is Splunk’s modern observability platform, while Splunk Enterprise handles the traditional log management and SIEM workload.
Key features
- Enterprise-scale log analytics and search (SPL)
- SIEM, threat detection, and security observability
- Infrastructure and application monitoring
- Distributed tracing and OpenTelemetry support
Pros
- Strong full-stack observability coverage.
- Mature OpenTelemetry support for enterprise teams.
- Useful for teams already invested in Splunk logs or Splunk Cloud Platform.
Sourced drawbacks
- Pricing is split across different Observability Cloud editions and products.
- Public pricing does not provide one simple standalone log rate card for every setup.
- Log Observer Connect depends on Splunk Enterprise or Splunk Cloud Platform log data.
Pricing
- Infrastructure monitoring starts at $15 per host per month, billed annually.
- App and Infra starts at $60 per host per month, billed annually.
- End-to-end starts at $75 per host per month, billed annually.
Splunk vs CubeAPM for log management
Choose Splunk Observability Cloud when you already use Splunk and want enterprise-grade observability with strong OpenTelemetry support and in-context log analysis across a larger platform. Choose CubeAPM when you want a simpler self-hosted, vendor-managed model with predictable flat pricing for logs, metrics, and traces, and when clear cost forecasting matters more than broader enterprise packaging.
5. Graylog
Best for: Teams that want centralized log management with flexible self-hosted deployment, open-source control, and operational visibility without moving to a broader observability platform.
Known for
Graylog is one of the most widely adopted open-source log management platforms. It provides centralized log collection, powerful search, processing pipelines, RBAC, and alerting. Graylog Open is free, while Graylog Enterprise ($15K/yr) and Graylog Security ($18K/yr) add advanced features and managed support.
Key features
- Centralised log collection from syslog, GELF, Beats, and more
- Processing pipelines for parsing and enrichment
- Search and filtering with regex and field extraction
- RBAC for access control
- Alerting and dashboards
- Graylog Security for SIEM and threat detection
Pros
- Open-source style entry point with self-hosted control.
- Strong log collection, search, and pipeline features.
- Good fit for teams focused mainly on log management.
Sourced drawbacks
- Enterprise features start in paid editions, with Graylog Enterprise starting at $15,000/year.
- Self-hosted deployment still requires running the Graylog stack and supporting components.
- Graylog is logs first, not a full native MELT platform on the level of broader observability suites. This is an inference from its product scope and pricing structure.
Pricing
- Graylog Open is available for self-hosted use.
- Graylog Enterprise starts at $15,000/year, paid annually.
- Graylog Security starts at $18,000/year, paid annually.
Graylog vs CubeAPM for log management
Choose Graylog when the main goal is centralized log management with self-hosted control and open-source-style flexibility. Choose CubeAPM when you want logs, traces, and metrics in one vendor-managed, self-hosted platform with predictable usage-based pricing and less backend operational overhead.
6. New Relic
Best for: Teams that want logs inside a broad managed observability platform with 100 GB free ingest, no host-based charges, and strong APM and infrastructure correlation.
Known for
New Relic’s log management is part of its Telemetry Data Platform: logs, metrics, traces, and events are all ingested and queried in one system using NRQL. The 100 GB free ingest per month is the most generous free tier in this category.
Key features
- Centralised log ingestion and search inside Telemetry Data Platform
- Log-to-trace and log-to-metric correlation using NRQL
- APM and infrastructure monitoring alongside logs
- OpenTelemetry support
- 100 GB free ingest/month
Pros
- Generous free tier for getting started with log management.
- Unified platform for logs, metrics, traces, and application monitoring.
- Strong OpenTelemetry compatibility across agents and collectors.
Sourced drawbacks
- Paid ingest starts after the free tier, so costs rise directly with data volume beyond 100 GB/month.
- New Relic pricing also includes user types and platform editions, so total cost is not driven by ingest alone.
- Extended retention and advanced admin capabilities sit in higher platform editions, not the base free entry point.
Pricing
- Free tier includes 100 GB/month of data ingest.
- Log ingest beyond the free tier is priced at $0.40/GB.
- New Relic also uses user types and platform editions, including Basic, Core, and Full Platform users.
- Standard includes up to 5 full platform users, while Pro and Enterprise expand capabilities and retention.
Use the New Relic pricing calculator to estimate your expected spend across ingest, user seats, synthetics, and other usage-based charges.
New Relic vs CubeAPM for log management
Choose New Relic when you want a managed SaaS platform with a generous free tier and unified logs, metrics, and traces in one place. Choose CubeAPM when you want predictable flat pricing across signals, self-hosted data control, and to avoid mixing ingest costs with user- and edition-based platform pricing.
7. Dynatrace
Best for: Large enterprises that want AI-assisted log analysis tied to automatic topology mapping and deep full-stack observability across complex hybrid environments.
Known for
Dynatrace’s log management is integrated with its Davis AI engine. Log patterns are automatically analyzed, correlated with infrastructure events, and surfaced in the context of topology-aware problem detection. This makes Dynatrace’s logs more powerful for complex environment investigations than standalone log tools, though at significantly higher cost.
Pros
- Strong enterprise observability coverage in one platform.
- Good OpenTelemetry support for teams standardizing on OTel.
- Flexible pricing options for log analysis workflows
Sourced drawbacks
- Log pricing is multi-part, with separate charges for ingest and process, retention, and query under the pay-per-query model.
- Public pricing is more complex than simpler flat rate logging tools because Dynatrace offers more than one consumption model.
- Dynatrace is positioned for broad enterprise observability, so it is usually a heavier fit than teams need when the main requirement is only centralized log management. This is an inference from the platform scope and pricing structure
Pricing
- Log ingest and process: $0.20 per GiB.
- Log retention: $0.0007 per GiB day.
- Log query: $0.0035 per GiB scanned.
- Retain with included queries: $0.02 per GiB day.
- Log retention can be configured from 1 day up to 10 years.
Dynatrace vs CubeAPM for log management
Choose Dynatrace when automated AI-assisted log correlation with full-stack topology awareness is the priority and when the budget supports the full-stack platform cost. Choose CubeAPM when cost predictability is the primary constraint and teams need logs + traces + infrastructure in one platform at a fraction of the per-host cost.
8. Coralogix
Best for: Teams with high log volumes that want real-time in-stream processing, strong log analytics, and cost control over what actually gets indexed; the most direct answer to the Datadog ingest-and-index problem.
Known for
Coralogix’s Streama architecture is its core differentiator in log management. Streama processes logs in-stream before they reach storage, enabling real-time analysis, routing, filtering, and cost reduction based on content rather than a blanket retention policy. This is directly relevant to teams trying to avoid paying for logs they never actually query.
Key features
- Streama in-stream processing analyzes and routes logs before storage, not after
- Log query and filtering with SQL and PromQL
- Customer-cloud archival logs go to your own S3, not Coralogix’s storage
- Real-time log analytics and alerting
- Metrics and traces alongside logs
- OpenTelemetry-native ingestion
Pros
- Strong fit for log-heavy environments that need real-time analytics.
- Good data control story with storage in the customer’s own bucket.
- Unified observability coverage beyond logs alone.
Sourced drawbacks
- Coralogix is SaaS only, so it is not a fit for teams that require self-hosted deployment.
- Pricing is usage-based by signal type, so total cost still rises with data volume across logs, traces, and metrics.
- Public Coralogix pages show some pricing variation across site pages, so teams should verify the live rate card before publishing or budgeting.
Pricing
- Logs: $0.42/GB
- Traces: $0.16/GB
- Metrics: $0.05/GB
Coralogix vs CubeAPM for log management
Choose Coralogix when your environment generates very high log volumes and the primary need is real-time in-stream filtering to control what gets indexed and stored. Streama’s approach is the most direct counter to Datadog’s ingest-and-index double billing problem. Choose CubeAPM when you want logs, traces, and metrics at a single flat rate with self-hosted data control or when APM depth is as important as log analytics.
Best log management tool by use case
- CubeAPM: OTel-native Kubernetes log collection correlated with pod/node metrics and distributed traces in one vendor-managed platform.
- Datadog: Strong managed Kubernetes log collection with Container Insights and Service Map correlation. Best when the full Datadog ecosystem is in use.
- Coralogix: Good for high-volume Kubernetes log environments where Streama filtering reduces indexing costs across many containers.
- Splunk: Deepest SIEM capability, threat detection, compliance reporting, and SPL analytics. Standard for regulated industries with existing Splunk investments.
- Coralogix: Security observability alongside log analytics, including anomaly detection and compliance-focused data routing.
- Dynatrace: AI-assisted log correlation with infrastructure events for security-relevant incident investigations in complex environments.
- CubeAPM: $0.15/GB flat — all logs fully searchable. Consistently the lowest total cost across growing and mid-market profiles.
- Graylog: Open-source edition is free (infrastructure costs only). Enterprise tier at $15K/year for teams that need managed support.
- Coralogix: Streama in-stream filtering reduces what reaches paid storage, effective cost control for teams with high log volumes and low query rates.
- CubeAPM: OTel-native ingestion, no proprietary agents required, multi-agent compatible for incremental migration.
- Coralogix: Strong OTel support with Streama processing for log, trace, and metric ingestion.
- New Relic: OTel ingestion alongside NRQL-powered analytics and 100 GB free ingest.
- CubeAPM: Replaces Elasticsearch management and Kibana configuration with a vendor-managed platform for full log analytics without the stack overhead.
- Graylog: Uses OpenSearch as its backend (ELK-compatible) but with a better management layer and RBAC. Familiar for teams with Elasticsearch experience.
- Coralogix: Managed SaaS replacement for ELK with stronger pipeline control and real-time analytics.
- Better Stack: Fastest onboarding in this category. SQL-based log querying and uptime monitoring in one product.
- New Relic: 100 GB free tier and fast managed SaaS onboarding with no host-based charges.
- Coralogix: Quick SaaS setup with strong out-of-the-box log analytics.
What changes at scale when choosing a log management tool
Unlike APM tools where host-based pricing is the primary cost driver, log management costs are almost always ingestion-driven. The number of hosts matters less than how verbose each service is. A single Kubernetes deployment can generate 10x more logs after adding debug-level tracing. Pricing models that charge per host give false comfort for log-heavy environments; ingestion-based pricing reflects actual usage more accurately.
The most consequential decision in log management at scale is not which tool to use; it is what percentage of logs to make searchable. In tools with separate ingestion and indexing charges (Datadog and historically Splunk), teams are economically incentivized to index as few logs as possible. But during a production incident, the logs that reveal root cause are often in the unindexed majority. Flat-rate tools (CubeAPM) eliminate this tradeoff entirely.
Full-text search across all log content is powerful for investigation but computationally expensive at high volume. Label-based or stream-based approaches (Coralogix’s Streama, Grafana Loki’s label model) reduce search cost by organising logs before they reach the query engine. At mid-market and enterprise scale, the choice between these approaches has both cost and performance implications.
As environments grow, logs carry more dynamic fields: request IDs, user IDs, container names, regions, deployment versions, and tenant IDs. Platforms that index every unique field value as a searchable dimension can experience schema explosion that slows queries and increases storage costs. Structured logging with controlled schema (JSON, structured fields) is increasingly important beyond early-stage log collection.
Short-term debugging needs 15–30 days of hot, searchable data. Compliance requirements for financial services, healthcare, and government often require 90 days, 1 year, or longer. The retention architecture matters: hot storage (immediately searchable), warm storage (searchable with delay), and cold storage (archive with rehydration cost). Datadog’s rehydration at $1.27/million events adds significant cost for teams that archive and then query. CubeAPM’s unlimited retention includes all logs at one rate with no rehydration charge.
Common mistakes teams make when evaluating log management tools
Datadog’s $0.10/GB ingestion number looks competitive until you add $1.70/M events for indexing. Always model the complete bill at your actual log event density.
A log retention policy that starts at 30 days and extends to 90 for compliance review can triple the monthly storage bill on tools that charge per GB per month for extended retention.
Splunk SPL, Datadog Logs search syntax, NRQL, and Graylog’s query language all have a real onboarding time. Factor training costs into the total cost of adoption.
Container log verbosity is typically 3–5x higher than equivalent VM-based services. A Kubernetes migration can multiply log ingestion without a code change.
Investigation workflows that require pivoting from a log to its trace or from a metric anomaly to the relevant log stream are 60–90 seconds faster in unified platforms than in multi-tool setups.
Graylog and ELK are free to license but require engineering time to operate. At $80/hour, 10 hours/month of stack management = $800/month in hidden cost.
SaaS-only tools (Datadog, New Relic, Better Stack) cannot satisfy data residency requirements for teams in regulated industries. This eliminates options before evaluation starts.
Log volume grows with services, traffic, and debugging activity. A tool that fits today at 6 TB/month often costs 3–5x more after a year of growth.
Migrating to a new log management tool: What to expect
Most log management migrations are simpler than teams expect, especially if existing logging infrastructure already uses structured log formats or OpenTelemetry. The main effort is not moving log data; it is recreating dashboards, alert rules, and saved queries in the new platform.
Update the OTLP exporter endpoint in your collector config. Logs continue flowing through the same pipeline to the new destination. No changes to application code required. CubeAPM, Coralogix, and New Relic all accept OTel log ingestion natively.
CubeAPM supports multi-agent operation — you can run both the existing agent and a new OTel Collector in parallel. Route specific log groups to the new platform while keeping others in the existing tool during the transition. Mamaearth completed its full migration in under an hour with zero downtime using this approach.
CubeAPM, Graylog, and Coralogix all accept logs via Filebeat and Logstash. Graylog specifically supports GELF and Beats inputs natively teams can redirect existing Beats agents to Graylog without reconfiguring data sources.
Estimated migration timelines
| Team profile | Est. migration effort | Main work |
| Growing team (10–50 services) | 1–3 days | Update exporter/agent endpoints; recreate key dashboards and alert rules |
| Mid-market (50–200 services) | 1–2 weeks | Phased rollout by service; validate query parity; recreate investigation workflows |
| Enterprise (200+ services) | 3–6 weeks | Governance review; multi-team coordination; compliance validation; staged cutover |
Conclusion: How to choose the right log management tool
The best log management tool depends on what your team needs most as log volume, retention requirements, and investigation complexity grow. Here is the decision framework:
| Primary requirement | Best fit | Why |
| Cost predictability + full log searchability | CubeAPM | Flat $0.15/GB, all logs searchable at one rate, no ingest/index split |
| Data residency/compliance: self-hosted | CubeAPM or Graylog | Vendor-managed in your cloud (CubeAPM) or open-source self-managed (Graylog) |
| Broadest managed SaaS + integrations | Datadog | 1000+ integrations; best log-APM-infrastructure correlation in managed SaaS |
| Enterprise SIEM + security analytics | Splunk | SPL, threat detection, compliance reporting, and unmatched security depth |
| In-stream processing to control what you pay | Coralogix | Streama filters logs before indexing, reducing cost on high-volume environments |
| Fast setup, uptime + logs together | Better Stack | Best developer-friendly option for smaller teams wanting quick adoption |
| AI-assisted log investigation in enterprise | Dynatrace | Davis AI correlated log analysis with automatic topology awareness |
| Logs in broad SaaS platform + free tier | New Relic | 100 GB free ingest/month; strong MELT platform with no host-based charges |
Disclaimer: The information in this article is based on publicly available sources and reflects details available at the time of publication. Pricing, features, and packaging may change. Verify all pricing with each vendor before making decisions.
FAQs
A log management tool helps teams collect, store, search, and analyze logs from applications, servers, containers, cloud services, and other systems. Modern log management tools increasingly include real-time alerting, retention controls, compliance archival, and correlation with metrics and traces for unified observability.
Log management focuses on the collection, storage, organization, and querying of logs. Log monitoring focuses on using those logs to detect issues and trigger alerts in real time. Full log analytics combines both and adds the ability to investigate historical patterns and build operational dashboards from log data.
Datadog’s log pricing uses a two-part model: $0.10/GB to ingest logs (not searchable), plus $1.70 per million events to index them for search. A 200 GB/month log volume costs $190 total, not $20 from the headline rate. Teams that index 100% of logs for full incident visibility face an indexing bill 8.5x the ingestion cost. This is widely documented across independent analyses and G2 reviews.
Log volume grows faster than most teams expect; adding microservices, increasing debug verbosity, or enabling Kubernetes logging can double ingestion overnight. Costs also compound across multiple dimensions: ingestion + indexing (Datadog), retention tiers (most platforms), and per-user seats (New Relic). Flat-rate ingestion-based tools (CubeAPM at $0.15/GB) stay proportional to actual data growth without multiplying across billing axes.
Graylog Open and Grafana Loki are free to self-host; you pay only infrastructure costs. For managed/SaaS log management, CubeAPM at $0.15/GB flat is consistently the lowest cost at growing and mid-market scales. New Relic’s 100 GB free ingest is the best entry point for teams starting out. Splunk and Datadog are the most expensive at scale.
Yes. Metrics show that something changed. Traces show which services were involved and where latency occurred. Logs provide the detailed event-level context needed to understand what actually happened: the specific error message, the failing database query, and the exact request payload. All three signals are needed for complete incident investigation. The trend is toward unified platforms that correlate all three in one workflow.
CubeAPM is the strongest cost-effective option for OTel-native Kubernetes log collection correlated with pod/node metrics and distributed traces in one vendor-managed platform. Datadog offers the most mature managed Kubernetes log collection with Container Insights. Coralogix’s Streama is effective for high-volume Kubernetes log environments where filtering before indexing reduces cost. Grafana Loki is the most widely adopted open-source option for Kubernetes-native log collection.
Graylog Open is the most feature-complete open-source log management platform, with centralized collection, search, processing pipelines, RBAC, and alerting. Grafana Loki is the best open-source option for Kubernetes-native log collection at high volume. The ELK stack (Elasticsearch + Logstash + Kibana) remains widely used but carries significant operational overhead. All self-hosted options require engineering time to operate, which narrows the cost advantage vs. managed alternatives.
Growing teams (10–50 services) typically complete an OTel-based migration in 1–3 days. Mid-market teams (50–200 services) typically take 1–2 weeks for phased rollout and workflow recreation. Enterprise teams (200+ services) typically need 3–6 weeks for governance review and staged cutover. Mamaearth completed its full migration to CubeAPM in under an hour with zero downtime enabled by OTel-native instrumentation and parallel agent operation.