How a Small Business Should Approach Graylog Pricing: What to Ask, and How to Survive the First Two Years

Graylog is a genuinely good log management and security platform. Its stream-based routing, ingest-time parsing pipelines, and per-team access controls solve real problems that lighter tools make you build yourself. None of what follows is an argument against the software.

It is an argument about the pricing model — and specifically about how that model treats a small business in its first two years, which is exactly when a small business is least equipped to deal with it. If you walk into a Graylog conversation knowing how the pricing works and what to ask, you can set yourself up well. If you walk in blind, you can get walled in. This article is the briefing I wish more small businesses had before that first sales call.

The one number that decides everything: GB ingested per day

Graylog’s commercial pricing is driven by how much log data you ingest per day, measured in gigabytes. The public-facing posture is a “starting from” figure followed by “contact us for a quote.” There is a free tier for low volumes — broadly, traffic under 5 GB/day — and a fully free, self-hostable Graylog Open edition that has no such meter at all.

Hold onto that 5 GB/day number, because the entire trap hinges on it.

Why volume-based pricing quietly punishes beginners

Here is the uncomfortable truth about charging by log volume: it bills you hardest exactly when you know the least.

A new small business setting up monitoring should log almost everything at first. You don’t yet know which logs matter, which are noise, and which will save you at 3 a.m. during an incident. Learning what to keep and what to drop is the actual work of running an observability stack — and it takes months of watching real traffic before you can do it confidently. Over-logging at the start isn’t waste; it’s how you learn.

And modern infrastructure hits that 5 GB/day line astonishingly fast. A worked example that plays out constantly:

You stand up four firewall appliances for production — entry-level Fortinet boxes, or OPNsense on cheap hardware. You enable full logging, including accept events, because nobody told you to filter yet and the defaults log everything. Those four devices alone can produce 3–4 GB of logs per day. You haven’t even put an application live, and you’re already at the edge of the free tier.

This is not an exotic scenario. It is the normal starting state for a business that doesn’t yet have a senior administrator trimming logs at the source. Give it 12 to 24 months, and that same business will have learned to filter aggressively — dropping accept-logs, sampling health checks, parsing and discarding noise — and 20 GB/day will become 2 GB/day. The volume problem largely solves itself with experience.

The pricing model, however, charges full freight during the learning period and eases off only after you’ve already become skilled enough not to need the help. It rewards the experienced and penalizes the inexperienced — which is backwards, because the inexperienced are the ones who needed a logging tool to learn from in the first place.

There’s a second sting if you’re self-hosting. When you run Graylog on your own servers, the cost of ingesting more data is already yours: your disk, your CPU, your retention policy. A per-GB license fee on top of self-hosted infrastructure is charging you for volume the vendor never has to store or process. For a vendor-hosted cloud product, the per-GB fee at least maps to their storage and compute. For self-hosted, it maps to their pricing power and nothing else. That distinction is the single strongest point you can raise in any negotiation.

Why “starting from + call us” should make you cautious

Opaque enterprise pricing isn’t fraud — there are honest reasons for it. Real costs depend on edition, volume, retention, node count, support tier, and add-ons, so a single published number genuinely can’t capture everything. Vendors also price-discriminate openly (a bank pays more than a five-person shop for identical software) and keep quotes secret from competitors.

But for a one-person shop or a small business, the sales motion built on top of that opacity is a poor fit, and it’s worth being clear-eyed about why:

• Your time is the cost. A discovery call, a scoping call, a quote, a negotiation — that’s hours of unbillable time to extract one figure. A large company has a procurement person for exactly this; you don’t.
• The anchor gets set on you, not the software. Once sales knows your budget and your client, the quote is shaped around what they think you can pay, not what the bits cost.
• Annual commitments plus volume creep. Yearly contracts priced on GB/day mean you can cross a tier threshold and watch the bill jump — and the contract makes leaving expensive.
• Sales is structurally uninterested in you. A sub-million-revenue business is too small to move a salesperson’s quota and too high-touch to be worth their time. The opacity isn’t them circling you as prey; it’s them being unwilling to publish a number that commits them to a customer they don’t prioritize.

That last point is oddly freeing: if the vendor’s pricing model is built for procurement departments, then “just don’t play that game” costs you very little, because they were never going to serve a small business well anyway.

What to actually ask before and during the conversation

If you do engage with Graylog (or any volume-priced log vendor), go in with these questions answered or asked explicitly. Getting them in writing is what separates a good first two years from a nasty surprise at renewal.

1. Do I even need a paid edition? Find out before the call whether the features you actually want live in Graylog Open or behind a paid licence. Open includes the streams, pipelines, and per-stream access control that most people love about Graylog. Several headline capabilities — Sigma rule support, anomaly detection, case management, the cluster-management dashboard — are paid-only. If your needs are covered by Open, there is no call to make.

2. Exactly what counts toward my daily volume? Is it measured pre- or post-processing? If Graylog’s pipelines drop or filter a message before indexing, does that reduce the counted volume, or are you billed on raw ingest? This single answer can change your bill by a large factor.

3. What happens when I cross a tier threshold? Ask for the thresholds in writing and what the price does at each one. Ask specifically: if I spike for one week during onboarding, am I bumped to a higher tier for the whole contract?

4. Is there an onboarding or learning-curve grace period? This is the fair ask, and it’s the one to push hardest. The legitimate grievance isn’t “your software costs money” — it’s “you meter volume with no allowance for the months I spend learning what to filter.” Ask directly for a flat-rate or uncapped first 12–18 months so you can over-log while you learn, then settle at your tuned steady-state volume. Some vendors offer onboarding ramps or commit-with-overage grace. If they won’t, that tells you something.

5. What does renewal look like? Get the renewal price mechanism in writing, not just year one. The trap is rarely the first invoice; it’s the second.

Your strongest negotiating position is having an alternative

The best leverage in any pricing conversation is a credible willingness to walk away. For log management, that alternative is real and free: Graylog Open, or other self-hosted open-source tools where ingest volume costs you only infrastructure and never a licence fee.

This reframes the whole firewall-flood problem. On a self-hosted, unmetered tool, your client’s journey from “log everything for the first year” to “filtered down to 2 GB/day” costs them some disk and a little CPU — and nothing in fees. The filtering they learn becomes pure operational upside instead of desperate bill reduction under contract pressure. The volume trap simply does not exist when there is no per-GB meter.

So the practical strategy for a small business is:

• Start on Graylog Open (or another free self-hosted option) for the first one to two years. Log generously, learn what matters, and tune your filters at the source — at the firewall, at the collector, in the pipeline — before anything gets indexed.
• Reach the paid edition only when a specific paid feature justifies it — typically when security operations (Sigma rules, case management) become a real requirement, not a nice-to-have.
• By the time you negotiate a paid contract, you’ll be the experienced customer with a tuned 2 GB/day volume and a clear idea of what you need — which is exactly the position from which volume pricing stops hurting.

What “fair and transparent” would actually look like

It’s tempting to propose pricing tied to company revenue — pay a flat base under €1M in revenue, pay by volume only above that, scale the base by company size including sister companies. The instinct is right: tie price to ability to pay and value received, not to a metric that punishes learning.

But that model is harder to make transparent than it sounds. Revenue is private and easy to engineer around; “including sister companies” is the correct anti-gaming clause but it rebuilds exactly the complex, negotiated, tell-us-about-your-structure conversation that opacity thrives on. The honest core of the idea isn’t the revenue band — it’s the grace period. The cleanly expressible, genuinely fair ask is: meter volume if you must, but don’t bill on it while I’m still learning to filter.

That single sentence is the reform worth asking for. And in its absence, the transparency you want already exists under a different name: open source, self-hosted, no ingest meter. A vendor that won’t give you a clean number is, in effect, pointing you toward exactly that.

The takeaway

Graylog is a strong tool, and there is nothing wrong with eventually paying for it. The thing to protect is your first two years — the period when you’ll over-log out of necessity, learn what matters, and gradually tune your volume down by an order of magnitude. Don’t sign a volume-metered contract during that period if you can avoid it. Start on Graylog Open, do your learning on infrastructure you already pay for, and walk into any future paid conversation as the tuned, experienced customer the pricing model was quietly designed to reward.

Ask what counts toward volume. Ask what happens at the thresholds and at renewal. Ask for a learning-curve grace period. And keep the free self-hosted alternative firmly in your back pocket — not as a bluff, but as a genuinely good place to spend your first two years.