Loki vs Graylog: Which Log Platform to Self-Host?
Quick Verdict
Loki wins for most self-hosters. It uses a fraction of the resources, integrates natively with Grafana, and handles typical homelab and small-business logging without breaking a sweat. Graylog is the better tool when you need full-text search across millions of log entries, complex extraction pipelines, or enterprise compliance features. If you’re monitoring 5–50 Docker containers and want to find errors quickly, use Loki. If you’re aggregating logs from hundreds of sources and need to search arbitrary text across all of them, use Graylog.
The Fundamental Difference
Loki and Graylog take opposite approaches to log indexing:
- Loki indexes only labels (metadata like container name, job, host). The actual log text is stored as compressed chunks and only scanned at query time. This means tiny indices, low RAM, and fast writes — but searching for a random string across all logs is slower.
- Graylog indexes everything using OpenSearch/Elasticsearch under the hood. Every word in every log line is tokenized, indexed, and searchable. This means large indices, high RAM, but instant full-text search across billions of log entries.
Feature Comparison
| Feature | Loki | Graylog |
|---|---|---|
| Indexing approach | Labels only | Full-text (OpenSearch) |
| Query language | LogQL | Lucene-based |
| RAM (idle) | 300–500 MB | 4–8 GB minimum |
| RAM (production) | 1–3 GB | 8–16 GB |
| Storage efficiency | High (compressed chunks) | Low (full Lucene indices) |
| Full-text search speed | Slow (scans chunks) | Fast (pre-indexed) |
| Label/filter search | Fast | Fast |
| Setup complexity | 3 containers | 4+ containers |
| Dependencies | None (filesystem storage) | OpenSearch + MongoDB |
| Visualization | Grafana (separate) | Built-in dashboards |
| Alerting | Via Grafana or Loki rules | Built-in alert system |
| Log pipelines | Alloy transformations | Built-in extraction/enrichment |
| GELF input | Via Alloy adapter | Native |
| Syslog input | Via Alloy | Native |
| RBAC | Basic (via Grafana) | Enterprise (per-stream ACLs) |
| Compliance/retention | Basic retention policies | Detailed archiving + compliance |
| License | AGPL v3 | SSPL (was GPL v3; cloud restrictions) |
Resource Comparison
This is the decision point for most self-hosters.
| Component | Loki Stack | Graylog Stack |
|---|---|---|
| Log storage | Loki (300 MB–2 GB) | OpenSearch (4–8 GB) |
| Log collection | Alloy (50–128 MB) | Beats/Fluentd (50–200 MB) |
| Visualization | Grafana (200–500 MB) | Built-in (included) |
| Database | — | MongoDB (200–500 MB) |
| Total minimum | ~700 MB | ~5 GB |
| Recommended | 2–3 GB | 8–16 GB |
On a typical 8 GB homelab server, Loki leaves room for everything else. Graylog might consume half or more of your available RAM.
Query Comparison
Finding SSH brute force attempts:
Loki (LogQL):
```
{job="authlog"} |~ "Failed password"
```
Graylog (Lucene):
```
source:auth.log AND message:"Failed password"
```
Both work. But if you want to search for an arbitrary string you’ve never queried before — say, a specific IP address across all log sources — Graylog returns results instantly because it’s pre-indexed. Loki has to scan through compressed chunks for every matching label stream, which gets slow on large datasets.
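The trade-off described above and under "The Fundamental Difference", as a toy model: this is an added example, not code from Loki or Graylog. The class names, the tokenizer, and the sample records are constructed for illustration, and each store reports how many lines it had to read to answer a search.

```python
import re
import zlib
from collections import defaultdict

# Constructed sample records (labels, line); addresses are documentation ranges.
SAMPLE = [
    ({"job": "authlog", "host": "web1"}, "Failed password for root from 203.0.113.7 port 4022 ssh2"),
    ({"job": "authlog", "host": "web1"}, "Accepted publickey for deploy from 198.51.100.4 port 5110 ssh2"),
    ({"job": "nginx", "host": "web1"}, '203.0.113.7 "GET /login HTTP/1.1" 401'),
    ({"job": "nginx", "host": "web1"}, '198.51.100.9 "GET / HTTP/1.1" 200'),
    ({"job": "authlog", "host": "db1"}, "Failed password for admin from 203.0.113.7 port 4090 ssh2"),
]

class LabelIndexedStore:
    """Hypothetical label-only model: the index holds label sets, nothing else."""
    def __init__(self, records):
        streams = defaultdict(list)
        for labels, line in records:
            streams[frozenset(labels.items())].append(line)
        # One compressed chunk per stream; the text inside is never indexed.
        self.chunks = {k: zlib.compress("\n".join(v).encode()) for k, v in streams.items()}

    def search(self, selector, needle):
        """Return (hits, lines_scanned) for a label selector plus substring filter."""
        want, hits, scanned = set(selector.items()), [], 0
        for labels, blob in self.chunks.items():
            if not want <= labels:      # label index prunes whole streams
                continue
            lines = zlib.decompress(blob).decode().split("\n")
            scanned += len(lines)       # every line in a selected stream is read
            hits += [l for l in lines if needle in l]
        return sorted(hits), scanned

class FullTextStore:
    """Hypothetical full-text model: every token gets a postings list."""
    TOKEN = re.compile(r"[A-Za-z0-9.]+")

    def __init__(self, records):
        self.lines = [line for _, line in records]
        self.postings = defaultdict(set)
        for i, line in enumerate(self.lines):
            for tok in self.TOKEN.findall(line.lower()):
                self.postings[tok].add(i)

    def search(self, term):
        """Return (hits, lines_touched); only the term's postings are visited."""
        ids = self.postings.get(term.lower(), set())
        return sorted(self.lines[i] for i in ids), len(ids)
```

Searching for `203.0.113.7` with an empty selector makes the label-only store read all 5 lines, while the full-text store visits only the 3 lines in that token's postings list. Adding the selector `{"job": "authlog"}` cuts the label-only scan to 3 lines, which is why narrowing by label first matters when hunting an address in Loki.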
When Loki Is Enough
- You’re monitoring Docker containers and want to see their logs in Grafana
- You’re already running Prometheus and Grafana for metrics
- Your log volume is under 50 GB/day
- You search by known fields (container name, log level, service) more than by arbitrary text
- You want minimal resource overhead
- You’re running a homelab or small team
When You Need Graylog
- You ingest logs from hundreds of diverse sources (network devices, Windows servers, applications)
- You need instant full-text search across all logs
- You need log extraction pipelines (parse syslog into structured fields, enrich with GeoIP)
- Compliance requires detailed log retention and audit trails
- You have 8+ GB of RAM to dedicate to logging
- You need RBAC — different teams see different log streams
Integration Ecosystem
Loki integrates tightly with the Grafana ecosystem. If you run Grafana + Prometheus + Loki, you get unified metrics and logs with shared labels. Click a metric spike in a Grafana dashboard and jump directly to related logs. This integration is Loki’s killer feature.
Graylog is a standalone platform. It has its own dashboards, its own alerting, its own user management. It can feed data to Grafana via its API, but the native experience is self-contained. This is an advantage if you don’t want to manage Grafana separately.
Final Verdict
For self-hosters: start with Loki. It does 90% of what you need at 10% of the resource cost. The Grafana integration is excellent, the LogQL syntax is approachable, and the stack deploys in 5 minutes. If you find yourself needing full-text search or complex log processing pipelines, that’s when Graylog earns its resource budget.
The only scenario where Graylog is the clear first choice is if you’re running a heterogeneous environment with many non-Docker log sources (network devices via syslog, Windows Event logs via GELF, application logs via various formats) and you need to search across all of them instantly.