
Unlimited Logs: What Security Leaders Should Know

BY Mark Gillett

December 10, 2024 | 5 min read

Managed Detection and Response

Cybersecurity Strategy


As a security leader, when you think of ‘unlimited logs’, what comes to mind?  

For most, it’s the promise of unlimited visibility, infinite retention, and unrestricted access to log data. After all, with so many compliance frameworks to follow, so many incidents to investigate, and so much data being generated every second, having everything at your fingertips sounds like the perfect answer. 

But here’s the reality: the promise of unlimited logs rarely means what you think it does.  

Often, you’ll find hidden restrictions, unforeseen costs, and operational limitations that can undermine your expectations and blow your budget.  

Before committing to a Managed Detection and Response (MDR) service provider that offers unlimited logs as part of their MDR solution, it’s critical to understand what’s actually being promised and what’s not. 

In this blog, we break down the nuances of the ‘unlimited logs’ promise, hidden costs, and smarter approaches to log management so you can avoid pitfalls and focus on solutions that truly deliver value. 

The Myth of Unlimited Logs 

When security vendors advertise unlimited logs, the promise usually revolves around three core ideas: 

  1. You can send as much log data as you want (unlimited ingestion). 
  2. The provider will store it indefinitely (unlimited retention). 
  3. You can access and query the data whenever needed (unlimited access). 

But if you dig deeper into contracts and ask the right questions, you’ll likely uncover significant limitations on each of these: a short retention window before surcharges apply, fees for searching or accessing the data, and ingestion scoped to security-specific sources rather than everything you generate.

The promise of unlimited logs is often less about comprehensive value and more about clever messaging. As a security leader, if you don’t investigate the fine print, you’ll risk paying far more than you anticipated for what you were promised. 

The Hidden Costs of Unlimited Logs 

The hidden fees attached to "unlimited" logging solutions may not be apparent at first glance, but they add up quickly, creating headaches for security leaders who are trying to manage budgets and invest in cost-effective solutions.

Here are three common traps to watch out for: 

Retention Surcharges 

Some MDR vendors include only short-term retention (e.g., 30 days) in their base pricing; anything beyond that can trigger hefty surcharges.

If your organization is subject to compliance requirements that mandate 6 months, 1 year, or longer retention periods, these costs can spiral out of control. 

Search and Access Fees 

Need to investigate an incident or run a report? With some providers, every search query can come with a price tag. So, although you may have unlimited logs in theory, accessing or analyzing them could turn into a pay-per-use scenario. 

What’s more, some vendors even charge for basic functionalities like logging into their portal or using APIs to integrate log data with other tools. These fees can make routine investigations costly and unpredictable. 

Remember, if you want to get the benefits of true 24/7 multi-signal MDR, or even Incident Response (IR), querying and analyzing log data is critical. In many cases, this is not a one-time event; you may need to query and analyze data repeatedly for a single threat investigation.  

Your Analysts or IR investigators shouldn’t feel limited in their use of logs, especially when they’re focused on collecting enough threat intel to stop cybercriminals.  

Redundant Spending Across Teams 

Since there are multiple use cases for log data (e.g., compliance checks, debugging, or monitoring server performance), investing in a log monitoring solution that restricts usage to the security team can lead to redundant spending, because other teams end up buying a second platform for the same data.

Not only does this siloed approach waste money, it also fragments your data, which makes it harder to get a complete view of your organization’s activity.

By consolidating log data into a platform that supports multiple use cases, you can improve collaboration, reduce costs, and maximize the value of your logs. 

Smart Questions to Ask Your MDR Provider 

When evaluating MDR vendors, especially those that promise unlimited logs, make sure you ask detailed questions related to their log retention, access, and scoping practices. Here are some key questions to start with: 

  1. Log Retention: How long will the MDR provider retain logs before additional fees apply? Will long-term retention be included in the base price? 
  2. Search and Access: Are there extra charges for searching or querying log data? Will accessing the log data be self-service and on-demand or are you expected to work with support teams to gain access? Lastly, will the data access (via a portal or API) incur additional fees?  
  3. Scope of Logs: Will logs from all sources (e.g., cloud apps, IT systems) be ingested, or is it limited to security-specific data? 
  4. Flexibility: Can the logs be shared across multiple teams like compliance, IT, and DevOps? 
  5. Total Cost of Ownership (TCO): What is the full cost when factoring in storage, search, and access charges? 
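To make the TCO question concrete, the following is an added worked example and not eSentire’s code or pricing: a small Python model that prices two constructed, hypothetical quotes against the same workload. The vendor names, the retention and query surcharges, the per-seat access fee, and the usage figures (50 GB/day, one year of required retention, 1,500 searches a month, five API seats) are all assumptions chosen for illustration. The model shows the pattern the section describes: a low headline price that, once retention surcharges, per-query fees and access seats are added, ends up costing more than a flat quote.

```python
"""Annual TCO model for an MDR log quote.

Added worked example; not eSentire's code or pricing. Every vendor name,
rate and usage figure below is a constructed assumption for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogQuote:
    """Price terms that matter for an 'unlimited logs' offer."""
    name: str
    base_annual_fee: float             # flat platform fee per year
    included_retention_days: int       # retention window covered by the base fee
    retention_fee_per_gb_month: float  # surcharge for data held beyond that window
    included_queries_per_month: int    # searches covered before per-query fees apply
    query_fee: float                   # price of each search beyond the allowance
    api_seat_fee_per_month: float      # per-seat charge for portal/API access


def annual_tco(quote: LogQuote, ingest_gb_per_day: float,
               required_retention_days: int, queries_per_month: int,
               api_seats: int) -> dict:
    """Return the yearly line items and total for a quote under a given workload.

    Retention is priced at steady state: once the pipeline has run for the
    full retention period, the data sitting outside the included window is
    ingest_gb_per_day * extra_days and is billed every month.
    """
    extra_days = max(0, required_retention_days - quote.included_retention_days)
    surcharged_gb = ingest_gb_per_day * extra_days
    retention = surcharged_gb * quote.retention_fee_per_gb_month * 12

    billable_queries = max(0, queries_per_month - quote.included_queries_per_month)
    search = billable_queries * quote.query_fee * 12

    access = api_seats * quote.api_seat_fee_per_month * 12

    items = {
        "base": quote.base_annual_fee,
        "retention": retention,
        "search": search,
        "access": access,
    }
    items["total"] = sum(items.values())
    return items


# Constructed quotes: a low headline price with surcharges versus a flat rate.
UNLIMITED_QUOTE = LogQuote("UnlimitedLogsCo (hypothetical)",
                           base_annual_fee=60_000, included_retention_days=30,
                           retention_fee_per_gb_month=0.05,
                           included_queries_per_month=200, query_fee=2.00,
                           api_seat_fee_per_month=150.0)
FLAT_QUOTE = LogQuote("FlatRateCo (hypothetical)",
                      base_annual_fee=110_000, included_retention_days=365,
                      retention_fee_per_gb_month=0.0,
                      included_queries_per_month=0, query_fee=0.0,
                      api_seat_fee_per_month=0.0)

# Constructed workload: 50 GB/day, one-year compliance retention, a busy
# SOC running 1,500 searches a month, and five integration/API seats.
WORKLOAD = dict(ingest_gb_per_day=50, required_retention_days=365,
                queries_per_month=1500, api_seats=5)


def compare(quotes, **workload):
    """Rank quotes by annual total, cheapest first."""
    priced = [(q.name, annual_tco(q, **workload)) for q in quotes]
    return sorted(priced, key=lambda item: item[1]["total"])


if __name__ == "__main__":
    for name, items in compare([UNLIMITED_QUOTE, FLAT_QUOTE], **WORKLOAD):
        print(name)
        for label, amount in items.items():
            print(f"  {label:>10}: ${amount:>12,.2f}")
```

Under these assumptions the "unlimited" quote prices out at $110,250 a year ($60,000 base plus $10,050 in retention surcharges, $31,200 in per-query fees and $9,000 in access seats), slightly above the $110,000 flat quote, even though its headline price is almost half. Swapping in the actual terms from a vendor’s contract and your own ingestion and search volumes turns the TCO question into a number you can put beside each proposal.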

A transparent MDR provider will give straightforward answers to these questions. But, if you get vague or evasive responses, be cautious since this may signal hidden costs or limitations. 

The Real Solution: Usability and Value 

The allure of unlimited logs can be tempting, but as the saying goes, if it sounds too good to be true, it probably is. Hidden fees, siloed platforms, and limited usability often make this promise more of a burden than a benefit. 

Ultimately, the key to effective log management isn’t “unlimited” data, it’s actionable data: logs you can retain for as long as your compliance obligations require, query as often as an investigation demands without counting the cost, and share with the compliance, IT, and DevOps teams that depend on them.

When evaluating MDR providers, ask the hard questions, prioritize usability and transparency, and choose a solution that delivers real value.  

To learn about how eSentire MDR for Log can deliver critical visibility, compliance, and a system of record across your multi-cloud and hybrid environments, contact an eSentire cybersecurity specialist today.  

Mark Gillett VP, Product

Mark Gillett is Vice President, Product Management at eSentire. He has nearly 25 years’ experience in the cybersecurity industry, driving the evolution of detection, investigation, and response from the early days of SIEM to modern-day Managed Detection and Response (MDR) and Extended Detection and Response (XDR). In his current leadership role at eSentire, Mark leads the product management function for the company's core MDR services, with a specific focus on in-house developed technologies that assist in delivering those services to customers. Mark holds a Bachelor of Science degree from Laurier University in Waterloo, Canada.
