
Loki vs Elasticsearch: Which Log Solution for Kubernetes?

SFEIR Institute

Key Takeaways

  • Loki reduces costs with object storage but without full-text indexing
  • Elasticsearch offers advanced search at the cost of heavier infrastructure
  • 82% of production Kubernetes clusters require a logging solution (CNCF 2025)

The choice of Loki vs Elasticsearch for Kubernetes logs represents a major architectural decision for teams operating clusters in production. These two solutions dominate the log centralization market, but with radically different philosophies. According to the CNCF Annual Survey 2025, 82% of container users run Kubernetes in production, making this choice critical.

TL;DR: Loki excels for cloud-native environments with budget constraints (object storage, no full-text indexing). Elasticsearch suits advanced analytics and full-text search needs on large volumes. The choice depends on your desired cost/feature ratio.

Observability skills are covered in the LFS458 Kubernetes Administration training.

Why Kubernetes Log Centralization Is Critical

A Kubernetes cluster generates thousands of log lines per minute. Without centralization, debugging becomes impossible.

Loki is a solution developed by Grafana Labs, designed specifically for Kubernetes. It only indexes metadata (labels) and stores compressed raw logs.

Elasticsearch is a distributed search engine that indexes entire content. Combined with Kibana and Filebeat/Fluentd, it forms the ELK/EFK stack.

Key takeaway: The Loki vs Elasticsearch choice for Kubernetes logs directly impacts your storage costs, diagnosis time, and the skills required from your teams.

For an overview of observability, consult Understanding Kubernetes Observability: Metrics, Logs, Traces.

Technical Architecture: Loki vs Elasticsearch for Kubernetes Logs

Loki Architecture

Loki adopts a minimalist approach optimized for the cloud.

# Loki installation with Helm
helm repo add grafana https://grafana.github.io/helm-charts
helm install loki grafana/loki-stack \
  --set promtail.enabled=true \
  --set grafana.enabled=true

Key components:

  • Promtail: collection agent deployed as DaemonSet
  • Loki: storage and query service
  • Grafana: visualization interface

Loki stores logs in object storage (S3, GCS, MinIO) with gzip compression. Only Kubernetes labels (namespace, pod, container) are indexed.

Elasticsearch Architecture

Elasticsearch requires a more substantial infrastructure.

# ECK deployment (Elastic Cloud on Kubernetes)
# ECK enables TLS and the built-in "elastic" user by default; three nodes give a master quorum.
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: logs-cluster
spec:
  version: 8.12.0
  nodeSets:
  - name: default
    count: 3
    config:
      node.store.allow_mmap: false
    volumeClaimTemplates:
    - metadata:
        name: elasticsearch-data
      spec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 500Gi

Key components:

  • Filebeat/Fluentd: log collectors
  • Elasticsearch: storage and full-text indexing
  • Kibana: visualization interface and dashboards

Key takeaway: Elasticsearch indexes every word of every log, enabling full-text searches but consuming 10x more storage.

The Kubernetes production monitoring architecture details integration patterns.

Detailed Feature Comparison

| Criterion | Loki | Elasticsearch |
|---|---|---|
| Indexing | Labels only | Full-text |
| Query language | LogQL | KQL / Lucene |
| Storage | Object (S3, GCS) | SSD blocks |
| Storage cost | ~$0.02/GB/month (S3) | ~$0.10/GB/month (SSD) |
| Scalability | Native horizontal | Manual sharding |
| Full-text search | No | Yes |
| Grafana integration | Native | Via plugin |
| Ops complexity | Low | High |

Querying: LogQL vs KQL

Loki (LogQL):

{namespace="production", app="api"} |= "error" | json | response_time > 500

Elasticsearch (KQL):

kubernetes.namespace: "production" AND kubernetes.labels.app: "api" AND message: "error"

LogQL is inspired by PromQL (Prometheus), facilitating adoption for teams already using the Grafana stack.

For distributed tracing, compare with Jaeger vs Zipkin: Distributed Tracing Comparison.

Cost Analysis: Kubernetes Infrastructure Engineer CKA Certification

A Kubernetes system administrator must evaluate TCO (Total Cost of Ownership) over 3 years.

Scenario: 100 GB of logs per day

| Item | Loki | Elasticsearch |
|---|---|---|
| Monthly storage | 3 TB x $0.02 = $60 | 3 TB x $0.10 = $300 |
| Compute (3 nodes) | 3 x 4 vCPU = $150 | 3 x 16 vCPU = $600 |
| 30-day retention | $210/month | $900/month |
| Annual TCO | ~$2,500 | ~$10,800 |

Loki savings: 75% on this typical scenario.

Note: Elasticsearch justifies its cost for use cases requiring:

  • Complex full-text search
  • Security analysis (SIEM)
  • Advanced multi-source correlation

Key takeaway: For a Kubernetes system administrator preparing for CKA, Loki offers an optimal features/cost ratio for standard clusters.

The kubectl essential commands cheatsheet complements debugging skills.

Choose Loki if:

  1. Constrained budget: startup or team with limited resources
  2. Existing Grafana stack: Prometheus, Tempo, Grafana already deployed
  3. Structured logs: applications emitting JSON with consistent labels
  4. Cloud-native: infrastructure on AWS, GCP or Azure

# Optimized Promtail configuration
scrape_configs:
- job_name: kubernetes-pods
  kubernetes_sd_configs:
  - role: pod
  relabel_configs:  # map pod metadata to the labels Loki indexes and locate the log files
  - source_labels: [__meta_kubernetes_namespace]
    target_label: namespace
  - source_labels: [__meta_kubernetes_pod_name]
    target_label: pod
  - source_labels: [__meta_kubernetes_pod_container_name]
    target_label: container
  - source_labels: [__meta_kubernetes_pod_uid, __meta_kubernetes_pod_container_name]
    separator: /
    target_label: __path__
    replacement: /var/log/pods/*$1/*.log
  pipeline_stages:
  - json:
      expressions:
        level: level
        msg: message
  # Promote only low-cardinality fields: every new label value creates a new stream
  - labels:
      level:
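To make the two halves concrete, here is an added Python model (not code from the article, Grafana Labs or Loki) of what the Promtail pipeline above and the LogQL query in the Querying section do: the json and labels stages build the label set that Loki indexes, and a query resolves its selector against that index before scanning line content. The Kubernetes labels and JSON log lines are constructed sample data.

```python
import json
from collections import defaultdict

# Constructed sample: the Kubernetes labels Promtail attaches from service
# discovery, plus the raw JSON line it tails (hypothetical values).
SAMPLE = [
    ({"namespace": "production", "app": "api"},
     '{"level":"error","message":"upstream timeout","response_time":812,"request_id":"r1"}'),
    ({"namespace": "production", "app": "api"},
     '{"level":"error","message":"bad request","response_time":12,"request_id":"r2"}'),
    ({"namespace": "production", "app": "api"},
     '{"level":"info","message":"ok","response_time":950,"request_id":"r3"}'),
    ({"namespace": "staging", "app": "api"},
     '{"level":"error","message":"upstream timeout","response_time":1200,"request_id":"r4"}'),
]

def promtail_pipeline(line, promote):
    """Mirror the json + labels stages: parse the line, promote chosen keys to labels."""
    fields = json.loads(line)
    return {k: str(fields[k]) for k in promote if k in fields}

def ingest(sample, promote=("level",)):
    """Loki indexes only the label set; every distinct set is a separate stream."""
    streams = defaultdict(list)
    for k8s_labels, line in sample:
        labels = {**k8s_labels, **promtail_pipeline(line, promote)}
        streams[tuple(sorted(labels.items()))].append(line)
    return streams

def logql(streams, selector, contains, field, gt):
    """{selector} |= "contains" | json | field > gt, evaluated the way Loki does."""
    # Stage 1 uses the index: the selector picks streams by labels only.
    chosen = [lines for key, lines in streams.items()
              if all(dict(key).get(k) == v for k, v in selector.items())]
    # Later stages scan every line of the chosen chunks: there is no full-text index.
    hits = []
    for lines in chosen:
        for line in lines:
            if contains in line:                 # |= "error"
                fields = json.loads(line)        # | json
                if fields.get(field, 0) > gt:    # | response_time > 500
                    hits.append(line)
    return hits

if __name__ == "__main__":
    print(len(ingest(SAMPLE)), "streams with level as a label;",
          len(ingest(SAMPLE, ("level", "request_id"))), "if request_id were promoted too")
    print(logql(ingest(SAMPLE), {"namespace": "production", "app": "api"}, "error", "response_time", 500))
```

Promoting request_id turns every line into its own stream, which is the cardinality explosion the labels stage comment warns about.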

Choose Elasticsearch if:

  1. Full-text search: analysis of unstructured logs
  2. Compliance: regulatory requirements (PCI-DSS, HIPAA)
  3. SIEM: integration with security tools
  4. Experienced team: Elasticsearch administrators available

The LFS460 Kubernetes Security training covers compliance aspects.

Performance and Scalability

Ingestion Benchmarks

| Metric | Loki | Elasticsearch |
|---|---|---|
| Max ingestion (node) | 10 GB/h | 50 GB/h |
| Query latency P95 | 2-5 sec | 100-500 ms |
| Scalability | Linear | Sub-linear |

Elasticsearch offers lower query latencies but Loki scales more easily thanks to object storage.

Loki High Availability Configuration

# Loki scalable mode
loki:
  # auth_enabled: false disables multi-tenancy (X-Scope-OrgID); put an
  # authenticating gateway in front if Loki is reachable from outside the cluster.
  auth_enabled: false
  server:
    http_listen_port: 3100
  distributor:
    ring:
      kvstore:
        store: memberlist
  ingester:
    lifecycler:
      ring:
        replication_factor: 3
  storage_config:
    boltdb_shipper:
      active_index_directory: /loki/index
      cache_location: /loki/cache
      shared_store: s3
    aws:
      s3: s3://eu-west-1/loki-logs

Key takeaway: Loki in scalable mode requires object storage but eliminates disk management.

To compare other tools, consult Prometheus vs Datadog: Which Monitoring Tool to Choose.

Migration Between Solutions

From Elasticsearch to Loki

Migration involves rethinking querying rather than migrating historical data.

# Export Kibana dashboards to Grafana
# Community tool: https://github.com/grafana/kibana-to-grafana

# Parallel Loki deployment
helm install loki grafana/loki-stack -n monitoring

Recommended strategy:

  1. Deploy Loki in parallel
  2. Switch new logs to Loki
  3. Keep Elasticsearch in read-only mode for history
  4. Disable Elasticsearch after retention expires

From Loki to Elasticsearch

Rarer migration, but justified for advanced search needs.

# ECK deployment
kubectl apply -f https://download.elastic.co/downloads/eck/2.11.0/crds.yaml
kubectl apply -f https://download.elastic.co/downloads/eck/2.11.0/operator.yaml

Consult our Kubernetes vs alternatives comparison for other comparisons.

Integration with the Kubernetes Ecosystem

Loki with the LGTM Stack

Loki integrates natively with:

  • Grafana: unified visualization
  • Tempo: logs-traces correlation
  • Mimir: metrics (Prometheus fork)

# Logs-traces correlation in Grafana (datasource provisioning file)
apiVersion: 1
datasources:
- name: Loki
  type: loki
  url: http://loki:3100
  jsonData:
    derivedFields:
    - name: traceID
      matcherRegex: "traceID=(\\w+)"
      # provisioning files expand $VAR from the environment, so $$ yields a literal $
      url: "$${__value.raw}"
      datasourceUid: tempo

Elasticsearch with Elastic APM

Elasticsearch offers native APM integration for logs-metrics-traces correlation.

The LFS458 system administrator training covers these observability architectures.

Loki vs Elasticsearch Decision Checklist

| Question | Loki | Elasticsearch |
|---|---|---|
| Monthly budget < $500? | | |
| Need full-text search? | | |
| Existing Grafana stack? | | |
| SIEM compliance required? | | |
| Team < 5 people? | | |
| Logs > 500 GB/day? | | |

Key takeaway: Start with Loki for new projects, migrate to Elasticsearch if analytical needs justify it.

Our Kubernetes Monitoring and Troubleshooting page gathers all observability resources.

Master Kubernetes Log Centralization

The Loki vs Elasticsearch for Kubernetes logs choice depends on your context.

Summary of recommendations:

  • Startups and SMBs: Loki for cost/efficiency ratio
  • Large enterprises: Elasticsearch for advanced analytical needs
  • Hybrid: Loki for application logs, Elasticsearch for security

Recommended next steps:

  1. Audit your needs in search and retention
  2. Test both solutions on a development cluster
  3. Train your teams on the chosen solution

SFEIR supports teams in mastering Kubernetes observability. Contact our experts to define your observability strategy.