Before you read further, this question isn't about which one is better. My problem is rooted in legacy architecture and a drive to cloud. In a nutshell, what is the most efficient and cost effective way of performing logging and monitoring in azure so that elk can get its logs and splunk can get security and alerting logs The context: We have just started to move to azure as our chosen csp. On premise architecture still remains, and the enterprise chosen SIEM is splunk. (Important point, the SIEM is outside of azure so log export will be involved somewhere) When the platform was being developed, certain stakeholders wanted elk rather than splunk, due to cost. Security still want their splunk data. The first design of this was certain logs going to splunk, the lion's share going to elk. Splunk would also just hose data back over a vpn to the indexer without much intelligence. This is a terrible design for a host of reasons I won't cover here. Because I want this to change, I want to put forward a couple of options. All elk is a non starter as security ops are cut out of the picture, meaning iso issues. All splunk is a no go due to cost. (Incidentally, what actually are the average costs of running elk stack, compared to splunk?) Is there a half way house where I can maximise the amount of logs retained in the cloud, allow elk to get what it needs and splunk to get what it needs?