security talk & philosophizing

Elastic’s Pricing Problem

I really love Elastic and their product lineup. They have some amazing options, and the fact that you can get started for FREE is a very strong plus. As a SIEM, the ELK stack (Elastic, Logstash, Kibana) is snappy, responsive, and consistent. Once I set up the index rotation, I never had a problem with stability. But like all good things, there must be a dark cloud somewhere, and that dark cloud is the lack of email notifications in the standard free package.

Email Alerts

I reached out to Elastic to inquire what it would cost me to get email alerts. I already knew that email alerts are not included in the standard (free) license. After a 3-day wait, I got a response to my sales-related email. Surprisingly, the sales rep didn’t know what I was talking about. He insisted that email alerts are included in the Free Tier. After a screenshot of the greyed-out options for email alerts, and some links to Elastic’s own material stating that email alerts are not free, I felt I knew more about the pricing than he did.

At any rate, he gave me the pricing to upgrade Elastic. As there is no longer a Gold Tier, the first license available with Email Alert access is the Platinum tier. Platinum, as the name suggests, is expensive. Their own website lists it as starting at $157/mo, which is just under $2k a year, just for email access… However, I was wrong on the pricing.

Platinum Tier Cost

As it turns out, it costs just under $20k/year to have a self-hosted Platinum license! I was in shock. Once again I sent the sales rep a copy of his own pricing information page, which said it was $157/month. That’s when he told me the breakdown of costs:

  • If you get Cloud Hosting, you MAY get closer to that $157/month (but it is a usage-based pricing model – it’s very hard to pin down exactly how much it would cost).
  • For on-premises pricing, well, that’s $6k/year per node, and Platinum requires a 3-node minimum! What!!!

It’s our on-site premises; WE are incurring ALL THE COSTS. Why is Elastic forcing a 3-node minimum on us?

At that point I disconnected from the discussion with the sales rep. This pricing model is insanity. Google Chronicle is looking better now, eh?

TL;DR

In order to get simple email alerts, Elastic requires a Platinum license. Their on-site Platinum license rolls in at just under $20k a year! $20k/year for email alerts is insanity. The high price is likely meant to push their Cloud solution, but the pricing on that is vague and slippery (based on usage). Even with Cloud, the lowest it could possibly be would be just under $2k a year (for email alerts).

This puts me in a position of looking for another SIEM, or finding a third-party solution (such as Yelp!’s) to add email alert support.