Most security leaders can tell you their SIEM bill to the dollar. Far fewer can tell you, line by line, what they’re paying for. That’s a problem because in financial services, that bill grows faster than the security coverage it’s supposed to buy. Let’s break it down.
The bill is a function of volume, and volume is not your friend
Ingestion-priced SIEMs charge by how much data you send. That makes your security budget a direct function of log volume. And in a bank, volume is driven by things that have nothing to do with the security value you’re getting:
- Verbose by default
-
Windows event logs, firewall and proxy logs, and debug-level application output generate an enormous volume of data, much of it low-signal.
- Duplication
-
The same event arrives from multiple sources or gets forwarded through multiple hops, and you pay to ingest it more than once.
- Retention mandates
-
Compliance forces you to keep data long after its value for detection has decayed, at hot-tier prices.
- Growth you don’t control
-
New log sources, an acquisition, a new regulation, an incident-response push. Each one quietly raises the baseline.
The result: you’re paying premium analytics-tier rates to store data your detection engine ignores.
Why financial services gets hit hardest
High transaction volumes, long mandatory retention, and hybrid estates full of chatty legacy and Windows systems combine into a near-worst-case profile for per-GB pricing, and the baseline only climbs. Industry analysis puts average enterprise log volume growth at roughly 50% year over year, with SIEM costs rising by an estimated 20-30% annually. One widely cited example saw a deployment budgeted at 500 GB/day in 2024 push past 2 TB/day a year later, quadrupling annual spend. In a sector where compliance mandates you keep more, for longer, the meter rarely runs the other way.
The hidden costs that don’t show up as a line item
-
Overage penalties when volume spikes past your tier.
-
The sampling tax. The usual fix (drop or sample "low-value" sources) buys a smaller bill at the price of blind spots, which become incident and audit risk.
-
Re-architecting every time you outgrow a tier or change vendors.
In other words, the lever most teams reach for (send fewer events) trades a cost problem for a coverage problem.
Fix it at the layer above the SIEM
The way out is to stop treating "what you collect" and "what you pay your SIEM to ingest" as the same decision. A telemetry pipeline sits in front of your SIEM and lets you:
-
Filter noise and drop duplicates before ingestion, so you stop paying to analyze data nobody queries.
-
Transform and structure at the source, so your SIEM does less work on what it receives.
-
Route by value. The detection-relevant slice goes to the SIEM; the full-fidelity record goes to low-cost storage you control for compliance. Nothing is lost, but you only pay analytics rates for analytics-grade data.
In practice, that’s a few lines of pipeline config. Send every event to a cheap archive at full fidelity, and filter the high-volume, low-value events out of only the copy bound for the SIEM:
<Input windows_events>
Module im_msvistalog
</Input>
# Full fidelity to low-cost storage you control
<Output archive>
Module om_file
File 'C:\Logs\Windows_events.log'
</Output>
# Only the detection-relevant slice pays SIEM rates
<Output siem>
Module om_tcp
Host siem.example.com:1514
<Exec>
if ($EventID IN (4688, 5156, 5158)) {
drop();
}
</Exec>
</Output>
<Route windows_to_archive_siem>
Path windows_events => archive, siem
</Route>
The drop() runs only on the SIEM’s output instance.
Your archive, and with it your compliance record, stays complete while your ingestion bill drops.
And because NXLog Platform is priced per source, not per gigabyte, the model itself breaks the link between volume and cost. When a system’s output doubles overnight, your bill doesn’t. That’s the predictability procurement wants and the cost ceiling the CISO needs.
This is the lever that a top automotive financial services group pulled deliberately. It wanted a tool it could point at the events that mattered and use to skip the vast volume of diagnostics that don’t, trimming retention and licensing costs without losing coverage. In its CISO’s words:
We were looking for a lightweight log collection tool that allows us to flexibly filter and transform events while keeping it easy to deploy across Microsoft infrastructure. We considered NXLog the most versatile product, fully meeting all our needs.
automotive financial services company
What "good" looks like
You keep everything, so coverage and compliance hold. You send your SIEM only what earns its keep, so the bill drops. And your costs scale with the number of systems you monitor—a number you plan—instead of the event volume they happen to emit—a number you don’t.