One control layer. Many clients. Full isolation.
MSPs and MSSPs need per-tenant routing, hard isolation, and accurate cost attribution across many client environments. Logmetry designs and builds a vendor-neutral control layer in front of your stack so one pipeline serves every tenant across every destination.
Why is multi-tenant telemetry so hard for service providers?
Most SIEM and APM platforms were built for a single organization, not for a provider managing dozens of tenants with different data sources, jurisdictions, and detection requirements. The result is duplicated infrastructure per client, parsing rules that have to be rebuilt each time, and cost attribution that lives in spreadsheets instead of the platform.
Without a control layer, every new client means standing up isolated SIEM configuration, custom parsing, and manual validation before the first invoice goes out. That timeline stalls deal momentum and compresses margin on every tenant you add.
The harder problem is economics. When you cannot see volume per tenant at the point of ingest, you cannot bill accurately, you cannot spot the noisy client that is eroding your margin, and you cannot plan capacity as the book of business grows.
- 30-50%: Duplicate events typical across raw telemetry before routing (your number depends on your environment)
- 60-70%: Firewall allow logs as a share of volume in a typical client environment
- 40-70%: Ingest reduction commonly achievable per tenant with a control layer in place
How do you run per-tenant routing and cost attribution from one control layer?
A vendor-neutral control layer tags every event with a tenant identifier before it reaches any destination, then routes per tenant to the right index, workspace, or storage tier. Volume is measured per tenant at the point of ingest, so cost attribution and margin analysis come from the pipeline itself rather than from reconciliation after the fact.
This is real multi-tenant architecture work. The design has to account for tenant identification, per-client schema normalization, compliance routing by jurisdiction, enrichment that differs by client, and isolation guarantees that hold under load. Logmetry is platform-agnostic across Splunk, Microsoft Sentinel, Datadog, and Cribl, so the control layer fits the destinations each tenant actually runs.
- Tenant-aware tagging that identifies and isolates each client at the moment data enters the pipeline, before it reaches any SIEM or APM
- Per-tenant routing to dedicated indexes, workspaces, or storage partitions with isolation guarantees that hold across destinations
- Volume and cost measured per tenant at ingest, so billing, margin analysis, and the noisy-client problem are visible in the platform
- Per-tenant parsing, normalization, and enrichment that respect each client's data sources and schema differences
- Compliance-aware routing that keeps each tenant's data within its jurisdiction and handling requirements across your whole client base
How does Logmetry design and run multi-tenant pipelines?
Logmetry leads the full lifecycle: review the environment, design the tenant model, recommend the right destinations per client with honest pros and cons, implement at config-level depth, and govern it as the book grows. Zbigniew Gajuk, Co-Founder and Chief Observability and Security Architect, has delivered telemetry architecture at Fortune 500 scale across 100+ countries over 26+ years, including a 20,000+ server program.
Once the control layer sits in front of your stack, onboarding a new client and changing a tenant's destination become a parallel run plus a routing change rather than a rebuild. Reduction figures vary by client mix, so your number depends on your environment.
Frequently asked questions
How does a control layer give me multi-tenancy when my SIEM has none?
It adds tenant context to every event before the data reaches the SIEM. Each event gets a tenant_id, then a routing stage sends it to per-client destinations, so the SIEM only ever sees pre-isolated data. The architecture work is in designing the tenant model, source mappings, and compliance routing for your specific client mix.
Can I attribute cost per client through the pipeline?
Yes. Volume is measured per tenant at the point of ingest and dimensioned by source and destination, so billing and margin analysis come from the pipeline rather than spreadsheets. Building an accurate model still requires understanding each client's data composition, routing, and storage tier, which is part of the design work.
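The tagging, routing and per-tenant metering described in the answers above, as an added Python example that is not Logmetry's code or configuration. The source mapping, tenant ids, partition names and the ControlLayer class are hypothetical; an unmapped source is quarantined rather than given a default tenant, and a sender-supplied tenant_id is discarded.

```python
import json
from collections import defaultdict

# Constructed tenant model and events; every name here is hypothetical.
SOURCE_TO_TENANT = {
    "fw01.clinic.example": "tenant-health",
    "fw01.bank.example": "tenant-fin",
}
TENANT_ROUTES = {
    "tenant-health": ("splunk", "idx_tenant_health"),
    "tenant-fin": ("sentinel", "ws-tenant-fin"),
}
QUARANTINE = "quarantine"  # holding area, never a tenant partition
SAMPLE_EVENTS = [
    {"host": "fw01.clinic.example", "action": "allow"},
    {"host": "fw01.bank.example", "action": "deny"},
    # Unmapped host that claims another tenant's id.
    {"host": "unknown.example", "tenant_id": "tenant-fin", "action": "allow"},
]


class ControlLayer:
    def __init__(self):
        self.outputs = defaultdict(list)  # partition -> events
        self.volume = defaultdict(int)    # (tenant, source, destination) -> bytes

    def ingest(self, event):
        """Tag, meter and route one event; return the partition it landed in."""
        source = event.get("host", "")
        # The tenant comes only from the pipeline-owned source mapping; a
        # tenant_id supplied by the sender is dropped, never trusted.
        event = {k: v for k, v in event.items() if k != "tenant_id"}
        tenant = SOURCE_TO_TENANT.get(source)
        if tenant not in TENANT_ROUTES:
            # Fail closed: hold unmapped sources for review, no default tenant.
            self.outputs[QUARANTINE].append(event)
            return QUARANTINE
        destination, partition = TENANT_ROUTES[tenant]
        # Meter at ingest, before the tag is added.
        size = len(json.dumps(event, separators=(",", ":")).encode())
        self.volume[(tenant, source, destination)] += size
        self.outputs[partition].append({**event, "tenant_id": tenant})
        return partition

    def bytes_per_tenant(self):
        totals = defaultdict(int)
        for (tenant, _source, _destination), size in self.volume.items():
            totals[tenant] += size
        return dict(totals)
```

Quarantined events are deliberately left out of the volume counters, so nothing is billed to a tenant until the source mapping has been reviewed.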
Why is multi-tenant pipeline design genuinely complex?
Each client brings different data sources, schema formats, volume patterns, and compliance requirements. A healthcare client running CrowdStrike and Palo Alto needs different parsing, enrichment, and routing than a financial-services client on a different stack. The pipeline must handle all of them at once with isolation that holds under load.
Does Logmetry replace my SIEM or run my detections?
No. Logmetry is never a SIEM and never runs in place of one. The control layer sits in front of your SIEMs and APMs across tenants and routes to them. We design, implement, and optimize the pipeline. Your detections and your compliance audits stay with your team.