The database underneath your SIEM determines how fast you can investigate an incident, how much log history you can afford to keep, and how much hardware you need. Elasticsearch has been the default for log storage for a decade, but ClickHouse has emerged as a compelling alternative for security workloads.
Elasticsearch is a document store built on Lucene, designed for full-text search — it indexes every field. ClickHouse is a columnar database built for analytical processing, designed to scan and aggregate huge volumes of structured data quickly. Security logs are mostly structured, time-series data queried with time-bounded filters and aggregations — an analytical workload, exactly what ClickHouse is built for.
For the analytical queries that dominate security investigation — filtering and aggregating over time ranges across billions of rows — ClickHouse is typically significantly faster, often by an order of magnitude. Columnar storage means a query touching three fields only reads those three columns, not the entire document. Elasticsearch excels at ranked full-text relevance search, but that is a minority of security analytics work.
The practical impact
During an active incident, an analyst runs dozens of iterative queries. The difference between each taking 8 seconds versus 0.5 seconds is the difference between fluid investigation and frustrating context-switching. Latency compounds across an investigation.
Storage cost is where ClickHouse delivers its biggest advantage. Columnar storage compresses far better because adjacent values in a column are similar. ClickHouse routinely achieves 10:1 compression on log data. Elasticsearch, indexing every field for search, carries substantial storage overhead — indexes can be as large as the raw data. For a team retaining a year of logs for compliance, the cost difference is enormous: retention that is prohibitive on Elasticsearch becomes affordable on ClickHouse with standard hardware.
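As an added illustration (this is not code from the original article or from nPro), the following ClickHouse DDL and queries show the pattern the previous paragraphs describe: a table ordered by event type and time so a time-bounded aggregation reads only the relevant columns and parts, a TTL that enforces retention inside the database, and a final query that measures the compression ratio your own data actually gets. The table name, column names, event-type values and sample rows are all assumed.

```sql
-- Added example: a minimal ClickHouse table for authentication events.
-- Names (security_events, column names, 'auth_failure') are assumed.
CREATE TABLE security_events
(
    ts         DateTime CODEC(DoubleDelta, ZSTD),   -- timestamps: deltas compress well
    event_type LowCardinality(String),              -- few distinct values: dictionary-encoded
    src_ip     IPv4,
    username   String,
    outcome    LowCardinality(String),
    message    String CODEC(ZSTD)
)
ENGINE = MergeTree
PARTITION BY toYYYYMM(ts)          -- monthly parts: a time-range filter skips whole partitions
ORDER BY (event_type, ts)          -- primary key matches the typical filter: type, then time
TTL ts + INTERVAL 365 DAY;         -- retention enforced by the database, not by a cron job

-- Constructed sample rows so the queries below return something.
INSERT INTO security_events VALUES
    (now() - INTERVAL 5 MINUTE, 'auth_failure', '203.0.113.10', 'alice', 'denied',  'bad password'),
    (now() - INTERVAL 4 MINUTE, 'auth_failure', '203.0.113.10', 'bob',   'denied',  'bad password'),
    (now() - INTERVAL 3 MINUTE, 'auth_failure', '203.0.113.10', 'carol', 'denied',  'bad password'),
    (now() - INTERVAL 2 MINUTE, 'auth_success', '198.51.100.7', 'alice', 'allowed', 'ok');

-- The investigation query: time-bounded filter plus aggregation.
-- Only ts, event_type, src_ip and username are read from disk; message is never touched.
SELECT
    src_ip,
    count()             AS failures,
    uniqExact(username) AS distinct_users,
    min(ts)             AS first_seen,
    max(ts)             AS last_seen
FROM security_events
WHERE ts >= now() - INTERVAL 1 DAY
  AND event_type = 'auth_failure'
GROUP BY src_ip
HAVING failures >= 3
ORDER BY failures DESC
LIMIT 20;

-- Check the compression ratio actually achieved on your data rather than trusting a headline figure.
SELECT
    name AS col,
    formatReadableSize(data_uncompressed_bytes) AS raw,
    formatReadableSize(data_compressed_bytes)   AS on_disk,
    round(data_uncompressed_bytes / data_compressed_bytes, 1) AS ratio
FROM system.columns
WHERE database = currentDatabase() AND table = 'security_events'
ORDER BY data_uncompressed_bytes DESC;
```

On the four sample rows the aggregation returns a single row for 203.0.113.10 with three failures across three usernames; the per-column ratio query is the one to run on a real table before sizing retention.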
Running production Elasticsearch for SIEM is a specialist skill: shard allocation, index lifecycle, JVM heap tuning, hot-warm-cold tiering, cluster rebalancing. ClickHouse is generally simpler at the scale most security teams need — no JVM heap to tune, smaller operational surface, predictable resource usage. For a self-hosted SIEM that must run reliably without a dedicated platform team, this matters enormously.
nPro uses ClickHouse specifically because security log analytics is an analytical workload. Fast time-bounded aggregations, high compression for affordable retention, and lower operational complexity make it the right foundation for a self-hosted SIEM. See our nPro vs Elastic comparison for how this affects deployment time and total cost of ownership.
If your primary need is genuinely full-text search across unstructured documents where you frequently search arbitrary strings, Elasticsearch's inverted index is excellent. Some large organisations run both: ClickHouse for high-volume structured telemetry, Elasticsearch for specific full-text needs. The right choice depends on your actual query patterns.