diff --git a/component-constructor.yaml b/component-constructor.yaml
index cf1c9e5..66dc79c 100644
--- a/component-constructor.yaml
+++ b/component-constructor.yaml
@@ -164,3 +164,27 @@ components:
           type: ociArtifact
           imageReference: "${KUSTOMIZATIONS_LOCATION_PREFIX}/metrics:${OBSERVABILITY_STACK_VERSION}"
 
+      # observability gateway
+      - name: observability-gateway-kustomization
+        version: ${OBSERVABILITY_STACK_VERSION}
+        type: kustomization
+        access:
+          type: ociArtifact
+          imageReference: "${KUSTOMIZATIONS_LOCATION_PREFIX}/observability-gateway:${OBSERVABILITY_STACK_VERSION}"
+
+      # victoria logs
+      - name: victoria-logs-kustomization
+        version: ${OBSERVABILITY_STACK_VERSION}
+        type: kustomization
+        access:
+          type: ociArtifact
+          imageReference: "${KUSTOMIZATIONS_LOCATION_PREFIX}/victoria-logs:${OBSERVABILITY_STACK_VERSION}"
+
+      - name: victoria-logs-image
+        version: ${VICTORIA_LOGS_IMAGE_VERSION}
+        type: ociImage
+        input:
+          type: ociImage
+          path: "docker.io/victoriametrics/victoria-logs:${VICTORIA_LOGS_IMAGE_VERSION}"
+          repository: images/victoria-logs
+
diff --git a/component-settings.yaml b/component-settings.yaml
index 9a42ce6..0cdb69e 100644
--- a/component-settings.yaml
+++ b/component-settings.yaml
@@ -26,6 +26,9 @@ PROMETHEUS_IMAGE_VERSION: "v3.10.0"
 # prometheus alertmanager
 ALERTMANAGER_IMAGE_VERSION: "v0.31.1"
 
+# victoria logs
+VICTORIA_LOGS_IMAGE_VERSION: "v1.6.0-victorialogs"
+
 
 # E2E Test dependencies
 # Not used for deployment
diff --git a/hack/build-component.py b/hack/build-component.py
index 6e20722..126d20e 100755
--- a/hack/build-component.py
+++ b/hack/build-component.py
@@ -75,6 +75,7 @@ def push_kustomizations(repo_root: Path, version: str) -> None:
         ("prometheus-operator", "prometheus-operator"),
         ("prometheus", "prometheus"),
         ("metrics", "metrics"),
+        ("victoria-logs", "victoria-logs")
     ]
 
     # Get git information
diff --git a/kustomizations/prometheus/gateway-issuer.yaml b/kustomizations/observability-gateway/gateway-issuer.yaml
similarity index 100%
rename from kustomizations/prometheus/gateway-issuer.yaml
rename to kustomizations/observability-gateway/gateway-issuer.yaml
diff --git a/kustomizations/observability-gateway/gateway.yaml b/kustomizations/observability-gateway/gateway.yaml
new file mode 100644
index 0000000..a927fb8
--- /dev/null
+++ b/kustomizations/observability-gateway/gateway.yaml
@@ -0,0 +1,65 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: observability-gateway
+spec:
+  gatewayClassName: envoy-gateway
+  listeners:
+  - name: prometheus
+    port: 8443
+    protocol: HTTPS
+    hostname: "<prometheus-dnsname>"
+    allowedRoutes:
+      namespaces:
+        from: All
+    tls:
+      mode: Terminate
+      certificateRefs:
+      - kind: Secret
+        name: prometheus-cert
+  - name: victoria-logs
+    port: 8443
+    protocol: HTTPS
+    hostname: "<victoria-logs-dnsname>"
+    allowedRoutes:
+      namespaces:
+        from: All
+    tls:
+      mode: Terminate
+      certificateRefs:
+      - kind: Secret
+        name: victoria-logs-cert
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: ClientTrafficPolicy
+metadata:
+  name: prometheus-mtls
+spec:
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: Gateway
+    name: observability-gateway
+    sectionName: prometheus
+  tls:
+    clientValidation:
+      caCertificateRefs:
+      - kind: "Secret"
+        group: ""
+        name: "prometheus-client-ca-cert"
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: ClientTrafficPolicy
+metadata:
+  name: victoria-logs-mtls
+spec:
+  targetRefs:
+  - group: gateway.networking.k8s.io
+    kind: Gateway
+    name: observability-gateway
+    sectionName: victoria-logs
+  tls:
+    clientValidation:
+      caCertificateRefs:
+      - kind: "Secret"
+        group: ""
+        name: "victoria-logs-client-ca-cert"
diff --git a/kustomizations/observability-gateway/kustomization.yaml b/kustomizations/observability-gateway/kustomization.yaml
new file mode 100644
index 0000000..a402d5c
--- /dev/null
+++ b/kustomizations/observability-gateway/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - gateway.yaml
+  - gateway-issuer.yaml
+  - prometheus-certificates.yaml
+  - victoria-logs-certificates.yaml
diff --git a/kustomizations/prometheus/client-certificates.yaml b/kustomizations/observability-gateway/prometheus-certificates.yaml
similarity index 75%
rename from kustomizations/prometheus/client-certificates.yaml
rename to kustomizations/observability-gateway/prometheus-certificates.yaml
index c9c9848..9ab1e63 100644
--- a/kustomizations/prometheus/client-certificates.yaml
+++ b/kustomizations/observability-gateway/prometheus-certificates.yaml
@@ -1,5 +1,17 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
+metadata:
+  name: prometheus-gateway-cert
+spec:
+  secretName: prometheus-cert
+  issuerRef:
+    name: gateway-selfsigned-issuer
+    kind: Issuer
+  dnsNames:
+  - "<dnsname>"
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
 metadata:
   name: prometheus-client-ca
 spec:
diff --git a/kustomizations/observability-gateway/victoria-logs-certificates.yaml b/kustomizations/observability-gateway/victoria-logs-certificates.yaml
new file mode 100644
index 0000000..3e4a91d
--- /dev/null
+++ b/kustomizations/observability-gateway/victoria-logs-certificates.yaml
@@ -0,0 +1,47 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: victoria-logs-gateway-cert
+spec:
+  secretName: victoria-logs-cert
+  issuerRef:
+    name: gateway-selfsigned-issuer
+    kind: Issuer
+  dnsNames:
+  - "<dnsname>"
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: victoria-logs-client-ca
+spec:
+  isCA: true
+  commonName: victoria-logs-client-ca
+  secretName: victoria-logs-client-ca-cert
+  privateKey:
+    algorithm: RSA
+    size: 2048
+  issuerRef:
+    name: gateway-selfsigned-issuer
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: victoria-logs-client-issuer
+spec:
+  ca:
+    secretName: victoria-logs-client-ca-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: victoria-logs-client-cert
+spec:
+  secretName: victoria-logs-client-cert
+  commonName: victoria-logs-client
+  usages:
+  - client auth
+  issuerRef:
+    name: victoria-logs-client-issuer
+    kind: Issuer
diff --git a/kustomizations/opentelemetry-collector/kustomization.yaml b/kustomizations/opentelemetry-collector/kustomization.yaml
index a1320d5..c09d510 100644
--- a/kustomizations/opentelemetry-collector/kustomization.yaml
+++ b/kustomizations/opentelemetry-collector/kustomization.yaml
@@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - collector.yaml
+  - log-collector.yaml
   - servicemonitor.yaml
diff --git a/kustomizations/opentelemetry-collector/log-collector.yaml b/kustomizations/opentelemetry-collector/log-collector.yaml
new file mode 100644
index 0000000..413007f
--- /dev/null
+++ b/kustomizations/opentelemetry-collector/log-collector.yaml
@@ -0,0 +1,111 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: open-telemetry-log-collector
+---
+apiVersion: opentelemetry.io/v1beta1
+kind: OpenTelemetryCollector
+metadata:
+  name: logs
+spec:
+  mode: daemonset
+  serviceAccount: open-telemetry-log-collector
+  securityContext:
+    runAsUser: 0
+  config:
+    receivers:
+      filelog:
+        include:
+          - /var/log/pods/*/*/*.log
+        start_at: beginning
+        include_file_path: true
+        include_file_name: false
+        operators:
+          # Route to the correct parser based on container runtime format
+          - type: router
+            id: get-format
+            routes:
+              - output: parser-docker
+                expr: 'body matches "^\\{"'
+            default: parser-containerd
+
+          # Docker JSON format (e.g. Docker Desktop, older clusters)
+          - type: json_parser
+            id: parser-docker
+            output: move-log-to-body
+            timestamp:
+              parse_from: attributes.time
+              layout: '%Y-%m-%dT%H:%M:%S.%LZ'
+
+          # Containerd / CRI-O space-delimited format (most modern clusters)
+          - type: regex_parser
+            id: parser-containerd
+            regex: '^(?P<time>[^ Z]+Z) (?P<stream>stdout|stderr) (?P<logtag>[^ ]*) ?(?P<log>.*)$'
+            output: move-log-to-body
+            timestamp:
+              parse_from: attributes.time
+              layout: '%Y-%m-%dT%H:%M:%S.%LZ'
+
+          # Move the parsed log field to body (both Docker and containerd / CRI-O)
+          - type: move
+            id: move-log-to-body
+            from: attributes.log
+            to: body
+            output: extract-pod-metadata
+
+          # Extract pod metadata (namespace, pod name, uid, container) from the file path
+          - type: regex_parser
+            id: extract-pod-metadata
+            parse_from: attributes["log.file.path"]
+            regex: '^/var/log/pods/(?P<k8s_namespace>[^_]+)_(?P<k8s_pod>[^_]+)_(?P<k8s_uid>[^/]+)/(?P<k8s_container>[^/]+)/\d+\.log$'
+            cache:
+              size: 128
+
+          # If the log body is JSON, promote its fields to attributes so Victoria Logs
+          # indexes them as individual fields. parse_to: attributes leaves body (= _msg)
+          # unchanged, so the original JSON string is always retained.
+          - type: json_parser
+            id: parse-json-body
+            parse_from: body
+            parse_to: attributes
+            if: 'body matches "^\\s*\\{"'
+            on_error: send
+
+    processors:
+      memory_limiter:
+        check_interval: 1s
+        limit_percentage: 75
+        spike_limit_percentage: 15
+      # Flatten nested attribute maps produced by json_parser so that nested
+      # objects (e.g. Cluster: {name, namespace}) become dot-separated scalar
+      # attributes (Cluster.name, Cluster.namespace) instead of KeyValueList
+      # values, which Victoria Logs serialises in an ugly AnyValue representation.
+      transform:
+        log_statements:
+          - context: log
+            statements:
+              - flatten(attributes, "", 10)
+      batch: {}
+
+    exporters:
+      otlphttp:
+        endpoint: "http://victoria-logs.victoria-logs-system.svc.cluster.local:9428/insert/opentelemetry"
+        tls:
+          insecure: true
+
+    service:
+      pipelines:
+        logs:
+          receivers: [filelog]
+          processors: [memory_limiter, transform, batch]
+          exporters: [otlphttp]
+
+  volumeMounts:
+    - name: varlogpods
+      mountPath: /var/log/pods
+      readOnly: true
+
+  volumes:
+    - name: varlogpods
+      hostPath:
+        path: /var/log/pods
diff --git a/kustomizations/prometheus/gateway-certificate.yaml b/kustomizations/prometheus/gateway-certificate.yaml
deleted file mode 100644
index 26810f0..0000000
--- a/kustomizations/prometheus/gateway-certificate.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: prometheus-gateway-cert
-spec:
-  secretName: prometheus-cert
-  issuerRef:
-    name: gateway-selfsigned-issuer
-    kind: Issuer
-  dnsNames:
-  - "<dnsname>"
diff --git a/kustomizations/prometheus/gateway.yaml b/kustomizations/prometheus/gateway.yaml
deleted file mode 100644
index c9b2b9e..0000000
--- a/kustomizations/prometheus/gateway.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: prometheus
-spec:
-  gatewayClassName: envoy-gateway
-  listeners:
-  - allowedRoutes:
-      namespaces:
-        from: Same
-    name: https
-    port: 8443
-    protocol: HTTPS
-    tls:
-      mode: Terminate
-      certificateRefs:
-      - kind: Secret
-        name: prometheus-cert
-        namespace: prometheus-system
----
-apiVersion: gateway.envoyproxy.io/v1alpha1
-kind: ClientTrafficPolicy
-metadata:
-  name: enable-mtls
-spec:
-  targetRefs:
-  - group: gateway.networking.k8s.io
-    kind: Gateway
-    name: prometheus
-  tls:
-    clientValidation:
-      caCertificateRefs:
-      - kind: "Secret"
-        group: ""
-        name: "prometheus-client-ca-cert"
\ No newline at end of file
diff --git a/kustomizations/prometheus/httproute.yaml b/kustomizations/prometheus/httproute.yaml
index d017b6c..3accb8a 100644
--- a/kustomizations/prometheus/httproute.yaml
+++ b/kustomizations/prometheus/httproute.yaml
@@ -4,8 +4,9 @@ metadata:
   name: prometheus
 spec:
   parentRefs:
-  - name: prometheus
-    namespace: prometheus-system
+  - name: observability-gateway
+    namespace: observability-gateway-system
+    sectionName: prometheus
   hostnames: []
   rules:
   - matches:
diff --git a/kustomizations/prometheus/kustomization.yaml b/kustomizations/prometheus/kustomization.yaml
index e141656..85cbc03 100644
--- a/kustomizations/prometheus/kustomization.yaml
+++ b/kustomizations/prometheus/kustomization.yaml
@@ -3,8 +3,4 @@ kind: Kustomization
 resources:
   - prometheus.yaml
   - alertmanager.yaml
-  - gateway.yaml
-  - gateway-issuer.yaml
-  - gateway-certificate.yaml
-  - client-certificates.yaml
   - httproute.yaml
diff --git a/kustomizations/victoria-logs/httproute.yaml b/kustomizations/victoria-logs/httproute.yaml
new file mode 100644
index 0000000..288e4c9
--- /dev/null
+++ b/kustomizations/victoria-logs/httproute.yaml
@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: victoria-logs
+spec:
+  parentRefs:
+  - name: observability-gateway
+    namespace: observability-gateway-system
+    sectionName: victoria-logs
+  hostnames: []
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    backendRefs:
+    - name: victoria-logs
+      port: 9428
diff --git a/kustomizations/victoria-logs/kustomization.yaml b/kustomizations/victoria-logs/kustomization.yaml
new file mode 100644
index 0000000..3c69063
--- /dev/null
+++ b/kustomizations/victoria-logs/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - victoria-logs.yaml
+  - httproute.yaml
diff --git a/kustomizations/victoria-logs/victoria-logs.yaml b/kustomizations/victoria-logs/victoria-logs.yaml
new file mode 100644
index 0000000..cd65ca3
--- /dev/null
+++ b/kustomizations/victoria-logs/victoria-logs.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: victoria-logs
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: victoria-logs
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: victoria-logs
+    spec:
+      containers:
+        - name: victoria-logs
+          args:
+            - -storageDataPath=/vlogs-data
+            - -retentionPeriod=7d
+          ports:
+            - containerPort: 9428
+              name: http
+          volumeMounts:
+            - name: storage
+              mountPath: /vlogs-data
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 1Gi
+              cpu: 500m
+      securityContext:
+        fsGroup: 2000
+        runAsNonRoot: true
+        runAsUser: 1000
+  volumeClaimTemplates:
+    - metadata:
+        name: storage
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: victoria-logs
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 9428
+      targetPort: http
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: victoria-logs
diff --git a/resource-graph-definitions/observability-gateway.yaml b/resource-graph-definitions/observability-gateway.yaml
new file mode 100644
index 0000000..f400e33
--- /dev/null
+++ b/resource-graph-definitions/observability-gateway.yaml
@@ -0,0 +1,153 @@
+apiVersion: kro.run/v1alpha1
+kind: ResourceGraphDefinition
+metadata:
+  name: observability-gateway
+spec:
+  schema:
+    apiVersion: v1alpha1
+    kind: ObservabilityGateway
+    spec:
+      componentRef:
+        name: string | default="obs-stack-component"
+      imagePullSecretRef:
+        name: string | default="imgpull"
+        namespace: string | default="obs-stack"
+      openMCPGatewayRef:
+        name: string | default="default"
+        namespace: string | default="openmcp-system"
+      forProvider:
+        namespace: string | default="observability-gateway-system"
+        port: integer | default=8443 minimum=1024 maximum=49151
+        prometheus:
+          namespace: string | default="prometheus-system"
+        victoriaLogs:
+          namespace: string | default="victoria-logs-system"
+    status:
+      ready: ${observabilityGatewayKustomization.status.conditions.exists(c, c.type == "Ready" && c.status == "True")}
+      lastAttemptedRevisionDigest: ${observabilityGatewayKustomization.status.lastAttemptedRevision}
+
+  resources:
+    # shared image pull secret copied into the gateway namespace
+    - id: sharedImagePullSecret
+      externalRef:
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: ${schema.spec.imagePullSecretRef.name}
+          namespace: ${schema.spec.imagePullSecretRef.namespace}
+
+    # openMCP default gateway used to acquire the DNS base domain
+    - id: sharedGateway
+      externalRef:
+        apiVersion: gateway.networking.k8s.io/v1
+        kind: Gateway
+        metadata:
+          name: ${schema.spec.openMCPGatewayRef.name}
+          namespace: ${schema.spec.openMCPGatewayRef.namespace}
+
+    - id: observabilityGatewayKustomizationResource
+      template:
+        apiVersion: delivery.ocm.software/v1alpha1
+        kind: Resource
+        metadata:
+          name: observability-gateway-kustomization
+          namespace: ${schema.metadata.namespace}
+        spec:
+          componentRef: ${schema.spec.componentRef}
+          resource:
+            byReference:
+              resource:
+                name: observability-gateway-kustomization
+          additionalStatusFields:
+            registry: resource.access.imageReference.toOCI().registry
+            repository: resource.access.imageReference.toOCI().repository
+            tag: resource.access.imageReference.toOCI().tag
+          interval: 1m
+
+    - id: observabilityGatewayOCIRepository
+      template:
+        apiVersion: source.toolkit.fluxcd.io/v1
+        kind: OCIRepository
+        metadata:
+          name: observability-gateway-ocirepository
+          namespace: ${schema.metadata.namespace}
+        spec:
+          interval: 1m0s
+          insecure: true
+          layerSelector:
+            mediaType: "application/vnd.cncf.flux.content.v1.tar+gzip"
+            operation: copy
+          url: oci://${observabilityGatewayKustomizationResource.status.additional.registry}/${observabilityGatewayKustomizationResource.status.additional.repository}
+          ref:
+            tag: ${observabilityGatewayKustomizationResource.status.additional.tag}
+          secretRef:
+            name: ${schema.spec.imagePullSecretRef.name}
+
+    - id: observabilityGatewayNamespace
+      template:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: ${schema.spec.forProvider.namespace}
+
+    - id: observabilityGatewayImagePullSecret
+      template:
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: observability-gateway-imgpull
+          namespace: ${observabilityGatewayNamespace.metadata.name}
+        type: ${sharedImagePullSecret.type}
+        data: ${sharedImagePullSecret.data}
+
+    - id: observabilityGatewayKustomization
+      template:
+        apiVersion: kustomize.toolkit.fluxcd.io/v1
+        kind: Kustomization
+        metadata:
+          name: observability-gateway-kustomization
+          namespace: ${schema.metadata.namespace}
+        spec:
+          interval: 1m
+          targetNamespace: ${observabilityGatewayNamespace.metadata.name}
+          sourceRef:
+            kind: OCIRepository
+            name: ${observabilityGatewayOCIRepository.metadata.name}
+          path: ""
+          prune: true
+          timeout: 1m
+          patches:
+          - target:
+              kind: Gateway
+              name: observability-gateway
+            patch: |-
+              - op: replace
+                path: /spec/listeners/0/hostname
+                value: prometheus.${schema.spec.forProvider.prometheus.namespace}.${sharedGateway.metadata.annotations["dns.openmcp.cloud/base-domain"]}
+              - op: replace
+                path: /spec/listeners/1/hostname
+                value: victoria-logs.${schema.spec.forProvider.victoriaLogs.namespace}.${sharedGateway.metadata.annotations["dns.openmcp.cloud/base-domain"]}
+              - op: replace
+                path: /spec/listeners/0/port
+                value: ${"%d".format([schema.spec.forProvider.port])}
+              - op: replace
+                path: /spec/listeners/1/port
+                value: ${"%d".format([schema.spec.forProvider.port])}
+          - target:
+              kind: Certificate
+              name: prometheus-gateway-cert
+            patch: |-
+              - op: add
+                path: /spec/dnsNames
+                value:
+                - prometheus.${schema.spec.forProvider.prometheus.namespace}.${sharedGateway.metadata.annotations["dns.openmcp.cloud/base-domain"]}
+          - target:
+              kind: Certificate
+              name: victoria-logs-gateway-cert
+            patch: |-
+              - op: add
+                path: /spec/dnsNames
+                value:
+                - victoria-logs.${schema.spec.forProvider.victoriaLogs.namespace}.${sharedGateway.metadata.annotations["dns.openmcp.cloud/base-domain"]}
+      readyWhen:
+        - ${observabilityGatewayKustomization.status.conditions.exists(c, c.type == "Ready" && c.status == "True")}
diff --git a/resource-graph-definitions/observability-stack.yaml b/resource-graph-definitions/observability-stack.yaml
index 0826a1d..6b23718 100644
--- a/resource-graph-definitions/observability-stack.yaml
+++ b/resource-graph-definitions/observability-stack.yaml
@@ -29,8 +29,11 @@ spec:
         namespace: string | default="prometheus-operator-system"
       prometheus:
         namespace: string | default="prometheus-system"
-        dashboard:
-          port: integer | default=8443 minimum=1024 maximum=49151
+      victoriaLogs:
+        namespace: string | default="victoria-logs-system"
+      observabilityGateway:
+        namespace: string | default="observability-gateway-system"
+        port: integer | default=8443 minimum=1024 maximum=49151
     status:
       certManager:
         ready: ${certManager.status.ready}
@@ -46,8 +49,12 @@ spec:
         ready: ${prometheusOperator.status.ready}
       prometheus:
         ready: ${prometheus.status.ready}
+      victoriaLogs:
+        ready: ${victoriaLogs.status.ready}
+      observabilityGateway:
+        ready: ${observabilityGateway.status.ready}
       ready:
-        ${(certManager.status.ready == true) && (metricsOperator.status.ready) && (openTelemetryOperator.status.ready == true) && (prometheusOperator.status.ready == true) && (prometheus.status.ready == true) && (openTelemetryCollector.status.ready == true) && metrics.status.ready == true}
+        ${(certManager.status.ready == true) && (metricsOperator.status.ready) && (openTelemetryOperator.status.ready == true) && (prometheusOperator.status.ready == true) && (prometheus.status.ready == true) && (openTelemetryCollector.status.ready == true) && metrics.status.ready == true && victoriaLogs.status.ready == true && observabilityGateway.status.ready == true}
 
   resources:
     - id: certManager
@@ -136,6 +143,28 @@ spec:
       readyWhen:
         - ${prometheusOperator.status.ready == true}
 
+    - id: observabilityGateway
+      template:
+        apiVersion: kro.run/v1alpha1
+        kind: ObservabilityGateway
+        metadata:
+          name: observability-gateway
+          annotations:
+            dependency/cert-manager: ${certManager.status.lastAttemptedRevisionDigest}
+        spec:
+          componentRef: ${schema.spec.componentRef}
+          imagePullSecretRef: ${schema.spec.imagePullSecretRef}
+          openMCPGatewayRef: ${schema.spec.openMCPGatewayRef}
+          forProvider:
+            namespace: ${schema.spec.observabilityGateway.namespace}
+            port: ${schema.spec.observabilityGateway.port}
+            prometheus:
+              namespace: ${schema.spec.prometheus.namespace}
+            victoriaLogs:
+              namespace: ${schema.spec.victoriaLogs.namespace}
+      readyWhen:
+        - ${observabilityGateway.status.ready == true}
+
     - id: prometheus
       template:
         apiVersion: kro.run/v1alpha1
@@ -143,11 +172,31 @@ spec:
         metadata:
           name: prometheus
           annotations:
-            dependency/cert-manager: ${certManager.status.lastAttemptedRevisionDigest}
+            dependency/observability-gateway: ${observabilityGateway.status.lastAttemptedRevisionDigest}
         spec:
           componentRef: ${schema.spec.componentRef}
           imagePullSecretRef: ${schema.spec.imagePullSecretRef}
           openMCPGatewayRef: ${schema.spec.openMCPGatewayRef}
+          observabilityGatewayRef:
+            namespace: ${schema.spec.observabilityGateway.namespace}
           forProvider: ${schema.spec.prometheus}
       readyWhen:
         - ${prometheus.status.ready == true}
+
+    - id: victoriaLogs
+      template:
+        apiVersion: kro.run/v1alpha1
+        kind: VictoriaLogs
+        metadata:
+          name: victoria-logs
+          annotations:
+            dependency/observability-gateway: ${observabilityGateway.status.lastAttemptedRevisionDigest}
+        spec:
+          componentRef: ${schema.spec.componentRef}
+          imagePullSecretRef: ${schema.spec.imagePullSecretRef}
+          openMCPGatewayRef: ${schema.spec.openMCPGatewayRef}
+          observabilityGatewayRef:
+            namespace: ${schema.spec.observabilityGateway.namespace}
+          forProvider: ${schema.spec.victoriaLogs}
+      readyWhen:
+        - ${victoriaLogs.status.ready == true}
diff --git a/resource-graph-definitions/otel-collector.yaml b/resource-graph-definitions/otel-collector.yaml
index dba2c80..a6f5400 100644
--- a/resource-graph-definitions/otel-collector.yaml
+++ b/resource-graph-definitions/otel-collector.yaml
@@ -108,6 +108,14 @@ spec:
                 path: /imagePullSecrets
                 value:
                 - name: ${openTelemetryCollectorImagePullSecret.metadata.name}
+          - target:
+              kind: ServiceAccount
+              name: open-telemetry-log-collector
+            patch: |-
+              - op: add
+                path: /imagePullSecrets
+                value:
+                - name: ${openTelemetryCollectorImagePullSecret.metadata.name}
           - target:
               kind: ServiceMonitor
               name: otel-collector
diff --git a/resource-graph-definitions/prometheus.yaml b/resource-graph-definitions/prometheus.yaml
index 9168dfd..8270922 100644
--- a/resource-graph-definitions/prometheus.yaml
+++ b/resource-graph-definitions/prometheus.yaml
@@ -15,10 +15,10 @@ spec:
       openMCPGatewayRef:
         name: string | default="default"
         namespace: string | default="openmcp-system"
+      observabilityGatewayRef:
+        namespace: string | default="observability-gateway-system"
       forProvider:
         namespace: string | default="prometheus-system"
-        dashboard:
-          port: integer | default=8443 minimum=1024 maximum=49151
     status:
       ready: ${prometheusKustomization.status.conditions.exists(c, c.type == "Ready" && c.status == "True")}
       lastAttemptedRevisionDigest: ${prometheusKustomization.status.lastAttemptedRevision}
@@ -160,31 +160,9 @@ spec:
                 path: /spec/hostnames
                 value:
                 - prometheus.${prometheusNamespace.metadata.name}.${sharedGateway.metadata.annotations["dns.openmcp.cloud/base-domain"]}
-          - target:
-              kind: Certificate
-              name: prometheus-gateway-cert
-            patch: |-
-              - op: add
-                path: /spec/dnsNames
-                value:
-                - prometheus.${prometheusNamespace.metadata.name}.${sharedGateway.metadata.annotations["dns.openmcp.cloud/base-domain"]}
-          - target:
-              kind: Gateway
-              name: prometheus
-            patch: |-
-              - op: replace
-                path: /spec/listeners/0/port
-                value: ${"%d".format([schema.spec.forProvider.dashboard.port])}
-              - op: replace
-                path: /spec/listeners/0/tls/certificateRefs/0/namespace
-                value: ${prometheusNamespace.metadata.name}
-          - target:
-              kind: HTTPRoute
-              name: prometheus
-            patch: |-
               - op: replace
                 path: /spec/parentRefs/0/namespace
-                value: ${prometheusNamespace.metadata.name}
+                value: ${schema.spec.observabilityGatewayRef.namespace}
           - target:
               kind: Prometheus
               name: prometheus
diff --git a/resource-graph-definitions/victoria-logs.yaml b/resource-graph-definitions/victoria-logs.yaml
new file mode 100644
index 0000000..1cebd95
--- /dev/null
+++ b/resource-graph-definitions/victoria-logs.yaml
@@ -0,0 +1,159 @@
+apiVersion: kro.run/v1alpha1
+kind: ResourceGraphDefinition
+metadata:
+  name: victoria-logs
+spec:
+  schema:
+    apiVersion: v1alpha1
+    kind: VictoriaLogs
+    spec:
+      componentRef:
+        name: string | default="obs-stack-component"
+      imagePullSecretRef:
+        name: string | default="imgpull"
+        namespace: string | default="obs-stack"
+      openMCPGatewayRef:
+        name: string | default="default"
+        namespace: string | default="openmcp-system"
+      observabilityGatewayRef:
+        namespace: string | default="observability-gateway-system"
+      forProvider:
+        namespace: string | default="victoria-logs-system"
+    status:
+      ready: ${victoriaLogsKustomization.status.conditions.exists(c, c.type == "Ready" && c.status == "True")}
+      lastAttemptedRevisionDigest: ${victoriaLogsKustomization.status.lastAttemptedRevision}
+
+  resources:
+    # shared image pull secret copied into the Victoria Logs namespace
+    - id: sharedImagePullSecret
+      externalRef:
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: ${schema.spec.imagePullSecretRef.name}
+          namespace: ${schema.spec.imagePullSecretRef.namespace}
+
+    # openMCP default gateway used to acquire the DNS base domain
+    - id: sharedGateway
+      externalRef:
+        apiVersion: gateway.networking.k8s.io/v1
+        kind: Gateway
+        metadata:
+          name: ${schema.spec.openMCPGatewayRef.name}
+          namespace: ${schema.spec.openMCPGatewayRef.namespace}
+
+    - id: victoriaLogsKustomizationResource
+      template:
+        apiVersion: delivery.ocm.software/v1alpha1
+        kind: Resource
+        metadata:
+          name: victoria-logs-kustomization
+          namespace: ${schema.metadata.namespace}
+        spec:
+          componentRef: ${schema.spec.componentRef}
+          resource:
+            byReference:
+              resource:
+                name: victoria-logs-kustomization
+          additionalStatusFields:
+            registry: resource.access.imageReference.toOCI().registry
+            repository: resource.access.imageReference.toOCI().repository
+            tag: resource.access.imageReference.toOCI().tag
+          interval: 1m
+
+    - id: victoriaLogsImage
+      template:
+        apiVersion: delivery.ocm.software/v1alpha1
+        kind: Resource
+        metadata:
+          name: victoria-logs-image
+          namespace: ${schema.metadata.namespace}
+        spec:
+          componentRef: ${schema.spec.componentRef}
+          resource:
+            byReference:
+              resource:
+                name: victoria-logs-image
+          additionalStatusFields:
+            registry: resource.access.imageReference.toOCI().registry
+            repository: resource.access.imageReference.toOCI().repository
+            tag: resource.access.imageReference.toOCI().tag
+          interval: 1m
+
+    - id: victoriaLogsOCIRepository
+      template:
+        apiVersion: source.toolkit.fluxcd.io/v1
+        kind: OCIRepository
+        metadata:
+          name: victoria-logs-ocirepository
+          namespace: ${schema.metadata.namespace}
+        spec:
+          interval: 1m0s
+          insecure: true
+          layerSelector:
+            mediaType: "application/vnd.cncf.flux.content.v1.tar+gzip"
+            operation: copy
+          url: oci://${victoriaLogsKustomizationResource.status.additional.registry}/${victoriaLogsKustomizationResource.status.additional.repository}
+          ref:
+            tag: ${victoriaLogsKustomizationResource.status.additional.tag}
+          secretRef:
+            name: ${schema.spec.imagePullSecretRef.name}
+
+    - id: victoriaLogsNamespace
+      template:
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: ${schema.spec.forProvider.namespace}
+
+    - id: victoriaLogsImagePullSecret
+      template:
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: victoria-logs-imgpull
+          namespace: ${victoriaLogsNamespace.metadata.name}
+        type: ${sharedImagePullSecret.type}
+        data: ${sharedImagePullSecret.data}
+
+    - id: victoriaLogsKustomization
+      template:
+        apiVersion: kustomize.toolkit.fluxcd.io/v1
+        kind: Kustomization
+        metadata:
+          name: victoria-logs-kustomization
+          namespace: ${schema.metadata.namespace}
+        spec:
+          interval: 1m
+          targetNamespace: ${victoriaLogsNamespace.metadata.name}
+          sourceRef:
+            kind: OCIRepository
+            name: ${victoriaLogsOCIRepository.metadata.name}
+          path: ""
+          prune: true
+          timeout: 1m
+          patches:
+          - target:
+              kind: HTTPRoute
+              name: victoria-logs
+            patch: |-
+              - op: add
+                path: /spec/hostnames
+                value:
+                - victoria-logs.${victoriaLogsNamespace.metadata.name}.${sharedGateway.metadata.annotations["dns.openmcp.cloud/base-domain"]}
+              - op: replace
+                path: /spec/parentRefs/0/namespace
+                value: ${schema.spec.observabilityGatewayRef.namespace}
+          - target:
+              kind: StatefulSet
+              name: victoria-logs
+            patch: |-
+              - op: replace
+                path: /spec/template/spec/containers/0/image
+                value: ${victoriaLogsImage.status.resource.access.imageReference}
+              - op: add
+                path: /spec/template/spec/imagePullSecrets
+                value:
+                - name: ${victoriaLogsImagePullSecret.metadata.name}
+      readyWhen:
+        - ${victoriaLogsKustomization.status.conditions.exists(c, c.type == "Ready" && c.status == "True")}
diff --git a/test/e2e/obs_stack_test.go b/test/e2e/obs_stack_test.go
index 3014a23..850b1a2 100644
--- a/test/e2e/obs_stack_test.go
+++ b/test/e2e/obs_stack_test.go
@@ -154,6 +154,17 @@ func TestObsStack(t *testing.T) {
 
 			return ctx
 		}).
+		Assess("can read logs from victoria logs", func(ctx context.Context, t *testing.T, config *envconf.Config) context.Context {
+			localPort, stop, err := portForwardToPod(t, "victoria-logs-system", "victoria-logs-0", 9428)
+			if err != nil {
+				t.Fatalf("failed to port-forward to Victoria Logs: %v", err)
+			}
+			defer stop()
+
+			assertLogsAvailable(ctx, t, localPort)
+
+			return ctx
+		}).
 		Teardown(func(ctx context.Context, t *testing.T, config *envconf.Config) context.Context {
 			// Delete objects in reverse order to handle dependencies
 			for i := len(objectList) - 1; i >= 0; i-- {
diff --git a/test/e2e/platform/observability-stack/observability-stack.yaml b/test/e2e/platform/observability-stack/observability-stack.yaml
index 5c86bf0..26b2882 100644
--- a/test/e2e/platform/observability-stack/observability-stack.yaml
+++ b/test/e2e/platform/observability-stack/observability-stack.yaml
@@ -23,5 +23,8 @@ spec:
     namespace: prometheus-operator-system
   prometheus:
     namespace: prometheus-system
-    dashboard:
-      port: 8443
+  victoriaLogs:
+    namespace: victoria-logs-system
+  observabilityGateway:
+    namespace: observability-gateway-system
+    port: 8443
diff --git a/test/e2e/victoria-logs.go b/test/e2e/victoria-logs.go
new file mode 100644
index 0000000..dbd82f5
--- /dev/null
+++ b/test/e2e/victoria-logs.go
@@ -0,0 +1,48 @@
+package e2e
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"testing"
+	"time"
+
+	"sigs.k8s.io/e2e-framework/klient/wait"
+)
+
+// assertLogsAvailable waits until Victoria Logs contains at least one log entry,
+// failing the test if no logs appear after the timeout.
+//
+// It queries the LogsQL HTTP API at /select/logsql/query, which returns NDJSON.
+// A non-empty response body indicates that logs have been ingested.
+func assertLogsAvailable(ctx context.Context, t *testing.T, localPort int) {
+	t.Helper()
+	if err := wait.For(func(ctx context.Context) (bool, error) {
+		url := fmt.Sprintf("http://localhost:%d/select/logsql/query?query=*&limit=1&start=now-30m", localPort)
+		req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+		if err != nil {
+			return false, nil
+		}
+
+		resp, err := http.DefaultClient.Do(req)
+		if err != nil {
+			return false, nil
+		}
+		defer resp.Body.Close()
+
+		if resp.StatusCode != http.StatusOK {
+			return false, nil
+		}
+
+		body, err := io.ReadAll(resp.Body)
+		if err != nil {
+			return false, nil
+		}
+
+		return len(bytes.TrimSpace(body)) > 0, nil
+	}, wait.WithTimeout(10*time.Minute), wait.WithContext(ctx)); err != nil {
+		t.Errorf("no logs found in Victoria Logs after timeout: %v", err)
+	}
+}