Best way to ensure logs from all hosts are being indexed

Hi all,

The log pipeline for our Linux systems is:

rsyslog => logstash => elasticsearch

We want to put something in place that would alert us if logs from any of our approximately 5000 hosts are not being indexed in Elasticsearch. I would imagine this is a fairly common need so was wondering if there are any best practices for this?

We have a Platinum on-premises licence FWIW.

Many thanks.

Definitely reach out to your Support Engineer about this one then :slight_smile:

You can set up an ML job to let you know if there is an unusual drop in logs from any given host, and then send you an Alert.
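Alongside an ML job, a plain inventory comparison catches hosts that have gone completely silent, which a per-host anomaly model may miss for hosts that never logged at all. The following is an added example, not code from this thread or from Elastic; it assumes the indexed documents carry `host.name` and `@timestamp` fields (adjust to your Logstash output) and that the host inventory comes from your own source of truth.

```python
"""Flag hosts whose logs are missing or sharply reduced in Elasticsearch.

Added example, not from the thread. Assumes documents carry a `host.name`
keyword field and an `@timestamp` field. Runs offline on a constructed
aggregation response shaped like an Elasticsearch terms-aggregation reply.
"""

# Constructed inventory; in practice this comes from your CMDB or similar.
EXPECTED_HOSTS = {"web-01", "web-02", "db-01", "db-02"}


def missing_hosts_query(window="15m", size=10000):
    """Build the search body: per-host document counts over the last `window`.

    `size` must exceed the number of hosts (about 5000 in the thread), or the
    terms aggregation truncates the bucket list and live hosts look missing.
    """
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{window}"}}},
        "aggs": {"per_host": {"terms": {"field": "host.name", "size": size}}},
    }


def hosts_seen(agg_response):
    """Map host -> doc count; refuse a truncated aggregation rather than
    silently reporting the dropped hosts as missing."""
    per_host = agg_response["aggregations"]["per_host"]
    if per_host.get("sum_other_doc_count", 0) > 0:
        raise ValueError("terms aggregation truncated; raise `size`")
    return {b["key"]: b["doc_count"] for b in per_host["buckets"]}


def find_silent_hosts(expected, seen, baseline=None, drop_ratio=0.2):
    """Return (missing, dropped): hosts with no documents in the window, and
    hosts whose count fell below drop_ratio * their baseline count."""
    missing = sorted(expected - set(seen))
    dropped = [h for h, base in (baseline or {}).items()
               if h in seen and base > 0 and seen[h] < drop_ratio * base]
    return missing, sorted(dropped)


# Constructed sample reply: web-02 has slowed to a trickle, db-02 is absent.
SAMPLE_RESPONSE = {"aggregations": {"per_host": {"sum_other_doc_count": 0,
    "buckets": [{"key": "web-01", "doc_count": 1200},
                {"key": "web-02", "doc_count": 40},
                {"key": "db-01", "doc_count": 800}]}}}
SAMPLE_BASELINE = {"web-01": 1100, "web-02": 1150, "db-01": 750, "db-02": 700}

if __name__ == "__main__":
    print(find_silent_hosts(EXPECTED_HOSTS, hosts_seen(SAMPLE_RESPONSE),
                            SAMPLE_BASELINE))  # -> (['db-02'], ['web-02'])
```

Run the query body on a schedule (Watcher or a cron job), feed the reply to `hosts_seen`, and alert on a non-empty result; the baseline can be the same aggregation over a longer comparable window.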
