The log pipeline for our Linux systems is:
rsyslog => logstash => elasticsearch
We want to put something in place that would alert us if logs from any of our approximately 5000 hosts are not being indexed in Elasticsearch. I would imagine this is a fairly common need, so I was wondering whether there are any best practices for this.
We have a Platinum on-premises licence FWIW.
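One way to build that check, as an added example that is not part of the original post: an aggregation over the index can only show hosts that did log, so alerting on absence needs an inventory of hosts that should be logging, compared against the newest timestamp per host seen in the last window. The script below assumes an inventory exported from a CMDB or config management (constructed inline here), that host names are indexed in `host.name` with the event time in `@timestamp`, and it derives "last seen" two ways: from constructed rsyslog-format lines (the logstash side) and from a constructed Elasticsearch terms-aggregation response (the query a monitor would run).

```python
"""Flag inventory hosts whose logs have stopped being indexed.

Added example, not code from the original post. Assumptions: an inventory of
expected hosts (constructed inline), host names indexed in host.name and
event time in @timestamp; sample log lines and the ES response are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed rsyslog lines in RSYSLOG_ForwardFormat style: <PRI>TIMESTAMP HOST TAG: MSG
SAMPLE_LINES = """\
<13>2024-05-01T10:58:12+00:00 web01 sshd[1201]: Accepted publickey for ops
<13>2024-05-01T10:59:40+00:00 web02 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
<13>2024-05-01T10:20:03+00:00 db01 kernel: audit: type=1400 apparmor="DENIED"
<13>2024-05-01T11:00:01+00:00 web01 sshd[1202]: session opened for user ops
"""

# Hosts expected to log (assumed CMDB export, constructed here).
# bastion01 never appears in the sample data, which is exactly the case an
# index-only check cannot detect.
INVENTORY = ["web01", "web02", "db01", "bastion01"]

NOW = datetime(2024, 5, 1, 11, 0, 30, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=15)  # tune to the slowest legitimate log gap

LINE_RE = re.compile(r"^<\d+>(?P<ts>\S+) (?P<host>\S+) ")


def last_seen_from_lines(text: str) -> dict:
    """Newest timestamp per host parsed from raw syslog lines."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # an unparseable line is not evidence of a healthy host
        ts = datetime.fromisoformat(m["ts"])
        host = m["host"]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


# Constructed response for the query a monitor would run every few minutes:
#   {"size": 0,
#    "query": {"range": {"@timestamp": {"gte": "now-15m"}}},
#    "aggs": {"by_host": {"terms": {"field": "host.name", "size": 10000},
#                         "aggs": {"newest": {"max": {"field": "@timestamp"}}}}}}
# "size" must exceed the host count, otherwise hosts silently fall out of the
# buckets and sum_other_doc_count becomes non-zero.
ES_RESPONSE = {
    "aggregations": {
        "by_host": {
            "sum_other_doc_count": 0,
            "buckets": [
                {"key": "web01", "doc_count": 2,
                 "newest": {"value_as_string": "2024-05-01T11:00:01.000Z"}},
                {"key": "web02", "doc_count": 1,
                 "newest": {"value_as_string": "2024-05-01T10:59:40.000Z"}},
            ],
        }
    }
}


def last_seen_from_es(resp: dict) -> dict:
    """Newest timestamp per host from a terms+max aggregation response."""
    agg = resp["aggregations"]["by_host"]
    if agg.get("sum_other_doc_count", 0):
        raise ValueError("terms aggregation truncated: raise 'size' or use a composite agg")
    seen = {}
    for bucket in agg["buckets"]:
        iso = bucket["newest"]["value_as_string"].replace("Z", "+00:00")
        seen[bucket["key"]] = datetime.fromisoformat(iso)
    return seen


def silent_hosts(inventory, last_seen: dict, now: datetime, window: timedelta) -> dict:
    """Inventory hosts with no log newer than now - window, mapped to a reason."""
    cutoff = now - window
    silent = {}
    for host in inventory:
        ts = last_seen.get(host)
        if ts is None:
            silent[host] = "never seen in window"
        elif ts < cutoff:
            silent[host] = "last seen " + ts.isoformat()
    return silent


def unknown_hosts(inventory, last_seen: dict) -> set:
    """Hosts that log but are not in the inventory: drift, or something rogue."""
    return set(last_seen) - set(inventory)


if __name__ == "__main__":
    for name, seen in (("lines", last_seen_from_lines(SAMPLE_LINES)),
                       ("es", last_seen_from_es(ES_RESPONSE))):
        print(name, silent_hosts(INVENTORY, seen, NOW, WINDOW), unknown_hosts(INVENTORY, seen))
```

Two things bite in practice: the inventory names must match `host.name` exactly as indexed (short name versus FQDN, case), and the window has to exceed the longest gap a quiet host legitimately goes without logging, or the alert becomes noise. The same terms-plus-max aggregation can serve as the search input of a Watcher alert, with the inventory comparison in its condition script.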