Best way to ensure logs from all hosts are being indexed

Hi all,

The log pipeline for our Linux systems is:

rsyslog => logstash => elasticsearch

We want to put something in place that would alert us if logs from any of our approximately 5000 hosts are not being indexed in Elasticsearch. I would imagine this is a fairly common need so was wondering if there are any best practices for this?

We have a Platinum on-premises licence FWIW.

Many thanks.

Definitely reach out to your Support Engineer about this one then :slight_smile:

You can setup an ML job to let you know if there is an unusual drop in logs from any given host, and then send you an Alert.