Can ELK + Watcher replace my current setup


I've been roaming these forums for a little while now, trying to find out what ELK can do and how.
Now I'd like the opinion of other users if it can replace my current monitoring setup.

We are already running the ELK Stack to receive log files from our production servers. So basically Logstash is grabbing the logs from our production servers (which, by the way, host multiple projects, each served under a separate URL).
This separate URL would be similar to "https://(customer company name).(our company).com".
After Logstash filters the logs, it sends them to Elasticsearch, and Kibana can be used to query the log files. Nothing more, nothing less.

Now we have a homemade product which also filters log files and checks the servers and the projects on these servers for multiple things. With every new project or server we make a couple of checks for it by adding values by hand. They check for availability (the value would be 5000 ms: every 5000 ms, perform this check) or how much memory it has (5% or less).

If the availability returns false or the memory returns a value that is less than 5%, we'll get an email.

I figure that this is quite possible with ELK and Watcher, and maybe Marvel for convenience. Now here is the kicker: we also categorize these logs. Examples of the categories are "Info, Warning, Severe". Is there a way of replicating that feature within ELK, so that our logs return one of those categories if they exceed a certain condition set by us?

So basically, am I correct in believing that ELK and Watcher can replace what I have mentioned, and is there a way of replicating the log category part?

Thank you for your assistance!

How exactly is this categorisation done?

Assuming the most common case, where you simply filter logs by some hand-crafted condition, that categorisation shouldn't be any problem. You could check the Query DSL guide for the exact queries you can formulate:

Hi Isabel. The categorisation is done quite easily. The checks I mentioned earlier have these categories within them. You enter specific values for each category, and if a check exceeds these set values a number of times, then it is categorized as such. So basically a warning has values which are still acceptable but which we need to do something about asap. The severe will have values we preferably don't want to see, and if a check manages to exceed these values it will be a severe.

So yes, hand-crafted conditions. I will look into your suggestion.
Also, I noticed something while diving into the docs. I found this, which is practically the categorisation that I'm looking for. How are these severity labels used? Can I use them like I just explained, or do they work via their own conditions, similar to the "red", "yellow", "green" status of a cluster?
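The following is an added example, not code from this thread or from Elastic's documentation. It shows the two halves of what the thread discusses: the hand-crafted categorisation rule (a check is "Warning" or "Severe" once it breaches that category's threshold a number of times) written as plain Python so the rule can be tested against constructed samples, and the Watcher watch body that expresses the same rule for one category, so Watcher can send the e-mail instead of the homemade product. The index pattern `metrics-*`, the fields `host.name`, `memory.free_pct` and `@timestamp`, the `5m` look-back window and the threshold values are all assumptions made for the example, not values from the posts.

```python
"""Hand-crafted severity categorisation and the equivalent Watcher body.

Added example; nothing here is taken from the thread or from Elastic.
Assumed (not in the original posts): metrics are indexed into `metrics-*`
with fields `host.name`, `memory.free_pct` (free memory in percent) and
`@timestamp`; a category applies once the metric breaches its threshold at
least `min_hits` times inside the look-back window.
"""
import json

# One row per category, most severe first: (name, threshold, min_hits).
# memory.free_pct <= threshold at least min_hits times  =>  that category.
# Threshold/min_hits values are assumed for illustration.
CATEGORIES = [
    ("Severe", 2.0, 3),
    ("Warning", 5.0, 3),
]
WINDOW = "5m"          # assumed Watcher look-back window
INTERVAL = "5s"        # the 5000 ms check interval mentioned in the thread


def categorise(samples, categories=CATEGORIES):
    """Return 'Info', 'Warning' or 'Severe' for one window of free-memory
    percentages. The most severe category whose threshold was breached at
    least min_hits times wins; with no breach the check stays 'Info'."""
    for name, threshold, min_hits in categories:
        hits = sum(1 for pct in samples if pct <= threshold)
        if hits >= min_hits:
            return name
    return "Info"


def build_watch(name, threshold, min_hits, host, recipient):
    """Watcher body equivalent to one CATEGORIES row.

    Every INTERVAL, count samples for `host` in the last WINDOW whose
    memory.free_pct is at or below `threshold`; if at least `min_hits`
    exist, e-mail `recipient`. `throttle_period` stops Watcher re-sending
    the same alert on every 5 s trigger while the condition stays true.
    (ctx.payload.hits.total is a plain number in Watcher payloads.)
    """
    return {
        "trigger": {"schedule": {"interval": INTERVAL}},
        "input": {
            "search": {
                "request": {
                    "indices": ["metrics-*"],  # assumed index pattern
                    "body": {
                        "size": 0,  # only the hit count is needed
                        "query": {
                            "bool": {
                                "must": [
                                    {"term": {"host.name": host}},
                                    {"range": {"@timestamp": {"gte": "now-" + WINDOW}}},
                                    {"range": {"memory.free_pct": {"lte": threshold}}},
                                ]
                            }
                        },
                    },
                }
            }
        },
        "condition": {"compare": {"ctx.payload.hits.total": {"gte": min_hits}}},
        "throttle_period": WINDOW,
        "actions": {
            "email_ops": {
                "email": {
                    "to": recipient,
                    "subject": "[{}] low memory on {}".format(name, host),
                    "body": "{{ctx.payload.hits.total}} samples at or below "
                            + str(threshold) + "% free memory in the last " + WINDOW,
                }
            }
        },
    }


def build_all_watches(host, recipient, categories=CATEGORIES):
    """One watch per category, keyed by a watch id suitable for
    PUT _watcher/watch/<id>."""
    return {
        "memory_{}_{}".format(name.lower(), host): build_watch(name, thr, hits, host, recipient)
        for name, thr, hits in categories
    }


if __name__ == "__main__":
    # Constructed sample windows (percent free memory), not real data.
    for window in ([10, 9, 8, 12], [4, 4, 10, 4], [1, 1, 10, 1]):
        print(window, "->", categorise(window))
    # The bodies to PUT to _watcher/watch/<id> (host and address are assumed).
    print(json.dumps(build_all_watches("web-1", "ops@example.com"), indent=2))
```

The two parts mirror each other deliberately: `categorise` is what you would test the thresholds against before committing them, and `build_watch` is the same rule restated as a Watcher `search` input plus a `compare` condition on the hit count, which is the "hand-crafted condition" approach from the reply above. Because each category is its own watch, "Severe" and "Warning" can fire independently with their own subjects; the e-mail action replaces the homemade product's notification.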