Hello,
I'm a bit confused over the way alerting works in the Elastic Stack.
I have multiple small applications that generate logs, and I also have to manage multiple larger applications that each generate several different log files.
I want to introduce something that tells me if something goes wrong, what went wrong and where to look. I heard that Elasticsearch has many ways to deal with logs, so I'm trying to set up log monitoring for my purpose, but I don't understand how it is intended to work.
For the small applications I want to receive a notification on every single error, containing the error message. They do things like file processing and only generate errors if an input file is corrupt, which doesn't happen often, but if it happens I have to look.
The bigger applications, on the other hand, can generate all kinds of errors, and I want to define some rules that let me control which kinds of errors generate a notification.
I use Filebeat to ship all logs to Elastic.
So now my questions:
- On Observability > Logs > Stream there is a list with all the logs. But how can I view only the logs of one application? I can set a filter on log.file.path, but obviously there is more than one log file per application, and it is not even possible to use a regex to get all log files of one application.
- What can I do so that an email is sent on every error log of a certain application? I don't see a way to do it. I tried using a log threshold, but this only does something if a certain number of error messages is reached. So I set it to "is more than or equal 1", but there is a time window and such. So if two errors happen in a short time frame, only one alert will fire and thus only one email is sent. I also want to include the error message in the email, but in the connector {{message}} is empty, which makes sense if the alert always fires on thresholds and not on single error messages.
And again, there is no way to handle all log files of a single application, as log.file.path only has an IS operator that doesn't allow a regex.
So I'm really confused, as I've heard all the time that Elasticsearch is a great way of handling logs, but for me it looks like it can't even deal with more than one application if that application happens to create more than one log file. What am I missing here?