Hello, I am planning to write an alert plugin that will emit alert data to ELK implementations, and wanted feedback from the community.
Mainly, would it be better to emit as syslog or as a direct Elasticsearch insertion?

Syslog:
- Allows people to use this for more than the ELK stack
- Allows people to do post-processing in Logstash
- More challenging format for transmitting alert attributes - will need to establish a parsable format, and people will need to write Logstash parsing code.
- People might prefer LibreNMS as a syslog destination rather than as a syslog emitter

Direct Elasticsearch insertion:
- Can submit alert data "normally", with explicit key:value pairs
- Allows people to use this if they only have ES and not the full ELK stack
- Will need a rigid structure; all flexibility will be in the plugin design, which will never be as full-featured as Logstash
- Leaves out the people who use syslog without ELK
Please give feedback ASAP! Thanks!
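To make the "parsable format" trade-off concrete, here is an added example (my own illustration, not code from LibreNMS or from the original post) that serialises one alert both ways: as an RFC 5424 syslog line carrying the alert attributes in STRUCTURED-DATA, with the parser a Logstash filter would have to replicate, and as a JSON document plus the NDJSON pair needed for the Elasticsearch _bulk API. The alert field names, the SD-ID `librenms@0`, the index naming and the document layout are all assumptions chosen for the demo.

```python
"""Added example (not LibreNMS code): one alert serialised as an RFC 5424
syslog line with STRUCTURED-DATA and as an Elasticsearch _bulk document.
Field names, SD-ID, index naming and document layout are assumptions."""
import json
import re
from datetime import datetime, timezone

# Constructed sample alert; the field names are assumptions, not the plugin's schema.
SAMPLE_ALERT = {
    "hostname": "core-sw1.example.net",
    "rule": "Port down [id=42]",          # contains ']' which must be escaped in SD
    "severity": "critical",
    "state": 1,                           # integer: kept in JSON, becomes a string over syslog
    "location": 'DC1 "rack 7" \\ row 3',  # contains '"' and '\' which must be escaped in SD
    "msg": "Interface Gi1/0/1 is down",
}
SD_ID = "librenms@0"  # placeholder SD-ID; a real plugin would use its own enterprise number (assumption)
FIXED_TS = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed so output is reproducible

def _escape(value):
    # RFC 5424 section 6.3.3: '"', '\' and ']' inside a PARAM-VALUE are backslash-escaped
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def _unescape(value):
    return re.sub(r'\\([\\"\]])', r"\1", value)

def to_syslog(alert, ts=FIXED_TS, facility=1, severity=2, app="librenms"):
    """Build '<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG'."""
    pri = facility * 8 + severity  # facility 1 (user-level), severity 2 (critical)
    params = " ".join(f'{k}="{_escape(v)}"' for k, v in alert.items() if k != "msg")
    ts_str = ts.isoformat().replace("+00:00", "Z")
    return f"<{pri}>1 {ts_str} {alert['hostname']} {app} - ALERT [{SD_ID} {params}] {alert['msg']}"

_HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")
_PARAM = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')

def parse_syslog(line):
    """Inverse of to_syslog: the work a receiver (e.g. a Logstash filter) must do to get the attributes back."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    rest = line[m.end():]
    if not rest.startswith("["):
        raise ValueError("expected STRUCTURED-DATA")
    i = 1
    while i < len(rest):  # find the ']' that closes the SD-ELEMENT, skipping escaped characters
        if rest[i] == "\\":
            i += 2
            continue
        if rest[i] == "]":
            break
        i += 1
    else:
        raise ValueError("unterminated SD-ELEMENT")
    sd_id, _, param_str = rest[1:i].partition(" ")
    params = {k: _unescape(v) for k, v in _PARAM.findall(param_str)}
    return {"pri": int(m.group(1)), "timestamp": m.group(2), "hostname": m.group(3),
            "sd_id": sd_id, "params": params, "msg": rest[i + 1:].lstrip(" ")}

def to_es_bulk(alert, ts=FIXED_TS, index_prefix="librenms-alerts"):
    """Return (index, document, ndjson) for POST /_bulk; the document layout is an assumption."""
    index = f"{index_prefix}-{ts:%Y.%m.%d}"
    doc = {
        "@timestamp": ts.isoformat(),
        "host": {"name": alert["hostname"]},
        "message": alert["msg"],
        "librenms": {k: v for k, v in alert.items() if k not in ("hostname", "msg")},
    }
    # _bulk wants an action line followed by the document line, each newline-terminated
    ndjson = json.dumps({"index": {"_index": index}}) + "\n" + json.dumps(doc) + "\n"
    return index, doc, ndjson

if __name__ == "__main__":
    line = to_syslog(SAMPLE_ALERT)
    print(line)
    print(parse_syslog(line))
    print(to_es_bulk(SAMPLE_ALERT)[2])
```

The round trip shows the two costs of the syslog route that the post calls out: every attribute value has to be escaped on the way out and parsed back on the way in, and types are lost (`state` leaves as the integer 1 and arrives as the string "1"), whereas the JSON document keeps types and needs no parser but ties you to a fixed field layout.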