Consider replacing Logstash by Vector.dev

[ypid-geberit]

I have not used HELK but it looks to me that you are heavily relying on Logstash (a beast). I looked at most alternatives and am super happy with https://vector.dev/. Shameless selfplug: I wrote https://github.com/ypid/event-processing-framework which could be a base for HELK when using Vector.dev.

[neu5ron]

same and I agree, but converting over thousands of lines of configs for the benefit of saving a few resources does not seem ideal. Using logstash for 8 years I have not run into any issues that I am unable to solve.
But yes, vector dev is theoretically much easier and in practice seems much more performant. but again, with this use case doesn't make sense to switch any time soon.

[neu5ron]

there isn't a vector dev, logstash pipeline, or any other open source ETL that I have seen that even after 2 years of no updates is more involved than HELK.. even thousands of dollar SANS classes SOF-ELK is no where near.
It would take a lot to lift this over to vector.
but with that said, if you want to help I would be open @ypid-geberit

[ypid-geberit]

I understand, thanks for your feedback. I try to avoid touching Logstash when possible and rather migrate everything that I have to Vector (which is obviously less than what HELK has). So I will push https://github.com/ypid/event-processing-framework forward. I will see how I can integrate with HELK or cover some of its use cases.