Open ion-storm opened 5 years ago
This is basically a request for an orchestration system. You could have an actual orchestration system query Graylog/ES and perform actions based on log content/data/alerts.
I don't know that the complexity involved would be useful in the centralized logging system as a core function.
Graylog is missing an active response type engine.
Here is my idea: flag events with pipeline rules and tag an event; if the event is tagged, contact sidecars and execute an action. This could be shutting down the system, killing a process, etc.
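The decision step between "event is tagged" and "an endpoint runs an action", sketched as an added example that is not part of the thread and not Graylog or Sidecar code. It calls no Graylog API; the field name `active_response`, the tag values, the hosts and the sample events are assumptions constructed for illustration.

```python
# Added example. The field name "active_response", tag values and hosts are hypothetical.
POLICY = {  # allowlist: tag set by a pipeline rule -> action an endpoint agent may run
    "kill_process": {"action": "kill", "needs": "process_id"},
    "isolate_host": {"action": "shutdown", "needs": None},
}
PROTECTED_HOSTS = {"dc01"}  # never shut these down automatically
COOLDOWN_S = 300            # suppress repeats of the same host/action/argument

def plan_responses(events, policy=POLICY, protected=PROTECTED_HOSTS, cooldown=COOLDOWN_S):
    """Return (planned, skipped) for tagged events. Nothing is executed here."""
    planned, skipped, last_seen = [], [], {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        host, tag = ev["source"], ev.get("active_response")
        if tag is None:
            continue  # untagged: ordinary log message
        rule = policy.get(tag)
        if rule is None:
            skipped.append((host, tag, "tag not in allowlist"))
            continue
        arg = None
        if rule["needs"]:
            # Log fields can be attacker-influenced: accept only a numeric PID.
            arg = str(ev.get(rule["needs"], ""))
            if not (arg.isascii() and arg.isdigit()):
                skipped.append((host, tag, "invalid argument"))
                continue
        if rule["action"] == "shutdown" and host in protected:
            skipped.append((host, tag, "protected host"))
            continue
        key = (host, rule["action"], arg)
        if key in last_seen and ev["timestamp"] - last_seen[key] < cooldown:
            skipped.append((host, tag, "cooldown"))
            continue
        last_seen[key] = ev["timestamp"]
        planned.append(key)
    return planned, skipped

SAMPLE_EVENTS = [  # constructed for this example, timestamps in seconds
    {"timestamp": 1000, "source": "web01", "active_response": "kill_process", "process_id": 4242},
    {"timestamp": 1100, "source": "web01", "active_response": "kill_process", "process_id": 4242},
    {"timestamp": 1200, "source": "dc01", "active_response": "isolate_host"},
    {"timestamp": 1300, "source": "web02", "active_response": "format_disk"},
    {"timestamp": 1400, "source": "web02", "active_response": "kill_process", "process_id": "1; reboot"},
    {"timestamp": 1500, "source": "web03", "message": "login ok"},
    {"timestamp": 1600, "source": "web03", "active_response": "isolate_host"},
]

if __name__ == "__main__":
    for item in plan_responses(SAMPLE_EVENTS):
        print(item)
```

Because log content decides what runs on an endpoint, the sketch only plans actions from a fixed allowlist and records every skipped event with a reason, so the decisions themselves can be logged and reviewed.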