portfolio/observability-stack/docs/architecture.md

# Observability Stack Architecture

## Components

- Filebeat: tails sample and container logs.
- Logstash: receives and processes log events.
- Elasticsearch: stores searchable observability data.
- Kibana: supports log exploration and dashboards.
- Grafana: provides operational dashboards.
- Alert rules: document symptoms, thresholds, and severity.
- Incident simulation: generates controlled failure signals.

## Data Flow

```
Log source -> Filebeat -> Logstash -> Elasticsearch -> Kibana
                                            |
                                            v
                                         Grafana
```

Incident exercises follow this flow:

```
Operator -> incident_simulation.sh -> logs/incident_simulation.log -> Filebeat -> Logstash -> alerts/dashboards
```

## Notes

This is a local demonstration stack, not a production Elasticsearch deployment. A production version would add dedicated nodes, TLS, secret management, retention policies, index lifecycle management, and external alert delivery.