I’ve got the ability to (re)architect endpoint logging/metrics (don’t plan to replace logstash/es/kibana nor do I plan to have extra servers for elastic agent/osquery management - ansible is the deployment and I don’t want other mechanisms for that atm). What would be your preferred endpoint log stack? I was just thinking osquery -> syslog -> vecter (or fluent or just rsyslog) but figured this was the place to ask.

I think you’ve got lots of choices, and it depends a lot on what you want.