You have many tools to reach for before that one:
1) Built-in osquery logging plugins (AWS Kinesis/Firehose, Kafka, etc.)
2) TLS logging (built-in) to aggregate logs on a server and then use aggregation tools on that server.
3) Deploy aggregation to individual endpoints (as you describe)