Problem Statement
How can we get notified when the stream is suspended?
Solution
The best option to detect a stream failure is to create an alarm on the log service, which generates a notice for a configured window when there aren’t new logs. The time window would be better set based on the tenant traffic. It could be set to a couple of tens of minutes to generate this alarm for high-load tenants, whereas, for a test tenant with a few logins per day, it may be needed to keep the monitoring window up to a day.
Most logging vendors should support generating alarms. Here is one community FAQ for Splunk as an example.
If the log service doesn’t support generating alarms, you may check the health of the log stream with the get logs streams by Id management API. Polling this endpoint once per hour could help to generate the alarm when the log stream suspends.