LOG MONITORING ON PRODUCTION

Olufemi T samuel
3 min read · Jan 7, 2022

I once worked with a company where a lot of people had SSH access to the production server for checking logs. All developers (junior, senior, intermediate, etc.) and the technical support team had access to the production server simply because they needed to check application logs. The highly technical staff who had access to the server were able to navigate to different directories and retrieve unnecessary / unauthorised information.

Do we need to check logs on production? The answer is YES.

Is it best practice to give everyone access to your production environment because they need to check logs? The answer is NO.

Checking logs via SSH is the traditional approach, but centralised logging is a better one: it removes the need for shell access to production and reduces the complexity of finding logs, especially in distributed systems where they are spread across many hosts.

What are Logs?

According to Wikipedia, a log file is a file that records either events that occur in an operating system or other software runs, or messages between different users of a communication software. Logging is the act of keeping a log.

Applications, network devices, servers and workstations create logs of events, messages, transactions, etc. By default, these logs are written to files on the local disk, and they might contain crucial information which can be used for audit trails, information retrieval and troubleshooting errors. For instance, a web server log might contain the request IP, request headers, request type, time, etc. Logs can be structured or unstructured; however, it is better to employ a well-structured format consistently across your system, because structured entries are far easier to parse, search and alert on than free text.

What is centralised logging?

Centralised logging is the process of collecting logs from different sources, consolidating them and pushing them to an easy-to-use logging interface.

Centralised logging aims at making your life easy through a centralised log management (CLM) solution. A CLM solution stores data from multiple sources in a central location, generates alerts based on metrics you define over the logs, presents logs in a user-friendly graphical interface, and provides access control, historical backup, etc. Because people read logs through that interface rather than on the host, access to the logs can be granted without granting access to the production server itself.

What is Log Monitoring?

Log monitoring is the act of categorising the actions recorded in our log files and searching that data for abnormalities that might interfere with our system. This could include, but is not limited to, application exceptions, login difficulties, potential threats, HTTP status codes, error codes and so on.

Log monitoring can cut across network monitoring, database monitoring, application monitoring, web server monitoring, cloud monitoring, etc.
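To make the two ideas above concrete, here is a small added example (not code from the original post) that turns unstructured web-server access-log lines into structured records, the form a CLM tool would ingest, and then applies two simple alert metrics over them: repeated failed logins from one IP and repeated server errors on one path. The log lines, IP addresses, paths and thresholds are all constructed for the example.

```python
import json
import re
from collections import Counter

# Constructed sample lines in a common web-server access-log layout
# (client IP, timestamp, request line, status code, response size).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2022:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [07/Jan/2022:10:00:02 +0000] "POST /login HTTP/1.1" 401 87
203.0.113.7 - - [07/Jan/2022:10:00:03 +0000] "POST /login HTTP/1.1" 401 87
203.0.113.7 - - [07/Jan/2022:10:00:04 +0000] "POST /login HTTP/1.1" 401 87
198.51.100.2 - - [07/Jan/2022:10:00:05 +0000] "GET /api/orders HTTP/1.1" 500 31
198.51.100.2 - - [07/Jan/2022:10:00:06 +0000] "GET /api/orders HTTP/1.1" 500 31
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

def parse_line(line):
    """Turn one unstructured access-log line into a structured dict (None if it does not match)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = int(rec["size"])
    return rec

def find_alerts(text, login_path="/login", login_threshold=3, error_threshold=2):
    """Apply two simple metrics to the parsed records and return a list of alert dicts."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    # Metric 1: 401 responses on the login path, counted per client IP.
    failed_logins = Counter(r["ip"] for r in records
                            if r["path"] == login_path and r["status"] == 401)
    # Metric 2: 5xx responses, counted per request path.
    server_errors = Counter(r["path"] for r in records if 500 <= r["status"] < 600)
    alerts = []
    for ip, n in failed_logins.items():
        if n >= login_threshold:
            alerts.append({"type": "repeated_failed_login", "ip": ip, "count": n})
    for path, n in server_errors.items():
        if n >= error_threshold:
            alerts.append({"type": "server_errors", "path": path, "count": n})
    return alerts

if __name__ == "__main__":
    for rec in (parse_line(l) for l in SAMPLE_LOG.splitlines()):
        print(json.dumps(rec))  # structured form, ready to ship to a central log store
    print(find_alerts(SAMPLE_LOG))
```

In a real deployment the parsing and alerting would run in the CLM tool, not in a script on the production host; the point is that once logs are structured, these checks need no shell access to the server.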

Some tools for log monitoring and analysis.

There are several log monitoring and analysis tools with lovely user interfaces, functionalities and features. I have listed a few here, in no particular order.

  1. LogDNA
  2. SolarWinds Papertrail
  3. Splunk
  4. Graylog
  5. Sumo Logic
  6. Netwrix Event Log Manager
  7. XpoLog
  8. Cloudwatch
  9. LogFusion

In conclusion, I believe you should know (well, that's if you did not know before reading my post) that you don't have to give everyone access to your production server because of log monitoring.

Are you the one in charge of giving access to staff because they need to check logs, or are you feeling sad because you don't have access to the server to check logs? Please share this post with your team so that you can start looking at a better approach.

There are numerous logging and analysis tools; feel free to share your thoughts and experiences with other tools in the comment section.

Olufemi T samuel

Hi, I'm Samuel, a Software Engineer who loves building new products and services.