Chapter 22. Logging and Monitoring

Most operating systems, applications, and hardware devices produce some kind of event log. Many people treat logs as nothing more than a historical record, consulted retrospectively to work out why an email wasn't delivered, why a web server isn't running, or how long a server had been complaining about a failing disk before it finally died and somebody actually looked at the logs. Logs can, however, be used far more proactively from a security perspective: they provide not only retrospective insight but a much more in-depth view of what is happening in the environment right now.

The same can be said of other types of monitoring. Companies generally have a better handle on monitoring than on logging: telemetry on disk, memory, CPU, and network interface usage is routinely collected for capacity planning and for early warning of potential problems. That same data can also provide additional insight into security-relevant events happening within the environment.

In this chapter, you will learn what to log, where to send it, and what to do with those logs to get the most out of the information you already have.

Security Information and Event Management

In the past, centralized log aggregation may have been nothing more than a Unix host with a large amount of storage running syslogd, collecting the logs for the whole environment into its own /var/log/ directory. However, now we have security information ...
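As an added example (not code from the book), the following Python script shows the kind of proactive use the chapter introduction argues for: it parses lines in the classic BSD syslog format (RFC 3164) that syslogd writes on a central collector like the one described above, and correlates failed SSH logins by source address across all reporting hosts. The log lines, hostnames, and addresses are constructed for the example; the year is assumed because RFC 3164 timestamps carry none; and the 5-attempts-in-60-seconds threshold is an illustrative choice, not a value from the book.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: lines as a BSD-style syslogd would write them into
# /var/log/ on a central collector. Hosts and addresses are made up.
SAMPLE_LOG = """\
Mar 14 02:11:05 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 14 02:11:07 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 14 02:11:09 web01 sshd[2234]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 14 02:11:11 db01 sshd[8871]: Failed password for root from 203.0.113.7 port 40211 ssh2
Mar 14 02:11:12 db01 sshd[8871]: Failed password for root from 203.0.113.7 port 40212 ssh2
Mar 14 02:11:40 db01 sshd[8880]: Accepted publickey for deploy from 198.51.100.12 port 39021 ssh2
Mar 14 02:12:02 web01 sshd[2240]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar 14 02:15:00 web01 sshd[2250]: Accepted password for root from 203.0.113.7 port 51200 ssh2
Mar 14 03:00:00 web01 cron[1200]: (root) CMD (run-parts /etc/cron.hourly)
"""

# RFC 3164 line: "<Mmm dd hh:mm:ss> <host> <prog>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\]:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")

ASSUMED_YEAR = 2024  # assumption: RFC 3164 timestamps carry no year


def parse_line(line):
    """Parse one syslog line into a dict, or return None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]}


def detect_ssh_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for SSH password guessing seen across the whole environment.

    Failures are counted per source IP regardless of target host, which is
    exactly the view a central collector gives and a single host cannot.
    A later successful login from a flagged IP is raised at higher severity.
    """
    recent = defaultdict(deque)  # ip -> (timestamp, host) of recent failures
    flagged = {}                 # ip -> time the threshold was first crossed
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["prog"] != "sshd":
            continue
        fail = FAILED_RE.search(ev["msg"])
        if fail:
            ip = fail["ip"]
            q = recent[ip]
            q.append((ev["ts"], ev["host"]))
            while q and ev["ts"] - q[0][0] > window:  # slide the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ev["ts"]
                alerts.append({"severity": "medium", "type": "ssh_bruteforce", "ip": ip,
                               "attempts": len(q), "hosts": sorted({h for _, h in q}),
                               "ts": ev["ts"]})
            continue
        ok = ACCEPTED_RE.search(ev["msg"])
        if ok and ok["ip"] in flagged:
            alerts.append({"severity": "high", "type": "success_after_bruteforce",
                           "ip": ok["ip"], "user": ok["user"], "host": ev["host"],
                           "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_LOG):
        print(a)
```

Note that the attacker in the constructed sample spreads three attempts over web01 and two over db01, so a threshold of five is never crossed in either host's own /var/log/auth.log; only the combined view on the collector fires, followed by the high-severity alert when the same address later logs in successfully. That correlation across sources is the practical reason for centralizing logs in the first place.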
