Log & Alerts Management
-
Do people here monitor all there windows/linux server logs, even when there are no issues? Also things like failed logon attempts?
We had a server play up the other day and i think we might of caught it sooner if we were looking at the logs
-
@hobbit666 Generally we monitor for alerts only, things that cause issues, no one is going through each log looking for specific issues. We generate alerts based on known issue events.
From those we then investigate further.
Logging everything would be very space consuming for us.
-
@DustinB3403 said in Log & Alerts Management:
@hobbit666 Generally we monitor for alerts only, things that cause issues, no one is going through each log looking for specific issues. We generate alerts based on known issue events.
From those we then investigate further.
Logging everything would be very space consuming for us.
Are you using any particular solution for this or is it all windows alerting?
-
An example of wasted logs would be a successful user login with domain credentials.
In most cases, we don't care that a user was able to login successfully, only if some event was attributed to that user (virus infection etc) would this information be useful to build a timeframe around the incident.
But on it's own, an event like this is near worthless.
-
@hobbit666 said in Log & Alerts Management:
@DustinB3403 said in Log & Alerts Management:
@hobbit666 Generally we monitor for alerts only, things that cause issues, no one is going through each log looking for specific issues. We generate alerts based on known issue events.
From those we then investigate further.
Logging everything would be very space consuming for us.
Are you using any particular solution for this or is it all windows alerting?
With my newer job working for an MSP we have a toolset that does all of this for us. We just install the agent on the client systems and they send the logs to the portal.
-
@DustinB3403 said in Log & Alerts Management:
An example of wasted logs would be a successful user login with domain credentials.
No, things like that can be required for providing proper audit trails.
-
If you read the rest of my comment you would see where I pointed that point.
-
@DustinB3403 said in Log & Alerts Management:
Logging everything would be very space consuming for us.
We have less than 50 servers so i'm wondering if we could just log everything and only keep for say a month. As we should have seen and sorted any "Error / Alerts / bad event" by then.
-
Guess it would hurt to just spin up something like a ELK stack and try with 2 or 3 servers, see what space they use up and what we can see
-
@hobbit666 Zabbix is something of a go-to solution. Very simple to get started with and it does a ton right out of the box.
-
@DustinB3403 said in Log & Alerts Management:
@hobbit666 Zabbix is something of a go-to solution. Very simple to get started with and it does a ton right out of the box.
It doesn't really do log management though. Graylog would be the solution for that.
-
@DustinB3403 said in Log & Alerts Management:
@hobbit666 Zabbix is something of a go-to solution. Very simple to get started with and it does a ton right out of the box.
Already have zabbix going.
-
@coliver said in Log & Alerts Management:
Graylog would be the solution for that.
Recognise that name will have to look into that again