    Log & Alerts Management

    IT Discussion
    log management elk elasticsearch
hobbit666

Do people here monitor all their Windows/Linux server logs, even when there are no issues? Also things like failed logon attempts?

We had a server play up the other day and I think we might have caught it sooner if we were looking at the logs 🙂

DustinB3403 @hobbit666

@hobbit666 Generally we monitor for alerts only (things that cause issues); no one is going through each log looking for specific issues. We generate alerts based on known issue events.

        From those we then investigate further.

        Logging everything would be very space consuming for us.

hobbit666 @DustinB3403

          @DustinB3403 said in Log & Alerts Management:

@hobbit666 Generally we monitor for alerts only (things that cause issues); no one is going going through each log looking for specific issues. We generate alerts based on known issue events.

          From those we then investigate further.

          Logging everything would be very space consuming for us.

Are you using any particular solution for this, or is it all Windows alerting?

DustinB3403

            An example of wasted logs would be a successful user login with domain credentials.

In most cases, we don't care that a user was able to log in successfully; only if some event was attributed to that user (virus infection etc.) would this information be useful to build a timeframe around the incident.

But on its own, an event like this is near worthless.

DustinB3403 @hobbit666

              @hobbit666 said in Log & Alerts Management:

              @DustinB3403 said in Log & Alerts Management:

@hobbit666 Generally we monitor for alerts only (things that cause issues); no one is going through each log looking for specific issues. We generate alerts based on known issue events.

              From those we then investigate further.

              Logging everything would be very space consuming for us.

Are you using any particular solution for this, or is it all Windows alerting?

              With my newer job working for an MSP we have a toolset that does all of this for us. We just install the agent on the client systems and they send the logs to the portal.

Obsolesce @DustinB3403

                @DustinB3403 said in Log & Alerts Management:

                An example of wasted logs would be a successful user login with domain credentials.

                No, things like that can be required for providing proper audit trails.

DustinB3403 @Obsolesce

                  @Obsolesce

If you read the rest of my comment you would see where I made that point.

hobbit666 @DustinB3403

                    @DustinB3403 said in Log & Alerts Management:

                    Logging everything would be very space consuming for us.

We have less than 50 servers, so I'm wondering if we could just log everything and only keep it for, say, a month. We should have seen and sorted any "Error / Alerts / bad event" by then.

hobbit666

Guess it wouldn't hurt to just spin up something like an ELK stack and try with 2 or 3 servers, see what space they use up and what we can see 🙂

DustinB3403 @hobbit666
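The approach the thread converges on (alert on known bad patterns such as a burst of failed logons, keep successful logons only as an audit trail for building a timeframe, and age everything out after about a month) can be sketched in a few lines. The following is an added illustration, not code from any poster or from Zabbix/ELK; the log lines are constructed, and the "timestamp host event-id user source" layout, the threshold and the retention window are assumptions chosen for the example. Event IDs 4624 (successful logon) and 4625 (failed logon) are the real Windows Security IDs.

```python
"""Triage Windows logon events: alert on a known-issue pattern, keep successful
logons for audit, and prune by age.  Added example; sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <host> <event id> <user> <source ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:00 FS01 4624 alice 10.0.0.5
2024-03-01T08:02:10 FS01 4625 bob 10.0.0.9
2024-03-01T08:02:12 FS01 4625 bob 10.0.0.9
2024-03-01T08:02:15 FS01 4625 bob 10.0.0.9
2024-03-01T08:02:17 FS01 4625 bob 10.0.0.9
2024-03-01T08:02:20 FS01 4625 bob 10.0.0.9
2024-03-01T09:30:00 FS01 4624 bob 10.0.0.9
2024-01-15T12:00:00 FS01 4624 carol 10.0.0.7
"""

SUCCESS, FAILURE = 4624, 4625  # Windows Security logon event IDs


def parse(text):
    """Turn the constructed line format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "id": int(eid), "user": user, "src": src})
    return events


def failed_logon_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Known-issue rule (assumed values): `threshold` or more failed logons for
    one user from one source inside `window` raises a single alert."""
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["id"] == FAILURE:
            buckets[(e["user"], e["src"])].append(e["ts"])
    alerts = []
    for (user, src), stamps in buckets.items():
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "src": src, "count": end - start + 1,
                               "first": stamps[start], "last": stamps[end]})
                break                            # one alert per (user, source)
    return alerts


def audit_trail(events, user):
    """Successful logons are never alerted on, but are kept so an incident
    attributed to a user can be placed in a timeframe afterwards."""
    return sorted((e["ts"], e["host"], e["src"])
                  for e in events if e["user"] == user and e["id"] == SUCCESS)


def prune(events, now, keep=timedelta(days=30)):
    """Retention: drop events older than the keep window (30 days assumed)."""
    return [e for e in events if now - e["ts"] <= keep]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for a in failed_logon_alerts(evs):
        print(f"ALERT {a['user']} from {a['src']}: {a['count']} failures "
              f"between {a['first']} and {a['last']}")
    print("bob's successful logons:", audit_trail(evs, "bob"))
    print("events kept after pruning:", len(prune(evs, evs[0]["ts"])))
```

Run as-is it raises one alert for bob's five failures from 10.0.0.9, lists bob's single successful logon for the audit trail, and prunes carol's January event while keeping the rest. Storing only what `failed_logon_alerts` emits would lose the `audit_trail` data, which is the trade-off the thread is discussing.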

                        @hobbit666 Zabbix is something of a go-to solution. Very simple to get started with and it does a ton right out of the box.

coliver @DustinB3403

                          @DustinB3403 said in Log & Alerts Management:

                          @hobbit666 Zabbix is something of a go-to solution. Very simple to get started with and it does a ton right out of the box.

                          It doesn't really do log management though. Graylog would be the solution for that.

hobbit666 @DustinB3403

                            @DustinB3403 said in Log & Alerts Management:

                            @hobbit666 Zabbix is something of a go-to solution. Very simple to get started with and it does a ton right out of the box.

Already have Zabbix going.

hobbit666 @coliver

                              @coliver said in Log & Alerts Management:

                              Graylog would be the solution for that.

Recognise that name; will have to look into that again.
