Logs. You have them. You need to keep track of them.
The process of log monitoring can be tedious. Typically it’s one of those things we take for granted and only look at when it stops working. So, how do you deal with them? In this post, we’re going to talk about why and how to monitor logs. Toward the end, we’ll discuss a few tools that’ll help, mostly to avoid manual labor.
What’s a Log?
A log is a detailed list of events that happens to your system. Your system can be your website, errors, user events, access to your server, or system errors. If you can name it, there’s a log for it!
You can use logs to keep track of many things. Similarly, logs can help you prevent vulnerabilities, raise alerts for bottlenecks, improve services, and so on. They’re invaluable assets when it comes to tracking and preventing problems.
Not All Logs Are the Same
Logs are typically appended chronologically for ease of use. However, not all logs are created equal. For instance, a simple Ubuntu system can have several different system log types, including but not limited to:
Not to mention the application logs, and if you’re familiar with sysadmin practices, you probably know about the Apache error and access logs. If you have several applications, then you probably set up an access log and an error log for each one. If you have different servers, then you’re looking at an increasing number. Custom apps? That one developer you outsourced the work to probably set up some logs for it. Haven’t looked at them for years? Then you’re looking at a file several hundred megs big.
Did I forget already that one hacker that may have tried an SQL injection on your signup form? Chances are, the attempt is probably timestamped somewhere in a log.
Manage and Monitor Your Logs
All right, fine, your situation may not be as dramatic as I’ve described it, or maybe your architecture isn’t as complicated. You’re probably secured enough behind that corporate intranet. Whatever the case may be, the logs are crucial elements to be aware of, and it’s up to you to manage them. You’re probably curious about logs already, since that’s what brought you here!
So, to wrap up my initial argument, determining what each log does is way beyond the scope of this article. But understanding that you need to manage and monitor logs is not. Now, how exactly do you go about doing that?
Log Management, Step by Step
First of all, we have to check out your logs. List them all if possible.
Navigating to your logs directory should always come first. There, you’ll start to see where you stand. A simple directory change to /var/log would do. At this point, you might be tempted to know how you can keep track of all of them. And you’re more than welcome to go ahead and try. The first thing you might be wondering is how all of that happens. At a minimum, you’re probably looking at a dozen different files.
Several tools allow you to keep track of logs manually. Keep in mind that you haven’t even opened them yet, and you don’t know what data lies within those weird names. And why would you want to keep track of these logs? That’s a great question. There’s a lot of valuable and critical data in your application’s logs. Understanding who had access to your server or collaborating to process your business intelligence (BI) logs might provide relevant and insightful information. Even more than that, being able to process performance indicators and set KPIs for your production environment might help you create a better product for your users.
Keeping an eye on logs is an essential part of the sysadmin strategy. Being able to know what to look for might be crucial at a critical moment, like a troubleshooting situation, or when it comes to QA those sweet new features of your app. However, the scope of what you might need them for may not end there.
Say you just suffered from an attack to your server. In that case, you might benefit from opening and making sense of several logs at once: your PHP error log to try to check for frequent attacks, your database log, and your access log. Without getting too technical, we’d be talking about parsing thousands of entries, looking for one or two lines and cross-matching those to form a timeline of events. That is, if you can make sense of them. They’re probably plain text but have different formats. Tedious.
Let me circle back to BI. Let’s say you need to measure the performance of your applications and come up with an aggregation system. You might benefit from drawing intelligence out of different logs and from different microservices spanning weeks or months of data. Some of them might be in Windows, and others might be in Linux-based servers. Some may even include geolocation coordinates to track global services. Did I mention that you have to visualize and organize that in a pretty dashboard? Good luck with that meeting.
Let’s take a look at how toolkits can help you with all this.
Where’s My Toolkit?
There are plenty of tools out there that you can use to help you out. After all, who wants to store, process, index, and parse thousands of lines by hand? You may even great creative and set up some log replication by hand. Then you’d have to think of a transport layer to send all of that information, and maybe you’ll be naïve enough to set up a cron every second to copy the files somewhere else. Once you’ve done that, you need to aggregate your logs and start parsing them. Before that though, remember you need the storage to keep all of that in one place. And they can grow in size rather quickly.
Are you thinking of two servers? One of them in IIS? Then the process changes; the file formatting is going to be off. That application log you’re dying to QA may not even be on the same directory, and have I mentioned mobile apps and REST services?
Streamlining the Process
Don’t worry. I have a solution: enter XPLG. Get ready to streamline the process! This tool will automatically collect the logs and transport them to their servers (with unlimited retention, people!). From there, the tool is in charge of recognizing the pattern (it can receive many different formats using its marketplace). Once that’s done, it starts running the analytical apps to collect intelligence. The people at XPLG even created a free-forever tier for unlimited users.
Let me list a few of XPLG’s main features. In addition to being able to visualize the log and cherry-pick bottlenecks and potential problems in your app, XPLG also provides proactive log monitoring. On top of letting you use simple search, proactive log monitoring adds complex search capabilities, including timings and math operations to find what you’re searching for.
As if that’s not enough, the folks at XPLG have added machine learning. This allows them to automatically set up monitors, effectively fine-tuning your data strategy. I could spend hours just trying to list some of their features and the many use cases available for your organization, but I have to do some log monitoring on my own.
Have I Said Enough?
XPLG is more than just a tool. The folks there have created a software suite that will become the best friend of everyone out there, especially sysadmins. The aggregation feature has no match. The fact that it integrates with a lot of libraries and other tools using their extensive marketplace is in a word inspiring.
Those logs are ready to be tackled. Best of luck to you as you collect vital intelligence for your organization.
This post was written by Guillermo Salazar. Guillermo is a solutions architect with over 10 years of experience across a number of different industries. While his experience is based mostly in the web environment, he’s recently started to expand his horizons to data science and cybersecurity.