Posts Tagged ‘SSB’
People who know that I’m working on a logging software (syslog-ng) often ask me, why logging is so important. Obviously many of these people only use desktop machines and learn about logging only when their root partition fills up because /var/log overflows with logs. But there are also people more aware of logging, and not only because they want to make sure that log messages never make their disks full. There are three major reasons why people do not just delete log messages, but also read (at least part of them) and analyze them.
Developers write code and they need to find problems in their applications during and after development. Applications are often deployed in places where developers don’t have access or where there are no debugging tools, but log messages can still help to localize problems. If regular logs are not enough, many applications can also provide debug logs, enabled with different switches, which give a lot more detailed information about what the application is doing.
Operators and system administrators oversee many computers and make sure that they are running as smoothly as possible. They check the logs to see if everything is working as expected. Any previously unseen message is suspicious and needs attention, just as messages about overheating hard drives, dropped packets or logins outside of normal working hours.
And these topics bring us to security. At many places there are people dedicated to IT security. These guys also work from logs and analyze them from many aspects. Their reports range from authentication through resource access to malware activity, which helps them to recognize security problems and respond to them.
Of course these often overlap. One of the fastest growing new movements in IT is DevOps, the kind of guys who have both a developer and an operator hat making sure that custom developed applications are running smoothly. And of course, if there is no dedicated security staff, operators also need to deal with security.
Log messages are a very useful tool for a variety of IT tasks, but simply collecting logs locally in text files is often not enough. Can you imagine retrieving logs from multiple machines in text files and then merging them into one common file to look at them? It would be an understatement to say that this would be cumbersome. This is where log management comes in. With tools like syslog-ng, security experts, system admins and devops managers can centralize all of the log messages coming from servers, network devices, applications and lots of other sources (even printers and peripherals). With central log collection one can easily check log messages even if the source machine suffered a hardware failure or logs were removed during a security incident. And once all of the logs are centralized, you can do interesting things like filter the messages, getting rid of the ones you don’t want, or classify messages so that you can group similar messages together. There is a lot of information in log messages that can be discovered with powerful search tools, like the syslog-ng Store Box, that let you quickly search through millions of messages and find out things like the health of a network, who has been accessing the network, or how an application is performing. It’s amazing what you can do with some simple logs.
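As an added example (not from the original post), this is what the central collection, filtering and classification described above looks like in a syslog-ng configuration on the log server. The version number, the pattern database path and the noise filter are assumptions for illustration; the filenames are constructed, not taken from any real deployment.

```conf
@version: 3.38
@include "scl.conf"

# Messages from the log server itself
source s_local {
    system();
    internal();
};

# Messages forwarded by other servers, network devices and applications
source s_network {
    syslog(ip("0.0.0.0") port(601) transport("tcp"));   # RFC 5424 over TCP
    network(ip("0.0.0.0") port(514) transport("udp"));  # legacy BSD syslog
};

# Get rid of messages we never want to store (assumed example of noise)
filter f_not_noise {
    not (program("systemd") and message("Started Session"));
};

# Security-relevant messages worth a separate copy
filter f_security {
    facility(auth, authpriv) or program("sshd") or program("sudo");
};

# Classify messages with a pattern database so similar messages get a
# common class name (assumed path to a patterndb XML file)
parser p_classify {
    db-parser(file("/etc/syslog-ng/patterndb.d/example.xml"));
};

# One directory per sending host: logs survive even if the source dies
destination d_central {
    file("/var/log/central/${HOST}/${YEAR}-${MONTH}-${DAY}/messages"
         create-dirs(yes));
};

destination d_security {
    file("/var/log/central/security.log");
};

log {
    source(s_local);
    source(s_network);
    filter(f_not_noise);
    parser(p_classify);
    destination(d_central);
    # embedded log path: the security subset also goes to its own file
    log { filter(f_security); destination(d_security); };
};
```

The classified messages carry the pattern database's class in the ${.classifier.class} macro, which is what later lets a search tool group similar messages together.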
For a quick introduction about syslog-ng, you can watch this introductory video:
For further reading I’d recommend:
Centralized logging of events has been an important part of the IT infrastructure for many years. It is more convenient to browse logs in a central location rather than viewing them on individual machines. Central storage is also more secure. Even if logs stored locally are altered or removed, one can still check the logs on the central log server. Compliance with different regulations also makes central logging necessary. (This is an updated version of my previous syslog-ng web gui blog.)
Central logging of events has already been an important part of the IT infrastructure for many years. It is more convenient to browse logs at a central location instead of on individual machines. It is also more secure, as even if an individual machine is compromised and local logs are altered or removed, one can still check the logs on the central log server. Compliance with different regulations also makes central logging necessary.
System administrators prefer to use the command line. Why bother with GUIs? Grep, awk & Co. are powerful tools, but for complex queries an SQL based web interface gets the job done a lot quicker. Once there are many messages to search, it’s not just convenient, it’s a must. With thousands of incoming messages a second, the indexes of log databases still give Google-like response times even for the most complex queries, while traditional text based tools don’t scale.
In this comparison of web GUIs for syslog-ng I try to cover solutions from simple scripts to browse logs through cloud logging to enterprise level applications. All of these have different strengths and weaknesses, and target different usage scenarios.