People who know that I’m working on a logging software (syslog-ng) often ask me, why logging is so important? Obviously many of these people only use desktop machines and learn about logging only when their root partition fills up because /var/log overflows with logs. But there are also people more aware of logging, and not only because they want to make sure that log messages never make their disks full. Read more to learn why logging is important.
There are three major reasons why people do not just delete log messages, but also read (at least part of them) and analyze them.
Developers write code and they need to find problems in their applications during and after development. Logging tools are often deployed in places where they don’t have access or there are no debugging tools, but log messages can still help to localize problems. If regular logs are not enough, many applications can also provide debug logs with different switches which provide a lot more detailed information about what the application is doing.
Operators, system administrators oversee many computers and make sure that they are running as smoothly as possible. They check the logs to see if everything is working as expected. Any previously unseen message is suspicious and needs attention, just as messages about overheating hard drives, dropped packages or logins outside of normal working hours.
For security team
And these topics bring us to security. At many places there are people dedicated to IT security. These guys are also working from logs and analyze them from many aspects. Their reports range from authentication through resource access to malware activity which help them to recognize security problems and respond to them.
Of course these often overlap. One of the fastest growing new movements in IT is DevOps, the kind of guys who have both a developer and an operator hat making sure that custom developed applications are running smoothly. And of course, if there is no dedicated security staff, operators also need to deal with security.
Log messages are a very useful tool for a variety of IT tasks but simply collecting logs locally in text files is often not enough. Can you imagine retrieving logs from multiple machines in text files and then merging them to one common file to look a them? It would be an understatement to say that this would be cumbersome. This is where log management comes in. With tools like syslog-ng, security experts, system admins and devops managers can centralize all of the log messages coming from servers, network devices, applications and lots of other sources (even printers and peripherals). With central log collection one can easily check log messages even if the source machine suffered a hardware failure or logs were removed during a security incident. And once all of the logs are centralized then you can do interesting things like filter the messages, getting rid of the ones you don’t want or classify messages so that you can group similar messages together. There is a lot information in log messages that can be discovered with powerful search tools, like the syslog-ng Store Box, that let you quickly search through millions of messages and find out things like the health of a network, who has been accessing the network, how an application is performing. It’s amazing what you can do with some simple logs.
For a quick introduction about syslog-ng, you can watch this introductory video: