System Logging Best Practices

Ask about this page
Perplexity
Grok

Advancements in technology have led to the expansion of on-premise infrastructure including widespread adoption of cloud computing. Distributed systems are difficult to manage, but monitoring for anomalies and detecting potential issues is even more challenging. To improve analytics output and forensics, you can follow some best practices to better leverage these files for system maintenance, root cause analysis, bug fixes, and cybersecurity alerts.

Log Meaningful Information

You can customize the information stored in logs to help them identify exactly where and when an error occurred, but events should be meaningful for human reviews. For example, the following information doesn’t tell you much about an error:

Unhandled Exception:
System.IndexOutOfRangeException: Index was outside the bounds of the array.

You know what happened is that a loop likely attempted to retrieve data from an index that does not exist in an array, but when did this happen? Where did it happen? Who received the error? An even better log looks like the following:

Unhandled Exception:
System.IndexOutOfRangeException: Index was outside the bounds of the array. Transaction ID 47492389 failed on 2021-01-28T20:04:13Z at /checkout/pay.

In addition to the exception, the above information tells you the transaction, date, time, and the endpoint where the error occurred. A collection of more verbose error information better helps root cause analysis during bug fixes and remediation. For system administrators with hundreds of machines to manage, more information gives a quicker overview of the problem coupled with the information that both locates the machine and the issue causing errors.


Create Logs Using Structured Formatting

Formatting logs in a structured way is beneficial for two reasons: it makes reading easier for humans and machines. At some point, you may need to import large volumes of logs. In a large enterprise environment, infrastructure and applications could create thousands of events a day making it difficult to use them for analysis without third-party tools. Eventually, you may want to import logs into an analytical solution to parse data and get visual output that represents the health of the system.

For example:

APP:commerce Transaction:47492389 TIME:2021--01-24T08:38Z ENDPOINT:/checkout/pay

The above log event uses a structure that makes it easier to import data into an analysis tool. It also structures the event so that humans can better identify important information when reviewing logs for specific data.

Include Logs in Backup Routines

Logs can be parsed and used in data recovery efforts, but administrators often forget to make them a part of the backup process. Logs should be backed up just like any other critical file. Should an event such as ransomware permanently destroy or damage logs, they can then be restored and used during forensics and data recovery.

Somewhat related, logs should also be redundant just like data and storage. Should one logging solution fail, the system can use the alternative until system administrators can restore the original. This strategy requires more storage space, but the cloud gives organizations the ability to scale storage to accommodate increased requirements.

Don’t Log Sensitive Information

While logs should contain enough information for audit trails and root cause analysis, the information should not expose sensitive data. Only specific accounts should have access to logs, but creating events with sensitive information adds risk of threats should an attacker compromise security surrounding logs. Not only could logs be used to mount additional attacks, but they could also violate compliance rules.

In addition to always determining if data improperly discloses personally identifiable information (PII), here is a short list of items that should not be logged:

  • Passwords
  • Social security numbers
  • API keys or secrets
  • Private encryption keys
  • Credit card numbers

Centralize Log Aggregation

It’s easy to get overwhelmed with numerous log storage locations, system monitoring solutions, and application alerts. Centralized logging reduces much of this overhead and eliminates many of the issues with fragmented log storage across several systems. It also facilitates better analytics, especially if these logs are imported into third-party tools.

Centralized logging solutions also provide easier management for backups, cybersecurity, and monitoring. It mitigates risks of losing logs and information and provides collaboration between several individual resources and monitoring solutions that use events to determine anomalies to alert administrators of suspicious activity.

Don’t Forget Endpoint and Device Events

Any network resource that provides critical infrastructure or adds risk to the organization should be included in log strategies. In an enterprise environment, users could potentially have their own devices connected to the network, and mobile applications might connect to internal processes using API endpoints. A component of good event logging strategies includes collecting data from devices where users are able to connect to the network.

By logging events on all endpoints, it helps you understand the user experience and interpret feedback from application activity. It also helps administrators recognize bottlenecks and scale resources before they create severe productivity limitations.


Limit Log Access to High-Privileged User Accounts

If logs are disorganized, low-privileged users could accidentally have access to sensitive information. Centralizing your logs with a solution that offers Role Based Access Control can help you manage who has access to what information. For example, you may want to provide high-privileged users access to read all raw data logs but only allow standard users to see logs from certain sources or visualization tools that provide high-level overview of systems and applications.

Allowing unnecessary access to logs increases your attack surface. If just one user falls victim to a phishing scam, logs would disclose information that can be used in future attacks. It also provides critical information about the infrastructure of network resources and applications. An advanced persistent threat (APT) giving attackers access to logs could provide them with numerous data points leading to a severe compromise and systemwide breach.

Log Successful and Failed Events

Not every anomaly results in a failed event such as an application error or an unsuccessful authentication attempt. To get the full picture, administrators need several events that tell a story during investigations. Without enough events, anomalies and suspicious activity could be missed. For instance, a cyber-criminal launching brute-force attacks against account passwords would show several unsuccessful authentication attempts, but logs would not show suspicious activity from stolen credentials and successful authentication after phishing attacks.

Administrators should develop a strategy for events that should be logged. Too much information makes logs undecipherable and wasteful of storage, but verbose logs with useful information can be used in effective monitoring and auditing.

Conclusion

Logging is essential in the enterprise for investigation into cyber-events, monitoring, root cause analysis, forensics, and overall maintenance of your systems. Developing a strategy before implementing logging solutions is just as important as the actual logging solution. Before diving into logging solutions, ensure that you put together a plan and follow best practices. Learn how Mezmo, formerly known as LogDNA, makes logging accurate, easy, and scalable.

Table of contents

    More articles

    How to Reduce Log Volume Without Losing Visibility
    How to Reduce Log Volume Without Losing Visibility
    Log Management
    What Is Log Rehydration? Understanding the Process and Benefits
    What Is Log Rehydration? Understanding the Process and Benefits
    Log Management
    Log Metrics: What are they? How can they be used? What insights can be garnered at scale?
    Log Metrics: What are they? How can they be used? What insights can be garnered at scale?
    Log Management
    What is MultiCloud Monitoring & Management?
    What is MultiCloud Monitoring & Management?
    Log Management
    Live Tail: What It Is, Why It’s Useful, How To Use It
    Live Tail: What It Is, Why It’s Useful, How To Use It
    Log Management
    Log Data: What it is and why it matters
    Log Data: What it is and why it matters
    Log Management
    Istio Logging 101
    Istio Logging 101
    Log Management
    How to Use JSON Logs
    How to Use JSON Logs
    Log Management
    Understanding and Leveraging AWS Cloudwatch Logs
    Understanding and Leveraging AWS Cloudwatch Logs
    Log Management
    What Is a Tail Log?
    What Is a Tail Log?
    Log Management
    How to Use S3 Access Logs
    How to Use S3 Access Logs
    Log Management
    Benefits of Data Logging
    Benefits of Data Logging
    Log Management
    What is Real-time Log Monitoring?
    What is Real-time Log Monitoring?
    Log Management
    Managing Digital Compliance During Digital Transformation
    Managing Digital Compliance During Digital Transformation
    Log Management
    A Comprehensive Guide to Kubernetes Monitoring Tools
    A Comprehensive Guide to Kubernetes Monitoring Tools
    Log Management
    The Role of Infrastructure Monitoring in DevOps
    The Role of Infrastructure Monitoring in DevOps
    Log Management
    5 Practical Ways to Build a Secure CI/CD Pipeline
    5 Practical Ways to Build a Secure CI/CD Pipeline
    Log Management
    Why and How to Analyze Deployment Health Through CI/CD Logs
    Why and How to Analyze Deployment Health Through CI/CD Logs
    Log Management
    What is Application Lifecycle Management
    What is Application Lifecycle Management
    Log Management
    What Is A Real-Time Dashboard?
    What Is A Real-Time Dashboard?
    Log Management
    Log Indexing and Rotation for Optimized Archival
    Log Indexing and Rotation for Optimized Archival
    Log Management
    What is Log Rotation? How Does it Work?
    What is Log Rotation? How Does it Work?
    Log Management
    Logging for Application Security
    Logging for Application Security
    Log Management
    How Do You Manage Logs?
    How Do You Manage Logs?
    Log Management
    How Custom Parsing Can Boost Developer Productivity
    How Custom Parsing Can Boost Developer Productivity
    Log Management
    7 Best Practices for Log Management and Analytics
    7 Best Practices for Log Management and Analytics
    Log Management
    Enhancing Communication Across Your Teams With Logging
    Enhancing Communication Across Your Teams With Logging
    Log Management
    Which Log Files Should Users Onboard to Build an Observability Platform?
    Which Log Files Should Users Onboard to Build an Observability Platform?
    Log Management
    What Information Does Log Aggregation Capture?
    What Information Does Log Aggregation Capture?
    Log Management
    The Key Benefits of Log Data
    The Key Benefits of Log Data
    Log Management
    Planning Your Log Collection
    Planning Your Log Collection
    Log Management
    Capturing the Most Critical Information Within Your Logs
    Capturing the Most Critical Information Within Your Logs
    Log Management
    The Importance of Data Privacy and Confidentiality for Log Management
    The Importance of Data Privacy and Confidentiality for Log Management
    Log Management
    SOC 2 and its Benefits
    SOC 2 and its Benefits
    Log Management
    Logging for Microservices
    Logging for Microservices
    Log Management
    Why HIPAA and Compliance Matters to Logging
    Why HIPAA and Compliance Matters to Logging
    Log Management
    Application Security and Compliance through Logging
    Application Security and Compliance through Logging
    Log Management
    Log Management Compliance for Saas Applications
    Log Management Compliance for Saas Applications
    Log Management
    What is Log Aggregation? Log Aggregation Explained
    What is Log Aggregation? Log Aggregation Explained
    Log Management
    What is Log Analysis?
    What is Log Analysis?
    Log Management
    What to Look for in a HIPAA-Compliant Log Management Tool
    What to Look for in a HIPAA-Compliant Log Management Tool
    Log Management
    What is Structured Logging?
    What is Structured Logging?
    Log Management
    Why Is Log Management Important?
    Why Is Log Management Important?
    Log Management
    Top Use Cases for Log Analysis
    Top Use Cases for Log Analysis
    Log Management