re: Lets Talk About Logs


I think the question "Are all your logs worth consuming and if so, why?" is better asked "if so, when".

The same logs that are monitored in real time to generate alerts should be batched once a day for trend analysis, and again once a week and then once a month; sometimes a longer view shows behaviors that can be obscured in shorter windows.

I'm sure that commercial log analyzers can manage this sort of thing, but due to slow adoption and a certain amount of territorial infighting they are not a regular part of my job. Because of this I tend to write specialist parsing scripts for log handling. YMMV!

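The multi-window idea in the comment above, as an added example that is not the commenter's own script: one set of constructed sshd-style failed-login lines is parsed once and then bucketed the way a realtime hourly threshold rule, a daily rollup, a weekly rollup and a monthly rollup would see it. The log format, the host name, the source IP and the function names are assumptions made for this example; the sample is built so that a source whose failures grow by one per day never trips the hourly rule but is obvious in the weekly view.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Loosely sshd-style "Failed password" lines (constructed; the format is an assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def build_sample_log(days=28, start=datetime(2024, 1, 1)):
    """Constructed sample: one source IP whose failed logins grow by one per day.

    Day 0 has 2 failures, day 1 has 3, ... spread one per hour so no single hour
    ever holds more than two attempts from that source.
    """
    lines = []
    for d in range(days):
        day = start + timedelta(days=d)
        for i in range(2 + d):
            ts = day.replace(hour=i % 24, minute=(i // 24) * 7)
            lines.append(
                f"{ts:%Y-%m-%dT%H:%M:%S} bastion sshd[{1000 + i}]: "
                f"Failed password for invalid user admin from 203.0.113.7"
            )
    return lines


def parse_failures(lines):
    """Parse once; every window below works from the same parsed events."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["ip"]))
    return events


def counts_by_window(events, window, start=None):
    """Count failures per (ip, bucket) for the realtime, daily, weekly or monthly pass."""
    start = start or min(t for t, _ in events)
    key_of = {
        "hour": lambda t: t.strftime("%Y-%m-%d %H:00"),
        "day": lambda t: t.strftime("%Y-%m-%d"),
        "week": lambda t: (t - start).days // 7,   # week index since the first event
        "month": lambda t: t.strftime("%Y-%m"),
    }[window]
    counts = Counter()
    for t, ip in events:
        counts[(ip, key_of(t))] += 1
    return counts


def hourly_alerts(events, threshold=5):
    """Realtime-style rule: alert when one IP exceeds `threshold` failures in an hour."""
    return sorted(k for k, n in counts_by_window(events, "hour").items() if n > threshold)


def weekly_growth(events):
    """Per IP, the ratio of the last week's failures to the first week's.

    A ratio well above 1 flags a slow ramp that the hourly rule never sees.
    """
    per_ip = {}
    for (ip, week), n in counts_by_window(events, "week").items():
        per_ip.setdefault(ip, {})[week] = n
    return {ip: weeks[max(weeks)] / weeks[min(weeks)] for ip, weeks in per_ip.items()}


if __name__ == "__main__":
    events = parse_failures(build_sample_log())
    print("hourly alerts:", hourly_alerts(events))                 # nothing fires
    for (ip, week), n in sorted(counts_by_window(events, "week").items()):
        print(f"{ip} week {week}: {n} failures")
    print("weekly growth:", weekly_growth(events))
```

The same parsed event list feeds every window, so the daily, weekly and monthly passes cost one extra bucketing each rather than a re-parse; in a real pipeline the realtime pass would stream while the longer windows read the archived day's file.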