Log management: Helping IT admins to achieve infrastructure-wide visibility

When properly configured and deployed, log management tools can unearth a veritable treasure trove of data that IT administrators can use to triage and diagnose problems in enterprise IT infrastructures.

A recurring challenge for IT administrators working within complex enterprise IT estates is keeping track of all the information generated by the systems they contain. And those that fail to do so could be missing out on some valuable insights and opportunities.

After all, pretty much every application that an enterprise uses generates some form of logging data, which can include error and warning messages or reports on other events that give IT admins some insight into how things are performing.

From a troubleshooting perspective, being able to retrieve and make sense of such detailed information from all these disparate systems should ensure that any minor issues that might be brewing can be dealt with before they become major problems.

And it is worth remembering that it is not just broken things that log management and monitoring tools can bring to light. Their usefulness in bolstering a company’s security posture is well documented.

Security teams are known to make great use of this aggregated data, not just to highlight isolated issues, but to build up an extensive knowledge base and big-picture view of all the challenges the infrastructure might be facing.

For some companies, logging tools are a regulatory must-have, not just a nice-to-have. For example, in the US, the Sarbanes-Oxley Act, which is a set of financial and auditing-related regulations for public companies to follow, demands that key parameters are logged and reviewed to help prevent insider threats.

Logging can also be used to monitor the use of elevated commands, among many other things. Logs, when combined with good tools, are extremely good at highlighting suspicious or anomalous behaviour.
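As a rough illustration of the sort of check this makes trivial, the sketch below pulls sudo activity out of a Unix auth log. The log path and message format are assumptions based on a Debian/Ubuntu-style layout and will vary between distributions and logging setups.

```python
#!/usr/bin/env python3
"""Rough sketch: flag elevated-command (sudo) usage found in an auth log.

Assumes a Debian/Ubuntu-style /var/log/auth.log; path and format are
assumptions and will differ between systems.
"""
import re

AUTH_LOG = "/var/log/auth.log"  # assumed location of the auth log
SUDO_PATTERN = re.compile(r"sudo:\s+(?P<user>\S+)\s+:.*COMMAND=(?P<command>.+)")

def elevated_commands(path=AUTH_LOG):
    """Yield (user, command) pairs for each sudo invocation found."""
    with open(path, errors="replace") as log:
        for line in log:
            match = SUDO_PATTERN.search(line)
            if match:
                yield match.group("user"), match.group("command")

if __name__ == "__main__":
    for user, command in elevated_commands():
        print(f"{user} ran: {command}")
```

A centralised logging tool would normally run this kind of pattern match as a saved search or alerting rule rather than a standalone script, but the principle is the same.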

Failing to prepare is preparing to fail

A properly configured and used log management server also presents other quick wins. It keeps the logs in a safe and secure environment, maintaining a true record of what is going on, and prevents bad actors (or processes) from retrospectively altering the logs.

It provides a history that can be reviewed as needed with little fear that the important data has been overwritten or removed. When trying to trace back an incident that started several months ago, the fact that this data is still available can often prove invaluable.

Good logging tools can also make the life of an IT administrator so much easier. From personal experience, a company's logging infrastructure can be used to extend the functionality of existing tools.

On this point, there is a tool that is regularly used by IT administrators that only provides users with alerts and alarms in its web-based GUI. So, if something goes wrong, there is potentially no way of knowing until a crisis of some sort has hit.

To sidestep this, a script can be used to pick up the tool's error logs and forward them to the centralised logging infrastructure. The logging infrastructure can then create alerts based on those error messages, which in turn can generate email alert tickets. In short, a good logging system can be as flexible as you want it to be.
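As a very rough, condensed sketch of the idea, the script below watches an error log and raises an email whenever an error line appears. All paths, hostnames and addresses are hypothetical placeholders, and in a real deployment the error lines would be forwarded to the central logging system, with its own alerting rules raising the ticket.

```python
#!/usr/bin/env python3
"""Minimal sketch of the workaround described above: watch a log file for
error lines and raise an email alert when one appears.

All paths, hostnames and addresses are hypothetical placeholders.
"""
import time
import smtplib
from email.message import EmailMessage

LOG_FILE = "/var/log/myapp/errors.log"   # hypothetical error log
SMTP_HOST = "mail.example.com"            # hypothetical mail relay
ALERT_FROM = "logging@example.com"
ALERT_TO = "helpdesk@example.com"

def send_alert(line):
    """Email a single offending log line to the ticketing address."""
    msg = EmailMessage()
    msg["Subject"] = "Log alert: error detected"
    msg["From"] = ALERT_FROM
    msg["To"] = ALERT_TO
    msg.set_content(line)
    with smtplib.SMTP(SMTP_HOST) as smtp:
        smtp.send_message(msg)

def follow(path):
    """Yield new lines appended to the file, tail -f style."""
    with open(path) as f:
        f.seek(0, 2)  # start at the end of the file
        while True:
            line = f.readline()
            if not line:
                time.sleep(1)
                continue
            yield line

if __name__ == "__main__":
    for line in follow(LOG_FILE):
        if "ERROR" in line:
            send_alert(line)
```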

Depending on requirements, there are many logging tools available, from free offerings to eye-wateringly expensive options. Some of the most popular are Splunk and Graylog, both of which offer community editions or evaluation versions. A third, and quite popular, open source alternative is the ELK Stack (Elasticsearch, Logstash and Kibana), which is free to use, as upselling service and support offerings is how the company behind it makes its money.


Although putting together proof-of-concept environments is quite straightforward, building a production environment can be a different matter. The larger the environment, the more complex the data collection infrastructure needs to be – so you either need to plan well or call in the professionals.

When planning any work of this nature, it is also worth remembering that log servers can devour CPU and disk space at alarming rates.

Most tools have some form of log-forwarding built in to make life easier. Configuring them depends very much on the platform.

Out of the box, most Linux and Unix-based infrastructure has everything required to send data: the built-in syslog daemon uses a "push" model, in which the data is pushed from the host in question to the syslog service on the log management server.
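The syslog daemon normally handles this forwarding itself, but the same push pattern can also be used from within an application. The snippet below is a minimal sketch of that idea using Python's standard library, assuming a hypothetical central log server called loghost.example.com listening on the standard syslog port.

```python
#!/usr/bin/env python3
"""Minimal sketch of the syslog "push" model from within an application.

The hostname loghost.example.com is a hypothetical placeholder for the
central log management server.
"""
import logging
import logging.handlers

# Point a standard Python logger at the remote syslog service (UDP port 514).
handler = logging.handlers.SysLogHandler(address=("loghost.example.com", 514))
handler.setFormatter(logging.Formatter("myapp: %(levelname)s %(message)s"))

logger = logging.getLogger("myapp")
logger.addHandler(handler)
logger.setLevel(logging.INFO)

# Each call pushes a record from this host to the central server.
logger.warning("Disk usage on /var is getting high")
```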

Windows, on the other hand, works with a “pull” methodology. Speaking from personal experience, this means that most Windows hosts need a log-forwarding agent installed on them to get the data out of the Windows infrastructure.

In summary, log management is an extremely useful way to manage the mass of data and highlight anomalies and issues as needed. It can even be used to work around gaps in the infrastructure if the administrator is canny enough to repurpose the logging tool.
