Michele Leroux Bustamante, profile picture
Uploaded byMichele Leroux Bustamante
PPTX, PDF10,159 views

The Ultimate Logging Architecture - You KNOW you want it!

The document discusses comprehensive logging architecture essential for troubleshooting, security audits, and gaining insights into user activity. It outlines various types of logs, including event, audit, and activity logs, along with best practices for implementing logging mechanisms and ensuring compliance. Additionally, it emphasizes the importance of robust logging solutions that evolve over time and facilitate real-time analysis and archival processes.

Embed presentation

Downloaded 350 times
The Ultimate Logging Architecture You know you WANT it! Michele Leroux Bustamante michelebusta@solliance.net @michelebusta http://solliance.net http://michelebusta.com
The Hello World Of Logging 1992
Hello World!
Hello World!
Logging Today 2014
Web Browsers Mobile Apps Client Apps
Why do we log? • Troubleshooting visibility • Security audits, review, early detection • Post incident forensics • Track change history • Insights into user activity • Reporting and analysis
What to log? EXAMPLE: Application Events Windows Logs IIS Logs Trace Output EXAMPLE: Login Attempts Unauthorized/ Authorized Access Password Resets EXAMPLE: Session Trace Purchase Flow Report Generation Feature Access EXAMPLE: Change history for any critical system records Live Streaming / Analytics Event Logs Audit Logs Activity Logs History Logs
Make Logging EASY
Implement a Log Helper ILogger Logger Trace Debug() Trace Information() Trace Warning() Trace Error() Throw() Logger.Current.TraceInformation(); Logger.Current.Throw(ex);
Failure is NOT an option.
Event Logging
Just Do It • Whatever is built in • Whatever you know best • Just do it
Encapsulate the Mechanism ILogger Logger ELMAH / SLAB Azure Diagnostics log4j / log4net ElasticSearch
Audit Logging
Logs and Compliance • Contain no user credentials • No PII, PHI or identifiable user data • Retention period (1 year is good baseline) • A structured archival process • Alert if log reaches capacity • Authorized access • Protections from modifications (write-only)
Implement an Audit Helper Logger.Current.TraceInformation(); Logger.Current.Throw(ex); ILogger Logger Trace xxx() Throw() AuditLogger.Current.Write(); AuditLogger.Current.Throw(ex); Write() Throw() IAuditLogger AuditLogger Azure Blobs Event Logs Audit Logs DocumentDB
Benefits of noSQL • Log details tend to evolve – Schema-less storage is best – Re-indexing may be necessary • Co-location with mainline databases – Adds complexity and overhead (potentially) – Does not allow a separate “evolution” team around telemetry and analysis
Audit Log Use Cases • Every login attempt (success or failure) • Excessive login attempts and lockouts • Blocking/blacklisting users, IP addresses, access ports • Every logout • Every modification to user table, including permissions • All configuration changes • Attempts to access restricted resources, APIs from unexpected paths • All access to PII / PHI in an individually identifiable way
Audit Log Fields • Date/time of event • Machine name/instance • Process ID • User ID (possibly encrypted) / Session ID • Type of event • Success or failure of the event (if applicable) • Seriousness of the event violation (if applicable) • Message (free form) • Stack Trace (if applicable)
History and Activity Logging
History Logs • Changes made to key tables • Describes – Who changed the record? – From which application? – Which fields changed? • Need the ability to surface this to applications – Sometimes to users – Always to operations to solve problems
Implement a History Log Helper HistoryLogger.Current.Write(); IHistoryLogger HistoryLogger History Logs DocumentDB Claims Users Orders Claims Claims …
Wrap History in the DAL History Logs OrdersDal UsersDal ContentDal Relational DB Orders Claims Users Content
Wrap History in the DAL History Logs OrdersDal UsersDal ContentDal Relational DB Orders Claims Users Content
What happened with my order? History Logs OrdersDal UsersDal ContentDal Relational DB Orders Claims Users Content
Activity Logs • Not specific to code execution and troubleshooting, diagnostics • Specific to the application, user activity • COULD be informative to users as well – History of recent activity in the site – Reports they requested, downloads, other… • Provides insights to the business regarding user activity, trends and patterns – Non-critical analysis
Implement an Activity Log Helper ActivityLogger.Current.UserDownload(); ActivityLogger.Current.ReportRequest(); ActivityLogger.Current.PurchaseOrder(); IActivityLogger ActivityLogger Activity Logs DocumentDB
What happened with my order? History Logs OrdersDal Relational DB Orders Activity Logs
Automate Logging Where Possible • View controllers • API controllers • Authorization hooks • Outbound calls • Data Access layers
To Queue Or NOT To Queue
Client and Server Logging Client Apps Mobile API Client API Log API Client API Log API Loggers Web Browsers Mobile Apps Event Logs Audit Logs Activity Logs History Logs
What can I queue? Loggers ETW DocDB Event Logs Audit Logs Activity Logs History Logs
ETW Goal Loggers ETW History Publisher Activity Publisher Audit Publisher ALERTS Stream Analytics Events Publisher Event Logs Audit Logs Activity Logs History Logs
Queued Logging • Considerations – Timestamps matter – Correlation across nodes matters (to a point) – Guaranteed exactly one in order doesn’t exist – Async is good (mostly) • That said – Priority matters (hot, warm, default) – Simplicity matters – Throughput matters
Troubleshooting Is Important!
Problem Statement • We need immediate access to what the HECK is going on when there is a problem • Sometimes I use (in order): – Google Analytics – Event Logs (Azure Website) – Table Storage queries (STRIKE THAT, USELESS) – Blob storage CSVs (good enough, not realtime)
Elasticsearch Architecture Logger AuditLogger HistoryLogger ActivityLogger Elasticsearch
Kibana Visualization
LogStash LogStash Elasticsearch Identity Server Web Server / IIS / Event Logs CPU / Memory Perf Counters Blob CSVs …
Archives, Aggregation and Analytics
ARCHIVE Elastic Search Audit Logs Activity Logs History Logs HDInsight PoweShell Spin up, analyze, spin down Ingest Blob Storage Event Logs OR, just…
What you’re looking for is… • Manageable implementation • Ability to “evolve” log content • Reduce IO / socket overhead (monitor this) • Prioritization • Real-time analytics, troubleshooting • Accessibility for UI lookups (history, activity) • Archival and mass analysis
References • Conference resources: – http://michelebusta.com • Contact me: – michelebusta@solliance.net – @michelebusta • Founder, CIO of Solliance – http://solliance.net

More Related Content

PPTX
Introduction to Apache Kafka
byAIMDek Technologies
 
PPTX
Yaml
byChristoph Santschi
 
PPT
Backup And Recovery
byraghu_designer
 
PDF
Monitoring Oracle Database Instances with Zabbix
byGerger
 
PPTX
Introduction to Kafka and Zookeeper
byRahul Jain
 
PDF
WebSphere MQ tutorial
byJoseph's WebSphere Library
 
PDF
Monitoring all Elements of Your Database Operations With Zabbix
byZabbix
 
PDF
Oracle Data Guard A to Z
byZohar Elkayam
 
Introduction to Apache Kafka
byAIMDek Technologies
 
Yaml
byChristoph Santschi
 
Backup And Recovery
byraghu_designer
 
Monitoring Oracle Database Instances with Zabbix
byGerger
 
Introduction to Kafka and Zookeeper
byRahul Jain
 
WebSphere MQ tutorial
byJoseph's WebSphere Library
 
Monitoring all Elements of Your Database Operations With Zabbix
byZabbix
 
Oracle Data Guard A to Z
byZohar Elkayam
 

What's hot

PDF
Cloud Monitoring tool Grafana
byDhrubaji Mandal ♛
 
PPTX
Apache kafka
byViswanath J
 
PPTX
IBM Spectrum Scale Authentication For Object - Deep Dive
bySmita Raut
 
PPTX
Retos en la arquitectura de Microservicios
byDomingo Suarez Torres
 
PPTX
Cours 70 410 - J5
byMohamed Diallo
 
PPT
AD & LDAP
byCynoteck Technology Solutions Private Limited
 
PDF
Scouter와 influx db – grafana 연동 가이드
byJi-Woong Choi
 
PPTX
Running Airflow Workflows as ETL Processes on Hadoop
byclairvoyantllc
 
PPTX
Apache Kafka Best Practices
byDataWorks Summit/Hadoop Summit
 
PDF
Apache Spark on K8S Best Practice and Performance in the Cloud
byDatabricks
 
PPT
08 Dynamic SQL and Metadata
byrehaniltifat
 
PDF
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAs
byZohar Elkayam
 
PDF
Reporting Large Environment Zabbix Database
byAlain Ganuchaud
 
PPTX
Elastic stack Presentation
byAmr Alaa Yassen
 
PPTX
Grafana.pptx
byBhushan Rane
 
PDF
Lessons from the Field: Applying Best Practices to Your Apache Spark Applicat...
byDatabricks
 
PPTX
Dell Boomi Integration with Salesforce
byNagarjuna Kaipu
 
PDF
Creating the PromQL Transpiler for Flux by Julius Volz, Co-Founder | Prometheus
byInfluxData
 
PDF
Hacking Lab con ProxMox e Metasploitable
byAndrea Draghetti
 
PDF
MySQL Scalability and Reliability for Replicated Environment
byJean-François Gagné
 
Cloud Monitoring tool Grafana
byDhrubaji Mandal ♛
 
Apache kafka
byViswanath J
 
IBM Spectrum Scale Authentication For Object - Deep Dive
bySmita Raut
 
Retos en la arquitectura de Microservicios
byDomingo Suarez Torres
 
Cours 70 410 - J5
byMohamed Diallo
 
AD & LDAP
byCynoteck Technology Solutions Private Limited
 
Scouter와 influx db – grafana 연동 가이드
byJi-Woong Choi
 
Running Airflow Workflows as ETL Processes on Hadoop
byclairvoyantllc
 
Apache Kafka Best Practices
byDataWorks Summit/Hadoop Summit
 
Apache Spark on K8S Best Practice and Performance in the Cloud
byDatabricks
 
08 Dynamic SQL and Metadata
byrehaniltifat
 
Oracle Database Performance Tuning Advanced Features and Best Practices for DBAs
byZohar Elkayam
 
Reporting Large Environment Zabbix Database
byAlain Ganuchaud
 
Elastic stack Presentation
byAmr Alaa Yassen
 
Grafana.pptx
byBhushan Rane
 
Lessons from the Field: Applying Best Practices to Your Apache Spark Applicat...
byDatabricks
 
Dell Boomi Integration with Salesforce
byNagarjuna Kaipu
 
Creating the PromQL Transpiler for Flux by Julius Volz, Co-Founder | Prometheus
byInfluxData
 
Hacking Lab con ProxMox e Metasploitable
byAndrea Draghetti
 
MySQL Scalability and Reliability for Replicated Environment
byJean-François Gagné
 

Viewers also liked

PPTX
Elastic search overview
byABC Talks
 
PDF
Combine Apache Hadoop and Elasticsearch to Get the Most of Your Big Data
byHortonworks
 
PDF
Centralized + Unified Logging
byGabor Kozma
 
PDF
Java logging
byJumping Bean
 
PPTX
SLF4J+Logback
byGuo Albert
 
PDF
Centralized Logging with syslog
byamiable_indian
 
PDF
Docker Logging Webinar
bySematext Group, Inc.
 
PDF
Intro to Elasticsearch
byClifford James
 
PPTX
Realtime Analytics and Anomalities Detection using Elasticsearch, Hadoop and ...
byDataWorks Summit
 
PPTX
Spark 101 - First steps to distributed computing
byDemi Ben-Ari
 
PDF
The basics of fluentd
byTreasure Data, Inc.
 
PPTX
Introduction to Elasticsearch with basics of Lucene
byRahul Jain
 
PPTX
Real time analytics using Hadoop and Elasticsearch
byAbhishek Andhavarapu
 
PDF
Fluentd and Kafka
byN Masahiro
 
PPTX
Data Science with Spark & Zeppelin
byVinay Shukla
 
PPTX
Deep Dive with Spark Streaming - Tathagata Das - Spark Meetup 2013-06-17
byspark-project
 
PPTX
No data loss pipeline with apache kafka
byJiangjie Qin
 
PPTX
Capgemini Insights and Data
byDataWorks Summit/Hadoop Summit
 
PPTX
Introduction to Machine Learning
byJames Ward
 
PPTX
Processing Large Data with Apache Spark -- HasGeek
byVenkata Naga Ravi
 
Elastic search overview
byABC Talks
 
Combine Apache Hadoop and Elasticsearch to Get the Most of Your Big Data
byHortonworks
 
Centralized + Unified Logging
byGabor Kozma
 
Java logging
byJumping Bean
 
SLF4J+Logback
byGuo Albert
 
Centralized Logging with syslog
byamiable_indian
 
Docker Logging Webinar
bySematext Group, Inc.
 
Intro to Elasticsearch
byClifford James
 
Realtime Analytics and Anomalities Detection using Elasticsearch, Hadoop and ...
byDataWorks Summit
 
Spark 101 - First steps to distributed computing
byDemi Ben-Ari
 
The basics of fluentd
byTreasure Data, Inc.
 
Introduction to Elasticsearch with basics of Lucene
byRahul Jain
 
Real time analytics using Hadoop and Elasticsearch
byAbhishek Andhavarapu
 
Fluentd and Kafka
byN Masahiro
 
Data Science with Spark & Zeppelin
byVinay Shukla
 
Deep Dive with Spark Streaming - Tathagata Das - Spark Meetup 2013-06-17
byspark-project
 
No data loss pipeline with apache kafka
byJiangjie Qin
 
Capgemini Insights and Data
byDataWorks Summit/Hadoop Summit
 
Introduction to Machine Learning
byJames Ward
 
Processing Large Data with Apache Spark -- HasGeek
byVenkata Naga Ravi
 

Similar to The Ultimate Logging Architecture - You KNOW you want it!

PPTX
What is going on? Application Diagnostics on Azure - Copenhagen .NET User Group
byMaarten Balliauw
 
PPTX
Logging In Database For Concurrency control .pptx
byAhmadErshad2
 
PDF
SplunkApplicationLoggingBestPractices_Template_2.3.pdf
byTuynNguyn819213
 
PPTX
Security Practices - Logging.pptx
byAlireza Vafi
 
PPTX
Logs as Data: Using Logs to track Web Application Performance
byTrevor Parsons
 
PDF
Azure Application insights - An Introduction
byMatthias Güntert
 
PPTX
What is going on - Application diagnostics on Azure - TechDays Finland
byMaarten Balliauw
 
PDF
Python vs JLizard.... a python logging experience
byPython Ireland
 
PPTX
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
byAnton Chuvakin
 
PPTX
Logging, tracing and metrics: Instrumentation in .NET 5 and Azure
byAlex Thissen
 
PPT
Making Logs Sexy Again: Can We Finally Lose The Regexes?
byAnton Chuvakin
 
PPTX
Cashing in on logging and exception data
byStackify
 
PPTX
Deep-Dive to Application Insights
byGunnar Peipman
 
PPT
Application Logging Good Bad Ugly ... Beautiful?
byAnton Chuvakin
 
PPT
ArcSight Basics.ppt
byneoalt
 
PDF
VMworld 2013: Deep Dive into vSphere Log Management with vCenter Log Insight
byVMworld
 
PDF
A Real Time Web Analytics System
byMahesh Patwardhan
 
PPT
Log Mining: Beyond Log Analysis
byAnton Chuvakin
 
PDF
Implementing Auditing in SQL Server
byDavid Dye
 
PDF
Secure Audit Logs in MySQL 8.4 | Vinoth Kanna | Mydbops Webinar 45
byMydbops
 
What is going on? Application Diagnostics on Azure - Copenhagen .NET User Group
byMaarten Balliauw
 
Logging In Database For Concurrency control .pptx
byAhmadErshad2
 
SplunkApplicationLoggingBestPractices_Template_2.3.pdf
byTuynNguyn819213
 
Security Practices - Logging.pptx
byAlireza Vafi
 
Logs as Data: Using Logs to track Web Application Performance
byTrevor Parsons
 
Azure Application insights - An Introduction
byMatthias Güntert
 
What is going on - Application diagnostics on Azure - TechDays Finland
byMaarten Balliauw
 
Python vs JLizard.... a python logging experience
byPython Ireland
 
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
byAnton Chuvakin
 
Logging, tracing and metrics: Instrumentation in .NET 5 and Azure
byAlex Thissen
 
Making Logs Sexy Again: Can We Finally Lose The Regexes?
byAnton Chuvakin
 
Cashing in on logging and exception data
byStackify
 
Deep-Dive to Application Insights
byGunnar Peipman
 
Application Logging Good Bad Ugly ... Beautiful?
byAnton Chuvakin
 
ArcSight Basics.ppt
byneoalt
 
VMworld 2013: Deep Dive into vSphere Log Management with vCenter Log Insight
byVMworld
 
A Real Time Web Analytics System
byMahesh Patwardhan
 
Log Mining: Beyond Log Analysis
byAnton Chuvakin
 
Implementing Auditing in SQL Server
byDavid Dye
 
Secure Audit Logs in MySQL 8.4 | Vinoth Kanna | Mydbops Webinar 45
byMydbops
 

More from Michele Leroux Bustamante

PPTX
You are not excused! How to avoid security blind spots on the way to production
byMichele Leroux Bustamante
 
PPTX
Security Tips for Enterprise Azure Solutions
byMichele Leroux Bustamante
 
PPTX
So Many Docker Platforms...so little time
byMichele Leroux Bustamante
 
PPTX
Surviving Microservices - v2
byMichele Leroux Bustamante
 
PPTX
.NET Developer Days - Launching Patterns for Containers
byMichele Leroux Bustamante
 
PPTX
.NET Developer Days - So many Docker platforms, so little time...
byMichele Leroux Bustamante
 
PPTX
Design Practices for a Secure Azure Solution
byMichele Leroux Bustamante
 
PPTX
The Power of Social Login
byMichele Leroux Bustamante
 
PPTX
Unleash Your Inner Startup (Sweden, Dev Sum)
byMichele Leroux Bustamante
 
PPTX
Deep thoughts from the real world of azure
byMichele Leroux Bustamante
 
PPTX
Social Login
byMichele Leroux Bustamante
 
PPTX
Security Avalanche
byMichele Leroux Bustamante
 
PPTX
Surviving the Azure Avalanche
byMichele Leroux Bustamante
 
PPTX
DevOps for Azure
byMichele Leroux Bustamante
 
PPTX
End to End Security with MVC and Web API
byMichele Leroux Bustamante
 
PPT
Windows Azure Essentials V3
byMichele Leroux Bustamante
 
PPTX
Channel Your Inner Startup and Go For It!
byMichele Leroux Bustamante
 
PPTX
Global Windows Azure Bootcamp - San Diego
byMichele Leroux Bustamante
 
PPTX
Windows Azure Essentials
byMichele Leroux Bustamante
 
PPTX
Pricing and Revenue Projection in a Cloud-Centric World
byMichele Leroux Bustamante
 
You are not excused! How to avoid security blind spots on the way to production
byMichele Leroux Bustamante
 
Security Tips for Enterprise Azure Solutions
byMichele Leroux Bustamante
 
So Many Docker Platforms...so little time
byMichele Leroux Bustamante
 
Surviving Microservices - v2
byMichele Leroux Bustamante
 
.NET Developer Days - Launching Patterns for Containers
byMichele Leroux Bustamante
 
.NET Developer Days - So many Docker platforms, so little time...
byMichele Leroux Bustamante
 
Design Practices for a Secure Azure Solution
byMichele Leroux Bustamante
 
The Power of Social Login
byMichele Leroux Bustamante
 
Unleash Your Inner Startup (Sweden, Dev Sum)
byMichele Leroux Bustamante
 
Deep thoughts from the real world of azure
byMichele Leroux Bustamante
 
Social Login
byMichele Leroux Bustamante
 
Security Avalanche
byMichele Leroux Bustamante
 
Surviving the Azure Avalanche
byMichele Leroux Bustamante
 
DevOps for Azure
byMichele Leroux Bustamante
 
End to End Security with MVC and Web API
byMichele Leroux Bustamante
 
Windows Azure Essentials V3
byMichele Leroux Bustamante
 
Channel Your Inner Startup and Go For It!
byMichele Leroux Bustamante
 
Global Windows Azure Bootcamp - San Diego
byMichele Leroux Bustamante
 
Windows Azure Essentials
byMichele Leroux Bustamante
 
Pricing and Revenue Projection in a Cloud-Centric World
byMichele Leroux Bustamante
 

Recently uploaded

PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PPTX
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
PDF
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
PDF
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PPTX
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
PDF
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
PPTX
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
PDF
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
PDF
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
RISE with SAP for Automotive - S4 HANA Value.pptx
byAmira Jemi
 
Knowing and Doing: Knowledge graphs, AI, and work
bymarainglezakis1
 
Zero Trust & Defense-in-Depth: The Future of Critical Infrastructure Security
byYasir Naveed Riaz
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Combining Induction and Transduction for Abstract Reasoning.pptx
byallen578468
 
Digit Expo 2025 - EICC Edinburgh 27th November
byRay Bugg
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
Safeguarding AI-Based Financial Infrastructure
byYasir Naveed Riaz
 
Basics of Identity Access Management In mordern Infrastructure
byPrinceXavier18
 
TrustArc Webinar - Assessing AI Risk with Confidence
byTrustArc
 
8 LLM Surveys https://tinyurl.com/bdz8e6fp
byBob Marcus
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
The year in review - MarvelClient in 2025
bypanagenda
 
In this document
Powered by AI

Introduction to logging and its evolution from 1992 to 2014, emphasizing fundamental logging concepts.

Exploration of why logging is essential: troubleshooting, forensics, user insights, and more.

Strategies for making logging easier through implementation of log helpers and standardized methods.

Highlighted the necessity of robust logging mechanisms and simply implementing existing solutions.

Discussion on audit logging mechanisms, compliance aspects, and elements to be included in logs.

Benefits of using noSQL for logging, highlighting logging evolution and its complexities.

Specific scenarios for audit logging such as login attempts and modifications to sensitive data.

Focus on tracking changes in key metrics and facilitating insights into past activities.

Strategies to integrate history logs within data access layers for better data management.

Log implementations focus on order inquiries, encapsulating relevant history and activity logs.

Encouragement for automatic logging across various application layers to enhance monitoring.

Information on client and server logging dynamics, including queuing and handling loggers.

Criteria for implementing queued logging, emphasizing timestamp importance and troubleshooting.

Methods to analyze issues effectively using various logging tools and Elasticsearch for insights.

Utilization of Kibana and LogStash for log analysis, visualization, and architecture overview.

Key strategies for efficient log implementation ensuring manageability, evolutionary capabilities, and archival.

The Ultimate Logging Architecture - You KNOW you want it!

  • 1.
    The Ultimate LoggingArchitecture You know you WANT it! Michele Leroux Bustamante michelebusta@solliance.net @michelebusta http://solliance.net http://michelebusta.com
  • 2.
    The Hello World Of Logging 1992
  • 3.
  • 4.
  • 5.
  • 6.
    Web Browsers Mobile Apps Client Apps
  • 7.
    Why do welog? • Troubleshooting visibility • Security audits, review, early detection • Post incident forensics • Track change history • Insights into user activity • Reporting and analysis
  • 8.
    What to log? EXAMPLE: Application Events Windows Logs IIS Logs Trace Output EXAMPLE: Login Attempts Unauthorized/ Authorized Access Password Resets EXAMPLE: Session Trace Purchase Flow Report Generation Feature Access EXAMPLE: Change history for any critical system records Live Streaming / Analytics Event Logs Audit Logs Activity Logs History Logs
  • 9.
  • 10.
    Implement a LogHelper ILogger Logger Trace Debug() Trace Information() Trace Warning() Trace Error() Throw() Logger.Current.TraceInformation(); Logger.Current.Throw(ex);
  • 11.
    Failure is NOTan option.
  • 12.
  • 13.
    Just Do It • Whatever is built in • Whatever you know best • Just do it
  • 14.
    Encapsulate the Mechanism ILogger Logger ELMAH / SLAB Azure Diagnostics log4j / log4net ElasticSearch
  • 15.
  • 16.
    Logs and Compliance • Contain no user credentials • No PII, PHI or identifiable user data • Retention period (1 year is good baseline) • A structured archival process • Alert if log reaches capacity • Authorized access • Protections from modifications (write-only)
  • 17.
    Implement an AuditHelper Logger.Current.TraceInformation(); Logger.Current.Throw(ex); ILogger Logger Trace xxx() Throw() AuditLogger.Current.Write(); AuditLogger.Current.Throw(ex); Write() Throw() IAuditLogger AuditLogger Azure Blobs Event Logs Audit Logs DocumentDB
  • 18.
    Benefits of noSQL • Log details tend to evolve – Schema-less storage is best – Re-indexing may be necessary • Co-location with mainline databases – Adds complexity and overhead (potentially) – Does not allow a separate “evolution” team around telemetry and analysis
  • 19.
    Audit Log UseCases • Every login attempt (success or failure) • Excessive login attempts and lockouts • Blocking/blacklisting users, IP addresses, access ports • Every logout • Every modification to user table, including permissions • All configuration changes • Attempts to access restricted resources, APIs from unexpected paths • All access to PII / PHI in an individually identifiable way
  • 20.
    Audit Log Fields • Date/time of event • Machine name/instance • Process ID • User ID (possibly encrypted) / Session ID • Type of event • Success or failure of the event (if applicable) • Seriousness of the event violation (if applicable) • Message (free form) • Stack Trace (if applicable)
  • 21.
  • 22.
    History Logs •Changes made to key tables • Describes – Who changed the record? – From which application? – Which fields changed? • Need the ability to surface this to applications – Sometimes to users – Always to operations to solve problems
  • 23.
    Implement a HistoryLog Helper HistoryLogger.Current.Write(); IHistoryLogger HistoryLogger History Logs DocumentDB Claims Users Orders Claims Claims …
  • 24.
    Wrap History inthe DAL History Logs OrdersDal UsersDal ContentDal Relational DB Orders Claims Users Content
  • 25.
    Wrap History inthe DAL History Logs OrdersDal UsersDal ContentDal Relational DB Orders Claims Users Content
  • 26.
    What happened withmy order? History Logs OrdersDal UsersDal ContentDal Relational DB Orders Claims Users Content
  • 27.
    Activity Logs •Not specific to code execution and troubleshooting, diagnostics • Specific to the application, user activity • COULD be informative to users as well – History of recent activity in the site – Reports they requested, downloads, other… • Provides insights to the business regarding user activity, trends and patterns – Non-critical analysis
  • 28.
    Implement an ActivityLog Helper ActivityLogger.Current.UserDownload(); ActivityLogger.Current.ReportRequest(); ActivityLogger.Current.PurchaseOrder(); IActivityLogger ActivityLogger Activity Logs DocumentDB
  • 29.
    What happened withmy order? History Logs OrdersDal Relational DB Orders Activity Logs
  • 30.
    Automate Logging WherePossible • View controllers • API controllers • Authorization hooks • Outbound calls • Data Access layers
  • 31.
    To Queue OrNOT To Queue
  • 32.
    Client and ServerLogging Client Apps Mobile API Client API Log API Client API Log API Loggers Web Browsers Mobile Apps Event Logs Audit Logs Activity Logs History Logs
  • 33.
    What can Iqueue? Loggers ETW DocDB Event Logs Audit Logs Activity Logs History Logs
  • 34.
    ETW Goal Loggers ETW History Publisher Activity Publisher Audit Publisher ALERTS Stream Analytics Events Publisher Event Logs Audit Logs Activity Logs History Logs
  • 35.
    Queued Logging •Considerations – Timestamps matter – Correlation across nodes matters (to a point) – Guaranteed exactly one in order doesn’t exist – Async is good (mostly) • That said – Priority matters (hot, warm, default) – Simplicity matters – Throughput matters
  • 36.
  • 37.
    Problem Statement •We need immediate access to what the HECK is going on when there is a problem • Sometimes I use (in order): – Google Analytics – Event Logs (Azure Website) – Table Storage queries (STRIKE THAT, USELESS) – Blob storage CSVs (good enough, not realtime)
  • 38.
    Elasticsearch Architecture LoggerAuditLogger HistoryLogger ActivityLogger Elasticsearch
  • 39.
  • 40.
    LogStash LogStash Elasticsearch Identity Server Web Server / IIS / Event Logs CPU / Memory Perf Counters Blob CSVs …
  • 41.
  • 42.
    ARCHIVE Elastic Search Audit Logs Activity Logs History Logs HDInsight PoweShell Spin up, analyze, spin down Ingest Blob Storage Event Logs OR, just…
  • 43.
    What you’re lookingfor is… • Manageable implementation • Ability to “evolve” log content • Reduce IO / socket overhead (monitor this) • Prioritization • Real-time analytics, troubleshooting • Accessibility for UI lookups (history, activity) • Archival and mass analysis
  • 44.
    References • Conferenceresources: – http://michelebusta.com • Contact me: – michelebusta@solliance.net – @michelebusta • Founder, CIO of Solliance – http://solliance.net

Editor's Notes

  • #2 1
  • #8 Visibility into runtime behavior for troubleshooting or analysis Early detection of security incidents, identification of potential threats Forensic analysis to discover the cause of events, and ways to avoid them in future with software controls or other means General business intelligence and analysis of user and system behavior
  • #9  ----- Meeting Notes (12/3/14 07:53) ----- it starts to look like a lot of work... so, if I could impart one message up front it would be this
  • #10 Add heavy lifting guy ----- Meeting Notes (12/3/14 07:53) ----- assume your devs are stupid and lazy
  • #11  ----- Meeting Notes (12/3/14 05:45) ----- with this we can litter our code with verbose logs
  • #12 Example, migration to cloud, risky to add logs, risky not to have them ----- Meeting Notes (12/3/14 07:53) ----- DEMO 1 - show that logging code
  • #13 Add heavy lifting guy ----- Meeting Notes (12/3/14 05:45) ----- so we have a wrapper class it starts with basic event logging sts, wrote to event log, etw trace, event source today cloud, use what comes naturally
  • #14 Without it, you have no visibility If trying to “get it right” is preventing you from logging, you’re already in trouble Just log, worry about improvements later
  • #15 We don’t know how you do it We don’t care how you do it We do need to know where it goes (devops)
  • #16 Add heavy lifting guy
  • #18 The technical details will be platform dependent Inheritance Dependency injection, these are details The point is, auditing is intentional; you call it out It goes to a different place;
  • #19  ----- Meeting Notes (12/3/14 07:53) ----- DEMO 2 - show doc db classes, show results add a field?
  • #21  ----- Meeting Notes (12/3/14 07:53) ----- these logs are only good if you actually review them
  • #22 Add heavy lifting guy
  • #23  ----- Meeting Notes (12/3/14 07:59) ----- sql logs not helpful to surface to apps helpful for forensics, not accessible to many
  • #24  ----- Meeting Notes (12/3/14 07:59) ----- DEMO 3 - ??? look at history? any object works?
  • #32 Add heavy lifting guy
  • #37 You are collecting logs Now what, site is down, how do you know what’s up? What kinds of exceptions are being thrown? Where in the code are there uncaught exceptions tossing up the chain? Are you catching and logging those?
  • #42 You are collecting logs Now what, site is down, how do you know what’s up? What kinds of exceptions are being thrown? Where in the code are there uncaught exceptions tossing up the chain? Are you catching and logging those?