Why to log centrally?

And how is it changing?

Peter Czanik

Playlists: 'osc24' videos starting here / audio

Why is central logging so important? Convenience, availability and security. Convenience, because you have a single place to check instead of many. Availability, because you can still read log messages when the sending host is down or unreachable. Security, because logs leave the host as soon as they are produced: an attacker who compromises that host later can tamper with the local copy, but not with the copy the collector already holds (provided the forwarding channel itself is authenticated and encrypted). Developers, operators and security staff share a single view of the whole network and can easily correlate events from multiple hosts.

Often, the various tools that analyze log messages ship their own agents to forward logs to a SIEM or other analytics tool. However, this is inefficient for several reasons. Most importantly, it wastes computing resources: you install multiple applications that all do the same job, forwarding log messages, and the same messages then travel across your network several times.

So, what you should do instead is build a dedicated log management layer for central log collection. This ensures that each log message is collected from its host only once, and the central layer then fans it out to whichever analytics tools need it.

Using the OpenTelemetry protocol (OTLP), logs, traces and metrics can be collected together, simplifying the architecture for collecting data about your infrastructure even further.

From this talk, you can learn how to implement central logging using syslog-ng and how OpenTelemetry changes logging. Syslog-ng in openSUSE Tumbleweed already supports the OpenTelemetry protocol.
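The architecture described above, as an added example configuration that is not from the talk or the syslog-ng project: every host runs syslog-ng, forwards its messages once over mutually authenticated TLS to a central collector, and the collector stores them per host and optionally passes the same stream on to an OpenTelemetry collector over OTLP. The hostnames, port numbers, certificate paths and the `@version` line are assumptions; in a real deployment the client half and the collector half live in separate configuration files.

```conf
# Added example (not the talk's or syslog-ng's own config). Hostnames,
# ports and certificate paths are assumptions; adjust to your environment.
@version: 4.8
@include "scl.conf"

########## Client side (every host) ##########

source s_local {
    system();      # local syslog socket / journald / kernel messages
    internal();    # syslog-ng's own diagnostic messages
};

destination d_central {
    # RFC 5424 syslog over TLS. The collector is verified against our CA,
    # and the client presents its own certificate so the collector can
    # reject hosts that do not hold a valid key.
    syslog("logs.example.internal"
        transport("tls")
        port(6514)
        tls(
            ca-file("/etc/syslog-ng/ca.crt")
            cert-file("/etc/syslog-ng/client.crt")
            key-file("/etc/syslog-ng/client.key")
            peer-verify(required-trusted)
        )
        # Spool messages on local disk while the collector is unreachable
        # instead of dropping them; they are flushed when the link returns.
        disk-buffer(
            disk-buf-size(1073741824)
            reliable(yes)
        )
    );
};

log { source(s_local); destination(d_central); };

########## Collector side (central log server) ##########

source s_net {
    syslog(
        ip("0.0.0.0")
        port(6514)
        transport("tls")
        tls(
            ca-file("/etc/syslog-ng/ca.crt")
            cert-file("/etc/syslog-ng/server.crt")
            key-file("/etc/syslog-ng/server.key")
            peer-verify(required-trusted)   # require a valid client certificate
        )
    );
};

# One directory per sending host, one file per day. ${HOST} is taken from
# the message, so it is only as trustworthy as the client certificate that
# authenticated the connection; keep per-host keys protected.
destination d_by_host {
    file("/var/log/central/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
        create-dirs(yes)
        dir-perm(0750)
        perm(0640)
    );
};

# Optional: forward the same stream to an OpenTelemetry collector over OTLP,
# so analytics tools get their copy from here rather than from yet another
# agent on every host. Needs syslog-ng 4.4 or later with the OpenTelemetry
# module. Note: this connection is plaintext unless you add auth(tls(...)).
destination d_otlp {
    syslog-ng-otlp(url("otel-collector.example.internal:4317"));
};

log {
    source(s_net);
    destination(d_by_host);
    destination(d_otlp);
};
```

Two points to check before relying on this: `peer-verify(required-trusted)` on both sides is what turns the collector into a copy the compromised host cannot rewrite (without it any host on the network can inject messages under any `${HOST}`), and the `disk-buffer()` is what keeps the "collected only once" promise true across network outages instead of silently losing messages.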

