Apache Security

8.4. Logging Strategies

After covering the mechanics of logging in detail, one question remains: which strategy do we apply? That depends on your situation and no single perfect solution exists. Use Table 8-8 as a guideline.

Table 8-8. Logging strategy choices

| Logging strategy | Situations when strategy is appropriate |
|---|---|
| Writing logs to the filesystem | When there is only one machine or where each machine stands on its own. If you are hosting static web sites and the web server is not viewed as a point of intrusion. |
| Database logging | You have a need for ad hoc queries. If you are afraid the logging database might become a bottleneck (benchmark first), then put logs onto the filesystem first and periodically feed them to the database. |
| Syslog logging | A syslog-based log centralization system is already in place. |
| Syslog logging with Syslog-NG (reliable, safe) | Logs must be transferred across network boundaries and plaintext transport is not acceptable. |
| Manual centralization (SCP, SFTP) | Logs must be transferred across network boundaries, but you cannot justify a full Syslog-NG system. |
| Spread toolkit | You have a cluster of servers where there are several servers running the same site. All other situations that involve more than one machine. |

Here is some general advice about logging:

  • Think about what you want from your logs and configure Apache accordingly.

  • Decide how long you want to keep the logs. Decide at the beginning instead of keeping the logs forever or making up the rules as you go.

  • You will be storing the logs on a filesystem somewhere, so ensure the filesystem does not overflow. To do this, delete the logs regularly.

  • At the same time, put the log files on their own partition. That way, even if the partition overflows, the rest of the system will continue to function.
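
One way to enforce the retention and disk-space advice above from a daily cron job, as an added example that is not from the book. The `*_log.*` naming of rotated files, the directory layout and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example: retention and capacity checks for an Apache log directory.
# Assumption: rotated logs are named like access_log.1 or error_log.20240101(.gz);
# the live access_log/error_log that Apache holds open are never touched.

# enforce_retention DIR RETAIN_DAYS [COMPRESS_DAYS]
# Delete rotated logs older than RETAIN_DAYS, then gzip the remaining rotated
# logs older than COMPRESS_DAYS. gzip keeps the original mtime on the .gz file,
# so a compressed log still expires on schedule.
enforce_retention() {
    dir=$1; retain=$2; compress=${3:-1}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    # Delete first so expired files are not compressed needlessly.
    find "$dir" -maxdepth 1 -type f -name '*_log.*' \
        -mtime +"$retain" -exec rm -f -- {} +
    find "$dir" -maxdepth 1 -type f -name '*_log.*' ! -name '*.gz' \
        -mtime +"$compress" -exec gzip -f -- {} +
}

# usage_percent DIR: print how full the filesystem holding DIR is (0-100).
usage_percent() {
    df -P "$1" | awk 'NR==2 { sub(/%/, "", $5); print $5 }'
}

# check_capacity DIR MAX_PERCENT: succeed while usage is at or below MAX_PERCENT.
check_capacity() {
    used=$(usage_percent "$1")
    [ "$used" -le "$2" ]
}

# on_own_partition DIR: succeed when DIR is mounted separately from /,
# so a full log partition cannot take the rest of the system down with it.
on_own_partition() {
    [ "$(df -P "$1" | awk 'NR==2 { print $6 }')" != "/" ]
}

# Typical cron usage (paths and limits are placeholders):
#   enforce_retention /var/log/httpd 90 1
#   check_capacity /var/log/httpd 80 || echo "log partition above 80%" >&2
#   on_own_partition /var/log/httpd || echo "logs share the root filesystem" >&2
```

A failed `check_capacity` between cleanup runs is the signal to revisit the retention period rather than to delete logs by hand.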
