LogLogic/Chuvakin Log Checklist
Anton A. Chuvakin, www.chuvakin.org, June 9th, 2008
Editor’s note: I asked Anton A. Chuvakin, of LogLogic, to review my Log4J Best Practices page. He responded with his own list of general logging best practices. His own list blew mine away, and so, with his permission, I’m posting it here!
Here’s a link to the checklist straight from the horse’s mouth.
Best Logs:
- Tell you exactly what happened: when, where, and how.
- Suitable for manual, semi-automated, an automatated analysis.
- Can be analyzed without having the application that produced them at
hand. - Don’t slow the system down.
- Can be proven reliable (if used as evidence).
Events To Log
- Authentication/Authorization Decisions (including logoff)
- System Access, Data Access
- System/Application Changes (especially privilege changes)
- Data Changes:
-Add Data
-Edit Data
-Delete Data - Invalid Input (possible badness/threats)
- Resources (RAM, Disk, CPU, Bandwidth, any other hard or soft limits)
- Health/Availibility
-Startups/Shutdowns
-Faults/Errors
-Delays
-Backups success/failure
What To Log - Every Event Should Have:
- Timestamp + TZ (when)
- System, Application, or Component (where)
- IP’s and contemporaneous DNS lookups of involved parties
-Names/Roles of involved systems (what servers are we talking to?)
-Name/Role of local application (what is this server?) - User (who)
- Action (what)
- Status (result)
- Priority (severity, importance, rank, level, etc)
- Reason
Here’s a fictional log example that tries to adhere to Anton’s checklist.
