Why log remotely?
As you move to better, more comprehensive and more useful logs, you’ll find a need to run searches and maybe even alerting on them.
We’re probably all familiar with setting up a remote syslog server to keep the logs safe away from the server that made them.
Remote logging serves the following purposes:
- Secure the logs away from the server (helps in forensics, as the logs can’t be wiped along with the server, and in case the server is unavailable)
- Aggregate logs over various machines (think access logs in clusters, or security warnings across servers)
- Perform searches and run analytics on these logs (like AWStats, security alerts, etc.)
Number one is immediately helpful in diagnostics as it helps you figure out why a server just “disappeared” on you. (Am I looking at just a network glitch, or did something break?)
As you move up to running multiple servers you want to correlate these logs and probably include alerting from one central location (so that you don’t have to define the alerts over and over).
The main problem is obviously that you would need some kind of dedicated logging server to do this properly, preferably away from your current server farm.
While you could go out and spend more money to get a virtual server for this, I also found another interesting way.
How Papertrail gets you started on remote logging
While I’m not getting the most out of my logging yet (it’s a gradual process of refinement), Papertrail is very easy to get started with and absolutely free up to 100 MB of logs per month.
Depending on how much you send them, you could put one or two servers there absolutely free.
Their next plan includes 1 GB of data per month for $7, which is probably still cheaper than a virtual server and a lot cheaper than rolling your own.
You can read more about their product on the Papertrail website.
My favorite feature is that getting started is extremely easy: true to their 45 second promise, you’ll be running remote syslog with them within a minute (maybe a bit more to set it up properly with TLS).
After that, adding a simple search and daily email to keep track of certain events (automated updates, rejected emails, etc.) will take you maybe another 2 minutes.
This allows me to check on a daily basis what’s going on on my servers and adjust my security expectations based on that.
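For the “set it up properly with TLS” part, here is an added example of an rsyslog forwarding snippet (not taken from the post or from Papertrail’s docs) that sends everything to a remote syslog collector over TLS and spools locally while the collector is unreachable, so a network glitch doesn’t cost you the logs you’d want for diagnosing it. The collector name logs.example.com, the CA file path and the spool path are placeholders; Papertrail publishes its own CA bundle and hostname to use here.

```conf
# Added example (not from the post): forward all syslog to a remote
# collector over TLS with rsyslog. Needs the rsyslog-gnutls package for
# the "gtls" driver. HOSTNAME and paths below are placeholders.

# Trust anchor used to verify the collector's certificate (placeholder path)
$DefaultNetstreamDriverCAFile /etc/ssl/certs/logging-ca.pem
$DefaultNetstreamDriver gtls

# Mode 1 = TLS only; never fall back to plaintext
$ActionSendStreamDriverMode 1
# Verify the collector's certificate name, not merely that a cert exists:
# without this a forwarder would happily ship logs to any host that
# presents a certificate, defeating the "logs are safe elsewhere" goal
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer logs.example.com

# Disk-assisted queue: if the collector is unreachable (the "network glitch"
# case), messages are spooled on local disk and resent instead of dropped.
# These queue directives apply only to the next action line.
$WorkDirectory /var/spool/rsyslog
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionQueueMaxDiskSpace 500m
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# @@ = TCP (a single @ would be UDP, which cannot carry TLS);
# 6514 is the registered port for syslog over TLS
*.* @@logs.example.com:6514
```

Restart rsyslog afterwards and confirm the queue directory is writable by the rsyslog user, otherwise spooling silently fails when the collector goes away.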
More advanced features are also available. Your alerts and events can be pushed to a webhook (POST), PagerDuty or Campfire for your alerting pleasure.
So in summary: super easy to get started, very powerful down the line, and reasonably priced (or even free, depending on your log volume).
Go ahead and give Papertrail a try, and let me know if it works for you.