Logging

from Wikipedia, the free encyclopedia

In computer science, logging is the automatic creation of a record (a log) of software processes.

Logging is used to record and trace error states in the software process. Because the log is intended for evaluation by administrators and software developers, and its content is subject to legal restrictions, it must not contain confidential information. In addition, the software application should be able to continue working without problems even if logging fails.

Records can be written, for example, to the command line, to a log file, to the event log under Windows or to syslogd and klogd under Linux, to a specialized database, or to a web service. In the server environment, recording in a log file is particularly common; these files can be collected by a log scraper and evaluated centrally. For distributed and mobile applications, however, it is common to send entries to a central web service.

Some logging frameworks also support recording to multiple destinations (sinks) at the same time. In addition, some logging frameworks optionally support auditing by providing write guarantees.

Distinction from related terms

Auditing
Used for security-critical information, such as user logins and logoffs, elevation of privileges, and access to or changes to sensitive data.
Monitoring
Used to analyze application behavior, especially performance, in real time (e.g. Performance Counters, and collectd, the system statistics collection daemon, under Linux).
Tracing
Serves to trace the program flow. Since a great deal of information is recorded in a short time, tracing is not suitable for permanent recording in a file or database; instead it is used to observe the process in real time (e.g. Event Tracing for Windows (ETW) on Windows).
Operations monitoring
Used for the analysis of cross-application business processes.

Logging as auditing

Auditing is the automatic logging, by services, of data records that show which user or person did what in a computer system, and at what time. The records to be stored relate to security-relevant events in IT systems. Logging can be implemented by an audit monitor or by the business logic. The audit data must, however, be stored on an external, suitably secured system.

Security aspects

Since auditing records security-critical operations of software processes, the operation must be aborted if auditing fails.

In addition, if the audit log contains confidential data, it must be cryptographically secured by means of encryption, electronic signing and, if necessary, cryptographic chaining. Individual entries can, for example, be transmitted and secured as security event tokens (SET). If the data is cryptographically chained, it cannot be deleted; the cryptographic key can, however, be deleted instead, so that the data can no longer be decrypted.

Since audit data sometimes has to be retained for years, it must be stored securely, in contrast to ordinary log files.
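The two rules above, abort the operation when the audit write fails and chain the entries cryptographically, as an added Python example that is not from the article or any named product: each audit entry carries an HMAC over its predecessor's chain value, so a removed or altered entry is detected on verification. The key, the entry fields and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import json
# Added example, not from the article: a keyed hash chain over audit entries.
# The key is a constructed placeholder; in practice it comes from an HSM/KMS.
GENESIS = b"\x00" * 32

class AuditFailure(Exception):
    """Raised when an audit entry cannot be stored; the caller must abort."""

def entry_mac(key: bytes, prev: bytes, entry: dict) -> bytes:
    # Canonical JSON so identical entries always yield identical MACs.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev + payload, hashlib.sha256).digest()

def append_entry(key: bytes, chain: list, entry: dict) -> dict:
    """Append an entry whose MAC also covers the previous entry's MAC."""
    prev = bytes.fromhex(chain[-1]["mac"]) if chain else GENESIS
    record = dict(entry)
    record["mac"] = entry_mac(key, prev, entry).hex()
    chain.append(record)
    return record

def verify_chain(key: bytes, chain: list) -> int:
    """Return the index of the first entry that fails to verify, or -1."""
    prev = GENESIS
    for i, record in enumerate(chain):
        entry = {k: v for k, v in record.items() if k != "mac"}
        expected = entry_mac(key, prev, entry).hex()
        if not hmac.compare_digest(expected, record["mac"]):
            return i
        prev = bytes.fromhex(expected)
    return -1

def audited(key: bytes, chain: list, entry: dict, operation):
    """Store the audit entry first; run the operation only if that succeeded."""
    try:
        append_entry(key, chain, entry)
    except Exception as exc:  # sink unreachable, disk full, ...
        raise AuditFailure("audit write failed; operation aborted") from exc
    return operation()

def demo() -> int:
    key, chain = b"constructed-demo-key", []
    for action, target in [("user.create", "bob"), ("bankdetails.change", "c-42"),
                           ("user.delete", "bob")]:
        audited(key, chain, {"user": "alice", "action": action, "target": target}, lambda: None)
    assert verify_chain(key, chain) == -1   # intact chain verifies
    chain.pop(1)                            # middle entry removed afterwards
    return verify_chain(key, chain)         # -> 1: next entry no longer links
```

Signing each chain value with an asymmetric key, as the article mentions, would additionally let a third party verify the log without holding the MAC key.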

Use

  • Enables research into the historical versions of a data record that were saved with every change (a special form of log file)
  • Enables security incidents to be investigated in the context of IT forensics.
  • The knowledge gained from auditing can prevent security incidents.
  • Real-time monitoring of access to security-relevant functions or data, where such monitoring is provided.

Examples

  • Creating or deleting a user in a directory
  • Changes to a customer's bank details in an application
