Hi, and welcome back. Today, we're going to talk about logging and monitoring. We're going to briefly discuss why we want to log events from our server-side application, and then we're going to discuss what to log, and then I'm going to give a brief introduction to what an example logging infrastructure might look like for your server. By the end of this lesson, you'll be able to evaluate a system to determine if it performs sufficient security logging. So let's go.

The reason why we would want to log is, well, one reason would be to provide incident handling information. For example, if there was some security event or security incident that has occurred, you want to be able to look through your logs in order to perform an investigation to eventually remediate the incident. One other reason why you would want to log is to be able to add non-repudiation controls. Basically, add the ability to have it such that a user or some entity cannot deny that they've performed or not performed an action. One last reason why we would want to log is to be able to allow us to detect attacks when they occur and to identify if there are any threat actors out there that are trying to take advantage of vulnerabilities that we may not even know we have.

Now, we are going to look at what kinds of things we want to log. At the very least, you want to log things like authentication successes and failures. Authorization, so access control failures. Session management failures, like cookie session identification value modification, and we also want to make sure that all account lockouts are logged and reviewed.

Here is a diagram of a very simple logging infrastructure that you could have set up for your system that's running the server-side application.
For example, on the node running the server-side application, which is the square on the left, you could have some logging daemon running, and that logging daemon would be responsible for sending logs to a central logging system on a regular cadence. You could have your server-side app logging to the application system's file system, and on this file system, you could set up a daily rotation. For example, retain one day's worth of logs, and these file system logs would get sent over a secure channel like TLS to a central logging system. The central logging system will have a longer retention period than the application server. For example, one year. It really depends on things like compliance needs and needs that backend engineers or security engineers will need for how long you want to retain your logs in the central logging system.

To summarize, we chatted about why we would want to log and we quickly did a brief overview of what kinds of things at the very least we would want to log, and then I gave a very brief introduction to an example logging infrastructure that you could set up for your server-side system. Thank you. That's all for now.
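
An added example, not part of the lecture: one way to evaluate whether an application's log covers the minimum event types named above. The JSON-lines format, the event names, the `EVENT_TO_CATEGORY` mapping and the sample log are all constructed assumptions for illustration.

```python
import json
from collections import Counter

# Event categories the lecture says to log at the very least.
REQUIRED = ("auth_success", "auth_failure", "access_control_failure",
            "session_failure", "account_lockout")

# Assumed mapping from a hypothetical app's event names to those categories.
EVENT_TO_CATEGORY = {
    "login.ok": "auth_success",
    "login.failed": "auth_failure",
    "authz.denied": "access_control_failure",
    "session.cookie_tampered": "session_failure",
    "account.locked": "account_lockout",
}

# Constructed sample log (JSON lines). It contains no lockout event,
# one truncated line, and one event that is not security relevant.
SAMPLE_LOG = """\
{"ts": "2024-01-01T10:00:00Z", "event": "login.ok", "user": "alice"}
{"ts": "2024-01-01T10:00:05Z", "event": "login.failed", "user": "bob"}
{"ts": "2024-01-01T10:00:06Z", "event": "login.failed", "user": "bob"}
{"ts": "2024-01-01T10:01:00Z", "event": "authz.denied", "user": "alice", "path": "/admin"}
{"ts": "2024-01-01T10:02:00Z", "event": "session.cookie_tampered", "sid": "constructed"}
this line is truncated {"ts":
{"ts": "2024-01-01T10:03:00Z", "event": "cart.updated", "user": "alice"}
"""

def audit(log_text):
    """Count events per required category; report gaps and unparsable lines."""
    counts, malformed = Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            category = EVENT_TO_CATEGORY.get(json.loads(line)["event"])
        except (ValueError, KeyError, TypeError):
            malformed += 1  # a line an investigator could not rely on
            continue
        if category:
            counts[category] += 1
    missing = [c for c in REQUIRED if counts[c] == 0]
    return {"counts": dict(counts), "missing": missing, "malformed": malformed}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

A category listed under `missing` means the log shows no evidence that the application records that event type in the sampled period, which is a prompt to check the code path rather than proof that nothing happened.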