---
SPDX-FileCopyrightText: © 2024 Menacit AB <[email protected]>
SPDX-License-Identifier: CC-BY-SA-4.0

title: "Logging course: Best and worst practices"
author: "Joel Rangsmo <[email protected]>"
footer: "© Course authors (CC BY-SA 4.0)"
description: "Description of some best and worst logging practices"
keywords:
color: "#ffffff"
class:
style: |
  section.center {
    text-align: center;
  }
  table strong {
    color: #d63030;
  }
  table em {
    color: #2ce172;
  }
---
There's lots more to learn about successfully implementing logging.
The following (opinionated) slides cover some of these lessons.
No one (but the NSA) can afford to store logs forever.
Before ingesting a new log source, make sure to check and communicate retention requirements/policy.
Backup log data whenever required, but be aware of the cost.
Backups are provided by the "Scheduled snapshots" feature.
While it is possible to delete specific documents (log events) in OpenSearch, the most straightforward way is to rotate (delete) whole indices.
Don't store log events with different retention requirements in the same index.
Retention/Rotation/Storage tier migration is handled by "State management policies".
Group log sources that are commonly searched together.
Spend the time before everything is burning during an incident.
In OpenSearch, we can utilize "index patterns" (sometimes) or "index aliases".
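The two practices above (one index per retention class with rotation handled by an ISM policy, and aliases that group sources commonly searched together) can be generated from a single inventory of log sources. The following Python is an added example, not part of the course material: it takes a constructed inventory mapping index prefix to retention days and search group, emits one ISM policy body per retention class (roll over daily, optionally snapshot to an assumed repository, then delete whole indices once they exceed the retention age) and one `_aliases` body per search group. Policy and alias names, the `logs-*` prefixes, the 30gb shard limit and the repository name are all assumptions for the example.

```python
import json
from collections import defaultdict

# Constructed sample inventory: index prefix -> (retention in days, search group).
# Sources with different retention must never share an index, so the retention
# value is what decides which rollover/deletion policy an index pattern gets.
LOG_SOURCES = {
    "logs-firewall": (90, "network"),
    "logs-vpn": (90, "network"),
    "logs-webserver": (30, "web"),
    "logs-waf": (30, "web"),
    "logs-auth": (365, "identity"),
}


def build_retention_policy(retention_days, index_patterns, snapshot_repo=None):
    """Build an ISM policy: roll over daily, optionally snapshot, then delete.

    The returned dict is the body for PUT _plugins/_ism/policies/<name>.
    snapshot_repo is an assumed, already registered snapshot repository name.
    """
    retention = f"{retention_days}d"
    states = [
        {
            "name": "hot",
            "actions": [
                # Roll to a fresh index every day or at 30 GB per primary shard,
                # so deletion later happens per whole index, never per document.
                {"rollover": {"min_index_age": "1d", "min_primary_shard_size": "30gb"}}
            ],
            "transitions": [
                {"state_name": "snapshot" if snapshot_repo else "delete",
                 "conditions": {"min_index_age": retention}}
            ],
        },
        {"name": "delete", "actions": [{"delete": {}}], "transitions": []},
    ]
    if snapshot_repo:
        # Backup before deletion when retention policy requires it (costs storage).
        states.insert(1, {
            "name": "snapshot",
            "actions": [{"snapshot": {"repository": snapshot_repo,
                                      "snapshot": f"retention-{retention}"}}],
            # The age condition is already met on entry, so the index moves on
            # to deletion at the next ISM evaluation cycle.
            "transitions": [{"state_name": "delete",
                             "conditions": {"min_index_age": retention}}],
        })
    desc = f"Keep {retention}, then " + ("snapshot and delete" if snapshot_repo else "delete")
    return {
        "policy": {
            "description": desc,
            "default_state": "hot",
            "states": states,
            # Auto-attach this policy to every new index matching the patterns.
            "ism_template": [{"index_patterns": index_patterns, "priority": 100}],
        }
    }


def build_search_alias(alias_name, index_patterns):
    """Body for POST _aliases: one read alias spanning all indices of a search group."""
    return {"actions": [{"add": {"index": p, "alias": alias_name}} for p in index_patterns]}


def plan(sources):
    """Group sources by retention (one policy each) and by search group (one alias each)."""
    by_retention = defaultdict(list)
    by_group = defaultdict(list)
    for prefix, (days, group) in sorted(sources.items()):
        by_retention[days].append(f"{prefix}-*")
        by_group[group].append(f"{prefix}-*")
    policies = {f"retention-{d}d": build_retention_policy(d, pats)
                for d, pats in by_retention.items()}
    aliases = {f"{g}-logs": build_search_alias(f"{g}-logs", pats)
               for g, pats in by_group.items()}
    return policies, aliases


if __name__ == "__main__":
    policies, aliases = plan(LOG_SOURCES)
    for name, body in policies.items():
        print(f"PUT _plugins/_ism/policies/{name}")
        print(json.dumps(body, indent=2))
    for name, body in aliases.items():
        print(f"POST _aliases  # {name}")
        print(json.dumps(body, indent=2))
```

Running the script prints the request bodies; applying them is a matter of sending each to the cluster with the REST client of your choice. Because rollover only works on indices written through an alias, the write alias for each source is still set up separately; the aliases generated here are the read-side grouping that lets an analyst query `network-logs` instead of remembering which index patterns belong together.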
While just scratching the surface, I hope these topics gave you some insights!