Centralized logging
Overview
A Centralized Logging (CL) architecture collects and merges log information from numerous servers, applications, and services across the cloud platform, channeling it to a single location to facilitate straightforward analysis and administration.
It enables infrastructure and DevOps engineers to identify, diagnose, and rectify issues with heightened efficiency, while upholding security and compliance standards.
CL retains the logs in a centralized place and provides log retention as per the client's requirements.
Detailed Description
CL accumulates all types of logs in an Azure Log Analytics Workspace (LAW), as shown in the high-level diagram below.
It facilitates the management of various log formats:
A type of diagnostic log in Azure that provides insights into the activities and events occurring within the Azure platform. These logs focus on capturing information related to the operation and health of Azure services and components rather than individual user or resource actions.
Log Category | Details Regarding | Source | Destination |
---|---|---|---|
AAD Logs | User sign-in activities and system activity information about users and group management. | AAD | Log Analytics Workspace |
Resource Logs (1. Audit Logs 2. Firewall logs) | Operations that were performed within an Azure resource (the data plane). Examples might be getting a secret from a key vault or making a request to a database. | Azure Resources | Event Hub to Log Analytics Workspace |
Activity Logs (Role change logs) | Operations on each Azure resource in the subscription from the outside (the management plane) and updates on Service Health events. There's a single activity log for each Azure subscription. | Azure Resources | Event Hub to Log Analytics Workspace |
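As an added example (not part of this page or the Tier0 setup), a Log Analytics KQL query that pulls the role-change entries referred to in the Activity Logs row above once they land in the AzureActivity table; the 7-day window and the "Success" filter are choices made here, not requirements from the page.

```kusto
// Added example: role assignment changes (management plane) from the Activity Log.
// The operation names are the standard ARM authorization operations for role assignments.
AzureActivity
| where TimeGenerated > ago(7d)
| where OperationNameValue in~ (
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete")
// Each operation is logged as Start and then Success/Failure; keep the completed ones.
| where ActivityStatusValue =~ "Success"
| project TimeGenerated, Caller, CallerIpAddress, OperationNameValue,
          SubscriptionId, ResourceGroup, _ResourceId
| order by TimeGenerated desc
```

Replacing the final `project`/`order by` with `summarize Changes = count() by Caller, OperationNameValue` gives a per-principal view of who is changing role assignments, which is usually the more useful review.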
These logs contain valuable information about the activities and events occurring within the Virtual Machine, allowing administrators and developers to monitor and troubleshoot their VMs effectively. It can include System logs, Security logs, Application logs, Diagnostic logs, Azure monitor logs and Guest OS logs that are specific to VMs.
Details Regarding | Source | Destination |
---|---|---|
Syslogs and data about the operating system on compute resources. | 1. Azure diagnostic extension 2. Log Analytics agent 3. VM insights | VM (host OS) |
NSG (Network Security Group) flow logs are a feature in Microsoft Azure that provides detailed visibility into network traffic flowing through Network Security Groups. NSGs act as virtual firewalls, allowing you to control inbound and outbound traffic to Azure resources such as virtual machines, subnets, and network interfaces.
Details Regarding | Source | Destination |
---|---|---|
IP traffic flowing through an NSG. | NSG | Storage Account |
These are security-related logs generated by the Azure Defender service, which is a built-in security solution provided by Microsoft Azure. Azure Defender helps protect Azure resources by providing advanced threat protection, vulnerability management, and security alerts for various Azure services.
Log Category | Details Regarding | Source | Destination |
---|---|---|---|
Processed Logs | Provides security information and alerts from Azure Defender and Monitor. | Defender Alerts | via Event Hub to Log Analytics Workspace |
Third Party Logs (OpenIAM, MongoDB) | Provides insight into security logs of running instances. | OpenIAM, MongoDB | |
Application logs in Azure refer to the logs generated by applications deployed in Azure services such as Azure Virtual Machines (VM) and Azure Kubernetes Service (AKS). These logs contain information about the application's behavior, events, errors, and other relevant details that help in monitoring, troubleshooting, and understanding application performance.
Log Category | Details Regarding | Source | Destination |
---|---|---|---|
Application log (1. Ness logs 2. Regular App logs) | Application security logs. | Application | Event Hub to Log Analytics Workspace |
AppInsights (Performance, TLS/SSL Certificate logs) | Application performance and proactive lifetime check of SSL certificates, from 1 day to 365 days. | Application logs on AppInsights | Log Analytics Workspace |
- Database Logs
These logs contain valuable information about the activities and events occurring within the databases, allowing administrators and developers to monitor and troubleshoot their databases effectively. Logs from various types of databases should be captured as and when necessary.
For more details, go to the detailed implementation document of each of the database logs:
- MSSQL
- MySQL
Details Regarding | Source | Destination |
---|---|---|
Audit Logs of various kinds of databases | MSSQL, MySQL, PostgreSQL | Log Analytics Workspace |
Log types with respective LAW table names
Tables | Log Type |
---|---|
AzureDiagnostics | Diagnostics logs, Application logs |
AzureActivity | Activity logs, VM logs |
SecurityEvent | Defender logs, AAD logs, Netflow logs |
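As an added example (not part of this page), a KQL query that checks whether each LAW table named above is still receiving records, so a broken Event Hub or agent path is noticed before the logs are needed; the 30-day lookback and 60-minute silence threshold are assumptions, not values from the page.

```kusto
// Added example: freshness check over the LAW tables listed in the mapping above.
// Thresholds (30-day lookback, 60 minutes of silence) are assumptions for illustration.
union withsource = SourceTable AzureDiagnostics, AzureActivity, SecurityEvent
| where TimeGenerated > ago(30d)
| summarize LastRecord = max(TimeGenerated),
            Records24h = countif(TimeGenerated > ago(24h)) by SourceTable
// Minutes since the most recent record per table.
| extend MinutesSilent = datetime_diff("minute", now(), LastRecord)
| extend Status = iff(MinutesSilent > 60, "STALE", "OK")
| order by MinutesSilent desc
```

A table that does not appear in the result at all has received nothing in the lookback window, which is the case this check is most likely to catch right after onboarding.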
Benefits and Business Case
In everyday business operations of any application, various challenges arise, including:
- Insufficient visibility
- Restricted troubleshooting capacities
- Compliance and security concerns
To address these concerns and more, CL offers a variety of usage scenarios such as:
- Security and Compliance
Provides application and infrastructure security information along with event logging. Each application has numerous separate integrations, each of which widens the system's exposure. CL enables the user to track all actions and events in order to build a more robust application.
- Application Visibility
With additional end-to-end responsibilities and increased accountability, the need for application issue troubleshooting has grown. Application logs save considerable effort in debugging and rectifying issues.
- Business Intelligence
Provides insights about system performance, user interaction and business performance. Faster, more adaptable insights across the application value chain help the business understand the efficiency and reliability of the product.
Responsibilities
Initial Setup
- The client has to submit the required information for the initial setup. Please fill in the onboarding form and refer to that section for more details.
The Tier0 team is responsible for setting up all logs except App Logs. For the configuration of App Logs, please visit the links below:
- Explore Dummy app
- Explore Ness logging
- Explore FluentD integration with AKS
- Explore FluentD integration with VM
Once the client setup and handover are complete, the responsibilities are as follows:
Tier0
- Ensure that the logs are collected as expected.
- Handle any setup or connectivity related issues.
Client
- Setup of resources and services.