Classification of registered logs

Why are we classifying logs?

To organize the records (logs) received from all client machines clearly and efficiently, so that consulting, analysing and following up on incidents is fast and intuitive.

Classification criteria

It has been decided to classify the logs primarily by machine and, within each machine, to separate them by the service or application that generated the log.

Thus, the information will be structured so that:

  • It is easy to identify which machine generated a particular record.
  • It is easy to analyze the behavior of a specific service (e.g. sshd, systemd, sudo).

Storage structure

The log files are organized on the log server in the following hierarchy, one directory per sending machine and one file per program inside it (this is the path the rsyslog template below produces):

/var/log/remote/<hostname>/<program>.log

Real example from the project:

/var/log/remote/dhcp/sshd.log

Classification mechanism

This structure is defined using an rsyslog template configured on the server:

$template RemoteLogs,"/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log"

*.* ?RemoteLogs

Explanation:

  • %HOSTNAME% ➔ creates a directory for each machine that sends logs.
  • %PROGRAMNAME% ➔ creates a separate file for each service/program within each machine's directory.
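The two legacy lines above are enough to get the layout, but on a real log server they are usually combined with the network input and a dedicated ruleset. The fragment below is an added example, not the project's own configuration: it writes the same per-host/per-program template in rsyslog's RainerScript syntax, binds it only to messages arriving over the network, and adds the property-replacer option `secpath-replace`. That option matters because `%HOSTNAME%` and `%PROGRAMNAME%` are taken from the header the client sends; rewriting any `/` in them ensures a client cannot turn its hostname into extra path components under `/var/log/remote`. The listening port, file modes and owner/group are assumptions.

```conf
# Added example (not the project's configuration): /etc/rsyslog.d/10-remote.conf
# Implements /var/log/remote/<hostname>/<program>.log for remote clients only.

# Accept remote syslog over UDP and TCP and hand both inputs to a dedicated
# ruleset, so the log server's own local messages never land under /var/log/remote.
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")   # port is an assumption
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")

# Same path as the $template line on the page, with secpath-replace added:
# HOSTNAME and PROGRAMNAME come from the client-supplied syslog header, so any
# "/" inside them is replaced by "_" instead of creating a new path component.
template(name="RemoteLogs" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

ruleset(name="remote") {
    # dynaFile resolves the template per message; directories are created as needed.
    # Modes and owners are assumptions; keep the tree unreadable to ordinary users.
    action(type="omfile" dynaFile="RemoteLogs"
           dirCreateMode="0750" fileCreateMode="0640"
           dirOwner="root" dirGroup="adm"
           fileOwner="root" fileGroup="adm")
    stop   # do not let remote messages fall through to the default rules
}
```

Validate the syntax with `rsyslogd -N1` before restarting the service; if the page's legacy `$template` and `*.* ?RemoteLogs` lines are left in place as well, the remote messages would be written twice, so keep one of the two forms.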

Benefits of this classification

Ease of analysis: Allows you to quickly locate incidents by machine and service.

Clarity: Each system component has its own separate records, avoiding confusion.

Scalability: New client machines can be added without altering the existing infrastructure.

Optimization of log rotation: Specific policies can be defined per machine or service if needed.
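Because every file in the tree follows the same `/var/log/remote/<hostname>/<program>.log` pattern, a single rotation policy can cover the whole tree. The stanza below is an added example, not the project's own configuration; retention values, the `adm` group and the use of `systemctl` to signal rsyslog are assumptions.

```conf
# Added example (not the project's configuration): /etc/logrotate.d/remote
# One pattern matches every host directory and every program file beneath it.
/var/log/remote/*/*.log {
    daily
    rotate 30          # retention is an assumption; adjust to policy
    compress
    delaycompress      # keep yesterday's file uncompressed for quick analysis
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        # ask rsyslog to close and reopen its dynamic files (systemd hosts; assumption)
        /bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
    endscript
}
```

If one machine or service needs a different policy, give it its own stanza with an explicit path and make sure the wildcard stanza no longer matches the same files: logrotate refuses a file that appears in two stanzas with a "duplicate log entry" error and applies only the first one it reads.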
