Introduction

What is logging?

While operating, computer systems perform a complex series of highly interdependent tasks to fulfil the needs of their users. All of these tasks generate information in the form of events, which can be recorded to allow the system administrator to observe the state of the system and ensure its continued, reliable operation.

Logging is generally the name given to the process of filtering and recording the events produced by the system as it functions. A typical logging system will receive events from the kernel, as well as the running services, separate them according to type and priority, and record them in files, or send them to another machine for processing and storage, as appropriate.
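The following is an added example, not code from the original article: a minimal syslog-style router that does what the paragraph above describes, parsing each event's facility and priority and deciding whether it goes to a local file or to a remote log host (the off-box copy that the security-breach discussion later on this page relies on). It assumes the RFC 3164 `<PRI>` header, where PRI = facility * 8 + severity, and the routing rules, file paths and the host name `loghost.example.invalid` are constructed for the example.

```python
"""Added example: separate syslog-style events by facility and severity and
route them to a file or a remote log host (rules and host are constructed)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# RFC 3164 facility codes 0-23; names for codes 12-15 vary between
# implementations, so those four are an assumption here.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp",
              "ntp", "audit", "alert", "clock"] + [f"local{i}" for i in range(8)]
# Severity 0 is the most urgent, 7 the least.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class Event:
    facility: str
    severity: str   # severity name, e.g. "crit"
    level: int      # numeric severity, 0 = most urgent
    message: str


def parse_event(line: str) -> Event:
    """Split a '<PRI>message' line into facility, severity and message text."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> header")
    pri_text, message = line[1:].split(">", 1)
    pri = int(pri_text)
    if not 0 <= pri <= 191:               # 24 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    facility_code, level = divmod(pri, 8)
    return Event(FACILITIES[facility_code], SEVERITIES[level], level, message.strip())


# Selector rules in the style of syslog.conf: (facility or '*', minimum
# severity name, destination). A selector matches the named severity and
# anything more urgent than it.
Rule = Tuple[str, str, str]
RULES: List[Rule] = [
    ("auth", "info", "remote://loghost.example.invalid"),   # keep the auth trail off-box
    ("kern", "warning", "file:/var/log/kern.log"),
    ("*", "err", "remote://loghost.example.invalid"),       # anything serious goes remote too
    ("*", "info", "file:/var/log/messages"),               # everything else, debug excluded
]


def route(event: Event, rules: List[Rule] = RULES) -> List[str]:
    """Return every destination whose selector matches the event, in rule order."""
    destinations: List[str] = []
    for facility, min_severity, destination in rules:
        if facility not in ("*", event.facility):
            continue
        if event.level <= SEVERITIES.index(min_severity) and destination not in destinations:
            destinations.append(destination)
    return destinations


def dispatch(lines: List[str], rules: List[Rule] = RULES) -> Dict[str, List[str]]:
    """Group a batch of raw lines by destination; unroutable lines are dropped."""
    outbox: Dict[str, List[str]] = {}
    for line in lines:
        event = parse_event(line)
        for destination in route(event, rules):
            outbox.setdefault(destination, []).append(
                f"{event.facility}.{event.severity}: {event.message}")
    return outbox


if __name__ == "__main__":
    # Constructed sample events, not captured from a real system.
    sample = [
        "<34>su: authentication failure",   # auth.crit
        "<0>kernel: Oops: fatal exception",  # kern.emerg
        "<15>cron: job started",            # user.debug, matches nothing
        "<165>app: config reloaded",        # local4.notice
    ]
    for destination, messages in dispatch(sample).items():
        print(destination)
        for message in messages:
            print("   ", message)
```

Because the rules mirror syslog.conf selector semantics, a debug-level line from a chatty service matches nothing and is discarded, while anything at `err` or above is written both locally and to the remote host, so a copy survives even if the local files are later altered.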

Why do I need to log events?

There are many reasons why maintaining detailed and consistent system logs is desirable, if not required, on a production system; two reasons, however, stand out above all others. The first is to enable issues to be detected, and hopefully prevented, before they become serious. The second is to assist in the resolution of any such issues by allowing the administrator to make use of the diagnostic information the logs contain.

Issue detection and prevention

When operating a production installation, the availability and reliability of services, especially those deemed mission-critical, is of primary importance. Most failures, when analysed after the event, could have been prevented had adequate system logging and reporting been in place to ensure that the conditions leading up to the failure were noted and remedial action taken. Automated log analysis and reporting tools can only operate effectively if they have a reliable and consistent set of log files to work from.

Issue resolution

Computer systems, like many other complex systems, can often fail in such a way that it is difficult, if not impossible, to determine the cause of the failure from behaviour alone. If this should happen, detailed system logs can be the only way to determine the cause of the problem.

Should a security breach occur, good logs, assuming they were written to an uncompromised server, can be extremely useful in determining how the attacker gained access. Without this information, securing the system against future attacks of the same type will be considerably more difficult, if not impossible.