People who manage applications often want to do the right thing when it comes to logging and log monitoring, but they frequently do not know what to log and what to monitor. This is a quick write-up outlining the minimum that needs to be logged and some examples of what to monitor. If you are responsible for log monitoring, I recommend that you keep a written outline of what you are logging and what you are monitoring. This helps you manage the process and shows that you have a formal procedure.
What to log:
I think we should apply the Four Ws rule - at a minimum - when deciding 'what do I need to log?'. The log should carry enough information to answer the following questions:
- Who did it? Think usernames and accounts.
- What action was taken, and did it succeed? Think read, write, copy, delete, logon success or failure, number of records, description of records, etc.
- When did it happen? Think date and time, recorded in one time zone (UTC) from NTP-synchronized clocks, so that events from different systems can be lined up against each other.
- Where did it happen - on what systems? Think IP addresses, computer names, network IDs, servers, etc.
What to monitor and how often:
This depends on the nature of the system and the potential for abuse. There should be a formal list that shows the questionable events that are being monitored and how often. For example, for an Electronic Health Records (EHR) system the list could look like this:
- Unauthorized access to VIP patients: monitored weekly.
- View/download of an unusually high number of records: monitored daily.
- View of a dummy - watermarked - record that is used as a honeypot to flag abuse: monitored daily or triggers a real-time alert. A dummy record is something no one should need to access in the course of legitimate work, so an access event on such a record is a good indication of suspicious activity.
- High number of failed logon attempts against one account - a sign of a brute-force password attack: monitored daily or triggers a real-time alert.
- High number of logon attempts from one workstation with multiple accounts - a sign of reconnaissance to discover valid account names, which is usually followed by a brute-force password attack, or of password spraying, where one password is tried against many accounts: monitored daily or triggers a real-time alert.
- Random review of all activities - or a summary of activities - associated with 10% (or any other percentage you see fit) of the total number of system users, to look for unauthorized or suspicious actions. This is analogous to the random drug tests that some employers conduct: monitored quarterly.
- Random review of all activities - or a summary of activities - associated with 5% (or any other percentage you see fit) of the total number of patients, to look for unauthorized or suspicious actions: monitored annually.
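As an added example (not part of the original post), the Python script below shows what Four-Ws audit records can look like when written as one JSON object per line, and runs several of the checks from the list above over a constructed sample: honeypot record access, unauthorized VIP access, bulk record access, failed logons against one account, many accounts tried from one workstation, and the random pick of users for the periodic review. The field names, thresholds, user names, hosts, IPs, patient IDs and the VIP/honeypot lists are all assumptions chosen for illustration; a real deployment would tune the thresholds and take the VIP authorization and user lists from the EHR system and the directory, not from hard-coded values.

```python
import json
import random
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of an application audit log, one JSON object per line.
# Every record carries the Four Ws: who (user), what (action, patient record,
# record count, outcome), when (ISO 8601 UTC timestamp) and where (workstation
# and IP). All users, hosts, IPs and patient IDs are made up for this example.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:01:12Z","user":"jsmith","action":"view","patient":"P1001","n":1,"host":"WS-17","ip":"10.0.5.17","result":"ok"}
{"ts":"2024-03-01T08:03:40Z","user":"jsmith","action":"view","patient":"P0007","n":1,"host":"WS-17","ip":"10.0.5.17","result":"ok"}
{"ts":"2024-03-01T09:15:02Z","user":"tlee","action":"view","patient":"P9999","n":1,"host":"WS-42","ip":"10.0.5.42","result":"ok"}
{"ts":"2024-03-01T10:00:00Z","user":"rkim","action":"download","patient":"*","n":850,"host":"WS-08","ip":"10.0.5.8","result":"ok"}
{"ts":"2024-03-01T11:20:05Z","user":"mpatel","action":"view","patient":"P0007","n":1,"host":"WS-03","ip":"10.0.5.3","result":"ok"}
{"ts":"2024-03-01T12:00:01Z","user":"bob","action":"logon","patient":null,"n":0,"host":"WS-99","ip":"10.0.5.99","result":"fail"}
{"ts":"2024-03-01T12:00:09Z","user":"bob","action":"logon","patient":null,"n":0,"host":"WS-99","ip":"10.0.5.99","result":"fail"}
{"ts":"2024-03-01T12:00:17Z","user":"bob","action":"logon","patient":null,"n":0,"host":"WS-99","ip":"10.0.5.99","result":"fail"}
{"ts":"2024-03-01T13:00:01Z","user":"alice","action":"logon","patient":null,"n":0,"host":"WS-77","ip":"10.0.5.77","result":"fail"}
{"ts":"2024-03-01T13:00:05Z","user":"carol","action":"logon","patient":null,"n":0,"host":"WS-77","ip":"10.0.5.77","result":"fail"}
{"ts":"2024-03-01T13:00:09Z","user":"dave","action":"logon","patient":null,"n":0,"host":"WS-77","ip":"10.0.5.77","result":"fail"}
"""

# Detection thresholds and watch lists (illustrative values; tune per system).
HONEYPOT_PATIENTS = {"P9999"}            # dummy record nobody needs for real work
VIP_PATIENTS = {"P0007": {"jsmith"}}     # VIP record -> users cleared to open it
BULK_THRESHOLD = 500                     # records viewed/downloaded per user per day
FAILED_LOGON_THRESHOLD = 3               # failed logons per account per day
ENUMERATION_THRESHOLD = 3                # distinct accounts attempted from one host per day


def parse_log(text):
    """Parse one JSON record per line into dicts; 'ts' becomes an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def check_events(events):
    """Apply the monitoring rules. Returns (rule, subject, day, detail) tuples,
    where subject is the user (or the workstation, for enumeration) and day is
    the UTC date, so every finding still answers who, what, when and where."""
    findings = []
    records = Counter()          # (user, day) -> records viewed or downloaded
    failures = Counter()         # (user, day) -> failed logons
    accounts = defaultdict(set)  # (host, day) -> accounts attempted from that host
    for ev in events:
        day = ev["ts"].date().isoformat()
        who, where = ev["user"], f'{ev["host"]} ({ev["ip"]})'
        if ev["action"] in ("view", "download") and ev["result"] == "ok":
            if ev["patient"] in HONEYPOT_PATIENTS:      # real-time alert material
                findings.append(("honeypot_access", who, day, f'{ev["action"]} {ev["patient"]} from {where}'))
            if ev["patient"] in VIP_PATIENTS and who not in VIP_PATIENTS[ev["patient"]]:
                findings.append(("unauthorized_vip_access", who, day, f'{ev["action"]} {ev["patient"]} from {where}'))
            records[(who, day)] += ev["n"]
        elif ev["action"] == "logon" and ev["result"] == "fail":
            failures[(who, day)] += 1
            accounts[(ev["host"], day)].add(who)
    for (user, day), n in records.items():
        if n >= BULK_THRESHOLD:
            findings.append(("bulk_access", user, day, f"{n} records in one day"))
    for (user, day), n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(("brute_force", user, day, f"{n} failed logons"))
    for (host, day), users in accounts.items():
        if len(users) >= ENUMERATION_THRESHOLD:
            findings.append(("account_enumeration", host, day, f"{len(users)} accounts tried: {sorted(users)}"))
    return findings


def sample_for_review(events, fraction, seed):
    """Pick a deterministic random sample of the users seen in the log for the
    periodic manual review (the post suggests 10% of users). A fixed seed makes
    the pick reproducible for the auditor; a real deployment would sample from
    the user directory rather than from the log itself."""
    users = sorted({ev["user"] for ev in events})
    k = max(1, round(len(users) * fraction))
    return random.Random(seed).sample(users, k)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for rule, subject, day, detail in check_events(evs):
        print(f"{day} {rule:<24} {subject:<8} {detail}")
    print("users picked for quarterly review:", sample_for_review(evs, 0.10, seed=2024))
```

Two of the rules (honeypot access and unauthorized VIP access) fire on a single event and are the ones worth wiring to a real-time alert; the other three are per-day aggregates and fit the daily review in the list above. Note that jsmith's view of the VIP record produces no finding because that user is on the record's authorization list, which is the check that distinguishes "unauthorized" access from ordinary access to a VIP patient.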