

App Sec: How do you monitor your application logs? - a_lifters_life

Whether you run nginx, apache, something else:
1) What webserver do you use?
2) Do you monitor your logs?
3) How helpful do you find monitoring of your logs to detect intrusion attempts?
4) Anything else you want to tell me?
Thanks for your responses.
======
tomerlevy
ELK is a good option - I'm a fan of open source. You can build it on your own
(http://logz.io/blog/deploy-elk-production/) or you can use ELK as a service
(disclaimer, I work for Logz.io which offers such service).

We see customers use ELK to detect intrusion attempts by monitoring and
alerting on:
- Access from specific countries
- Internal connections to specific countries
- SSH auth request
- Correlation between failed logins across multiple machines
- Kernel exceptions (which may be buffer overflow attempts)
- AWS VPC Logs
- AWS Cloudtrail logs - we internally use it extensively to audit access

HTH

------
jpgvm
Nginx and Apache

ELK stack - Elasticsearch + Logstash + Kibana.

Have some simple filters that look for attempted SQL injection etc.; we also
run all SSH auth requests etc. through the same system, so we do all of that
sort of stuff there.

~~~
a_lifters_life
Do you find what you do effective? How many attempts do you receive say in a
given month?
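As an added example (not code from either commenter or from Logz.io), the two detections mentioned in this thread, jpgvm's "simple filters" for attempted SQL injection in nginx/apache access logs and tomerlevy's correlation of failed logins across machines, written as a standalone Python check that could feed an ELK alert. The combined log format and sshd message layout are the stock ones; hostnames, addresses and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus
# Nginx/Apache "combined" access-log format (same layout on both servers).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
# Crude SQL-injection indicators, matched on the URL-decoded path. Tuned for low
# noise rather than completeness: a hit is a lead for an analyst, not a verdict.
SQLI_RE = re.compile(
    r"'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+|union\s+(?:all\s+)?select"
    r"|sleep\s*\(|information_schema|--\s|;\s*drop\s+table", re.IGNORECASE)
# sshd failure lines as syslog forwards them; the host name follows the timestamp.
SSH_FAIL_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+)")

def flag_sqli(lines):
    """(client_ip, decoded_path) for each access-log line whose path looks like SQLi."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        path = unquote_plus(m["path"]) if m else ""  # unparsed lines never match
        if m and SQLI_RE.search(path):
            hits.append((m["ip"], path))
    return hits

def correlate_failed_logins(lines, min_hosts=2):
    """{source_ip: sorted hosts} for IPs with failed SSH logins on >= min_hosts machines."""
    hosts_by_ip = defaultdict(set)
    for line in lines:
        m = SSH_FAIL_RE.match(line)
        if m:
            hosts_by_ip[m["ip"]].add(m["host"])
    return {ip: sorted(h) for ip, h in hosts_by_ip.items() if len(h) >= min_hosts}

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_ACCESS = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /item?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /item?id=1+UNION+SELECT+user,pass+FROM+users HTTP/1.1" 500 0 "-" "curl/8.0"',
]
SAMPLE_AUTH = [
    "Oct 10 13:56:01 web1 sshd[2211]: Failed password for root from 198.51.100.7 port 40122 ssh2",
    "Oct 10 13:56:03 web2 sshd[918]: Failed password for invalid user admin from 198.51.100.7 port 40130 ssh2",
    "Oct 10 13:56:09 web1 sshd[2214]: Failed password for alice from 203.0.113.5 port 51000 ssh2",
]

if __name__ == "__main__":
    print(flag_sqli(SAMPLE_ACCESS), correlate_failed_logins(SAMPLE_AUTH))
```

Decoding the path before matching is what catches the percent-encoded and plus-encoded variants that a filter on the raw line would miss; the cross-host correlation is what turns individual failed logins, which are noise on any single machine, into a signal.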

