
Beyond uptime, what should I be monitoring on my web site? - AussieCoder
I have uptime monitoring in place, but I’m worried that there are other things I should be checking regularly to make sure my site is working as expected.

What would anyone recommend I monitor?
======
davismwfl
For a site that is commercial and not just a fun thing I think you should
always be monitoring the basics and watching the trends which they produce. So
CPU, Memory, I/O, Non 2XX HTTP responses, server logs, nginx/apache logs, # of
sessions, traffic by hour and traffic by day. If you are running a WordPress
site or similar I'd also be putting watchers on new file creation & updates on
the upload directory and the themes. This just helps you see if there is any
activity happening you didn't trigger or expect.

Any outbound calls your site makes to 3rd party services should be logged and
reported on, set up triggers and alerts for non 2XX codes again. You want to
know if something breaks before you have support requests coming in.

SSL certs have already been mentioned, but watching those and setting up
reminders for renewals is important, same with any plug-ins or other licenses
you need to renew on a recurring basis.

This at least covers all the basics IMO. Obviously some of what I mentioned
can be done from proper monitoring of the log files, like non 200 responses,
traffic, sessions etc. Also, don't reinvent the wheel, plenty of tools in open
source that can help you do all this with just some setup and configuration.
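
Added example, not part of davismwfl's comment: one way to implement the file-change watcher suggested above for upload and theme directories, by hashing a baseline and diffing a later snapshot against it. The directory names, file names and the extension list are assumptions, and the sample tree is constructed.

```python
import hashlib
import os
import tempfile

# Assumed list of extensions the web server may execute; adjust for your stack.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".cgi", ".pl", ".py", ".sh"}

def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest

def diff(baseline, current):
    """Return created/modified/deleted paths, plus the executable ones among them."""
    created = sorted(current.keys() - baseline.keys())
    deleted = sorted(baseline.keys() - current.keys())
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    executable = [p for p in created + modified
                  if os.path.splitext(p)[1].lower() in EXECUTABLE_EXTS]
    return {"created": created, "modified": modified,
            "deleted": deleted, "executable": executable}

def write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed tree standing in for an uploads and a themes directory."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "uploads/2024/logo.png", b"constructed image bytes")
        write(root, "themes/mytheme/functions.php", b"<?php // original")
        baseline = snapshot(root)
        write(root, "uploads/2024/avatar.php", b"<?php // unexpected file")
        write(root, "themes/mytheme/functions.php", b"<?php // changed")
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored outside the web root and the diff run on a schedule, with any entry under "executable" raised as an alert.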

~~~
AussieCoder
I'm hosting on Microsoft Azure, so Application Insights gives me most of the
server monitoring, but you make a good point about checking 3rd party services
that I have dependencies on and tracking license expiration dates, which I
have no process for at the moment. I'll check into that.

------
Iwillgetby
This Medium post is long, but has a lot of great insight about security.

[https://medium.com/cloud-security/how-network-traffic-got-me...](https://medium.com/cloud-security/how-network-traffic-got-me-into-cybersecurity-94796bb78c92)

"After I figured out how to turn off the malware, I went back to my hosting
company. I didn’t bother to tell them what I discovered because at this point
it seemed futile. I just asked them to deny outbound network access I didn’t
need. My computer didn’t initiate outbound connections to anything. It only
replied to requests it received. I only wanted to allow the most minimal
traffic required for my applications to run correctly. They argued with me!
They said no one checks outbound traffic. I said I didn’t care what everyone
else does. I wanted to block it. I figured out how to do it myself. I had very
restrictive network rules in my firewall settings that only allowed what the
applications on my server required."

Of course you don't want to block your web server's ability to get updates. But
it is important to understand that web servers are web SERVERS. This means
that they rarely initiate a new connection, they receive new connections from
web browsers.

~~~
AussieCoder
That post makes really interesting reading. I'm hosting on Microsoft Azure, so
I'm hoping they have a lot of that stuff covered, but I guess I need to dive
in and make sure.

------
mtmail
Expiry of the SSL certificate.

~~~
gop1
Your uptime monitoring service can do this.
[https://webmonitoring.online](https://webmonitoring.online) also checks SSL
certificate expiry.

