LogLogic/Chuvakin Log Checklist

Anton A. Chuvakin, www.chuvakin.org, June 9th, 2008

Editor's note: I asked Anton A. Chuvakin, of LogLogic, to review my Log4J Best Practices page. He responded with his own list of general logging best practices. His own list blew mine away, and so, with his permission, I'm posting it here!

Here's a link to the checklist straight from the horse's mouth.

Best Logs:

Events To Log

  1. Authentication/Authorization Decisions (including logoff)
  2. System Access, Data Access
  3. System/Application Changes (especially privilege changes)
  4. Data Changes:
    1. Add Data
    2. Edit Data
    3. Delete Data
  5. Invalid Input (possible badness/threats)
  6. Resources (RAM, Disk, CPU, Bandwidth, any other hard or soft limits)
  7. Health/Availibility
    1. Startups/Shutdowns
    2. Faults/Errors
    3. Delays
    4. Backups success/failure

What To Log - Every Event Should Have:

  1. Timestamp + TZ (when)
  2. System, Application, or Component (where)
    1. IP's and contemporaneous DNS lookups of involved parties
    2. Names/Roles of involved systems (what servers are we talking to?)
    3. Name/Role of local application (what is this server?)
  3. User (who)
  4. Action (what)
  5. Status (result)
  6. Priority (severity, importance, rank, level, etc)
  7. Reason

Here's a fictional log example that tries to adhere to Anton's checklist.