Is there any reason to keep logging for a very high volume site? What valuable data is there to be had in the raw logs.
We do keep the logs today for "just in case" could someone provide an answer for "Just in case What?"
SnapOverflow
Is there any reason to keep logging for a very high volume site? What valuable data is there to be had in the raw logs.
We do keep the logs today for "just in case" could someone provide an answer for "Just in case What?"
Try keeping your logs for at least 1/2 weeks. You can use tools like OSSEC to analyze them in real time and only store what is security relevant (multiple 400's, 500's error codes, scans, etc).
Take a look at this document for some ideas on the security value of keeping these logs:
http://www.infosecwriters.com/texts.php?op=display&id=453
You want to keep your logs, but possibly look at aggregating. I use Analog to produce weekly and monthly reports that are archived. Some historic comparisons of 404's has lead to fixing a broken change to my site.
I keep several months of IIS logs, but I've got years of montly Analog reports that have been produced from them.
Total size of my logs + reports is trivial - under 50 MB.
Assuming you track traffic elsewhere, I would suggest your most important use would be to backtrack unusual activity that may not be readily seen in pure traffic monitors. For example, many requests to the login page from one IP, or a large number of 404 errors to /admin, /administration, /config, etc.
Logs can really come in handy in certain situations. On-going situations are trending reports which can show you page view or traffic growth or referrer traffic (which search engine is sending traffic to you). If you have really large log files, it's useful to process these often and just retain the summary that your reporting tool retains.
The other thing that is useful is historical data if you need to look it up. This comes in handy if you have a sql injection attack, any other type of attack or even a DDOS where you want to track down when it started and if the zombie computers are coming from a certain region. In these situations, you'll be very thankful that you keep the logs around.
Additionally, if you have PCI or other compliance requirements, it may be a requirement to retain a certain amount of logging data.
You can turn off logging for certain folders. For example if you have a load balancer or monitoring software, you can turn off logging on the folder that it tests against. You can also turn off your \images folder or other folders that may get a lot of traffic but that don't need to be logged.