On Jun 8, 2012, at 11:51 AM, Graham Leggett wrote:

> On 08 Jun 2012, at 5:45 PM, Joe Schaefer wrote:
> 
>> Well not quite, we'd still have had a problem with storing and archiving
>> those logs even if we hadn't made them available to committers, because
>> they violate our password retention policies.
> 
> Can you clarify if possible what purpose you were trying to solve by enabling 
> the forensic logs?
> 
> Forensic logging is to answer the question "what is going wrong", and 
> shouldn't be enabled under normal operational circumstances unless there is 
> something genuinely going wrong, at which point you record what you need and 
> then switch it off again.
> 
> A forensic log that has had a whole lot of filters applied to it is 
> counterproductive, because the forensic log no longer tells you exactly what 
> is going on, and when you're troubleshooting you need to know precisely that.

In my situation, we have them enabled so that when an issue arises, we have one 
more tool at our disposal to identify a root cause. When I get an alert that 
there is something wrong with one of our sites, it is usually too late to 
enable forensic logging at that point. Something has already happened. We need 
to mitigate and get everything back up to normal. The question is usually not 
"what IS going wrong?", but rather "what WENT wrong?", because it is often a 
short-lived event.

Having the forensic logs available has proven extremely helpful in this 
scenario. Might the full, unfiltered forensic data be valuable? Yes, but I 
don't believe the security risk is worth it in my situation. The rare case 
where an Authorization header might be truly useful for debugging or RCA is 
vastly overshadowed by the usefulness of the rest of the request information 
stored in the forensic log.

The key to the forensic log, obviously, is that we have some information about 
an incoming request before it is completed. We can't get this information from 
any of the standard or custom logs, and we don't have any control over the 
format. Perhaps, just like we have LogFormat and now ErrorLogFormat, we should 
have ForensicLogFormat? If we did, then everyone could have what they 
want/need, whether full or partial forensic data.

- Jim
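As an added example (not code from this thread or from httpd itself), a small Python script that strips password-carrying headers from a mod_log_forensic log before it is archived and, since the value of the forensic log is that it records a request before completion, lists the requests that were started but never finished. The line format follows the mod_log_forensic documentation ("+<id>|<request line>|<Header>:<value>|..." on receipt, "-<id>" on completion); the sample lines and ids are constructed.

```python
# Constructed sample of a mod_log_forensic log (not taken from the thread).
# "+<id>|<request line>|<Header>:<value>|..." is written when the request is
# received; "-<id>" on its own line is written when the request completes.
SAMPLE_LOG = """\
+yQbZHJ4zRiOoS9BVUcCgwAAAAQ|GET /index.html HTTP/1.1|Host:www.example.org|User-Agent:curl/7.64.1
-yQbZHJ4zRiOoS9BVUcCgwAAAAQ
+yQbZHJ4zRiOoS9BVUcCgwAAAAR|GET /private/ HTTP/1.1|Host:www.example.org|Authorization:Basic YWxpY2U6czNjcjN0|Cookie:session=abc123
+yQbZHJ4zRiOoS9BVUcCgwAAAAS|POST /api/upload HTTP/1.1|Host:www.example.org|Content-Length:1048576
-yQbZHJ4zRiOoS9BVUcCgwAAAAR
"""

# Headers whose values are password-equivalent and must not be retained.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def scrub_line(line: str) -> str:
    """Replace the value of sensitive headers with a placeholder; keep the rest."""
    if not line.startswith("+"):
        return line  # "-<id>" completion markers carry no headers
    fields = line.split("|")
    out = fields[:2]  # "+<id>" and the request line are kept verbatim
    for field in fields[2:]:
        name, sep, _value = field.partition(":")
        if sep and name.lower() in SENSITIVE_HEADERS:
            out.append(f"{name}:[REDACTED]")
        else:
            out.append(field)
    return "|".join(out)


def scrub_log(text: str) -> str:
    """Scrub every line of a forensic log so it can be stored and archived."""
    return "\n".join(scrub_line(line) for line in text.splitlines())


def incomplete_requests(text: str) -> dict:
    """Map id -> request line for requests that got a "+" but never a "-".

    These are the requests that were in flight when something went wrong,
    which is exactly what the ordinary access log cannot show.
    """
    open_reqs = {}
    for line in text.splitlines():
        if line.startswith("+"):
            fields = line.split("|")
            open_reqs[fields[0][1:]] = fields[1] if len(fields) > 1 else ""
        elif line.startswith("-"):
            open_reqs.pop(line[1:], None)
    return open_reqs
```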