
Enable access to server logs, set up monitoring / alerting functionalities

Open MaxSchilling opened this issue 2 years ago • 1 comments

To increase self-efficacy and security, access to the server logs and auditing files should be enabled + options for alerting functionalities (DDoS attacks, ...) should be added, basically utilising what AWS offers in terms of operations / monitoring and alerting.

This will be needed for security audits and certifications - plus there should at least be transparency about allowed request limits, etc. Although it would be even better of course to improve those settings by oneself if possible.

MaxSchilling avatar Feb 22 '22 12:02 MaxSchilling

There are a lot of feature requests in this issue. I'll try to list them:

  • [x] Access logs for all services (Postgres, Hasura, Auth, Storage, Functions)
  • [ ] Auditing files (@MaxSchilling What specifically do you mean with this one?)
  • [ ] Alerting - (e.g. Alert me if more than 10,000 requests in less than 1 minute).
  • [ ] Request limits - Kind of like alerting but instead of alert the service should return a 429 - Too Many Requests?

@MaxSchilling Let me know if you have any comments or feedback on my specifications. If possible, please provide as much detail as possible for each request. This makes it easier for us to prioritize and understand your needs. It also makes it easier for other customers to add their thoughts too.

elitan avatar Feb 23 '22 09:02 elitan
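The two request-related items in the list above (alerting on more than 10,000 requests in under a minute, and a limit that answers 429 instead) come down to the same per-client sliding-window count. The following is an added example, not nhost code: it parses constructed log lines in an assumed format, raises one alert per client that crosses the threshold, and shows the same count enforced as a 429 at request time.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log line format: <ISO-8601 ts> <client> <method> <path> <status>
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
WINDOW = timedelta(minutes=1)

def parse_line(line):
    ts, client, method, path, status = line.split()
    return datetime.strptime(ts, TS_FMT), client, method, path, int(status)

def find_bursts(lines, threshold=10_000, window=WINDOW):
    """Alert once per client seen with more than `threshold` requests inside any
    span shorter than `window`. Lines are assumed chronological per client.
    Returns a list of (client, window_start, count)."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    alerted, alerts = set(), []
    for line in lines:
        ts, client = parse_line(line)[:2]
        q = recent[client]
        q.append(ts)
        while ts - q[0] >= window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) > threshold and client not in alerted:
            alerted.add(client)
            alerts.append((client, q[0], len(q)))
    return alerts

class SlidingWindowLimiter:
    """Same counting applied at request time: 429 once a client already has
    `limit` requests in the window, 200 (and the request is counted) otherwise."""
    def __init__(self, limit, window=WINDOW):
        self.limit, self.window = limit, window
        self.recent = defaultdict(deque)

    def check(self, client, ts):
        q = self.recent[client]
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return 429
        q.append(ts)
        return 200

def sample_lines(base=datetime(2022, 10, 6, 6, 0, 0)):
    """Constructed log: one client sends 30 requests in 30 s, another sends 5."""
    fmt = lambda i: (base + timedelta(seconds=i)).strftime(TS_FMT)
    busy = [f"{fmt(i)} 203.0.113.7 POST /v1/graphql 200" for i in range(30)]
    quiet = [f"{fmt(i * 5)} 198.51.100.2 GET /v1/storage/files 200" for i in range(5)]
    return busy + quiet
```

With the page's default of 10,000 the constructed sample produces no alert; lowering `threshold` shows the detection firing exactly once for the busy client.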

Logs are now available: https://nhost.io/blog/nhost-logs.

elitan avatar Oct 06 '22 05:10 elitan

Sorry, just saw that I forgot about this one - in our case the logs will have done the biggest part - in case they also log when admin users change anything via console / hasura directly. So if all database changes and accesses are logged, that should be sufficient for audit trails. The question behind that is simply: can you tell for every field when and by whom it has been changed the last time? And plus points for also logging everything admin related, e.g. when admin users logged into hasura directly.

In addition @elitan - the too many requests part you mentioned will pretty certainly pop up during pen-testing, as they will also pentest the backend url itself.

MaxSchilling avatar Oct 06 '22 06:10 MaxSchilling

As the logs dashboard has been shipped to the production dashboard, I will close this down. @MaxSchilling feel free to open any other isolated issue for a more specific request (e.g. alerts) explaining the ideal UX and use-case... from our standpoint we can parse individual logs and check for specific keywords but want to get feedback as to how useful it would be for users.

guicurcio avatar Nov 02 '22 19:11 guicurcio