I'm curious about the best practices for monitoring on-prem or hybrid network traffic. In environments with various components like bare-metal servers, VMs, or Kubernetes, is it standard to capture and log network traffic for specific communications? For instance, would it be advisable to track all TCP packets (SYN, ACK, FIN, RST) for critical user requests, convert those traces into JSON format, and store them in a log aggregator? I wonder if this approach actually provides actionable insights or if it's overkill. Also, if it's beneficial, what tools would you recommend for this? I'm thinking of options like eBPF, but I'd love to hear your thoughts!
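To make the pipeline in the question concrete, here is an added example (not code from the original post) that takes raw IPv4/TCP frames, pulls out the control flags (SYN, ACK, FIN, RST), serializes one JSON line per packet for a log aggregator, and builds a per-flow summary that flags half-open and refused connections. The packet bytes are constructed inline for the demo (zero checksums, no IP or TCP options); in practice the frames would come from a capture source such as libpcap or an eBPF program, which this snippet does not implement.

```python
"""Added example: parse IPv4/TCP frames, emit JSON log lines, summarize flows.
Packets below are constructed test fixtures, not captured traffic."""
import json
import struct
from collections import defaultdict

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10}


def build_packet(src, dst, sport, dport, flags):
    """Construct a minimal IPv4 + TCP packet (no options, no payload, zero checksums)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    # data offset = 5 words (20 bytes), stored in the high nibble of byte 12
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_bits, 65535, 0, 0)
    return ip_hdr + tcp_hdr


def parse_packet(raw, ts):
    """Return a dict for one IPv4/TCP packet, or None for anything else (short, non-IPv4, non-TCP)."""
    if len(raw) < 20:
        return None
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4  # IP header length honours options if present
    if len(raw) < ihl + 14:      # flags live within the first 14 TCP header bytes
        return None
    sport, dport, _seq, _ack, _off, flag_bits = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    return {
        "ts": ts,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport,
        "flags": [name for name, bit in TCP_FLAGS.items() if flag_bits & bit],
    }


def to_json_lines(packets):
    """Newline-delimited JSON, one record per parsed packet, ready for a log shipper."""
    records = (parse_packet(raw, ts) for ts, raw in packets)
    return "\n".join(json.dumps(r, sort_keys=True) for r in records if r)


def flow_summary(packets):
    """Count control flags per conversation. A SYN with no SYN/ACK and no RST is
    half-open; a SYN answered only by RST is refused. Both are worth alerting on."""
    counts = defaultdict(lambda: {"syn": 0, "synack": 0, "fin": 0, "rst": 0})
    for ts, raw in packets:
        rec = parse_packet(raw, ts)
        if rec is None:
            continue
        # direction-agnostic key so both halves of a conversation land together
        key = tuple(sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])]))
        f = set(rec["flags"])
        if {"SYN", "ACK"} <= f:
            counts[key]["synack"] += 1
        elif "SYN" in f:
            counts[key]["syn"] += 1
        if "FIN" in f:
            counts[key]["fin"] += 1
        if "RST" in f:
            counts[key]["rst"] += 1
    for c in counts.values():
        c["half_open"] = c["syn"] > 0 and c["synack"] == 0 and c["rst"] == 0
        c["refused"] = c["syn"] > 0 and c["synack"] == 0 and c["rst"] > 0
    return dict(counts)


# Constructed sample: one full handshake + teardown, one unanswered SYN, one refused SYN.
SAMPLE = [
    (1.000, build_packet("10.0.0.5", "10.0.0.9", 40000, 443, ["SYN"])),
    (1.001, build_packet("10.0.0.9", "10.0.0.5", 443, 40000, ["SYN", "ACK"])),
    (1.002, build_packet("10.0.0.5", "10.0.0.9", 40000, 443, ["ACK"])),
    (1.500, build_packet("10.0.0.5", "10.0.0.9", 40000, 443, ["FIN", "ACK"])),
    (2.000, build_packet("10.0.0.7", "10.0.0.9", 40001, 443, ["SYN"])),
    (3.000, build_packet("10.0.0.8", "10.0.0.9", 40002, 22, ["SYN"])),
    (3.001, build_packet("10.0.0.9", "10.0.0.8", 22, 40002, ["RST"])),
]

if __name__ == "__main__":
    print(to_json_lines(SAMPLE))
    for flow, stats in flow_summary(SAMPLE).items():
        print(flow, stats)
```

The per-packet JSON is what ends up in the aggregator; the flow summary is the kind of derived signal that makes that volume actionable (unanswered SYNs toward a critical service, or a burst of RSTs on a port that is normally quiet) without anyone reading raw packet logs.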
1 Answer
The approach really depends on your regulations and the specific sector you work in. Where I am, we log everything that hits our main components, which means we end up with a lot of data. We had some issues with Prometheus for scaling, so we switched to ClickHouse, but we're considering moving to VictoriaLogs now. This comprehensive logging helped us catch a vulnerable endpoint quickly, and we were able to block it before any real damage. Just remember to store older data in colder storage unless you need that granularity for analysis.

Interesting! What made you decide to consider VictoriaLogs instead of sticking with ClickHouse?