We have 5xx.json available in logstash (and on file on the centrallog hosts in /srv/weblog/webrequest), which is useful to debug/investigate errors.
With ELK7 and in general more capacity (and headroom), I (Filippo) think we should be ingesting the sampled (1/1000) webrequest stream, specifically for:
- Access to dashboards to debug/investigate abuse incidents
- Sharing dashboards and findings during incidents
The data has PII; however, I don't think it is at a greater risk than PII already in kafka/logstash (e.g. IP addresses and user agent).
Implementation-wise, we currently funnel 5xx as such:
kafkatee -> grep/jq/logger -> rsyslog -> kafka -> logstash
The easy (not necessarily simple) thing to do is to replicate the same with the sampled-1000 kafkatee output (i.e. an additional load of at most ~200 logs/s).
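To make the funnel stages concrete, here is an added example (written for this task description; it is not kafkatee, rsyslog or any code from the production pipeline) that emulates the grep/jq/logger step in Python: it parses webrequest-style JSON lines, either keeps only 5xx records (the existing funnel) or applies 1-in-N sampling on a running counter (the proposed sampled-1000 funnel), and formats each surviving record the way logger(1) would hand it to rsyslog. The field names (`http_status`, `ip`, `user_agent`, `uri_host`, `uri_path`), the sample records and the syslog tags are all constructed assumptions, not the real webrequest schema; `expected_rate` is the same back-of-the-envelope arithmetic behind the "~200 logs/s" figure above.

```python
"""Added example, not part of the task or of kafkatee/rsyslog/logstash.

Emulates the grep/jq/logger stage of the funnel:
  kafkatee -> grep/jq/logger -> rsyslog -> kafka -> logstash
for two modes: keep only 5xx records, or keep every n-th record
(1-in-n sampling, as a "sampled-n" kafkatee output would do).
"""
import json
from typing import Iterable, Iterator, List, Optional

# Constructed sample stream: webrequest-like records, one JSON object per
# line. Field names are assumptions for this example, not the real schema.
# Line 3 is deliberately malformed to show the parser skipping it.
SAMPLE_LINES: List[str] = [
    json.dumps({"http_status": "200", "ip": "203.0.113.5", "user_agent": "Mozilla/5.0",
                "uri_host": "en.wikipedia.org", "uri_path": "/wiki/Main_Page"}),
    json.dumps({"http_status": "503", "ip": "203.0.113.6", "user_agent": "curl/7.0",
                "uri_host": "en.wikipedia.org", "uri_path": "/w/api.php"}),
    "{not json",
    json.dumps({"http_status": "500", "ip": "203.0.113.7", "user_agent": "Mozilla/5.0",
                "uri_host": "de.wikipedia.org", "uri_path": "/wiki/Spezial:Suche"}),
    json.dumps({"http_status": "200", "ip": "203.0.113.8", "user_agent": "Mozilla/5.0",
                "uri_host": "commons.wikimedia.org", "uri_path": "/wiki/File:x.jpg"}),
    json.dumps({"http_status": "404", "ip": "203.0.113.9", "user_agent": "python-requests",
                "uri_host": "en.wikipedia.org", "uri_path": "/wiki/Nope"}),
]


def parse_webrequest(line: str) -> Optional[dict]:
    """Parse one JSON line; return None for malformed input so that one bad
    record does not stall the stage (grep/jq would simply drop it)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "http_status" not in rec:
        return None
    return rec


def is_5xx(rec: dict) -> bool:
    """True when http_status is a three-digit code starting with 5."""
    status = str(rec.get("http_status", ""))
    return len(status) == 3 and status[0] == "5"


def sample_every(records: Iterable[dict], n: int) -> Iterator[dict]:
    """Yield every n-th record: 1-in-n sampling on a running counter."""
    for i, rec in enumerate(records):
        if i % n == 0:
            yield rec


def to_syslog_line(rec: dict, tag: str) -> str:
    """Format as logger(1) would: '<tag>: <compact JSON>'."""
    return f"{tag}: {json.dumps(rec, separators=(',', ':'), sort_keys=True)}"


def funnel(lines: Iterable[str], tag: str,
           status_5xx_only: bool = False, sample_n: int = 1) -> List[str]:
    """Run the grep/jq/logger stage over raw lines and return the syslog
    lines that would be handed to rsyslog."""
    recs: Iterable[dict] = (r for r in (parse_webrequest(l) for l in lines) if r is not None)
    if status_5xx_only:
        recs = (r for r in recs if is_5xx(r))
    if sample_n > 1:
        recs = sample_every(recs, sample_n)
    return [to_syslog_line(r, tag) for r in recs]


def expected_rate(requests_per_second: float, sample_n: int) -> float:
    """Added logstash load for a 1-in-sample_n stream, in logs/s."""
    return requests_per_second / sample_n


if __name__ == "__main__":
    for out in funnel(SAMPLE_LINES, "webrequest-5xx", status_5xx_only=True):
        print(out)
    for out in funnel(SAMPLE_LINES, "webrequest-sampled", sample_n=2):
        print(out)
    # e.g. 200k req/s sampled 1/1000 -> 200 logs/s
    print(expected_rate(200_000, 1000))
```

Sampling is applied after parsing so that malformed lines do not consume a slot in the counter; in a real kafkatee deployment the sampling happens upstream and this stage would only parse and format, so the 5xx and sampled paths share the same formatter and differ only in the tag that rsyslog later routes on.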