It seems clear to everyone that availability and performance are the main concerns when monitoring a platform.
But... what happens if suddenly you discover that you were hacked some weeks ago and you have intruders on your servers?
It has always been scary, but now it can also affect personal data, and a GDPR fine can be much more than "scary".
Do not ask "if" your servers can be hacked; ask "when" it will happen instead. And my question is... how long will it take you to notice that you are being, or were, hacked?
In this talk we want to show the architecture we have in place to monitor several different platforms from several different websites (such as Infojobs, Fotocasa, Milanuncios, Vibbo...), with distributed teams and diverse technologies, using a pragmatic approach that invests a very reasonable amount of effort and money. We will explain the options when using an open-source but mature component such as OSSEC, combined with commercial software such as Splunk, while heavily optimizing costs. We will also cover the components that AWS provides to detect attacks and intrusions, both the successful cases and the not-so-successful ones. We will address monitoring live HTTP requests, log analysis, and intrusion detection on servers and on the network.
Our global approach: monitor good-quality events rather than gathering large quantities of "simple" logs.
All this with an expense lower than 1K per month, monitoring platforms with millions of monthly users. So it can work for both big and small pockets!