Breakout discussions: TRE monitoring and activity logging#
Prompts#
What tools do people use for monitoring (e.g. Grafana, Prometheus, Loki, Mimir etc.)? To what extent do people monitor?
To what extent do people actively monitor / alert on logging activity (vs collecting for incident / post-incident management)
Notes#
Essentially logging everything (with AWS). Previous group was talking about logging all the way to individual VMs etc.
Pushing within EPCC for more application layer logging rather than just at the hardware layer, lots of pushback for monitoring of user activity (e.g. anonymisation of logs)
Logs primarily used for monitoring our own systems rather than proactively checking behaviour of users.
Often simply the fact that you’re logging is really just a comfort factor for data providers, often they may not be used/read at all and deleted at some stage - but the point is more that if you need it then you’ve got it.
To what extent do people monitor/alert logged data, rather than just access it for incident management/review?
Consensus is that in many TREs we don’t pro-actively monitor alert on logging, but there is value in having it for incident management/review and for giving confidence to data owners.
When is low level data access logging/monitoring appropriate?
Consensus that it’s required when identifiable individual level data is accessible.
Ran out of time to determine to discuss whether/how much value it adds when data is de-identified and research is analysing the full dataset.
Based on experience, there is a general disregard from users for the details of data governance.