Covers operating system and application logging architecture, log collection, parsing, analysis, and security monitoring workflows. Topics include where logs are stored on Linux systems, system logging daemons and their configuration such as rsyslog, using the systemd journal and journalctl, and log rotation and retention strategies. Skills include parsing and inspecting logs with command line tools and regular expressions, extracting key fields such as timestamps, user identifiers, internet protocol addresses, actions performed, and error codes, and working with structured log formats such as JavaScript Object Notation. Also includes forwarding logs to centralized systems and agents, transport protocols and collectors, and upstream processing pipelines. For security and monitoring, this covers log aggregation, normalization, event correlation, alerting and thresholding, building searches and dashboards, and deriving forensic and operational insights for incident response and troubleshooting. Candidates may be evaluated on practical configuration tasks, example queries, interpreting log entries, designing log pipelines for reliability and scale, and applying best practices for retention, privacy, and performance.
Medium · Technical
Compare command-line and runtime parsing approaches (grep, awk, sed, perl, Python, Go, Rust, simdjson) for log processing. For each approach, describe trade-offs in throughput, CPU vs I/O, memory usage, developer productivity, and maintainability. Given a target of 500k log lines/sec per host, which technology choices would you consider and why?
Medium · System Design
Design a logging approach for containerized applications that write JSON to stdout/stderr in Kubernetes. Decide between node-level collectors (Fluent Bit) and sidecar collectors, describe how to attach pod metadata (labels/annotations), handle multiline logs and backpressure, and avoid duplicate ingestion. Explain how you would ensure logs from short-lived pods are reliably captured.
Medium · Technical
How do you configure systemd-journald to persist logs across reboots but limit disk consumption? Explain key options in /etc/systemd/journald.conf such as Storage, SystemMaxUse, RuntimeMaxUse, ForwardToSyslog, and MaxFileSec. Also describe how to export journal entries to a remote collector.
Easy · Technical
You need to deploy Filebeat on 2,000 hosts to forward /var/log/*.log to a central cluster. Describe the Filebeat configuration choices you'd make for prospectors (inputs), handling multiline logs (stack traces), backoff and backpressure, sending to Logstash vs Elasticsearch, TLS configuration, and how you'd monitor agent health centrally.
Medium · Technical
You ingest ~1 TB/day of logs. Propose a retention and cost-optimization strategy that reduces storage cost by ~60% while preserving forensic ability for critical security events. Consider compression, sampling, tiered storage (hot/warm/cold), selective indexing, redaction, and rehydration costs. Provide a concrete policy for different log classes (security, access, debug).