Covers operating system and application logging architecture, log collection, parsing, analysis, and security monitoring workflows. Topics include where logs are stored on Linux systems, system logging daemons and their configuration such as rsyslog, using the systemd journal and journalctl, and log rotation and retention strategies. Skills include parsing and inspecting logs with command line tools and regular expressions, extracting key fields such as timestamps, user identifiers, internet protocol addresses, actions performed, and error codes, and working with structured log formats such as JavaScript Object Notation. Also includes forwarding logs to centralized systems and agents, transport protocols and collectors, and upstream processing pipelines. For security and monitoring, this covers log aggregation, normalization, event correlation, alerting and thresholding, building searches and dashboards, and deriving forensic and operational insights for incident response and troubleshooting. Candidates may be evaluated on practical configuration tasks, example queries, interpreting log entries, designing log pipelines for reliability and scale, and applying best practices for retention, privacy, and performance.
MediumTechnical
0 practiced
When ingesting logs into Elasticsearch at scale, how would you design index lifecycle policies (ILM) and field mappings to avoid mapping explosion and optimize search? Provide a plan that includes index rollover thresholds, hot/warm/cold phases, shard sizing guidance, and mapping strategies for high-cardinality fields and large text blobs.
MediumTechnical
0 practiced
Define SLOs for a logging pipeline. For example, propose an SLO that 99.9% of logs are delivered to indexing within 30 seconds. List the metrics you would instrument (ingest latency distribution, drop rate, queue length), how to measure success, what an error budget policy looks like for the logging pipeline, and remediation actions when the budget is exhausted.
MediumSystem Design
0 practiced
Design a reliable forwarding pipeline where rsyslog on each host forwards structured JSON logs to Kafka, which then feeds Elasticsearch for indexing. Include:- a short rsyslog configuration snippet using omkafka or appropriate module and JSON template- how to ensure retry/backpressure behavior when Kafka is overloaded- partitioning and keying strategy to preserve ordering per flow- how to detect and handle message lossExplain the trade-offs of using Kafka as the buffer layer.
HardTechnical
0 practiced
Design a forensic-grade log collection system that ensures chain-of-custody and tamper-evidence. Discuss: signing logs at source, append-only immutable storage (WORM / S3 Object Lock), time-stamping, audit trails for access, key management for signing, and verification procedures during incident response. Include trade-offs for scalability and cost.
HardSystem Design
0 practiced
Design a logging agent for IoT/edge devices with intermittent connectivity and only 128MB of persistent storage. Requirements:- Buffer up to 24 hours of logs locally- Compress and rotate buffers safely on power loss- Authenticate and encrypt to central collector- Gracefully handle long disconnects and resume without duplicationDiscuss storage format, backoff strategy, key management for credentials, and OTA update considerations.
Unlock Full Question Bank
Get access to hundreds of Logging and Log Analysis interview questions and detailed answers.
