Beyond uptime, what should I be monitoring on my web site?

For a site that is commercial and not just a fun thing I think you should always be monitoring the basics and watching the trends which they produce. So CPU, Memory, I&#x2F;O, Non 2XX HTTP responses, server logs, nginx&#x2F;apache logs, # of sessions, traffic by hour and traffic by day. If you are running a wordpress site or similar I&#x27;d also be putting watchers on new file creation &amp; updates on the upload directory and the themes. This just helps you see if there is any activity happening you didn&#x27;t trigger or expect.<p>Any outbound calls your site makes to 3rd party services should be logged and reported on, set up triggers and alerts for non 2XX codes again. You want to know if something breaks before you have support requests coming in.<p>SSL certs have already been mentioned by watching those and setting up reminders for renewals is important, same with any plug-ins or other licenses you need to renew on a recurring basis.<p>This at least covers all the basics IMO. Obviously some of what I mentioned can be done from proper monitoring of the log files, like non 200 responses, traffic, sessions etc. Also, don&#x27;t reinvent the wheel, plenty of tools in open source that can help you do all this with just some setup and configuration.

This medium post is long, but has a lot of great insight about security.<p><a href="https:&#x2F;&#x2F;medium.com&#x2F;cloud-security&#x2F;how-network-traffic-got-me-into-cybersecurity-94796bb78c92" rel="nofollow">https:&#x2F;&#x2F;medium.com&#x2F;cloud-security&#x2F;how-network-traffic-got-me...</a><p>&quot;After I figured out how to turn off the malware, I went back to my hosting company. I didn’t bother to tell them what I discovered because at this point it seemed futile. I just asked them to deny outbound network access I didn’t need. My computer didn’t initiate outbound connections to anything. It only replied to requests it received. I only wanted to allow the most minimal traffic required for my applications to run correctly. They argued with me! They said no one checks outbound traffic. I said I didn’t care what everyone else does. I wanted to block it. I figured out how to do it myself. I had very restrictive network rules in my firewall settings that only allowed what the applications on my server required.&quot;<p>Of course you don&#x27;t want to block your web servers ability to get updates. But it is important to understand that web servers are web SERVERS. This means that they rarely initiate a new connection, they receive new connections from web browsers.

Expiry of the SSL certificate.