Standardized Security Logging Fields - V1
- Robert Heinemann
Issue / No Issue | Field Name | Description | EELF Field | Log Spec Field | Reference |
|---|---|---|---|---|---|
Best Practice Proposal for Jakarta: Existing Fields Recommended | |||||
Timestamp | The container and container application MUST log the field “date/time” in the security audit logs. The value should be represented in UTC and formatted per ISO 8601, such as “2015-06-03T13:21:58+00:00”. The time should be shown with the maximum resolution available to the logging component (e.g., milliseconds, microseconds) by including the appropriate number of decimal digits. For example, when millisecond precision is available, the date-time value would be presented as, as “2015-06-03T13:21:58.340+00:00”. | BeginTimestamp Timestamp | LogTimeStamp | ||
Log Type Name | The container and container application MUST log the field "Log type" in security audit logs. This field will adhere to the following ENUM ::= "AUDIT" | "METRICS" | "ERROR" | "DEBUG" | "SECURITY" This is here for legacy purposes. Older projects used to generate 4 separate log files. *This is a proposed field that came out from discussion with 2 PTLs on 9/17/2021. This is meant to be a filter to distinguish from other types of logs that other projects are currently generating. 2/4/22 Proposed Changes
| N/A | p_marker | (4) | |
Log Level | The container and container application MUST use an appropriately configured logging level that can be changed dynamically. The intention of this field is to not cause performance degradation via excessive logging. This field will adhere to the following ENUM ::= "FATAL" | "ERROR" | "WARN" | "INFO" | "DEBUG" | "TRACE" The verbosity of the logging increases from left to right. PROPOSED CHANGED **Add that this adheres to SYSLOG RFC. | Category Log Level | Level | (4) | |
Transaction ID | The container and container application MUST log Transaction ID A transaction ID is a universally unique value that identifies a single transaction request within the ONAP platform. Its value is conformant to RFC4122 UUID. This value is readily and easily obtained in most programming environments. Proposed Changes The name of the field can lead to confusion as the term transaction may have different meanings. Provide more explanation. Trace ID may be a better term. Use the term that is in the referenced RFC. | Request ID | Transaction ID | (4) | |
Status Code | The container and container application MUST log a "status code" in the security audit logs. This field indicates the high level status for transactional or sub operational events. This field will adhere to the following ENUM ::= "COMPLETE" | "ERROR" | "INPROGRESS"
Proposed Changes
| Status Code | Status Code | (4) | |
Severity | The container and container application MUST log the severity level of a processing event. This is to be used for error reporting in internal processing in conjunction with the status code field. This field will adhere to the following ENUM ::= "NONE" | "WARN" | "ERROR" | "FATAL" Proposed Changes 2/11/2022 - CONTINUE HERE. Unfinished discussion on this field. Group has agreed to remove severity because we are encoding this information with an expanded enum in Status Code. | Severity | Severity | (4) | |
Principal ID | The container and container application MUST log the Principal identity of a requestor in the security audit logs. This field should contain the identification of the entity (user agent, client id, user, user id, login ID, non-person entity (NPE), Token, etc.) that made the request of the service or API indicated in the Service/Program Name field. For a serving API that is authenticating the request, this should be the authenticated username or equivalent. NOTE: For CPS, they are using a framework that provides this field. | N/A | User | R-89474 | |
Service / Program Name | The container and container application MUST log the field “service or program used for access” in the security audit logs. This intention is to capture the service name endpoint or an externally advertised API invoked, e.g., where are you connecting to. This is represented as a URI or URL. NOTE: For CPS, they are using a framework that provides this field. | ServiceName | ServiceName | (4) | |
Log Message | The free text payload of a log event. | detailMessage | p_message | ||
Develop POC and propose as a Best Practice for K Release: New Fields Recommendations | |||||
Container Image Name / Tag | The container and container application MUST log the Container Image Name/Tag. The image name/tag is as returned by the docker images command. NOTE: Images are not required to have tags | N/A | N/A | ||
Container Image Digest | The container and container application MUST log the container image digest. The digest is a cryptographic digest as returned by the docker images --digests command. | N/A | N/A | ||
Container ID | The container and container application MUST log the container ID. The container ID is the same that is returned by the docker ps -q command. NOTE: The container ID is unique for life time of the the container instance. Once the container is killed, this ID goes away. | N/A | N/A | ||
Role / Attribute ID | The container and container application MUST log the Role or Attribute ID of the Principal identity of the entity accessing the requested service or API. Note: The group ID is in reference to a Role or Attribute as part of a RBAC or ABAC scheme. | N/A | N/A | ||
Protocol | The container and container application MUST log the field “protocol” in the security audit logs. This refers to the communication mechanism for a request. The value of this field should be representative of the OSI application layer protocol. This is represented as a decimal formatted TCP/IP port number. | N/A | N/A | ||