Logging Guidelines

This article is unfinished.

These recommendations are based on the talk Middleware Security Audit Logging Guidelines by David Groep. That talk was aimed at developers of middleware, where log entries from multiple processes (potentially using different log mechanisms, such as syslog and the Java logger) on multiple machines must be examined by security officers.


I replicated part of that advice here, since it is also relevant to other programs. One thing I liked was the short guideline on which log level to use.

Where to log

Use of the syslog(3) facility must be supported. Most logging libraries, like Python logging and Java log4j, support writing to syslog, so use those rather than a home-grown log file format.

Facility

Facility to log to:

AUTHPRIV   messages that could contain re-usable private data
DAEMON     all others
LOG4       optional for middleware software

Level

Level    Action                                            What to log?
ERROR    terminal errors
WARN     failed service access                             source IP / subject name if available
         denied service access                             action, rept. source IP address*
NOTICE   start, termination, reconfig                      configuration used
         service access attempt                            source IP / socket owner, subject
         allowed service access                            action, local IDs if any
         action completion                                 session identifier
INFO     service access                                    list of all names and attributes
         external requests that modify persistent state    action and operands
         important internal actions
DEBUG    all other information                             will not usually be retained
         external requests that do not modify the
           persistent state and complete successfully
         other internal actions

Tips

  • use ‘name=value’ pairs in the log message
  • restrict the character set to visible characters, length < 1024
  • standard place for message tag, identifier, and time
  • additional time stamping if more accuracy is needed
  • linking identifiers per session/request

example:

daemon:notice    jss-serv[5241]: event=NewConnection ts=2006-09-28T10:09:23.021Z
   remoteHost=192.16.199.115:28773  DN="/DC=org/DC=example/CN=Pietje Puk"

Python logging

My personal preference is to create an app that runs both as a daemon and from the command line. If the application is daemonized, syslog is used; if it is run from the command line, it simply writes to stderr. By default it logs warnings and higher; with one -v or --verbose it includes info; with -vv (very verbose, or --verbose --verbose) it logs debug as well. A -q or --quiet decreases the log level so that only errors are logged.

Note that the Python logging module has no "NOTICE" log level. Nevertheless, since it can be easily reconfigured, I prefer it over the syslog module. If you really like the notice log level, add it using:

import logging

# 25 sits between INFO (20) and WARNING (30); afterwards
# logger.log(25, "...") is rendered with the level name "NOTICE"
logging.addLevelName(25, "NOTICE")
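The following is an added example (not code from the original article) that puts the Tips section and the Python logging setup above into one runnable module: a NOTICE level, a name=value message builder that restricts the character set and caps the length at 1024, a -v/-vv/-q to level mapping, and a logger that goes to syslog when daemonized and to stderr otherwise. The function and parameter names (sanitize, format_kv, level_from_flags, build_logger, syslog_address) are my own choices, and the sample events are constructed from the log line shown above.

```python
import logging
import logging.handlers
import sys

# Python logging has no NOTICE level; register one between INFO (20) and WARNING (30).
NOTICE = 25
logging.addLevelName(NOTICE, "NOTICE")

MAX_MESSAGE_LEN = 1024  # guideline: restrict message length to < 1024


def sanitize(value: str) -> str:
    """Keep only printable ASCII (space through '~'); replace anything else with '?'.

    Newlines and terminal escape characters are replaced so that untrusted input
    (a client-supplied DN, for example) cannot forge an extra log line or emit an
    escape sequence when the log is viewed in a terminal.
    """
    return "".join(c if 0x20 <= ord(c) <= 0x7E else "?" for c in value)


def format_kv(event: str, **fields) -> str:
    """Build a 'name=value' message; values containing spaces are double-quoted."""
    parts = [f"event={sanitize(event)}"]
    for name, value in fields.items():
        text = sanitize(str(value)).replace('"', "'")
        if " " in text or text == "":
            text = f'"{text}"'
        parts.append(f"{name}={text}")
    msg = " ".join(parts)
    if len(msg) >= MAX_MESSAGE_LEN:
        msg = msg[: MAX_MESSAGE_LEN - 4] + "..."
    return msg


def level_from_flags(verbose: int = 0, quiet: bool = False) -> int:
    """Map command-line flags to a level: default WARNING, -v INFO, -vv DEBUG, -q ERROR."""
    if quiet:
        return logging.ERROR
    if verbose >= 2:
        return logging.DEBUG
    if verbose == 1:
        return logging.INFO
    return logging.WARNING


def build_logger(name: str, daemon: bool, verbose: int = 0, quiet: bool = False,
                 syslog_address="/dev/log") -> logging.Logger:
    """Daemon mode logs to syslog (DAEMON facility); command-line mode logs to stderr."""
    logger = logging.getLogger(name)
    logger.handlers.clear()  # idempotent: rebuilding must not duplicate handlers
    logger.setLevel(level_from_flags(verbose, quiet))
    if daemon:
        # syslog_address is an assumed default; use LOG_AUTHPRIV for messages with private data
        handler = logging.handlers.SysLogHandler(
            address=syslog_address,
            facility=logging.handlers.SysLogHandler.LOG_DAEMON)
        # syslog prepends its own timestamp and host, so only add tag[pid] and level
        fmt = "%(name)s[%(process)d]: level=%(levelname)s %(message)s"
    else:
        handler = logging.StreamHandler(sys.stderr)
        fmt = "%(asctime)s %(name)s[%(process)d]: level=%(levelname)s %(message)s"
    handler.setFormatter(logging.Formatter(fmt, datefmt="%Y-%m-%dT%H:%M:%S"))
    logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    # Constructed sample events, modelled on the example log line in the article.
    log = build_logger("jss-serv", daemon=False, verbose=1)
    log.log(NOTICE, format_kv("NewConnection", remoteHost="192.16.199.115:28773",
                              DN="/DC=org/DC=example/CN=Pietje Puk"))
    # The embedded newline is neutralised instead of producing a second, forged line.
    log.info(format_kv("Request", action="read", operand="item\n42"))
```

Run it directly to see the stderr output; pass daemon=True on a host with a /dev/log socket to send the same messages to syslog under the DAEMON facility instead.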

Syslog-NG

This article is unfinished.