Logging Guidelines
Recommendations based on the Middleware Security Audit Logging Guidelines by David Groep. That talk was aimed at developers of middleware, where log entries of multiple processes (possibly using different log mechanisms, such as syslog and the Java logger) on multiple machines must be examined by security officers.
I replicated part of that advice here, since it is also relevant to other programs. One thing I liked was the short guideline on which log level to use.
Where to log
Use of the syslog(3) facility must be supported. Most software libraries like Python logging and Java log4j support writing to syslog, so use those.
Facility
Facility to log to:

Facility | Messages
---|---
AUTHPRIV | messages that could contain re-usable private data
DAEMON | others
LOG4 | optional for Middleware software
Level
Level | Action | What to log?
---|---|---
ERROR | Terminal errors |
WARN | failed service access | source IP/subject name if available
 | denied service access | action, rept. source IP address*
NOTICE | Start, termination, reconfig | configuration used
 | service access attempt | source IP/socket owner, subject
 | allowed service access | action, local IDs if any
 | action completion | session identifier
INFO | service access | list of all names and attributes
 | external requests that modify persistent state | action and operands
 | important internal actions |
DEBUG | all other information | will not usually be retained
 | external requests that do not modify the persistent state and complete successfully |
 | other internal actions |
Tips
- use ‘name=value’ pairs in the log message
- restrict the character set to visible characters, length < 1024
- standard place for message tag, identifier, and time
- additional time stamping if more accuracy is needed
- linking identifiers per session/request
example:
daemon:notice jss-serv[5241]: event=NewConnection ts=2006-09-28T10:09:23.021Z remoteHost=192.16.199.115:28773 DN="/DC=org/DC=example/CN=Pietje Puk"
Python logging
My personal preference is to create an app that runs both as a daemon and from the command line. If the application is daemonized, syslog is used; if it is run from the command line, it simply writes to stderr. By default it writes warnings and higher; with one -v or --verbose it includes info, and with -vv (very verbose, or --verbose --verbose) it logs debug as well. A -q or --quiet decreases the log level so that only errors are logged.
Note that the python logging module has no "NOTICE" loglevel. Nevertheless, since it can be easily reconfigured, I prefer it over the syslog module. If you really like the notice loglevel, add it using:
logging.addLevelName(25, "NOTICE")
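As an added example (not code from this page or from David Groep's talk), a Python setup along the lines described above: syslog with the DAEMON facility when daemonized, stderr otherwise, -q/-v/-vv mapped onto levels, NOTICE added at 25, and messages rendered as name=value pairs restricted to printable characters and 1024 bytes. The daemon name jss-serv and the helper names are assumptions.

```python
import logging
import logging.handlers
import sys

# Hypothetical helper code, not the page author's: NOTICE sits between
# INFO (20) and WARNING (30), matching the syslog severity order.
NOTICE = 25
logging.addLevelName(NOTICE, "NOTICE")


def level_for(verbose: int, quiet: bool) -> int:
    """Map -q / (none) / -v / -vv to ERROR / WARNING / INFO / DEBUG."""
    if quiet:
        return logging.ERROR
    return {0: logging.WARNING, 1: logging.INFO}.get(verbose, logging.DEBUG)


def kv_line(event: str, **fields) -> str:
    """Render a message as name=value pairs. Non-printable characters are
    replaced and values with spaces or quotes are quoted, so a log consumer
    can split the line reliably; the result is capped at 1024 characters."""
    parts = [f"event={event}"]
    for name, value in fields.items():
        text = "".join(ch if ch.isprintable() else "?" for ch in str(value))
        if " " in text or '"' in text:
            text = '"' + text.replace('"', '\\"') + '"'
        parts.append(f"{name}={text}")
    return " ".join(parts)[:1024]


def configure(name: str, daemon: bool, verbose: int = 0,
              quiet: bool = False) -> logging.Logger:
    """Daemon: syslog facility DAEMON (use AUTHPRIV for messages carrying
    re-usable private data). Command line: stderr with a timestamp."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.setLevel(level_for(verbose, quiet))
    if daemon:  # requires a local /dev/log socket
        handler = logging.handlers.SysLogHandler(
            address="/dev/log",
            facility=logging.handlers.SysLogHandler.LOG_DAEMON)
        handler.setFormatter(logging.Formatter("%(name)s[%(process)d]: %(message)s"))
    else:
        handler = logging.StreamHandler(sys.stderr)
        handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    return logger


if __name__ == "__main__":
    log = configure("jss-serv", daemon=False, verbose=2)
    log.log(NOTICE, kv_line("NewConnection", remoteHost="192.16.199.115:28773",
                            DN="/DC=org/DC=example/CN=Pietje Puk"))
```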