Logging Guidelines

These recommendations are based on the talk Middleware Security Audit Logging Guidelines by David Groep. That talk was aimed at developers of middleware, where log entries from multiple processes (possibly using different log mechanisms, such as syslog and the Java logger) on multiple machines must be examined by security officers.

I replicated part of that advice here, since it is also relevant to other programs. One thing I liked was the short guideline on which log level to use.

Where to log
Use of the syslog(3) facility must be supported. Most software libraries, such as Python logging and Java log4j, support writing to syslog, so use those.

Facility
Facility to log to:

Tips

 * use 'name=value' pairs in the log message
 * restrict the character set to visible characters, length < 1024
 * standard place for message tag, identifier, and time
 * additional time stamping if more accuracy is needed
 * linking identifiers per session/request

example: daemon:notice   jss-serv[5241]: event=NewConnection ts=2006-09-28T10:09:23.021Z remoteHost=192.16.199.115:28773 DN="/DC=org/DC=example/CN=Pietje Puk"

Python logging
My personal preference is to create an app that runs both as a daemon and from the command line. If the application is daemonized, syslog is used; if it is run from the command line, it simply writes to stderr. By default it logs warnings and higher; with one -v or --verbose it includes info, and with -vv (very verbose, or --verbose --verbose) it logs debug as well. A -q or --quiet decreases the log level so that only errors are logged.

Note that the Python logging module has no "NOTICE" log level. Nevertheless, since it can be easily reconfigured, I prefer it over the syslog module. If you really like the notice log level, add it using: logging.addLevelName(25, "NOTICE")
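The setup described above, combined with the name=value tips, as an added example (not code from the original page): the function names level_for, kv_message and configure_logging and the ident "myapp" are my own choices, and the sample values in the final call are constructed.

```python
import argparse
import logging
import sys
from logging.handlers import SysLogHandler

# Python logging has no NOTICE level; register it at 25, between INFO (20)
# and WARNING (30), so syslog-style notices can be emitted.
NOTICE = 25
logging.addLevelName(NOTICE, "NOTICE")

def level_for(verbose: int, quiet: bool) -> int:
    """Map the flags to a level: default WARNING, -v INFO, -vv DEBUG, -q ERROR."""
    return logging.ERROR if quiet else {0: logging.WARNING, 1: logging.INFO}.get(verbose, logging.DEBUG)

def kv_message(event: str, **fields) -> str:
    """Build a 'name=value' line: event first, non-printable-ASCII characters
    replaced by '?', values with spaces or quotes double-quoted, length < 1024."""
    parts = [f"event={event}"]
    for name, value in fields.items():
        text = "".join(c if 0x20 <= ord(c) < 0x7F else "?" for c in str(value))
        if " " in text or '"' in text:
            text = '"' + text.replace('"', '\\"') + '"'
        parts.append(f"{name}={text}")
    return " ".join(parts)[:1023]

def configure_logging(daemon: bool, verbose: int = 0, quiet: bool = False,
                      ident: str = "myapp") -> logging.Logger:
    """Daemon: syslog(3) via SysLogHandler, facility daemon, 'ident[pid]: ' tag.
    Foreground: stderr with a timestamp. Returns the configured root logger."""
    if daemon:
        handler = SysLogHandler(address="/dev/log", facility=SysLogHandler.LOG_DAEMON)
        handler.setFormatter(logging.Formatter(f"{ident}[%(process)d]: %(message)s"))
    else:
        handler = logging.StreamHandler(sys.stderr)
        handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    root = logging.getLogger()
    root.handlers[:] = [handler]  # replace any handlers left from earlier setup
    root.setLevel(level_for(verbose, quiet))
    return root

if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("-v", "--verbose", action="count", default=0)
    ap.add_argument("-q", "--quiet", action="store_true")
    ap.add_argument("--daemon", action="store_true")
    a = ap.parse_args()
    configure_logging(a.daemon, a.verbose, a.quiet).log(NOTICE, kv_message(
        "NewConnection", ts="2006-09-28T10:09:23.021Z", DN="/CN=Pietje Puk"))
```

Run it with -vv to see the NOTICE line on stderr; with --daemon the same line goes to syslog under the daemon facility, tagged ident[pid] as in the example above.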