...
Matrix representation of the three categories of log management (generation, monitoring, alerting) and the two categories of run-time logs (logs of ONAP events, logs of events from services orchestrated by ONAP).
| ONAP | ONAP | Service | Service | |
| Application | Infrastructure | Application | Infrastructure | |
|---|---|---|---|---|
| generation | ||||
| collection | ||||
| monitoring | ||||
| alerting | ||||
| response |
Phase 1 will focus on logs of ONAP events.
...
- Generation
- Within ONAP both containers and infrastructure generate raw data that have security concerns.
- Containers (xNFs)
- There currently is a SECCOM proposal that specifies what type of data should be logged where it should be logged to. [REQ-374] ONAP shall use STDOUT for logs collection - ONAP JIRA
- That is documented here: https://wiki.onap.org/download/attachments/100895473/2021-02-22_LoggingRequirementEvents_v9.pptx?version=1&modificationDate=1619018452000&api=v2
- Infrastructure (Docker and K8S)
- There are a set of logs that both Docker and K8S generate that relate to security monitoring.
- That is documented here: https://wiki.onap.org/download/attachments/103419713/Logging%20-%20ATTACK%20to%20SECCOM_v3.pptx?version=1&modificationDate=1622560207000&api=v2
- Containers (xNFs)
- Within ONAP both containers and infrastructure generate raw data that have security concerns.
- Collection
- There currently is a SECCOM proposal that specifies what type of data should be logged where it should be logged to.
- How these logs would be collected and aggregated is specified by the ONAP NextGen Presentation by Byung.
- ONAP Next Generation Security & Logging Architecture#ONAPLogging
- old presentation slide deck (see the above link for the latest on) https://wiki.onap.org/download/attachments/103416997/ONAP-Next-Generation-Security-Logging-2021-5-25-v1.pptx?version=1&modificationDate=1621953519000&api=v2
- Monitoring
- Includes Enrichment, Analysis, and Reporting.
- It is expected that this function out of scope for ONAP. A CSP / MNO will make used of a SIEM. ONAP's role is to provide a means to export security event data. This is where analytics are stored and applied to the data the is ingested from ONAP.
- Presentation by Fabian pertaining to Analysis: ONAP Logs Security Managment1.pptx
- Alerting
- Possibly to include mitigation and actions.
- If we expect ONAP to respond to security events in a closed loop manner, then there needs to be a way for events generated by the SIEM to be ingested back into ONAP.
- Response
Comments from Chakar, paraphrased, (7/20/2021 SECCOM Meeting)
...