
  • There are many different types of logging formats that have been proposed and informally adopted across ONAP:
    • 2017 OpenECOMP Logging Specifications; ONAP Logging Specifications v1.1, v1.2 and v1.3. These are the ones that we know about. There may be others.
    • Many different types of logging libraries: EELF, PyLog, Log4J, logback, FLog, dropwizard-logging, log4js, logkit, clojure logging, jboss-logging, UnderscoreLog. Probably others. (See Nexus Report Here).
  • It is not the place of SECCOM to define a logging format for ONAP Projects to follow.
  • We should stay focused on proposing security-focused logging requirements and recommend that the TSC adopt them as a Best Practice and subsequently as a Global Requirement.
  • When proposing requirements, we should not be dictating implementation details, BUT we should be cognizant of existing implementations and how our proposed requirements will impact those existing implementations.
  • We should strive to reduce impact on existing implementations as much as possible.
  • 10 of 16 proposed security requirements for log fields already exist in existing logging specifications. This means that for projects that are logging and following one of these specifications, these requirements should not be a heavy lift. So my recommendation is that we just define the requirement and refer back to the existing specifications for field definitions.
  • The remaining proposed security requirements mostly deal with container identification. Projects most likely are not logging this info. For these we need to specify a format and a field description as well as the requirement. In addition, we may need to prototype something by adding something to an MDC that most loggers use.
