...
Muddasar put your thoughts here: Adding metadata or label tags close to the log source, or by the log source itself, is a good practice. Tags can be added by a local driver for Service and Container ID/name (FQDN) as logs are received by the logging driver. As ONAP XNF containers will log to the stdout/stderr I/O streams, a host- or sidecar-based collector should be able to add tags identifying the sending source prior to moving the logs to the centralized collection location.
As part of log generation, other information elements can be added by the application. We should consider what needs to be a requirement: Event_Type (Access, Operation, Error). The Logging Enhancement project in the past listed the format and options; see the Logging Enhancements Project Proposal.
Collection
- There is currently a SECCOM proposal that specifies what type of data should be logged and where it should be logged to.
- How these logs would be collected and aggregated is specified in the ONAP NextGen presentation by Byung.
- ONAP Next Generation Security & Logging Architecture#ONAPLogging
- Old presentation slide deck (see the above link for the latest one): https://wiki.onap.org/download/attachments/103416997/ONAP-Next-Generation-Security-Logging-2021-5-25-v1.pptx?version=1&modificationDate=1621953519000&api=v2
Proposed Collection of Container Logs
[CON-LOG-REQ-13] The container MUST have security logging for the container and container application active from initialization. [Reference: R-84160]
[CON-LOG-REQ-20] The container and container application MUST use STDOUT for security log collection. [Reference: REQ-374]
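As an added example (not ONAP code), the following Python sketches the host/sidecar collector step described above: it reads lines from a container's STDOUT, classifies each into the proposed Event_Type values, and attaches source tags (service, container ID/name, FQDN) taken from the runtime rather than from the line itself. The metadata values and keyword rules are placeholders and assumptions for illustration.

```python
import json
import re
from datetime import datetime, timezone

# Constructed placeholder metadata the collector learns from the container runtime.
SOURCE_META = {
    "service": "example-xnf",
    "container_id": "0123456789ab",
    "container_name": "example-xnf-1",
    "fqdn": "xnf-host.example.internal",
}

# Assumed keyword rules for Event_Type; Error is checked before Access so that
# "login failed" is classified as an Error rather than an Access event.
EVENT_RULES = [
    ("Error", re.compile(r"\b(error|exception|denied|failed|refused)\b", re.I)),
    ("Access", re.compile(r"\b(login|logout|auth\w*|token|session)\b", re.I)),
]

def classify_event(line):
    """Return the Event_Type for one line; anything unmatched is an Operation."""
    for event_type, pattern in EVENT_RULES:
        if pattern.search(line):
            return event_type
    return "Operation"

def enrich_line(line, meta=SOURCE_META, now=None):
    """Wrap one raw stdout/stderr line in a tagged record.
    Fields the application emitted as JSON are kept, but the collector's source
    tags are applied last, so a container cannot claim another identity by
    writing "service": "other" into its own log line.
    """
    line = line.rstrip("\n")
    try:
        app_fields = json.loads(line)
    except ValueError:
        app_fields = None
    record = dict(app_fields) if isinstance(app_fields, dict) else {"message": line}
    record["Event_Type"] = classify_event(line)
    record["collected_at"] = (now or datetime.now(timezone.utc)).isoformat()
    record.update(meta)  # runtime-supplied source tags override app claims
    return record

def enrich_stream(lines, meta=SOURCE_META):
    """Tag every non-empty line read from a container's stdout/stderr stream."""
    return [json.dumps(enrich_line(l, meta)) for l in lines if l.strip()]

# Constructed sample STDOUT lines, as the collector would read them.
SAMPLE_LINES = ["user admin login from 10.0.0.5\n",
                '{"service": "other-svc", "msg": "config reloaded"}\n',
                "connection refused by upstream\n"]
```

Running `enrich_stream(SAMPLE_LINES)` yields one JSON record per line, each carrying the runtime's source tags even where the application line claimed a different service.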
Data Stewardship
What is the data life cycle within ONAP?
...
Archival data vs live data
Monitoring
- Includes Enrichment, Analysis, and Reporting.
- It is expected that this function is out of scope for ONAP. A CSP / MNO will make use of a SIEM; ONAP's role is to provide a means to export security event data. The SIEM is where analytics are stored and applied to the data that is ingested from ONAP.
- Presentation by Fabian pertaining to Analysis: ONAP Logs Security Managment1.pptx
Alerting
- Possibly to include mitigation and actions.
- If we expect ONAP to respond to security events in a closed-loop manner, then there needs to be a way for events generated by the SIEM to be ingested back into ONAP.
Response
Comments from Chakar, paraphrased (7/20/2021 SECCOM Meeting):
- We need to disambiguate "Logging" vs "Data Collection".
- Logging from ONAP and Logging from xNF are not the same.
There are two types of responses to consider.
...
Terms
This is the place where we can standardize our language.
...