Logging and monitoring
Configuring loggers is security-sensitive. Logs are also a target for attackers because they might contain sensitive information. Logger configuration determines which information is logged and how it is logged. In case of a successful attack, logs should contain enough information to understand what damage an attacker may have inflicted.
Services
Logging
- Log entries are written in JSON format, one entry per line, according to the structure defined by IAS.
- Logs are written to stdout of the containers.
- Filebeat collects these log entries, parses them, and forwards them to Elasticsearch.
- No further integration with Elasticsearch is provided in the current implementation.
Monitoring
There are probes for liveness and readiness checks that are polled periodically by the Kubernetes environment.
- Liveness probe: GET /health/live
  - If the response is OK 200 with content indicating a healthy state, then the container is alive.
  - The liveness probe checks whether the container is started and in a running state.
  - If the liveness check fails, the container will be restarted.
- Readiness probe: GET /health/startup
  - If the response is OK 200 with content indicating a healthy state, then the container is ready.
  - The readiness probe checks whether the container is actually ready to serve traffic.
  - If the readiness check fails, the container will not serve traffic.
Desktop client
The Desktop Client uses Microsoft.Extensions.Logging (https://learn.microsoft.com/en-us/dotnet/core/extensions/logging?tabs=command-line) together with the NLog extensions (https://nlog-project.org/) to log messages. The configuration is done in LoggingConfig.json in the ~/Config-Directory.

"Logging": {
  "LogLevel": {
    "Default": "Information",
    "Microsoft": "Warning",
    "Microsoft.Hosting.Lifetime": "Information"
  }
}

Logging configuration is commonly provided by the Logging section, as in the preceding JSON. The Logging property can have LogLevel and log provider properties. LogLevel specifies the minimum level to log for selected categories. In the preceding JSON, the Information and Warning log levels are specified. LogLevel indicates the severity of the log and ranges from 0 to 6: Trace = 0, Debug = 1, Information = 2, Warning = 3, Error = 4, Critical = 5, and None = 6.
For more information on configuration, please refer to the Microsoft.Extensions.Logging documentation: https://learn.microsoft.com/en-us/dotnet/core/extensions/logging?tabs=command-line#configure-logging.
NLog.Extensions.Logging makes it possible to use NLog together with the Microsoft ILogger abstraction and dependency injection.

"NLog": {
  "autoReload": true,
  "throwConfigExceptions": true,
  "variables": {
    "layout": "${longdate}|${level}|${logger}|${event-properties:EventId:whenEmpty=0}|${message}|${all-event-properties}${exception:format=tostring}"
  },
  "extensions": [
    {"assembly": "NLog.WindowsEventLog"}
  ],
  "targets": {
    "async": true,
    "eventlog": {
      "type": "EventLog",
      "log": "ReworkControl",
      "eventId": "${event-properties:EventId:whenEmpty=0}",
      "layout": "${message}${newline}${newline}${all-event-properties}${newline}${newline}${exception:format=tostring}",
      "source": "${logger}",
      "onOverflow": "Truncate"
    },
    "console": {
      "type": "Console",
      "layout": "${var:layout}"
    },
    "file": {
      "type": "File",
      "encoding": "utf-8",
      "layout": "${var:layout}",
      "fileName": "${specialfolder:folder=UserProfile}/Logs/ReworkControl.log",
      "archiveFileName": "${var:LOG_PATH}/${date:format=yyyy-MM}/log.{#}.txt",
      "archiveEvery": "Day",
      "archiveNumbering": "Date",
      "archiveAboveSize": 5000000,
      "archiveDateFormat": "yyyy-MM-dd",
      "maxArchiveDays": 90,
      "openFileCacheTimeout": 30
    }
  },
  "rules": [
    {
      "logger": "*",
      "minLevel": "Debug",
      "writeTo": "eventlog,file,console",
      "enabled": true
    }
  ]
}

- 3 targets are preconfigured: eventlog, console and file.
- The file target stores ASCII log files under the user's home directory, e.g. C:\Users\%USERNAME%. A new log file is created when a log file reaches the size of 5MB. Files are archived for a maximum of 90 days.
- The eventlog target uses the Windows EventLog named "ReworkControl" as log target. If a log message reaches the max size of 1kb, the message is truncated. The Windows EventLog only works if the application is run with administrative privileges or if the Log and the required EventSources already exist.
- console is the default logger; it logs events to the application's stdout.
The preceding JSON shows a sample configuration for the NLog extension. The individual parameters are described in the NLog documentation. The important part here is the rules section, which specifies which of the defined targets are to be used. The enabled parameter switches logging on or off globally.
For more information on configuration, please refer to the NLog documentation: https://github.com/NLog/NLog.Extensions.Logging.
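
Because the rules and layouts decide what ends up in the log, the NLog section is worth checking automatically whenever LoggingConfig.json changes. The following Python script is an added example, not part of the project described here; the function name audit_nlog, the trimmed sample configuration and the choice of what counts as a finding are assumptions of this example.

```python
import json

# Constructed sample: a trimmed copy of the NLog section shown above.
SAMPLE = r'''
{
  "NLog": {
    "variables": {"layout": "${longdate}|${level}|${message}|${all-event-properties}"},
    "targets": {
      "async": true,
      "console": {"type": "Console", "layout": "${var:layout}"},
      "file": {"type": "File", "layout": "${var:layout}", "maxArchiveDays": 90}
    },
    "rules": [{"logger": "*", "minLevel": "Debug", "writeTo": "file,console", "enabled": true}]
  }
}
'''

# Review policy assumed by this example, not taken from the project.
VERBOSE = {"trace", "debug"}  # NLog levels below Info

def audit_nlog(config):
    """Return review findings for the NLog section of a parsed LoggingConfig.json."""
    nlog = config.get("NLog", {})
    variables = nlog.get("variables", {})
    # "targets" also carries plain options such as "async"; keep only target objects.
    targets = {k: v for k, v in nlog.get("targets", {}).items() if isinstance(v, dict)}
    findings = []
    for name, target in targets.items():
        layout = target.get("layout", "")
        for var, value in variables.items():  # expand ${var:...} references
            layout = layout.replace("${var:%s}" % var, value)
        if "${all-event-properties}" in layout:
            findings.append(f"target '{name}': layout writes every event property")
        if target.get("type") == "File" and "maxArchiveDays" not in target:
            findings.append(f"target '{name}': no archive retention limit")
    for rule in nlog.get("rules", []):
        logger = rule.get("logger")
        dests = [d.strip() for d in rule.get("writeTo", "").split(",") if d.strip()]
        if not rule.get("enabled", True):
            findings.append(f"rule '{logger}': disabled, nothing is logged")
        elif rule.get("minLevel", "").lower() in VERBOSE:
            findings.append(f"rule '{logger}': {rule['minLevel']} level goes to {dests}")
        findings += [f"rule '{logger}': unknown target '{d}'"
                     for d in dests if d not in targets]
    return findings

if __name__ == "__main__":
    for finding in audit_nlog(json.loads(SAMPLE)):
        print(finding)
```

Each finding is a prompt for review rather than an error: Debug output and ${all-event-properties} may be intended on a developer machine but deserve a decision before deployment.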