1. Core responsibilities of logs
The core task of logging is to record system operations and events for subsequent audit, analysis and troubleshooting. Specifically, this includes:
- Operation records: Record user operations (such as login, data modification, file upload).
- System events: Record the operating state of the system (such as startup, shutdown, and errors).
- Security events: Record security-related events (such as login failures, permission changes).
The function of logging is to provide traceability and transparency; it does not itself filter or block malicious behaviour.
2. Things to note in logs
In order to ensure the validity and security of the log, the following things need to be paid attention to:
2.1 The integrity of log content
- Record key information: Including time, user ID, operation type, operation object, operation description, operation result, etc.
- Avoid leaking sensitive information: Never write secrets such as passwords, credit card numbers, session tokens or API keys into the log; redact them at the point where the entry is built, not afterwards.
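The following is an added example (not code from the original article) of how the two points in 2.1 fit together: an entry is built with the required fields, redacted before it is ever serialised, and rejected if a required field is missing. The field names, the sensitive-key list and the sample call are assumptions for illustration; the card-number pattern is deliberately broad.

```python
import json
import re
from datetime import datetime, timezone

# Fields every operation-log entry must carry (the list in section 2.1).
REQUIRED_FIELDS = ("time", "user_id", "action", "target", "description", "result")

# Keys whose values must never reach the log, whatever a caller passes in.
# (Assumed names for this example; extend to match your own field names.)
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "card_number", "cvv"}

# 13-19 digits, optionally separated by spaces or dashes: the shape of a payment
# card number. Deliberately broad; an over-redacted ID is cheaper than a leaked PAN.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def redact(value):
    """Recursively drop sensitive keys and scrub card-number-shaped strings."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        return PAN_RE.sub("[REDACTED-PAN]", value)
    return value


def build_entry(user_id, action, target, description, result, extra=None, now=None):
    """Assemble one structured entry and redact it before it is serialised."""
    now = now or datetime.now(timezone.utc)
    entry = {
        "time": now.isoformat(timespec="seconds"),
        "user_id": user_id,
        "action": action,
        "target": target,
        "description": description,
        "result": result,
    }
    if extra:
        entry["extra"] = extra
    entry = redact(entry)
    missing = [f for f in REQUIRED_FIELDS if entry.get(f) in (None, "")]
    if missing:
        raise ValueError(f"log entry missing required fields: {missing}")
    return entry


def to_json_line(entry):
    """One JSON object per line, keys sorted so the same event always looks the same."""
    return json.dumps(entry, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample call: the caller carelessly passes a password and a card number.
    e = build_entry("u42", "payment", "/orders/1001", "paid with card 4111 1111 1111 1111",
                    "success", extra={"password": "hunter2", "card_number": "4111111111111111"})
    print(to_json_line(e))
```

Key-based redaction catches secrets passed under a known field name; the pattern-based pass catches a card number that leaks inside free text such as a description. Both are needed, because the description is exactly where developers paste raw request data when debugging.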
2.2 Log storage and protection
- Centralized storage: Ship logs to a central store rather than leaving them scattered across individual servers; an attacker who compromises a host can otherwise erase its local traces.
- Access control: Restrict who can read, modify and delete logs (append-only or write-once storage where possible) to prevent tampering or deletion.
- Encrypted storage: Encrypt logs at rest and in transit to the collector to prevent leakage.
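Access control keeps most people out of the log store, but a practitioner also wants to detect the case where someone with access rewrites or deletes records. The following is an added example (not from the original article) of a tamper-evident log: each record carries an HMAC over its content and the previous record's tag, so the records form a chain. The key and the latest head tag are assumed to be held by the collector, not by the host that produces the log; the record layout and the demo key are assumptions for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # link value used for the first record


def _tag(key, prev_tag, entry):
    """HMAC over the previous record's tag plus this entry's canonical JSON."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + "\n" + payload).encode(), hashlib.sha256).hexdigest()


def append_entry(chain, entry, key):
    """Append `entry` (a dict) to `chain` (a list) and return the new head tag.
    The collector, not the log-producing host, holds `key` and the latest head."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    tag = _tag(key, prev_tag, entry)
    chain.append({"seq": len(chain), "entry": entry, "tag": tag})
    return tag


def verify_chain(chain, key, expected_head=None):
    """Return (True, None) if every link checks out, else (False, index).

    A modified, reordered or deleted record breaks its own link or the next
    record's link. Silent truncation of the tail is only caught when the
    verifier also knows the last head tag it was told about (`expected_head`)."""
    prev_tag = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or not hmac.compare_digest(_tag(key, prev_tag, rec["entry"]), rec["tag"]):
            return False, i
        prev_tag = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        return False, len(chain)
    return True, None


if __name__ == "__main__":
    key = b"collector-held-key"  # assumed demo key; use a random key in practice
    chain = []
    append_entry(chain, {"user": "alice", "action": "login", "result": "ok"}, key)
    append_entry(chain, {"user": "alice", "action": "delete", "target": "/data/report.csv"}, key)
    head = append_entry(chain, {"user": "alice", "action": "logout"}, key)
    print(verify_chain(chain, key, head))
    chain[1]["entry"]["action"] = "read"   # an attacker rewrites the delete as a read
    print(verify_chain(chain, key, head))
```

The chain does not stop anyone from editing the file; it makes the edit visible. The caveat worth remembering is the last one in `verify_chain`: dropping the newest records is invisible unless the verifier independently knows what the newest tag should be, which is why the collector has to record the head it last received.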
2.3 Log retention and cleaning
- Retention period: Set the retention period of logs according to regulations and business needs.
- Regular cleaning: Clean out expired logs regularly to avoid taking up too much storage space.
2.4 Log monitoring and analysis
- Real-time monitoring: Monitor logs in real time and detect abnormal behaviors in a timely manner.
- Automated analysis: Use tools (such as ELK Stack, Splunk) to analyze the logs and identify potential security threats.
3. How logs relate to filtering and security protection
Although the main responsibility of a log is recording, it is closely tied to filtering and security protection in the following ways:
3.1 Logs provide data support for filtering and security protection
- Input filtering: When user input is filtered, the filter's decision can be written to the log (for example, "SQL injection attempt detected").
- Intrusion detection: Analysing the logs reveals potential attacks (such as repeated login failures or anomalous queries).
3.2 Logs are used for post-event analysis and auditing
- Attack traceability: The source and process of attacks can be tracked through logs.
- Responsibility determination: The log can determine who performed what operations at what time.
3.3 Combining logs with real-time alerting
- Real-time monitoring: Analysing logs as they arrive allows security alerts to be raised (for example, "XSS attack attempt detected").
- Automated response: Combined with SOAR (Security Orchestration, Automation and Response) tooling, alerts can trigger automated responses (such as blocking an IP address).
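Sections 2.4, 3.1 and 3.3 all describe the same loop: read log lines, apply detection rules, raise alerts. The following is an added example (not from the original article) that runs two such rules over constructed sample lines: a rejected-input event is an attack attempt on its own, and five login failures from one source within sixty seconds is brute force. The line format, the thresholds and the sample events are assumptions; the IP addresses are from the documentation ranges.

```python
import json
from collections import defaultdict, deque

# Constructed sample log lines (one JSON object per line), not real traffic.
# Timestamps are Unix seconds; addresses come from the documentation ranges.
SAMPLE_LOG = """\
{"time": 1696161600, "event": "login", "result": "failure", "user": "alice", "ip": "203.0.113.5"}
{"time": 1696161605, "event": "login", "result": "failure", "user": "bob", "ip": "203.0.113.5"}
{"time": 1696161611, "event": "login", "result": "failure", "user": "carol", "ip": "203.0.113.5"}
{"time": 1696161620, "event": "login", "result": "failure", "user": "dave", "ip": "203.0.113.5"}
{"time": 1696161630, "event": "login", "result": "failure", "user": "erin", "ip": "203.0.113.5"}
{"time": 1696161640, "event": "login", "result": "success", "user": "alice", "ip": "198.51.100.7"}
{"time": 1696161650, "event": "input_rejected", "reason": "sql_injection", "user": "guest", "ip": "192.0.2.9"}
{"time": 1696165300, "event": "login", "result": "failure", "user": "alice", "ip": "198.51.100.7"}
"""

FAIL_THRESHOLD = 5      # failures from one IP ...
WINDOW_SECONDS = 60     # ... within this many seconds raise an alert


def detect(lines, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Single pass over time-ordered log lines; returns the alerts raised.

    Two rules: a rejected-input event is an attack attempt by itself, and
    repeated login failures from one source within a sliding window indicate
    brute force. Many distinct usernames in one burst hint at password spraying."""
    alerts = []
    recent = defaultdict(deque)  # ip -> deque of (time, user) for failures inside the window
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("event") == "input_rejected":
            alerts.append({"type": "attack_attempt", "reason": ev.get("reason"),
                           "ip": ev.get("ip"), "user": ev.get("user"), "time": ev["time"]})
        elif ev.get("event") == "login" and ev.get("result") == "failure":
            q = recent[ev["ip"]]
            q.append((ev["time"], ev.get("user")))
            while q and ev["time"] - q[0][0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append({"type": "brute_force", "ip": ev["ip"], "failures": len(q),
                               "distinct_users": len({u for _, u in q}), "time": ev["time"]})
                q.clear()  # one alert per burst, then start counting again
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

On the sample data the first rule fires once, at the fifth failure from 203.0.113.5 (five different usernames, so spraying rather than a forgotten password), and the second fires on the rejected-input line. The lone failure from 198.51.100.7 an hour later is never counted together with the earlier ones because the window has expired. The alert dicts are what a SOAR playbook would consume.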
4. Division of labor between logs and filtering
- Filter: a real-time protective control, responsible for validating and filtering user input before it enters the system.
- Log: an after-the-fact recording and analysis tool, responsible for recording system operations and events and supplying the data that security protection relies on.
For example:
- Filter: when the user input is `' OR 1=1 --`, the system rejects the request outright and returns an error message.
- Log: the system records "SQL injection attempt detected, user: guest, IP: 192.168.1.1, time: 2023-10-01 12:00:00".
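The following is an added example (not from the original article) of that division of labor in code: an allow-list filter rejects the `' OR 1=1 --` input and the log records the attempt; validated input then reaches the database only through a bound parameter. It also covers a caveat the text leaves implicit: the rejected input is attacker-controlled, so it is escaped before it is written, otherwise a payload containing a newline could forge an extra log line. The username rule, the in-memory SQLite schema and the sample users are assumptions for illustration.

```python
import json
import re
import sqlite3
from datetime import datetime, timezone

# Allow-list for the username field: the filter rejects anything else up front.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
# Heuristic used only to label the log entry; the rejection itself does not depend on it.
SQLI_HINT_RE = re.compile(r"(--|;|'|\bor\b\s+\d+\s*=\s*\d+)", re.IGNORECASE)


def sanitize_for_log(value, max_len=200):
    """Escape control characters (CR, LF, ...) and cap the length before attacker-
    controlled input is written to a log, so it cannot forge additional log lines."""
    text = str(value)[:max_len]
    return "".join(ch if ch.isprintable() else "\\x%02x" % ord(ch) for ch in text)


def log_event(sink, **fields):
    """Append one JSON line to `sink` (a list standing in for the real log stream)."""
    fields.setdefault("time", datetime.now(timezone.utc).isoformat(timespec="seconds"))
    safe = {k: sanitize_for_log(v) if isinstance(v, str) else v for k, v in fields.items()}
    sink.append(json.dumps(safe, sort_keys=True))


def make_db():
    """In-memory SQLite with two constructed users (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("guest",)])
    return conn


def handle_login(username, client_ip, conn, sink):
    """Filter first (reject and record), then query with a bound parameter."""
    if not USERNAME_RE.fullmatch(username):
        reason = "sql_injection_attempt" if SQLI_HINT_RE.search(username) else "invalid_username"
        log_event(sink, event="input_rejected", reason=reason, user=username, ip=client_ip)
        return {"ok": False, "error": "invalid username"}
    # Even if the filter were bypassed, a bound parameter is data, never SQL.
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    log_event(sink, event="login_lookup", user=username, ip=client_ip,
              result="found" if row else "not_found")
    return {"ok": row is not None, "user_id": row[0] if row else None}


def lookup_with_bound_parameter(conn, raw_name):
    """The second layer on its own: the payload is compared as a literal string."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (raw_name,)).fetchone()


if __name__ == "__main__":
    db, log = make_db(), []
    print(handle_login("' OR 1=1 --", "192.168.1.1", db, log))
    print(handle_login("guest\nFORGED: admin login success", "192.168.1.1", db, log))
    print(handle_login("alice", "192.168.1.1", db, log))
    print("\n".join(log))
```

Two things are worth noticing when running it. The filter does the rejecting and the log only records; neither would be enough alone, since a filter without a log leaves no trace for section 3's analysis and a log without a filter records a successful attack. And the second call shows why `sanitize_for_log` exists: the newline in the input comes out as `\x0a` inside a single JSON line instead of starting a new, forged one.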
5. What each kind of log should record
Category | Subcategory | Record content |
---|---|---|
User operation log | Login and authentication | Login succeeded/failed, logout, password change/reset. |
User operation log | Data operations | Create/read/update/delete (CRUD), import/export, backup/restore. |
User operation log | Permission management | Permission assignment/modification/revocation, role creation/modification/deletion, permission change history. |
User operation log | Other operations | File upload/download/delete, system configuration changes, sensitive operations (such as deleting important data). |
Security log | Login security | Consecutive login failures, abnormal login behaviour (such as login from an unusual location or IP), account lock/unlock. |
Security log | Permission changes | Permission changes that administrators and privileged users make to ordinary users. |
Security log | Security events | Attack behaviour (such as SQL injection, cross-site scripting, buffer overflow attempts via oversized input). |
Audit log | | Sensitive data access records; important configuration change records; records of audit operations on the system itself. |
Third-party service log | API calls | Third-party API request/response; call success/failure status; latency/error information. |
Third-party service log | Payments and transactions | Payment request/result; transaction status/details; refund/cancellation records. |
Third-party service log | Messages and notifications | SMS/mail/push send records; send status/error messages. |
Database log | Query log | SQL query execution records; query time/result/error information. |
Database log | Transaction log | Transaction begin/commit/rollback records; the detailed operations within each transaction. |
Database log | Data change log | Insert/update/delete records; values before and after the change (for audit). |
Custom business log | Business operations | User orders/payments/refunds. |
6. Logging best practices
- Avoid sensitive information: Do not record passwords, credit card numbers and similar secrets.
- Structured logs: Use JSON or another machine-parseable format so that logs can be searched and correlated.
- Log level control: Adjust the log level to the environment (for example, DEBUG in development, INFO or WARNING in production).
- Log sampling: Under high traffic, sample rather than record every event to keep log volume manageable; security and audit events should not be sampled.
- Record entry and exit parameters: Log a function's or request's input and output parameters (after redaction) so that problems can be located quickly.
- Branch logging: Log on the first line of each branch so that the execution path of the program can be reconstructed.