
# Logging and audit trail

## Goal

Learn to design **security logging** and an **audit trail**: which events to record, how to keep PII out of logs, retention, and why immutable storage matters for investigations.

## Prerequisites

- [Section 08 README](README.md).
- Understanding the difference between an application log and an infrastructure log.

## Time

~30 minutes of reading + writing a logging spec for an auth service

---

## Зачем security logs

| Use case | Need |
|----------|------|
| Incident investigation | Who did what when |
| Compliance (SOC2, ISO) | Evidence of controls |
| Threat detection | Patterns → SIEM rules |
| Post-mortem | Timeline reconstruction |

**Without logs**, incident response is guesswork.

## Типы логов

| Source | Examples |
|--------|----------|
| **Application** | login, permission denied, payment |
| **Infrastructure** | VPC flow, LB access |
| **Cloud audit** | AWS CloudTrail, GCP Audit Logs |
| **K8s audit** | kubectl apply, SA token use |
| **Identity** | SSO login, MFA failure |
| **Security tools** | WAF blocks, Falco alerts |

Centralize → [SIEM](siem-i-alerty.md).

## Audit trail properties

Good audit log entry:

| Field | Example |
|-------|---------|
| **Timestamp** | ISO8601 UTC |
| **Actor** | `user_id`, SA name, IP |
| **Action** | `order.delete` |
| **Resource** | `order_id=abc123` |
| **Outcome** | success / failure / deny |
| **Correlation ID** | trace across microservices |

Use immutable / append-only storage (WORM, S3 Object Lock) for critical audit logs, as protection against tampering.

## What to log (security events)

| Event | Why |
|-------|-----|
| Auth success/failure | Brute force, account takeover |
| Password / MFA change | Account compromise |
| Role / permission change | Privilege escalation |
| Admin actions | Insider threat |
| Access denied (authz) | Probing, misconfig |
| API key create/revoke | Credential lifecycle |
| Data export bulk | Exfiltration |
| Config change | Misconfiguration |

Map these to the [security requirements](../05-secure-sdlc/bezopasnye-trebovaniya.md).

## What NOT to log

| Never log | Why |
|-----------|-----|
| Passwords, OTP | Credential leak via logs |
| Full credit card | PCI violation |
| Session tokens / JWT full | Replay if logs compromised |
| Unredacted PII without need | GDPR |

Log **that** authentication happened, not the **secret** itself.

## Structured logging

```json
{
  "ts": "2026-06-06T12:00:00Z",
  "level": "info",
  "event": "login_failed",
  "user_id": null,
  "email_hash": "sha256:...",
  "client_ip": "203.0.113.10",
  "request_id": "req-uuid"
}
```

Structured → parseable → SIEM rules.

## Log levels vs security severity

Don't rely on `ERROR` only — security events may be `INFO` (failed login is normal volume).

Use a separate **security event type** field.

## Retention

| Tier | Retention | Storage |
|------|-----------|---------|
| Hot (SIEM) | 30–90 days | Fast search |
| Warm | 1 year | Compliance common |
| Cold archive | 7 years (regulated) | Cheap, encrypted |

Legal hold overrides deletion.

## Integrity and access

| Control | Purpose |
|---------|---------|
| RBAC on log bucket | Prevent attacker deleting traces |
| Separate account for logs | Compromise app ≠ delete audit |
| Forward in near-real-time | Before attacker stops shipping |
| Sign/hash critical streams | Non-repudiation (advanced) |
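As an added example (not code from the original page), the structured event from the "Structured logging" section built in Python: forbidden fields are dropped, email is logged only as a hash, a separate security-event field is set, and a hash-chained append-only stream illustrates the "sign/hash critical streams" control above. Field names and the `ChainedLog` class are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical field names. Never logged at all (see "What NOT to log"):
FORBIDDEN_KEYS = {"password", "otp", "card_number", "session_token", "jwt"}
HASHED_KEYS = {"email"}  # PII logged only as a hash

def hash_value(value: str) -> str:
    return "sha256:" + hashlib.sha256(value.encode()).hexdigest()

def build_event(event: str, outcome: str, request_id: str, **fields) -> dict:
    """Build one structured security event carrying the required audit fields."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z"),
        "level": "info",            # stays INFO: failed logins are normal volume
        "security_event": True,     # separate field for SIEM rules, not tied to level
        "event": event,
        "outcome": outcome,
        "request_id": request_id,   # correlation ID across services
    }
    for key, value in fields.items():
        if key in FORBIDDEN_KEYS:
            continue                # dropped entirely, not even redacted-but-present
        if key in HASHED_KEYS and value is not None:
            entry[f"{key}_hash"] = hash_value(value)
        else:
            entry[key] = value
    return entry

class ChainedLog:
    """Append-only stream where each line commits to the previous one (tamper-evident)."""
    def __init__(self) -> None:
        self.lines = []
        self.prev_hash = "0" * 64

    def append(self, entry: dict) -> str:
        line = json.dumps(dict(entry, prev_hash=self.prev_hash), sort_keys=True)
        self.prev_hash = hashlib.sha256(line.encode()).hexdigest()
        self.lines.append(line)
        return line

    def verify(self) -> bool:
        # Recompute the chain; an edited, reordered or deleted line breaks it.
        prev = "0" * 64
        for line in self.lines:
            if json.loads(line)["prev_hash"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True
```

In production the chain head (or a signature over it) would be shipped to a separate account so an attacker who deletes app logs cannot also rewrite the chain.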

## Clock sync

NTP on all nodes — skew breaks correlation.

## Common mistakes

| Mistake | Fix |
|---------|-----|
| Logs only on the pod's local disk | stdout → cluster collector → central |
| No correlation ID | Middleware injects request_id |
| Debug logs in prod | Environment-based log level |
| Sampling applied to all logs | Always log security events at 100% |

## Pipeline architecture (concept)

```
App → stdout → Fluent Bit / Promtail → Loki/Elastic → SIEM
CloudTrail ────────────────────────────────────────────┘
K8s audit ─────────────────────────────────────────────┘
```

## Checklist logging spec

- [ ] Security event catalog documented
- [ ] Structured JSON with required fields
- [ ] No secrets/PII policy enforced (SAST/log review)
- [ ] Central aggregation + RBAC
- [ ] Retention meets compliance
- [ ] Failed auth + admin actions always logged
- [ ] Test: can you trace one user action end-to-end?

---

## Self-check

1. How does an audit log differ from a debug log?
2. Why must a JWT never be logged in full?
3. What is a correlation ID for?
4. What is immutable audit storage?

## Next

[SIEM and alerts](siem-i-alerty.md)
