Query Regarding Log4j audit framework


Query Regarding Log4j audit framework

Sushil Singh
Hi


I want to use Log4j Audit for multiple applications, but I have certain requirements:

1) I want to add some function to logs such that a hash of each log message can be sent along with the log message itself.
2) Is there a way to club the same kind of logs occurring frequently in a small window of time?
3) Is there something we can use so that log API events are logged to a server also?

Please let me know how these can be achieved.

Thanks,

Sushil


Re: Query Regarding Log4j audit framework

Matt Sicker
Not sure about 1. For 2, there’s the burst filter in log4j2 which supports
that type of thing in general. As for 3, take a look at the various
appenders available like Syslog/Socket/HTTP/JDBC.

--
Matt Sicker <[hidden email]>

Re: Query Regarding Log4j audit framework

Sushil Singh
Thanks @Matt Sicker <[hidden email]> for your reply.

But 2 of my problems remain unresolved:

1) How can I add a hash of the log itself and send it with the log as a log field, so that we can verify it for tampering at a later stage?
2) How can I aggregate log events for a count along with the log itself, such that I get the log event and a count as a field in a window? So basically I want to do windowed aggregation of logs before flushing.

The burst filter was more about controlling logs rather than aggregating them.

Please let me know how it can be achieved.

Thanks

Sushil Pratap Singh

Re: Query Regarding Log4j audit framework

Matt Sicker
Ah, I see what you mean. I don’t think we have any specific plugin for
that, though they sound like reasonable feature requests. Could you file
Jira tickets for them?

--
Matt Sicker <[hidden email]>

Re: Query Regarding Log4j audit framework

Ralph Goers
Log4j Audit uses Log4j, so anything built into Log4j can be used. I can think of a couple of ways to inject a hash:
1. Add the hash to your layout. If you use the PatternLayout, you could implement a HashConverter to create it. In general, I suspect you should create a Jira issue for whichever Layout you want to use, such as JSONLayout, to have Log4j add one automatically.
2. I will be modifying the ContextDataInjector to add support for ContextDataProviders. This would allow you to create a provider that adds a hash to the ContextData.

If I understand your second item, you simply want to do batching? You would handle that in the Appender. For example, the FlumeAppender handles batching.

Ralph

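Ralph's first option, as an added example that is neither from this thread nor from Log4j itself: a PatternLayout converter plugin that emits an integrity tag for each event, usable as `%hash` in a pattern. It goes one step beyond a plain hash and computes an HMAC-SHA256 over the event's timestamp, level, logger name and formatted message, because a bare digest stored next to the log can be recomputed by anyone who edits the file, whereas recomputing the HMAC needs the key. The package name and the `LOG_HMAC_KEY` environment variable are assumptions; the package must be listed in the `packages` attribute of the Log4j configuration so the plugin is discovered.

```java
package com.example.audit; // hypothetical package; list it in the Configuration "packages" attribute so Log4j finds the plugin

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Objects;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.pattern.ConverterKeys;
import org.apache.logging.log4j.core.pattern.LogEventPatternConverter;
import org.apache.logging.log4j.core.pattern.PatternConverter;

/** Emits a keyed integrity tag for each event; referenced as %hash in a PatternLayout pattern. */
@Plugin(name = "HashConverter", category = PatternConverter.CATEGORY)
@ConverterKeys({ "hash" })
public final class HashConverter extends LogEventPatternConverter {
    // The key stays with the log writer and the verifier only, never beside the stored logs (env var name is an assumption).
    private static final byte[] KEY = Objects.requireNonNull(System.getenv("LOG_HMAC_KEY"),
            "LOG_HMAC_KEY not set").getBytes(StandardCharsets.UTF_8);

    private HashConverter() {
        super("Hash", "hash");
    }

    /** Factory that Log4j's PatternParser looks up by reflection when it meets %hash. */
    public static HashConverter newInstance(final String[] options) {
        return new HashConverter();
    }

    @Override
    public void format(final LogEvent event, final StringBuilder toAppendTo) {
        toAppendTo.append(tag(event.getTimeMillis(), event.getLevel().name(),
                event.getLoggerName(), event.getMessage().getFormattedMessage(), KEY));
    }

    /** HMAC-SHA256, hex encoded, over the fields joined by a unit separator so "a|b" cannot collide with "a" + "b".
     *  A verifier recomputes this from the stored fields and compares with MessageDigest.isEqual. */
    static String tag(long timeMillis, String level, String logger, String message, byte[] key) {
        String canonical = timeMillis + "\u001F" + level + "\u001F" + logger + "\u001F" + message;
        try {
            Mac mac = Mac.getInstance("HmacSHA256"); // Mac is not thread-safe, so one instance per call
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            StringBuilder hex = new StringBuilder();
            for (byte b : mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8))) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HMAC-SHA256 unavailable", e);
        }
    }
}
```

Write the same fields into the line (for example `pattern="%d{UNIX_MILLIS} %p %c %m %hash%n"`) so a verifier can recompute the tag from what was stored; a tag over fields that are not in the line cannot be checked later.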


Re: Query Regarding Log4j audit framework

Sushil Singh
Hi

I have created 2 Jira tickets:

https://issues.apache.org/jira/browse/LOG4J2-2797

https://issues.apache.org/jira/browse/LOG4J2-2798

Thanks

Sushil Pratap Singh