Add OpenTelemetry trace-log correlation gates#1697

Open
yanziwei wants to merge 1 commit into UnitOneAI:main from yanziwei:improve/log-analysis-otel-correlation
Conversation

@yanziwei
@yanziwei yanziwei commented Jun 8, 2026

Skill Improvement ($50-150 Bounty)

Skill

skills/secops/log-analysis/SKILL.md

Closes #1696.

What Was Wrong

log-analysis had general cross-source correlation guidance, but it did not require evidence for OpenTelemetry trace-log joins. In application/API investigations, analysts can overstate cross-service confidence when logs only have ad hoc request IDs, traces are sampled away, resource attributes disagree, or vendor log fields are not mapped to OpenTelemetry TraceId / SpanId semantics.

This is separate from telemetry integrity / ingestion-loss work: this PR focuses on observability correlation fields and trace-context evidence, not collector health.

What This PR Fixes

  • Adds Step 7.1: OpenTelemetry Trace-Log Correlation Evidence.
  • Requires evidence for log format, TraceId, SpanId, TraceFlags, vendor field mapping, resource context, instrumentation scope, sampling policy, missing-span expectation, semantic attributes, and join confidence.
  • Adds rules for ad hoc request_id / correlation_id values, SpanId without TraceId, sampled traces, resource-context mismatches, non-OTLP field mapping, and missing semantic attributes.
  • Adds an OpenTelemetry Trace-Log Correlation output table.
  • Adds a common pitfall warning against treating request IDs as distributed trace proof.
  • Adds official OpenTelemetry references for logs, log correlation, semantic conventions, and non-OTLP trace context.

Test Cases

  • Application logs include only request_id: report should treat this as local correlation only unless mapped to trace context.
  • Logs include SpanId but no TraceId: join confidence should be Low or Not Evaluable.
  • Error logs exist but traces are sampled away: missing spans should be recorded as expected sampling gaps, not proof that the event did not execute.
  • Vendor logs use traceparent or x-b3-traceid: reviewer should document the mapping before claiming OpenTelemetry correlation.

Validation

  • git diff --check
  • Confirmed the diff is scoped to skills/secops/log-analysis/SKILL.md.
  • Verified required markers are present: OpenTelemetry Trace-Log Correlation Evidence, TraceId, SpanId, TraceFlags, OpenTelemetry Trace-Log Correlation, and Assuming Request IDs Prove Trace-Log Correlation.
  • Checked Markdown code fence balance.

Bounty Tier

Moderate ($100) - adds focused evidence gates that reduce false correlation confidence for modern application observability investigations.

Bounty Info

  • I have read and agree to CONTRIBUTING.md bounty terms.
  • Preferred payment method: PayPal 1005150221@qq.com
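The evidence gates listed in the test cases above, worked through as an added Python example (not code from the skill file or the UnitOneAI project): one hypothetical `assess_trace_log_join` function that pulls trace context out of a flat log record, documents any `traceparent` / B3 mapping, and rates join confidence per the rules the PR describes. Field names, confidence labels and the optional `expected_service` check are assumptions for illustration.

```python
import re

# OTLP/W3C identifier formats: 32-hex TraceId, 16-hex SpanId, traceparent v00.
HEX32 = re.compile(r"^[0-9a-f]{32}$")
HEX16 = re.compile(r"^[0-9a-f]{16}$")
TRACEPARENT = re.compile(r"^00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$")

def assess_trace_log_join(record, expected_service=None):
    """Extract trace context from one flat log record and rate the trace-log join.
    Confidence: High, Medium, Low, Local-only, Not Evaluable; mappings/downgrades go in 'notes'."""
    ev = {"trace_id": None, "span_id": None, "sampled": None,
          "confidence": "Not Evaluable", "notes": []}
    tid, sid, flags = record.get("trace_id"), record.get("span_id"), record.get("trace_flags")
    # Vendor logs: map W3C traceparent or Zipkin B3 headers onto OTel semantics, and say so.
    tp = TRACEPARENT.match(str(record.get("traceparent", "")).lower())
    if tp and not tid:
        tid, sid, flags = tp.group(1), tp.group(2), int(tp.group(3), 16)
        ev["notes"].append("mapped W3C traceparent -> TraceId/SpanId/TraceFlags")
    elif record.get("x-b3-traceid") and not tid:
        tid = str(record["x-b3-traceid"]).lower().rjust(32, "0")  # B3 permits 64-bit ids
        sid, flags = record.get("x-b3-spanid"), {"1": 1, "0": 0}.get(str(record.get("x-b3-sampled")))
        ev["notes"].append("mapped B3 x-b3-traceid/x-b3-spanid/x-b3-sampled -> OTel trace context")
    # Ad hoc request/correlation IDs alone are local correlation, not distributed-trace proof.
    if not tid and not sid:
        if record.get("request_id") or record.get("correlation_id"):
            ev["confidence"] = "Local-only"
            ev["notes"].append("only request_id/correlation_id present; not a trace join")
        return ev
    if sid and not tid:
        ev["notes"].append("SpanId without TraceId cannot be joined to a trace")
        return ev  # stays Not Evaluable
    ev["trace_id"], ev["span_id"] = tid, sid
    if not HEX32.match(str(tid)) or (sid and not HEX16.match(str(sid))):
        ev["confidence"] = "Low"
        ev["notes"].append("TraceId/SpanId do not match OTLP hex formats")
        return ev
    # TraceFlags bit 0: an unsampled trace legitimately has no spans in the backend.
    ev["sampled"] = None if flags is None else bool(int(flags) & 1)
    svc = record.get("service.name")
    if expected_service and svc and svc != expected_service:  # resource-context mismatch
        ev["notes"].append(f"resource mismatch: service.name={svc!r}, expected {expected_service!r}")
        ev["confidence"] = "Low"
    elif ev["sampled"] is False:
        ev["notes"].append("trace not sampled: missing spans are an expected gap, not proof the event did not run")
        ev["confidence"] = "Low"
    elif ev["sampled"] and sid:
        ev["confidence"] = "High"
    else:
        ev["confidence"] = "Medium"  # ids present but sampling or SpanId unknown
    return ev
```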

Development

Successfully merging this pull request may close these issues.

[REVIEW] log-analysis: add OpenTelemetry trace-log correlation evidence gates