The OWASP Security Logging project provides developers and ops personnel with functionality for logging security-related events. The aim is to let developers use the same set of logging APIs they are already familiar with from over a decade of experience with Log4J and its successors, while also adding powerful security features.
The API is completely code compatible with existing Log4J/SLF4J/Logback logging statements. All of the existing logging statements in your code will continue to work:
Developers can also tag security-related log events using a standard set of markers:
log.info(SecurityMarkers.SECURITY_FAILURE, "Access control check just failed"); log.info(SecurityMarkers.SECURITY_AUDIT, "This must be saved in the audit log as well as the application log"); log.info(SecurityMarkers.SECRET, "This needs to be encrypted before it gets logged"); //etc
In addition the OWASP Security Logging API offers features that can be implemented in configuration like:
- MarkerFilters to decide which logs get written to based on their Markers
- J2EE Filters that automatically add the (hashed) session ID, username, remote IP, etc
- Layouts like CEF to enable output to logging formats used by other systems
All of these are implementable in an application's configuration so no code at all needs to be touched to get those benefits.