Posted to log4j-dev@logging.apache.org by Bryan Krol <br...@technergetics.com> on 2016/01/08 17:13:51 UTC

Questions on submitting changes to the Log4j2 code base

Hello all,

As part of some other work I have been doing, our team has decided that it
would be worth extending the Log4j2 library in such a way as to better
support logging of security events.  We also thought what we did would be
of interest to the larger Apache community, mostly because the need for
application-level security auditing is growing to help mitigate the
increase of application security incidents. In order to facilitate better
auditing practices, developers now have a need to include better security
logging practices in the development process.  Application logs provide
valuable data for:

   - Identifying security threats
   - Monitoring policy violations
   - Providing details about problems and unusual conditions
   - Contributing application-specific data for auditing which is lacking in
     other sources
   - Helping defend against vulnerability identification and exploitation
     through attack detection.

I have attached a document that more thoroughly explains what we have done
and what "problems" we were looking to solve with our changes.
I am looking for some guidance on how I should go about submitting these
changes back to the Apache Log4j 2.x team for inclusion in the code base. I
have implemented both the functionality and the appropriate JUnit code for
testing of the additions.

If anyone could respond with some information to help, I would greatly
appreciate it.

Thank you,

-- 
Bryan Krol
Software Engineer
Technergetics, LLC
bryan.krol@technergetics.com
Phone: (315) 271-2096
Fax: (886) 307-4382

Re: Questions on submitting changes to the Log4j2 code base

Posted by Ralph Goers <ra...@dslextreme.com>.
FWIW, I have plans to create a log4j-audit subproject that could be used to implement what you have described, although it will be done differently than what you have done and won’t need any extensions to Log4j 2.  I implemented a framework similar to what I have in mind at one of my former employers, and it was actually the basis for several features that are part of log4j 2.

Ralph



Re: Questions on submitting changes to the Log4j2 code base

Posted by Gary Gregory <ga...@gmail.com>.
Hello Bryan,

Thank you for sharing your documentation.

I'll get right in the meat of it:

"Problem 1: currently, many applications use the standard provided logging
levels from frameworks such as Apache Log4j to provide basic logging
functionality for their application. However, by using the standard
provided levels, there is no way to easily distinguish security related
events from the other events that are being logged for the application
(e.g., Debug, Warnings, etc.)."

This is exactly what "markers" are designed to address. Please see
https://logging.apache.org/log4j/2.x/manual/markers.html

Since you document implementing a custom "SECURITY" level, I have to say
that this feels quite wrong to me for what amounts to a cross-cutting
concern.

Log4j does have a nice facility for defining custom levels though, which I
guess you have used in this case, or did you do it a different way? But how
does SECURITY relate to other levels? Is it more or less detailed than
DEBUG for example? It just does not fit in for me. As a marker on the other
hand, it fits perfectly, and you can have more than one, and they can be
hierarchical to boot! Without extending Log4j with custom levels!

Can we talk about that first before we get deeper in with events?

Gary


-- 
E-Mail: garydgregory@gmail.com | ggregory@apache.org
Java Persistence with Hibernate, Second Edition
<http://www.manning.com/bauer3/>
JUnit in Action, Second Edition <http://www.manning.com/tahchiev/>
Spring Batch in Action <http://www.manning.com/templier/>
Blog: http://garygregory.wordpress.com
Home: http://garygregory.com/
Tweet! http://twitter.com/GaryGregory
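
[Added example, not part of the original thread and not code from the Log4j project or from Bryan's patch.] The reply above suggests markers instead of a custom SECURITY level. A sketch of that approach with the Log4j 2 API follows; the class name, the child marker names and the sample events are constructed for illustration.

```java
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.Marker;
import org.apache.logging.log4j.MarkerManager;

public final class SecurityAudit {
    // Parent marker carried by every security event, independent of its level.
    static final Marker SECURITY = MarkerManager.getMarker("SECURITY");
    // Child markers (illustrative names); each is also an instance of SECURITY.
    static final Marker AUTHN =
            MarkerManager.getMarker("SECURITY_AUTHN").setParents(SECURITY);
    static final Marker AUTHZ =
            MarkerManager.getMarker("SECURITY_AUTHZ").setParents(SECURITY);

    private static final Logger LOG = LogManager.getLogger(SecurityAudit.class);

    // Replace CR/LF in caller-supplied values so one event stays on one line
    // and a crafted user name cannot add a forged entry to the audit trail.
    static String clean(String value) {
        return value == null ? "-" : value.replaceAll("[\\r\\n]", "_");
    }

    // The level still expresses severity; the marker expresses "security".
    static void loginSucceeded(String user, String source) {
        LOG.info(AUTHN, "login succeeded user={} src={}", clean(user), clean(source));
    }

    static void loginFailed(String user, String source, int attempt) {
        LOG.warn(AUTHN, "login failed user={} src={} attempt={}",
                clean(user), clean(source), attempt);
    }

    static void accessDenied(String user, String resource) {
        LOG.error(AUTHZ, "access denied user={} resource={}",
                clean(user), clean(resource));
    }

    public static void main(String[] args) {
        // Constructed sample events.
        loginSucceeded("alice", "198.51.100.7");
        loginFailed("bob\nINFO forged line", "203.0.113.9", 3);
        accessDenied("bob", "/admin/users");
        LOG.warn("cache refresh took 4s"); // ordinary WARN, carries no marker

        // In log4j2.xml, attaching
        //   <MarkerFilter marker="SECURITY" onMatch="ACCEPT" onMismatch="DENY"/>
        // to an appender routes only marked events to it. The filter uses the
        // same hierarchy test shown here, so child markers match as well.
        System.out.println("AUTHN is SECURITY: " + AUTHN.isInstanceOf(SECURITY));
        System.out.println("AUTHZ is SECURITY: " + AUTHZ.isInstanceOf("SECURITY"));
    }
}
```

Without a configuration file Log4j 2 falls back to its default configuration, which prints only ERROR and above to the console, so only the access-denied event is shown until an appender and filter are configured.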

Re: Questions on submitting changes to the Log4j2 code base

Posted by Bryan Krol <br...@technergetics.com>.
All,

Thanks for the replies.

The short answer to why we made these changes instead of using markers, an
extended logger, etc. is that we were looking to simplify what a developer
would need to do in order to log and audit security events. I and others
have worked on a lot of projects in the past where logging wasn't done in
the development phase due to time constraints and the need to get the
functionality working in a timely manner. Going back after the fact and
adding in the logging of security events in a large code base can also be
quite expensive. So the main concept around which we made our changes was
to make it so that a developer could utilize a single function within a
commonly used logging framework and also have a standardized means for
security events to be logged in order to provide uniformity across a
system.

To sum up the process that we went through, we first explored the option of
creating our own "extension" on top of Log4j that utilized an
ExtendedLogger with a custom Security level and then a SecurityLogger class
in which we implemented the single method idea in order to simplify and
standardize the use of the security level. After this, we realized that it
would make more sense for this to be included within the log4j2 code base
as opposed to being provided as a layer on top of it. Essentially, we
utilized the code from the ExtendedLogger to modify the areas inside the
code base where other levels were defined and the functionality
implemented. We then modified our SecurityLogger class to act in a similar
manner to the EventLogger class that currently exists in the log4j code to
provide another level of uniformity and familiarity for current users.

Gary, as for your question about where the SECURITY level falls in the
hierarchy, I've had some discussions with others and have had a fairly
difficult time determining where exactly it would fit in. Currently we have
it as being more specific than FATAL.

I hope that helps explain what we have done a bit better and does not cause
more confusion.

Thanks,

Bryan


Re: Questions on submitting changes to the Log4j2 code base

Posted by Gary Gregory <ga...@gmail.com>.
Bryan,

For a more concrete and low-level answer, there are two ways you can
contribute code:

- Create a JIRA (https://issues.apache.org/jira/browse/log4j2/) and attach
your code as a diff file based on our Git master:
https://logging.apache.org/log4j/2.x/source-repository.html
- Do it the GitHub way from https://github.com/apache/logging-log4j2

Gary


Re: Questions on submitting changes to the Log4j2 code base

Posted by Robin Coe <rc...@gmail.com>.
I'm curious whether you looked at the existing capabilities in log4j2 to
inject markers or context into your event?  With a Marker, you can trace
and filter events, as you can also do with the thread context.

Cheers,
Robin.


Re: Questions on submitting changes to the Log4j2 code base

Posted by Gary Gregory <ga...@gmail.com>.
Hm yeah, for "larger" contributions, a CLA is good. I'm not sure when
larger is large enough though.

Gary


Re: Questions on submitting changes to the Log4j2 code base

Posted by Mikael Ståldal <mi...@magine.com>.
> I am looking for some guidance on how I should go about submitting these
> changes back to the Apache Log4j 2.x team for inclusion in the code base.

You would need to sign and submit an Apache CLA, see here:

http://www.apache.org/dev/new-committers-guide.html#cla


-- 
*Mikael Ståldal*
Senior software developer

*Magine TV*
mikael.staldal@magine.com
Grev Turegatan 3  | 114 46 Stockholm, Sweden  |   www.magine.com
