Configure XWiki Logging

Is there any documentation about the details of a given logger,
e.g. org.xwiki.notifications.filters.internal.UserAddedEventListener?

  • How is the logger configured?
  • What is it logging at each Log-Level?

You might want to look at https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Logging#HConfiguringLogging. By default, all loggers are configured in logback.xml, and you can see in the Log administration what the level of each logger is.

I think in most cases you will have to look at the class to know this (each logger is a class or a package which contains classes). And in this specific case, the answer is that it only has one error log, so not much to configure.

Thank you for your response, but the AdminGuide wasn’t what I was looking for.

Let’s use ISO/IEC 27002 as an example of a set of requirements for logging. ISO/IEC 27002 states as guidance for A.8.15. Logging:

The following events should be considered for logging:
a) successful and rejected system access attempts;
b) successful and rejected data and other resource access attempts;
c) changes to system configuration;
d) use of privileges;
e) use of utility programs and applications;
f) files accessed and the type of access, including deletion of important data files;
g) alarms raised by the access control system;
h) activation and de-activation of security systems, such as anti-virus systems and intrusion detection systems;
i) creation, modification or deletion of identities;
j) transactions executed by users in applications. In some cases, the applications are a service or product provided or run by a third party.

In the log administration, there are about 2500 loggers, each with five log levels. However, it’s unclear what a specific logger actually logs when it’s configured. This can’t be a trial-and-error process to find out what to configure to be compliant with the ISO/IEC 27002 requirements, can it?

The same problem occurs with any other list of requirements, whether contractual or regulatory.


There is no central exhaustive documentation of all the logs that exist right now (and there probably never will be), if that’s what you are asking.

That being said, it’s extremely rare to have the need to know what a logger is about. It’s usually the other way around: some feature documentation mentioning some debug log you can enable on some logger to get more information about what happens (a typical example of that is https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Authenticator/#HEnableDEBUGlog).

As I said, pretty much all loggers (except for a couple of them, I think) are classes, so you can also generally find what they log by looking at the code. But of course, it implies that you understand Java code a little bit.

Monitoring XWiki from a security perspective is not straightforward :wink:

At least there should be some kind of compliance or mapping to the events provided in the OWASP Logging Vocabulary Cheat Sheet (Logging Vocabulary - OWASP Cheat Sheet Series). This is the list of events I would be interested in.

I do not agree :wink:
From a security perspective (and, of course, privacy perspective), this is the usual and only need to know, isn’t it?


I set up a draft documentation page:
Application Security Logging

It is set up as a compliance mapping to the OWASP Logging Vocabulary Cheat Sheet (Logging Vocabulary - OWASP Cheat Sheet Series).

It includes a <logger name="xxx" level="xxx"/> code snippet for each logger configuration that needs to be set in the logback.xml file to comply with the OWASP recommendations.

What could be nice in the future is to have a lot more events: for authentication (with a status code: success, fail, etc.), logging out, access to resources, etc.

This would allow extensions or custom code to register to these events and do what they want: log, send an alert to an external system, etc.
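
Added example, not part of the thread and not XWiki project code: a logger without an explicit level in logback.xml inherits from its nearest configured ancestor, so checking the <logger name="xxx" level="xxx"/> entries against a required list means resolving each effective level first. The sample configuration and the required list used with it are constructed; only the UserAddedEventListener name comes from the thread, and com.example.audit is hypothetical.

```python
import xml.etree.ElementTree as ET

# Logback levels from most to least verbose; OFF suppresses everything.
LEVELS = ["TRACE", "DEBUG", "INFO", "WARN", "ERROR", "OFF"]

# Constructed logback.xml fragment. Only the UserAddedEventListener logger name
# comes from the thread; the other entries and all levels are made up.
SAMPLE_LOGBACK = """
<configuration>
  <logger name="org.xwiki.notifications" level="warn"/>
  <logger name="org.xwiki.notifications.filters.internal.UserAddedEventListener" level="INHERITED"/>
  <logger name="com.example.audit" level="off"/>
  <root level="info"/>
</configuration>
"""

def load_levels(xml_text):
    """Return ({logger name: explicit level}, root level) from a logback.xml string."""
    root = ET.fromstring(xml_text)
    explicit = {}
    for el in root.iter("logger"):
        level = (el.get("level") or "").upper()
        # INHERITED / NULL (or no level attribute) means "use the parent's level".
        if level in LEVELS:
            explicit[el.get("name")] = level
    root_el = root.find("root")
    # Logback's root logger defaults to DEBUG when no level is given.
    root_level = (root_el.get("level") if root_el is not None else None) or "DEBUG"
    return explicit, root_level.upper()

def effective_level(name, explicit, root_level):
    """Walk up the dot-separated hierarchy to the nearest logger with an explicit level."""
    while name:
        if name in explicit:
            return explicit[name]
        name = name.rpartition(".")[0]
    return root_level

def captures(name, wanted, explicit, root_level):
    """True if messages logged at `wanted` on logger `name` are not filtered out."""
    return LEVELS.index(effective_level(name, explicit, root_level)) <= LEVELS.index(wanted)

def audit(xml_text, required):
    """required: {logger name: message level that must be captured}. Returns the gaps."""
    explicit, root_level = load_levels(xml_text)
    return {name: effective_level(name, explicit, root_level)
            for name, wanted in required.items()
            if not captures(name, wanted, explicit, root_level)}
```

audit() returns each required logger whose effective level would drop the wanted messages, together with that effective level, which turns a compliance mapping into something that can be checked on every configuration change.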