API/Web Access Logs Requirements

[JasonCTang]

Describe the task Changes to logging to satisfy security audit requirements

Acceptance Criteria

• [ ] Stop logging health check log entries in the API logs (see additional context).
• [ ] Write the IP Address and GUID (same saved to the sims.users.user_name) of the user associated with any API call log entries.
  • [ ] Current IP address can be found in header http_x_forwarded_for. Similar log was also done for #18.
  • [ ] Review with the team the final suggested log format.

Additional context

• Current API health check logs.

• David Malcolm has confirmed that we are allowed to write the user guids to the logs.

[sslaws]

I've confirmed that web was already recording the x_forwarded_for and I updated the configuration to filter out the health checks. The API needs to read the x_forwarded_for and write it and the guid of the user to the associated logs.

[andrewsignori-aot]

@sslaws I would say the first AC below would be no longer needed after your last commit, right? During the call we were able to see the client IP correctly logged. Would you agree to remove the below AC?

Make necessary changes to the web app access logs to write the actual address of the end user as the requesting IP address.

[andrewsignori-aot]

@JasonCTang the second AC mentioned "Web" but we believe that it meant "SIMS API", does it make sense?

Stop logging health check log entries in Web access logs

[sslaws]

@andrewsignori-aot I think it did mean web and I resolved that already but I do see that it applies to the API as well as they are overly verbose.

[andrewsignori-aot]

• Make necessary changes to the web app access logs to write the actual address of the end user as the requesting IP address. (Stephen Laws)

  Create an issue with the title Make necessary changes to the web app access logs to write the actual address of the end user as the requesting IP address. (Stephen Laws). Press Enter to convert to an issue instantly. Press Alt-Enter to open the create new issue form in the current tab. Press Shift-Enter to open the create new issue form.

• [ ] Stop logging health check log entries in Web access logs (probably should be targeting API, right?).

  Create an issue with the title Stop logging health check log entries in Web access logs (probably should be targeting API, right?).. Press Enter to convert to an issue instantly. Press Alt-Enter to open the create new issue form in the current tab. Press Shift-Enter to open the create new issue form.

• [ ] Write the IP Address and GUID (same saved to the sims.users.user_name) of the user associated with any API call log entries.

Yes @sslaws the APIs ones should be removed. Since the web part is handled, can we adjust the ACs as below?

• [ ] Stop logging health check log entries in SIM API.
• [ ] Write the IP Address and GUID (same saved to the sims.users.user_name) of the user associated with any API call log entries.

[andrewsignori-aot]

As discussed with @JasonCTang we are removing the below ACs related to the Web POD that are already implemented.

• [ ] Make necessary changes to the web app access logs to write the actual address of the end user as the requesting IP address. (Stephen Laws)
• [ ] Stop logging health check log entries in Web access logs (probably should be targeting API, right?).