Challenge Overview
Project Background
- Need to develop Logging library to support of general operational and security logging for Java projects
- Ensure logging information is configurable for security standard’s such as PCI, PII
Technology Stack
- Java 8
- SLF4J
- Splunk
Individual Requirements
Create an architecture to cover the following requirements. Note that we will provide you the complete requirement documents from the client, and your architecture needs to cover all the requirements (The javascript library and REST API server are not in scope, and everything else is in scope).Here are some brief overview of the requirements. The client has created some interfaces to describe their requirements, but you don’t need to follow them exactly, and you should do some necessary refactoring and renaming to ensure it follows the best practice. The only thing that matters is that all requirements are properly addressed.
1. Create TMOLogger. We will need a factory class as well, just like any java logging framework. It should be implemented as a wrapper of the SLF4J library.
2. Create the TMOLogFormatter. Both XML and JSON implementations should be provided.
3. Output Targets
The logging library should be able to write records to: Output Stream, System Console, Files, API/Service. Most likely we will just reuse the Appenders from the logging libraries, and add custom Appender implementations if necessary.
Refer to this library: https://github.com/damiendallimore/SplunkJavaLogging for a bit more details about logging to Splunk. And the best practice for Splunk integration is to use a Splunk Universal Forwarder(UF) monitoring local log files wherever possible.
Support the following transport methods:
- Splunk forwarder
- Syslog
- REST API
4. Security and Compliance requirements
It is imperative to lower exposure by not logging sensitive data or by scrubbing it before it leaves the network.
The logging library must support this by having ‘compliance’ parameter built in the configuration. So, that when it is turned on the logger must scrub and in some occasions, not log sensitive data as per following rules.
Logging mechanisms must not allow injection of fake log entries and malicious code. So all data coming from outside the system must be encoded before being logged (e.g. urlencoded). This includes all user input, headers (content- type, referrer, user-agent etc.) and parameters. Typical log injection attacks include, but are not limited to, extra line feed/carriage returns to inject fake log entries and javascript to run when administrators are viewing log entries
Final Submission Guidelines
Deliverable
Class Diagram / Sequence Diagram- The implementation details of each class should be provided
- You can find a template here: https://apps.topcoder.com/wiki/display/tc/Module+Architecture+Tutorial+-+Deliverables#ModuleArchitectureTutorial-Deliverables-Toc333878863)
- Besides the standard sections, the requirement mappings should also be provided