Log security context

  • Overview
  • 4-min read

Dynatrace allows you to tweak your ingested log data by adding a dt.security_context attribute to specific log records. This enables you to set additional options, for example, permissions for individual records. See, Permissions in Grail.

To create a security context adjustment to your ingested log data, you need to create rules that:

  1. Filter the records that have the dt.security_context attribute added to them.
    Go to Logs and events page and create a DQL query using a log processing function. For example: 
    fetch logs
    | filter matchesValue(log.source, "dsfm")
    This allows you to filter the log records to which you will want to add the dt.security_context attribute. Once satisfied with the query result, copy the log processing function of the DQL query: matchesValue(log.source, "dsfm").
  2. Define the log security context rule using that function and specify the value of the dt.security_context attribute. The value of the dt.security_context attribute can be a literal value that you provide, or you can specify the name of another attribute of which the value will be used as the value of dt.security_context.

Create Log Security Context rule

Log Security Context is based on rules that contain a matcher and the dt.security_context attribute definition.

  • The matcher narrows down the available log records for executing this specific rule.
  • Value source type specifies the value of the dt.security_context attribute.

Go to Settings > Log Monitoring > Security context to view log processing security rules that are in effect, reorder the existing rules, and create new rules. Rules are executed in the order in which they're listed, from top to bottom. This order is critical because the first user-defined rule that matches is executed.

Expand Details to examine a rule definition. A log processing security rule consists of the following:

  • Rule name
    The name for the rule.
  • Matcher
    A log processing function that narrows down the available log data for executing this specific rule.
  • Select value source type
    • Field
      Value will be copied from field.
    • Literal
      Constant literal will be used as value.
  • Value
    Value of the source type.

To add a log security context rule:

  1. Select Add rule on the Log Security Context page.
  2. Add a Matcher to your rule by pasting the log processing function from your DQL query.
  3. Select value source type.
  4. Provide the Value for the source type.
    • If you selected Field, the value should be the name of the field used as a source to copy the value to the dt.security_context attribute.
    • If you selected Literal, the value should be the constant literal that will be used as the value in the dt.security_context attribute.

Example

Your log records contain attribute log.source with a value of dsfm. Only certain users or user groups should have access to them and you want to create a log security context rule that:

  • Filters all records that contain dsfm as a value of the log.source attribute.
  • Adds a dt.security_context attribute with the sec-lvl-7 value to all filtered log records.

  1. Go to Logs and events page and execute a DQL query using a log processing function:

    fetch logs
    | filter matchesValue(log.source, "dsfm")

  2. Copy the log processing function of the DQL query: matchesValue(log.source, "dsfm").

  3. Go to Settings > Log Monitoring > Security context and select Add rule on the Log Security Context page.

  4. For the Rule name enter: Level 7 - dsfm.

  5. For the Matcher enter: matchesValue(log.source, "dsfm").

  6. For the Select value source type select Literal.

  7. For the Value enter: sec-lvl-7.

  8. Select Save changes.

Once new log data arrives, it is processed by log security context rules and a new dt.security_context attribute is added with a value of sec-lvl-7. You can go to Logs and events page and check that new log records are processed by your Level 7 - dsfm log security context rule. Use the DQL to view all log records containing sec-lvl-7 value in dt.security_context attribute:

fetch logs
| filter matchesValue(dt.security_context, "sec-lvl-7")

Based on this attribute, you can now create security-related user and group policies. See, Permissions in Grail.

Related tags
Log Analytics