Observability Requirements

The Observability requirements define how the system will report events to external systems, and track both security- and performance-critical data.

Definitions

Common WTI log requirements
The enterprise-wide logging requirements for HTTP-connected systems as defined in the Wilcox Technologies Inc. Network Handbook, 4th Edition.
Runtime error
An error condition that raises an exception that is not handled, or a condition that is caught but is still determined by the implementation team to deem a log message necessary. These conditions will be determined as features are developed and implemented.

Goals

  1. To accurately report events that occur in the Mall on Rails system.
  2. To be able to gain insights into how to maintain Mall on Rails in the most efficient and error-free manner.
  3. To have sufficient actionable evidence in the event of potential or actual breaches of security to effectuate recovery and prosecution.

Exclusions

  1. The system shall not cause any customer PII to be written to logs that are not explicitly managed for PII. This includes payment information, name, password, address(es), and phone number(s). As email addresses are a type of login information, these may be required to be logged for the purposes of intrusion detection and authentication.

Requirements

  1. The system shall log all incoming HTTP requests using the common WTI log requirements, including IP anonymisation after 30 days.
  2. The system shall log all runtime errors to an external reporting system.
  3. The system shall log client runtime errors to an external reporting system.
  4. The system shall write a log message when storage is at 90% and 95% full.
  5. The system shall emit an alert when storage is at 98% and 100% full.
  6. The system shall write a log message for any attempted customer login, including all of the following information:
    1. The remote IP of the computer where the login attempt originated.
    2. The email address of the account attempting to be logged in.
    3. Whether the login attempt was successful or failed.
    4. All request headers (including User-agent, Referer, and X-Forwarded-For).
  7. The system shall write a log message for any attempted store owner login, including all of the following information:
    1. The remote IP of the computer where the login attempt originated.
    2. The login name (whether username, email, or other) that was attempted.
    3. Whether the login attempt was successful or failed.
    4. All request headers (including User-agent, Referer, and X-Forwarded-For).