OSDU and platform logging requirements

All OSDU logs need to go to a specific, well-known location. That means:

Logs must exist

  • OSDU service logs (e.g., load service, search service, etc.)
  • application platform logs (e.g., Kubernetes, Tomcat, nginx, Apache, whatever)
  • operating system level logs for VMs
  • cloud service provider logs

Logs must be protected

Logs go one of two ways:

  1. They leave OSDU and go to an operator-provided location. In that case, security and management of logs is the operator's responsibility.
  2. They remain in an OSDU-specific location (e.g., a log server, an S3 bucket, a cloud-native log aggregation service). In that case additional security requirements apply.
       • Logs must be encrypted at rest
       • Logs must be protected from unauthorised modification
       • Logs must be protected from unauthorised access
       • ConocoPhillips identified RBAC for log access

Log Locations

  • Chevron: Azure Log Analytics
  • Total: Azure Monitor
  • Petronas: LogRhythm
  • ConocoPhillips: Splunk
  • Equinor: Azure EventHub

Log Retention

  • BP highlighted data retention as a security concern. Logs are the one place where the platform itself produces data. Do we activate some automatic cloud-native log deletion?
  • Repsol: log integrity measures are mandatory, as is a retention period of 13 months for the logs.

Definition of Done

  1. Log formats need to be documented and defined for each service and component at each of these levels (OSDU, app, OS, cloud).
  2. Log locations are documented for each cloud provider choice.
  3. The operator can indicate their preference for logs to either remain in an OSDU-specific location or be exported to another system.
Edited by Paco Hope (AWS)