Observability

This is a beta test.

Before covering observability and monitoring, it's important to note that this is a beta test: Bulwark is not currently recommended for production use cases.

Logs

Bulwark currently relies on a mix of its own logs and metrics and on Envoy's metrics for observability. Bulwark supports both Prometheus-compatible metrics scraping and StatsD for metrics collection. There are a number of future roadmap items related to improving Bulwark's capabilities in this area. Since Bulwark is intended to function as a security observability tool in its own right, this is a development area that will receive significant attention.

Bulwark currently offers two log formats. The first is a structured newline-delimited JSON format that implements the Elastic Common Schema (ECS) specification and is intended for use with centralized log stores and other consumers of high-cardinality event data. The second is a human-readable multi-line log format intended for debugging use cases. Other log formats will be introduced in the future, as needed.

{
  "@timestamp": "2023-05-04T22:17:22.174144Z",
  "message": "GET /hello [403]",
  "log": {
    "level": "info"
  },
  "http": {
    "request": {
      "method": "GET"
    },
    "response": {
      "status": 403
    }
  },
  "url": {
    "original": "/hello"
  },
  "user_agent": {
    "original": "curl/7.79.1"
  },
  "event": {
    "kind": "event",
    "category": [
      "web"
    ],
    "type": [
      "denied"
    ]
  },
  "risk": {
    "calculated_level": "restricted",
    "calculated_risk_score": 1
  },
  "bulwark": {
    "plugins": {
      "example_plugin": {
        "accept": 0,
        "restrict": 1,
        "score": 1,
        "unknown": 0
      }
    }
  }
}

The output above has been piped through jq -r for readability; the Bulwark process emits each event as a condensed single line.
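As an added illustration (not part of the Bulwark documentation or code base), the following Python consumer reads condensed NDJSON lines in the ECS format shown above, flags denied requests by event.type and http.response.status, and tallies each plugin's restrict votes while tolerating malformed lines. The sample lines are constructed: the first mirrors the denied request above with some fields trimmed, the second is an assumed accepted request (event.type "allowed", status 200), and the third is deliberately not JSON.

```python
import json
from collections import Counter

# Constructed sample of condensed NDJSON lines (not real Bulwark output): a denied
# request copied from the docs example with a few fields trimmed, an assumed
# accepted request, and one deliberately malformed line.
SAMPLE_LOG = (
    '{"@timestamp":"2023-05-04T22:17:22.174144Z","message":"GET /hello [403]",'
    '"http":{"request":{"method":"GET"},"response":{"status":403}},"url":{"original":"/hello"},'
    '"event":{"kind":"event","category":["web"],"type":["denied"]},'
    '"risk":{"calculated_level":"restricted","calculated_risk_score":1},'
    '"bulwark":{"plugins":{"example_plugin":{"accept":0,"restrict":1,"score":1,"unknown":0}}}}\n'
    '{"@timestamp":"2023-05-04T22:17:23.000000Z","message":"GET /ok [200]",'
    '"http":{"request":{"method":"GET"},"response":{"status":200}},"url":{"original":"/ok"},'
    '"event":{"kind":"event","category":["web"],"type":["allowed"]},'
    '"bulwark":{"plugins":{"example_plugin":{"accept":1,"restrict":0,"score":0,"unknown":0}}}}\n'
    "not json\n"
)


def dig(obj, *path, default=None):
    """Walk nested ECS objects safely; a log consumer must not crash on a missing field."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def is_denied(event):
    """ECS marks a blocked request with event.type containing 'denied'; the example
    above pairs that with an http.response.status of 403."""
    types = dig(event, "event", "type", default=[]) or []
    return "denied" in types and dig(event, "http", "response", "status") == 403


def summarize(ndjson_text):
    """Tally denied requests per method+path and per-plugin restrict votes,
    counting malformed lines instead of raising on them."""
    denied_by_url, restrict_votes, malformed = Counter(), Counter(), 0
    for line in filter(str.strip, ndjson_text.splitlines()):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            malformed += 1
            continue
        if is_denied(event):
            method = dig(event, "http", "request", "method")
            denied_by_url[f"{method} {dig(event, 'url', 'original')}"] += 1
        # bulwark.plugins holds one verdict object per plugin (accept/restrict/score/unknown)
        for name, verdict in (dig(event, "bulwark", "plugins", default={}) or {}).items():
            restrict_votes[name] += int(verdict.get("restrict", 0))
    return {"denied_by_url": dict(denied_by_url),
            "restrict_votes": dict(restrict_votes), "malformed": malformed}
```

Feeding a real log file is a matter of passing its contents to summarize(); the same dig() guard lets the consumer keep working when a future format change drops or renames a field.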
