Log Enhancements Release Notes

Version: 5.0.1 El Alto Release

El Alto

• logging-analytics Version: 1.5.1

Release Date:

2019-10-04

New Features

None

Bug Fixes

• LOG-826 Vulnerability issue: removed jackson-databind

• LOG-1060 Vulnerability issue: Logging CLM: fix/address/red-flag jackson-databind-2.8.6 SEC

• LOG-836 Vulnerability issue: glassfish bean-validator-2.4.0-b34.jar SEC

• LOG-874 Vulnerability issue: fix/address/red-flag License org.json:json-20140107.jar

Known Issues

• LOG-1159 Vulnerability issue: logging-analytics version 5.0.9.RELEASE

Known Security Issues

• OJSI-200 Logging exposes unprotected APIs/UIs (CVE-2019-12125)

• OJSI-155 LOG demo target exposes plain text HTTP endpoint using port 30398

• OJSI-125 log-es exposes plain text HTTP endpoint using port 30254

• OJSI-124 log-kibana exposes plain text HTTP endpoint using port 30253

• LOG-1114 Need for “ReadWriteMany” access on storage when deploying on Kubernetes?

Quick Links:

• LOG project page

• Passing Badge information for LOG

• Project Vulnerability Review Table for LOG

Upgrade Notes

None

Deprecation Notes

None

Other

None

POMBA Release Notes

POMBA is sub-project of the Logging Enhancements Project.

El Alto

• pomba-audit-common Version: 1.5.1

• pomba-aai-context-builder Version: 1.5.1

• pomba-context-aggregator Version: 1.5.1

• pomba-network-discovery-context-builder Version: 1.5.1

• pomba-sdc-context-builder Version: 1.5.1

• pomba-sdnc-context-builder Version: 1.5.1

Release Date:

2019-10-04

New Features

• None

Bug Fixes

• LOG-826 Vulnerability issue: upgraded jackson-databind to version 2.9.9

• LOG-1067 Vulnerability issue: confirm rather or not commons-codec is needed for logging projects

• LOG-832 Vulnerability issue: removed jackson-databind-2.4.5.jar from pomba-audit-common

• LOG-831 Vulnerability issue: pomba-context-aggregator with javax.jms:jms-1.1.jar

• LOG-1061 Vulnerability issue: POMBA-AUDIT-COMMON fix/address/red-flag jackson-databind-2.4.5

• LOG-1063 Vulnerability issue: POMBA-SDNC-CONTEXT-BUILDER: upgraded plexus-utils to version 3.1.0

• LOG-1064 Vulnerability issue: POMBA-SDNC-CONTEXT-BUILDER: removed commons-beanutils : 1.9.3

• LOG-1116 Vulnerability issue: POMBA-SDNC-CONTEXT-BUILDER: removed commons-beanutils : 1.9.3

• LOG-1062 Vulnerability issue: POMBA-SDNC-CONTEXT-BUILDER: removed struts-core

• LOG-1121 Vulnerability issue: POMBA-CONTEXT-AGGREGATOR and POMBA-SDNC-CONTEXT-BUILDER: upgraded logback-classic to version 1.2.3

• LOG-830 Vulnerability issue: Logging/POMBA CLM: fix/address/red-flag License org.json:json-20140107.jar

Known Issues

• LOG-1017 Violations are thrown on attributes that are same (or missing)

• LOG-1016 When comparing attributes from multiple sources, violations thrown do not accurately show the issue.

• LOG-769 POMBA aai ctx pod reports HD full - but DF shows HD is OK

• LOG-827 Vulnerability issue: POMBA-SDNC-CONTEXT-BUILDER handlebars 2.0.0

• LOG-1118 Vulnerability issue: POMBA-SDNC-CONTEXT-BUILDER and POMBA-NETWORK-DISCOVERY-CONTEXT-BUILDER js-yaml

• LOG-1117 Vulnerability issue: POMBA-SDNC-CONTEXT-BUILDER and POMBA-NETWORK-DISCOVERY-CONTEXT-BUILDER uikit

• LOG-1160 Vulnerability issue: jackson-databind 2.9.9

• LOG-1016 When comparing attributes from multiple sources, violations thrown do not accurately show the issue.

• LOG-1017 Violations are thrown on attributes that are same (or missing)

• LOG-1051 pomba-data-router do not start due to wrong AAi configuration (with Dublin release of the data router but works with the Casablanca version)

• LOG-1084 Need authentication for pomba-kibana (node port = 30234)

• LOG-1085 Need authentication for logging-elasticsearch (node port = 30254)

• LOG-1086 Need authentication for logging-kibana (node port = 30253)

• LOG-1114 Need for “ReadWriteMany” access on storage when deploying on Kubernetes?

Known Security Issues

• OJSI-123 pomba-data-router exposes plain text HTTP endpoint using port 30249

• OJSI-115 pomba-kibana exposes plain text HTTP endpoint using port 30234

POMBA code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The LOG open Critical security vulnerabilities and their risk assessment have been documented as part of the project.

Quick Links:

• POMBA project page

Upgrade Notes

None

Deprecation Notes

None

Other

None

Version: 5.0.0 El Alto Early Drop Release

El Alto Early Drop

• logging-analytics Version: 1.5.0

Release Date:

2019-08-16

New Features

None

Bug Fixes

• LOG-1066 Vulnerability issue: upgrade org.apache.tomcat.embed.tomcat-embed-core to 8.5.42

• LOG-1067 Vulnerability issue: confirm rather or not commons-codec is needed for logging projects

Known Issues

Security Notes

LOG code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The LOG open Critical security vulnerabilities and their risk assessment have been documented as part of the project.

Quick Links:

• LOG project page

• Passing Badge information for LOG

• Project Vulnerability Review Table for LOG

Upgrade Notes

None

Deprecation Notes

None

Other

None

POMBA Release Notes

POMBA is sub-project of the Logging Enhancements Project.

El Alto Early Drop

• pomba-audit-common Version: 1.5.0

• pomba-aai-context-builder Version: 1.5.0

• pomba-context-aggregator Version: 1.5.0

• pomba-network-discovery-context-builder Version: 1.5.0

• pomba-sdc-context-builder Version: 1.5.0

• pomba-sdnc-context-builder Version: 1.5.0

Release Date:

2019-08-16

New Features

• None

Bug Fixes

• LOG-1066 Vulnerability issue: upgrade org.apache.tomcat.embed.tomcat-embed-core to 8.5.42

• LOG-1067 Vulnerability issue: confirm rather or not commons-codec is needed for logging projects

Known Issues

• LOG-1017 Violations are thrown on attributes that are same (or missing)

• LOG-1016 When comparing attributes from multiple sources, violations thrown do not accurately show the issue.

• LOG-836 Logging/POMBA CLM: fix/address/red-flag glassfish bean-validator-2.4.0-b34.jar SEC

• LOG-874 Logging CLM: fix/address/red-flag License org.json:json-20140107.jar

• LOG-832 Logging/POMBA CLM: fix/address/red-flag SEC jackson-databind-2.4.5.jar - auditcommon - even 2.9.7 is still red

• LOG-831 Logging/POMBA CLM: fix/address/red-flag License javax.jms:jms-1.1.jar

• LOG-769 POMBA aai ctx pod reports HD full - but DF shows HD is OK

• LOG-826 Logging/POMBA CLM: fix/address/red-flag jackson-databind-2.8.11.3 SEC

• LOG-1060 Logging CLM: fix/address/red-flag jackson-databind-2.8.6 SEC

• LOG-1061 POMBA-AUDIT-COMMON CLM: fix/address/red-flag jackson-databind-2.4.5 SEC

• LOG-1063 POMBA-SDNC-CONTEXT-BUILDER CLM: fix/address/red-flag plexus-utils : 3.0.22 SEC

• LOG-1064 POMBA-SDNC-CONTEXT-BUILDER CLM: fix/address/red-flag commons-beanutils : 1.9.3 SEC

• LOG-1062 POMBA-SDNC-CONTEXT-BUILDER CLM: fix/address/red-flag struts-core : 1.3.8-2.4.5 SEC

• LOG-827 Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+

• LOG-830 Logging/POMBA CLM: fix/address/red-flag License org.json:json-20140107.jar

Security Notes

• all nodeports for Kibana, context builders and data-router are open by default for now

POMBA code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The LOG open Critical security vulnerabilities and their risk assessment have been documented as part of the project.

Quick Links:

• POMBA project page

Upgrade Notes

None

Deprecation Notes

None

Other

None

Version: 4.0.0 Dublin Release

Dublin

• logging-analytics Version: 1.2.6

Release Date:

2019-06-18

New Features

Bug Fixes

Known Issues

Security Notes

• LOG code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The LOG open Critical security vulnerabilities and their risk assessment have been documented as part of the project.

Quick Links:

• LOG project page

• Passing Badge information for LOG

• Project Vulnerability Review Table for LOG

Upgrade Notes

None

Deprecation Notes

None

Other

None

POMBA Release Notes

POMBA is sub-project of the Logging Enhancements Project.

Dublin

• pomba-audit-common Version: 1.4.0

• pomba-aai-context-builder Version: 1.4.0

• pomba-context-aggregator Version: 1.4.0

• pomba-network-discovery-context-builder Version: 1.4.0

• pomba-sdc-context-builder Version: 1.4.0

• pomba-sdnc-context-builder Version: 1.4.0

Release Date:

2019-06-18

New Features

• Version 2 of the audit common model

• Initial release of SDNC context builder

Bug Fixes

Known Issues

• LOG-1017 Violations are thrown on attributes that are same (or missing)

• LOG-1016 When comparing attributes from multiple sources, violations thrown do not accurately show the issue.

• LOG-836 Logging/POMBA CLM: fix/address/red-flag glassfish bean-validator-2.4.0-b34.jar SEC

• LOG-874 Logging CLM: fix/address/red-flag License org.json:json-20140107.jar

• LOG-832 Logging/POMBA CLM: fix/address/red-flag SEC jackson-databind-2.4.5.jar - auditcommon - even 2.9.7 is still red

• LOG-831 Logging/POMBA CLM: fix/address/red-flag License javax.jms:jms-1.1.jar

• LOG-769 POMBA aai ctx pod reports HD full - but DF shows HD is OK

• LOG-826 Logging/POMBA CLM: fix/address/red-flag jackson-databind-2.8.11.3 SEC

• LOG-1060 Logging CLM: fix/address/red-flag jackson-databind-2.8.6 SEC

• LOG-1061 POMBA-AUDIT-COMMON CLM: fix/address/red-flag jackson-databind-2.4.5 SEC

• LOG-1063 POMBA-SDNC-CONTEXT-BUILDER CLM: fix/address/red-flag plexus-utils : 3.0.22 SEC

• LOG-1064 POMBA-SDNC-CONTEXT-BUILDER CLM: fix/address/red-flag commons-beanutils : 1.9.3 SEC

• LOG-1062 POMBA-SDNC-CONTEXT-BUILDER CLM: fix/address/red-flag struts-core : 1.3.8-2.4.5 SEC

• LOG-827 Logging/POMBA CLM: fix/address/red-flag handlebars-2.0.0.js SEC - upgrade to 4.0.0+

• LOG-830 Logging/POMBA CLM: fix/address/red-flag License org.json:json-20140107.jar

Security Notes

• all nodeports for Kibana, context builders and data-router are open by default for now

POMBA code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The LOG open Critical security vulnerabilities and their risk assessment have been documented as part of the project.

Quick Links:

• POMBA project page

Upgrade Notes

None

Deprecation Notes

None

Other

None

Version: 3.0.1 Casablanca Release

Casablanca

• logging-analytics Version: 1.2.6

Release Date:

2019-02-08

New Features

• kubernetes installation upped to 1.11.5 in the Rancher 1.6.25 RI

• NFS support for AWS EFS

Bug Fixes

• LOG-837 Logging/POMBA CLM: fix/address/red-flag spring-mvc-5.1.2 pulls in spring-web-5.0.9

Known Issues

• LOG-376 Logstash load balancing is asymmetric wherever AAI is run

• LOG-895 Upgrade Rancher to 1.6.25 to address CVE-2018-1002105 and move to Kubernetes 1.11.5 (server side)

Security Notes

LOG code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The LOG open Critical security vulnerabilities and their risk assessment have been documented as part of the project.

Quick Links:

• LOG project page

• Passing Badge information for LOG

• Project Vulnerability Review Table for LOG

Upgrade Notes

None

Deprecation Notes

None

Other

None

POMBA Release Notes

POMBA is sub-project of the Logging Enhancements Project.

Casablanca

• pomba-audit-common Version: 1.3.2

• pomba-aai-context-builder Version: 1.3.2

• pomba-context-aggregator Version: 1.3.4

• pomba-network-discovery-context-builder Version: 1.3.1

• pomba-sdc-context-builder Version: 1.3.2

Release Date:

2019-02-08

New Features

• Version 1 of the audit common model

• Initial release of context aggregator and 3 context builders

Bug Fixes

• LOG-892 PORT - POMBA Network Discovery Context Builder does not log

Known Issues

• LOG-913 POMBA: 1 of 11 pods failing on sequenced startup on 3.0.0-ONAP - pomba is 22 on the order - looks timing related

• LOG-950 LOG-950 upped the numbers from 10 to 30 - for intermittent deploy timing - this is an issue for several projects since 3.0.0-ONAP - the solution is a sequenced 5h deploy via cd.sh and/or better vms for now until the dependencies and jobs are refactored into helm hooks

Security Notes

• all three nodeports for kibana, context builder and data-router are open by default for now

POMBA code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The LOG open Critical security vulnerabilities and their risk assessment have been documented as part of the project.

Quick Links:

• POMBA project page

Upgrade Notes

None

Deprecation Notes

None

Other

None

Version: 1.2.2 Casablanca

Release Date:

2018-11-30

New Features

• Demo slf4j library with marker/mdc support along with kubernetes, docker, war support projects.

Bug Fixes

Known Issues

• Logstash load balancing is asymmetric wherever AAI is run

Security Notes

LOG code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The LOG open Critical security vulnerabilities and their risk assessment have been documented as part of the project.

Quick Links:

• LOG project page

• Passing Badge information for LOG

• Project Vulnerability Review Table for LOG

Upgrade Notes

None

Deprecation Notes

None

Other

None

POMBA Release Notes

POMBA is sub-project of the Logging Enhancements Project.

Casablanca

• pomba-audit-common Version: 1.3.1

• pomba-aai-context-builder Version: 1.3.1

• pomba-context-aggregator Version: 1.3.3

• pomba-network-discovery-context-builder Version: 1.3.0

• pomba-sdc-context-builder Version: 1.3.1

---

Release Date:

2018-11-15

New Features

• Version 1 of the audit common model

• Initial release of context aggregator and 3 context builders

Bug Fixes

Known Issues

Security Notes

• all three nodeports for kibana, context builder and data-router are open by default for now

POMBA code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The LOG open Critical security vulnerabilities and their risk assessment have been documented as part of the project.

Quick Links:

• POMBA project page

Upgrade Notes

None

Deprecation Notes

None

Other

None

Version: Beijing

Release Date:

2018-06-07

New Features

• Logstash is a daemonset (clustered at 1 container per VM)

• The following applications send logs to the ELK stack -

Bug Fixes

Known Issues

• Logstash load balancing is asymmetric

Security Notes

• all three nodeports for logstash, elasticsearch and kibana are open by default for now

LOG code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The LOG open Critical security vulnerabilities and their risk assessment have been documented as part of the project.

Quick Links:

• LOG project page

• Passing Badge information for LOG

• Project Vulnerability Review Table for LOG

Upgrade Notes

None

Deprecation Notes

None

Other

Note: there was no released artifacts under 1.2.2 for Beijing - release was pushed to Casablanca

Version: 1.0.0

Release Date:

2017-11-16

New Features

This release adds Elastic Stack analytics deployment to OOM, aligns logging provider configurations, and fixes issues with the propagation of transaction IDs and other contextual information.

• LOG-1 Transaction ID propagation.

• LOG-2 Standardized logging provider configuration.

• LOG-3 Elastic Stack reference analytics pipeline.

• LOG-4 Transaction ID conventions.

Bug Fixes

• LOG-64 Logger field has a length restriction of 36 which needs a fix.

• LOG-74 Extract componentName from the source path of log files.

Known Issues

• LOG-43 Unable to find logback xml for DMaaP component. Logging file for DMaaP is available in this jar “eelf-core-0.0.1.jar”.

• LOG-65 SO Logging Provider Config File need correction in Timestamp MDC. Logging provider configuration file for SO i.e. logback files requires correction in Timestamp MDC for correct MDC generation in log. The current pattern prints Timestamp as 2017-09-25 05:30:07,832. Expected pattern is - 2017-09-25T05:30:07.832Z.

• LOG-80 Kibana does not seem to show all the logs from application pods. The content of the log directories (/var/log/onap/mso) are not 100% reflected in Kibana.

• LOG-88 SO log format error during Health Check - blocking tracking jira for SO-246.

Security Issues

None

Upgrade Notes

None

Deprecation Notes

None

Other

None

---

End of Release Notes