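// Security logging and auditing (observability & compliance): implementation
// guide and best practices.
//
// Overview: a unified event model plus a field-redaction policy, combined with
// trace IDs and centralized collection, satisfies both security-observability
// and compliance-audit requirements.
//
// Operational points:
//   - Define the event dictionary and the redaction key list, and validate both
//     in CI.
//   - Propagate the trace ID end to end so audits can be correlated across
//     systems (the logger below keeps an incoming id and only generates one
//     when none is supplied).
//   - Keep metrics, alerts and logs on the same source, with one collection
//     pipeline and one retention policy.
//
// With a shared event model and unified collection, observability and
// compliance can be delivered at a controllable cost.
//
// Runtime assumptions: Web Crypto (`crypto.getRandomValues`), `fetch` and
// `AbortSignal.timeout` are available as globals (Node >= 19, Deno, browsers);
// the console sink additionally needs Node's `process`.

// ---- Event model ----------------------------------------------------------

/** One security-relevant event exactly as it is handed to every sink. */
type SecurityEvent = {
  /** Event class from the event dictionary, e.g. 'auth'. */
  type: string
  actorId?: string
  resource?: string
  action?: string
  outcome: 'success' | 'deny' | 'error'
  ip?: string
  userAgent?: string
  /** Correlation id: propagated from the caller, or generated at log time. */
  traceId: string
  /** ISO-8601 UTC timestamp; always assigned by the logger, never by callers. */
  timestamp: string
  /** Free-form context. Redacted with `redact` before it reaches any sink. */
  metadata?: Record<string, unknown>
}

/** Current time as an ISO-8601 UTC string. */
function nowIso(): string {
  return new Date().toISOString()
}

/**
 * 128-bit random trace id rendered as 32 lowercase hex characters.
 *
 * Uses the Web Crypto CSPRNG so ids are unguessable: a client must not be able
 * to predict or collide with another request's audit trail.
 */
function genTraceId(): string {
  const bytes = crypto.getRandomValues(new Uint8Array(16))
  return Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('')
}

// ---- Field redaction ------------------------------------------------------

/** Value written in place of a sensitive field. */
const REDACTED = '***'

/** Value written where a structure refers to an object already visited. */
const CIRCULAR = '[Circular]'

/** True for `{}`-style objects (Object.prototype or null prototype) only. */
function isPlainObject(value: unknown): value is Record<string, unknown> {
  if (typeof value !== 'object' || value === null) return false
  const proto = Object.getPrototypeOf(value)
  return proto === Object.prototype || proto === null
}

/**
 * Return a copy of `input` in which every property whose key appears in `keys`
 * is replaced by '***'.
 *
 * Key comparison is case-insensitive ('Authorization' and 'authorization' are
 * the same secret), and the walk descends into nested plain objects and
 * arrays, so a secret buried under `request.headers.authorization` is masked
 * as well as one at the top level. Non-plain objects (Date, class instances)
 * are passed through untouched; an object reached a second time (a cycle or a
 * shared reference) is replaced by '[Circular]' instead of recursing.
 *
 * @param input object to sanitize; it is never mutated
 * @param keys  sensitive key names from the redaction list
 * @returns a new object with the same shape and the sensitive values masked
 */
function redact(input: Record<string, unknown>, keys: string[]): Record<string, unknown> {
  const sensitive = new Set(keys.map(k => k.toLowerCase()))
  const seen = new WeakSet<object>()

  const walkObject = (obj: Record<string, unknown>): Record<string, unknown> => {
    seen.add(obj)
    const out: Record<string, unknown> = {}
    for (const [key, inner] of Object.entries(obj)) {
      out[key] = sensitive.has(key.toLowerCase()) ? REDACTED : walk(inner)
    }
    return out
  }

  const walk = (value: unknown): unknown => {
    if (typeof value !== 'object' || value === null) return value
    if (seen.has(value)) return CIRCULAR
    if (Array.isArray(value)) {
      seen.add(value)
      return value.map(walk)
    }
    if (!isPlainObject(value)) return value
    return walkObject(value)
  }

  // The top level is always treated as a record, whatever its prototype.
  return walkObject(input)
}

// ---- Structured logging ---------------------------------------------------

/** Destination for finished events (stdout, file, SIEM forwarder, ...). */
type Sink = (e: SecurityEvent) => Promise<void>

class AuditLogger {
  /** Sinks run sequentially, in registration order, for every event. */
  sinks: Sink[] = []

  /**
   * @param redactKeys key names whose values are masked in `metadata` before
   *                   any sink sees the event (the project's redaction list)
   */
  constructor(private readonly redactKeys: string[] = []) {}

  /**
   * Stamp the event and fan it out to every registered sink.
   *
   * - An incoming non-empty `traceId` (from the request context / inbound
   *   header) is kept so the record correlates with upstream systems; a fresh
   *   id is generated only when none was supplied.
   * - `timestamp` is always assigned here so callers cannot backdate records.
   * - `metadata` is redacted here, so no sink ever receives raw secrets.
   *
   * A sink that throws rejects the returned promise and stops delivery to the
   * sinks after it (fail-closed; callers decide whether to retry).
   */
  async log(event: Omit<SecurityEvent, 'traceId' | 'timestamp'> & { traceId?: string }): Promise<void> {
    const incoming = event.traceId
    const full: SecurityEvent = {
      ...event,
      traceId: incoming !== undefined && incoming.length > 0 ? incoming : genTraceId(),
      timestamp: nowIso(),
    }
    if (full.metadata !== undefined) {
      full.metadata = redact(full.metadata, this.redactKeys)
    }
    for (const sink of this.sinks) await sink(full)
  }
}

/**
 * Sink that writes one JSON object per line to stdout. JSON.stringify escapes
 * control characters, so user-controlled fields cannot inject extra lines.
 */
const consoleSink: Sink = async (e) => {
  process.stdout.write(JSON.stringify(e) + '\n')
}

// ---- Metrics and alerting -------------------------------------------------

/** Minimal counter contract (Prometheus-style); labels are optional. */
type Counter = { inc: (labels?: Record<string, string>) => void }

class MetricCollector {
  /**
   * @param authFailures   incremented for every denied 'auth' event
   * @param deniedRequests incremented for every denied event of any type
   */
  constructor(public authFailures: Counter, public deniedRequests: Counter) {}

  /** Derive counters from an event; a denied auth event bumps both. */
  record(event: SecurityEvent): void {
    if (event.outcome !== 'deny') return
    if (event.type === 'auth') this.authFailures.inc({})
    this.deniedRequests.inc({})
  }
}

// ---- SIEM integration -----------------------------------------------------

/**
 * POST a batch of events to the SIEM collector.
 *
 * @param endpoint  collector URL; must be https, because the bearer token is a
 *                  long-lived credential and must never travel in clear text
 * @param token     bearer token for the collector
 * @param batch     events to deliver; an empty batch sends nothing
 * @param timeoutMs upper bound on the request so a stalled collector cannot
 *                  back up the emitting service (default 10 s)
 * @returns true when the collector answered with a 2xx status
 * @throws Error for a non-https or malformed endpoint; network failures and
 *         timeouts propagate from fetch so the caller can retry the batch
 */
async function sendToSiem(endpoint: string, token: string, batch: SecurityEvent[], timeoutMs = 10_000): Promise<boolean> {
  if (new URL(endpoint).protocol !== 'https:') {
    throw new Error('sendToSiem: endpoint must use https (bearer token would be sent in clear text)')
  }
  if (batch.length === 0) return true
  const res = await fetch(endpoint, {
    method: 'POST',
    headers: { 'Authorization': `Bearer ${token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(batch),
    signal: AbortSignal.timeout(timeoutMs),
  })
  return res.ok
}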
