...
The App Logs setup is neither simple nor rocket science but was chosen with a bit of scalability in mind. This is why logs get written to a Storage Account via a Diagnostic setting. Instead of putting the logs into the clients database, producing unnecessary load to the database, the development debug applications logs (App Logs) are put into a Storage Account and get read back from there to display them in the App Repository.
Panel | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
Learn more about some of the architectural components below in https://unique-ch.atlassian.net/wiki/spaces/ |
...
SD/pages/545292322/App+Logs#Architecture and how they are secured in https://unique-ch.atlassian.net/wiki/spaces/ |
...
Get started
Pre-requisites
...
Or add it from beginning if the app is new | then Save | 🕐 Wait some minutes so something actually gets written and propagated |
Panel | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
The apps Note that the _ in the example changes with -. In case you made a mistake, you can simply rename your app in the UI itself via |
Deploying Action | In the App Repository | |||
---|---|---|---|---|
Works |
| Name: Azure Environment Name: | ||
Does not work 🤯 |
| Name: Azure Environment Name: | ||
Does not work 🤯 |
| Name: Azure Environment Name: | ||
Does not work 🤯 |
| Name: Azure Environment Name: Forgetting to set the correct account. |
Specs
The logs clear use case is debugging application insights and secure development of apps. A developer can consult them in the rare event of discovering an edge case only in production or when triaging an unseen issue.
Unique strongly discourages debugging in production (near live) and advocates for a proper SSDL (like its own Secure Software Development Lifecycle). These logs are not meant to be used for live-debugging, apps are to be properly tested before being deployed to production environments.
Logs
Naturally, the maximum duration of logs you can browse are limited by the Retention. The UI currently shows only the last 10 48 hours of logs in separate entries. If the feature matures, further improvements could be done on this behalf.
The logs are not live streams, it can take some worst case some minutes for them to appear (<10).Each hour a new file gets created by the Azure Monitor and Unique caches the last 10 hours (except the last one) refreshing them every hour (the latter nine). Unique does not offer real time log streaming. Clients requiring faster scrape intervals than Azure Monitors maximum 5 minute interval must self host apps.
The logs capture stdout
(the console), means they also show container or boot errors etc.
...
Azure Monitor is the only allowed writer to the account while the App Repository (via Workload Identity) is the sole reader (both via RBAC). No humans have access to the account, also not via PIM or privileged roles.
Secure Deployment
Panel | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
See Hosted SDK, only mentioned here for completeness. |
Log scrubbing
The setup does not scrub the logs or sanitize them. If developers log classified data, it will be present in the logs within the retention period. The Legal Amendment to the Co-Development Agreement holds more information about the logs and their use case (or not-use-case) and how developers must interact with them.
...