
Logging and Monitoring


Comprehensive logging and proactive monitoring are foundational to securing your Guidewire Cloud deployment. These practices provide visibility into system behavior, aid in the detection of anomalies, and ensure your applications meet compliance standards. You are responsible for the access, configuration, and review of all logging data generated within your environments.

This section outlines our recommended controls and best practices for effective logging and monitoring.

Principle 1: Implement Comprehensive and Secure Logging

A mature logging strategy captures all relevant events and integrates them into a centralized platform, while ensuring sensitive data is never exposed.

  • Control Objective: All application logs should be accessed and reviewed through the provided Datadog platform. You are responsible for understanding how to search and filter within Datadog to isolate events for specific applications (for example, ClaimCenter, PolicyCenter, and BillingCenter).
    • Example: If you're troubleshooting a Cloud API call, enable DEBUG logging on REST.Config and REST.Request to capture authentication and request behavior.
  • Control Objective: Production environments should enforce strict redaction policies to prevent Personally Identifiable Information (PII) from being written to any log.
  • Control Objective: To centralize security visibility, you should configure log forwarding from the Guidewire Cloud Platform to your corporate Security Information and Event Management (SIEM) system. This is a platform-level configuration that enables you to route application logs to supported targets, such as Splunk or a customer-owned Datadog instance.
  • Control Objective: All custom development, particularly within the Integration Gateway, should use designated logging frameworks such as GwLogger or structured logging. Using print statements (for example, print(), System.out.println()) for application logging is not a recommended practice.
  • Control Objective: Sensitive data, credentials, and secrets should never be written to logs.
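The redaction and structured-logging objectives above can be combined in one place: a formatter that scrubs every record before it is serialized. The following is an added example, not Guidewire code. Python's standard `logging` module stands in for the platform's logging framework, and the key list, value patterns, and logger name are assumptions chosen for illustration.

```python
import io
import json
import logging
import re

# Assumed redaction policy for this example: key names and value patterns.
SENSITIVE_KEYS = {"password", "token", "api_key", "authorization", "ssn"}
PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),             # US SSN layout
    re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),  # e-mail address
    re.compile(r"(?i)\bbearer\s+[\w.~+/=-]+"),        # bearer token
]
MASK = "[REDACTED]"

def scrub(value, key=None):
    if key is not None and str(key).lower() in SENSITIVE_KEYS:
        return MASK                      # mask by field name, whatever the value
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        for pattern in PATTERNS:         # mask by content inside free text
            value = pattern.sub(MASK, value)
    return value

class RedactingJsonFormatter(logging.Formatter):
    def format(self, record):            # one scrubbed JSON object per record
        event = {"level": record.levelname, "logger": record.name,
                 "message": scrub(record.getMessage()),
                 "context": scrub(getattr(record, "context", {}))}
        return json.dumps(event, sort_keys=True)

def build_logger(stream, name="integration.example"):
    handler = logging.StreamHandler(stream)
    handler.setFormatter(RedactingJsonFormatter())
    logger = logging.getLogger(name)
    logger.handlers[:] = [handler]       # replace, so re-runs add no duplicates
    logger.propagate = False             # no unscrubbed copy via root handlers
    logger.setLevel(logging.INFO)
    return logger

def demo():
    buf = io.StringIO()                  # constructed sample event, not real data
    build_logger(buf).info(
        "Login failed for jane.doe@example.com, SSN 123-45-6789",
        extra={"context": {"app": "claimcenter", "password": "hunter2",
                           "request": {"header": "Bearer abc.def.ghi"}}})
    return buf.getvalue()
```

Scrubbing in the formatter means the masked form is the only one that reaches the handler, so a forwarded copy in a SIEM carries the same redaction as the local log.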

Principle 2: Establish Proactive Monitoring and Alerting

Monitoring is not about passively collecting data; it is about actively detecting and responding to anomalies before they become security incidents.

  • Control Objective: You should configure monitors and alerts in Datadog for critical security and operational events, including authentication failures, API errors, and message queue issues.
    • Example: Configure an alert to trigger if the gw.pl.authenticate.fail metric exceeds a defined threshold within a short period, as this may indicate a brute-force attack.
  • Leverage Advanced Observability Tools (APM/RUM): For organizations with mature monitoring practices, Application Performance Monitoring (APM) and Real User Monitoring (RUM) are powerful tools for tracking service-level performance and detecting anomalous behavior.
    • Critical Considerations: Before enabling these features, you should:
      • Assess Financial Impact: Be aware that APM and RUM are premium Datadog services that can have significant cost implications.
      • Mitigate PII Exposure: Recognize that RUM, by default, can capture user inputs containing PII. You should work with Guidewire support and consult Datadog's documentation to ensure proper PII redaction controls are configured before enabling RUM in any environment handling sensitive data.

Principle 3: Enforce Strict Log Governance

Logs are a critical asset for security and compliance. They should be categorized, reviewed, retained, and audited according to a defined policy.

  • Control Objective: You should utilize log metadata, such as Datadog tags, to organize logs by application component and environment. This is essential for effective filtering, analysis, and alerting.
    • Example: Use Datadog tags like app:claimcenter or env:prod to organize logs, which allows you to quickly isolate issues or set component-specific alerts.
  • Control Objective: You should define and implement a retention policy for all streamed application logs that meets your organization's legal, regulatory, and business requirements.
  • Control Objective: A formal log review schedule (for example, monthly) should be established, with clear ownership assigned for reviewing security-relevant log data.
  • Control Objective: You should implement and utilize audit trails for all key user actions and administrative configuration changes to ensure transparency and accountability.
