security_events
Security logging, monitoring, and tamper-evident audit trail (OWASP C9). Part of the SunLit Security Libraries workspace.
When to reach for this crate
- You need strongly-typed security events instead of free-form log lines, so SIEMs, redactors, and policy engines can reason about them.
- You need a tamper-evident audit chain (HMAC-sealed events) for compliance contexts.
- You're shipping events to multiple sinks (stdout JSON, OpenTelemetry, HTTP collector) and want one schema to feed them.
- You want PII redaction and rate-limiting at the event layer rather than scattered across call sites.
Install
[]
= "0.1.2"
# OpenTelemetry integration:
# security_events = { version = "0.1.2", features = ["otel"] }
What's inside
| Module | Use it for |
|---|---|
event::SecurityEvent |
The strongly-typed event record (kind, outcome, severity, classification). |
kind::EventKind |
Standardized event categories (auth, authz, data access, network, etc.). |
event::EventOutcome |
Success, Failure, Blocked, Unknown. |
event::EventValue::Classified |
Field values carrying their DataClassification so sinks can redact. |
audit_chain::AuditChain |
Hash-chained, tamper-evident audit log. Each event commits to its predecessor. |
hmac::HmacEventSigner |
HMAC-seal events for integrity-verified shipping to a remote collector. |
correlation |
Parent/child correlation IDs (with_parent, attach_parent, filter_by_parent). |
redact::RedactionEngine |
Programmatic redaction policy for PII fields. |
mobile_redaction::MobileRedactionEngine |
Stricter mobile-OS log-level enforcement. |
rate_limit |
Drop or aggregate noisy event sources without losing high-severity signals. |
sink |
Pluggable event sinks (stdout, JSON, OTel, HTTP). |
layer |
tracing Layer so events flow alongside spans. |
Quick example
use ;
use EventKind;
use DataClassification;
use SecuritySeverity;
// Build a typed authentication-failure event for the audit log.
let event = builder
.kind
.outcome
.severity
.field
.build;
// Emit to whichever sink(s) you've configured.
// (See `security_events::sink` for stdout / JSON / OTel / HTTP sinks.)
Feature flags
| Flag | Default | Purpose |
|---|---|---|
otel |
off | OpenTelemetry-tracing integration via tracing-opentelemetry and opentelemetry. |
http-sink |
off | Ship events to an HTTP collector via reqwest. |
Compatibility
- MSRV: 1.78
#![forbid(unsafe_code)]and#![deny(missing_docs)]- Async-friendly but does not require an async runtime in core paths
Status
Alpha.
Related crates
Part of the SunLit Security Libraries workspace:
| Crate | Purpose |
|---|---|
security_core |
Shared types, identity, classification, severity, redaction. |
secure_errors |
Three-layer error model with redaction-safe public errors. |
secure_output |
Context-aware output encoders (HTML, JSON, URL, JS, CSS, XML, LDAP, shell). |
secure_data |
Secrets, envelope encryption, Argon2id, FIPS, mobile storage. |
secure_network |
TLS policy, SPKI pinning, mTLS, cleartext detection. |
secure_device_trust |
Native-client device trust and session certificates. |
secure_resilience |
RASP and environment-detection policy. |
secure_privacy |
PII classification, consent, retention, pseudonymization. |
secure_boundary |
Input validation, security headers, boundary protections. |
secure_identity |
JWT/OIDC, MFA, sessions, biometric step-up. |
secure_authz |
Typed deny-by-default authorization with device-trust predicates. |
Getting help
- Questions, ideas, design discussions — open a GitHub Discussion.
- Bug reports — use the bug-report template in GitHub Issues.
- Security issues — please do not open a public issue. See SECURITY.md for the responsible-disclosure process.
Contributing
Contributions are welcome. Please read CONTRIBUTING.md and the Code of Conduct before opening a PR.
License
Dual-licensed under MIT or Apache-2.0 at your option.