Skill Review ($25 Bounty)
Skill
skills/secops/log-analysis/SKILL.md
What needs improvement
log-analysis has strong source taxonomy and cross-source correlation guidance, but it does not require evidence for OpenTelemetry trace-log correlation. Modern application investigations often rely on TraceId, SpanId, resource context, and semantic attributes to pivot from application logs to traces and backend spans. Without a specific gate, the report can overstate correlation confidence when logs lack trace context, traces are sampled away, resource attributes disagree, or non-OTLP log formats map trace fields inconsistently.
This is distinct from the broader telemetry integrity / ingestion-loss issue because it focuses on application observability correlation fields, not collector health or event-time vs. ingest-time pipeline loss.
Coverage gaps
- Logs contain `request_id` or ad hoc correlation IDs but not OpenTelemetry `TraceId` / `SpanId`, so analysts cannot reliably join logs to traces across services.
- Traces are sampled while error/security logs are retained, creating one-way joins that should reduce confidence instead of being treated as complete correlation.
- Resource context differs between logs and spans (`service.name`, `service.namespace`, deployment environment), making cross-service pivots ambiguous.
- Non-OTLP logs carry trace context under vendor-specific names (`trace_id`, `traceId`, `x-b3-traceid`, `traceparent`) with no documented mapping to OpenTelemetry fields.
- HTTP or messaging semantic attributes needed for security investigation are absent or unstable, so trace pivots lose method, route, status, peer, topic, or queue context.
Suggested fix
Add a focused OpenTelemetry correlation evidence gate to log-analysis:
- capture whether log records include `TraceId`, `SpanId`, `TraceFlags`, resource attributes, and instrumentation scope;
- record trace sampling status and whether missing spans are expected or evidence gaps;
- map vendor/log-format trace fields to OpenTelemetry fields for non-OTLP logs;
- require resource-context consistency checks for service and environment joins;
- add output fields for trace-log correlation confidence and missing-context reasons.
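The gate sketched above, written out as an added example (this is not code from the log-analysis skill or from this review): it maps the vendor trace fields listed under the coverage gaps onto OpenTelemetry names, reads the sampled bit, checks resource-context agreement between a log record and the spans it claims to belong to, and emits a correlation confidence with missing-context reasons. The non-OTLP field names beyond those cited in the review (`span_id`, `spanId`, `x-b3-spanid`, `x-b3-sampled`), the `resource` sub-dictionary layout, and every sample record are constructed assumptions.

```python
"""Added example, not part of the log-analysis skill or this review:
a trace-log correlation evidence gate. Field names other than the
OpenTelemetry ones named in the review, and all sample records, are
constructed assumptions."""
import re

# Vendor/log-format keys mapped onto OpenTelemetry log record fields.
TRACE_ID_KEYS = ("TraceId", "trace_id", "traceId", "x-b3-traceid")
SPAN_ID_KEYS = ("SpanId", "span_id", "spanId", "x-b3-spanid")
RESOURCE_KEYS = ("service.name", "service.namespace", "deployment.environment")
LEVELS = ("high", "medium", "low", "none")

# W3C traceparent: version-traceid-spanid-flags (flags bit 0 = sampled).
TRACEPARENT_RE = re.compile(
    r"^[0-9a-f]{2}-(?P<trace_id>[0-9a-f]{32})-(?P<span_id>[0-9a-f]{16})-(?P<flags>[0-9a-f]{2})$",
    re.IGNORECASE)
HEX_ID_RE = re.compile(r"^(?:[0-9a-fA-F]{16}|[0-9a-fA-F]{32})$")


def normalize_trace_context(record):
    """Return OpenTelemetry-style trace context extracted from one log record."""
    ctx = {"trace_id": None, "span_id": None, "sampled": None, "source": None}
    tp = record.get("traceparent")
    m = TRACEPARENT_RE.match(tp) if isinstance(tp, str) else None
    if m:
        ctx.update(trace_id=m["trace_id"].lower(), span_id=m["span_id"].lower(),
                   sampled=bool(int(m["flags"], 16) & 1), source="traceparent")
        return ctx
    for key in TRACE_ID_KEYS:
        val = record.get(key)
        if isinstance(val, str) and HEX_ID_RE.match(val):
            # B3 permits 64-bit trace ids; left-pad to the 128-bit OTel form.
            ctx["trace_id"], ctx["source"] = val.lower().rjust(32, "0"), key
            break
    for key in SPAN_ID_KEYS:
        val = record.get(key)
        if isinstance(val, str) and re.fullmatch(r"[0-9a-fA-F]{16}", val):
            ctx["span_id"] = val.lower()
            break
    flags = record.get("TraceFlags")
    if isinstance(flags, str) and re.fullmatch(r"[0-9a-fA-F]{2}", flags):
        ctx["sampled"] = bool(int(flags, 16) & 1)
    elif record.get("x-b3-sampled") in ("0", "1"):
        ctx["sampled"] = record["x-b3-sampled"] == "1"
    return ctx


def _downgrade(level):
    return LEVELS[min(LEVELS.index(level) + 1, len(LEVELS) - 1)]


def correlation_gate(record, spans):
    """Score how far a log record can be joined to the supplied spans."""
    ctx = normalize_trace_context(record)
    reasons = []
    if ctx["trace_id"] is None:
        reasons.append("only ad hoc request_id present; no TraceId/SpanId"
                       if "request_id" in record else "no trace context in log record")
        return {"confidence": "none", "reasons": reasons, "context": ctx}
    if ctx["source"] not in ("TraceId", "traceparent"):
        reasons.append(f"trace id mapped from vendor field {ctx['source']!r}")
    trace_spans = [s for s in spans if s["trace_id"] == ctx["trace_id"]]
    if not trace_spans:
        # A one-way join: retained log, no spans. Say why before lowering confidence.
        reasons.append("trace not sampled: missing spans are expected" if ctx["sampled"] is False
                       else "no spans found for trace id: evidence gap, not absence of activity")
        return {"confidence": "low", "reasons": reasons, "context": ctx}
    target = next((s for s in trace_spans if s["span_id"] == ctx["span_id"]), None)
    if target is None:
        level, target = "medium", trace_spans[0]
        reasons.append("SpanId not found in trace: joined at trace level only")
    else:
        level = "high"
    # Resource-context consistency check for service/environment joins.
    log_res, span_res = record.get("resource", {}), target.get("resource", {})
    shared = [k for k in RESOURCE_KEYS if k in log_res and k in span_res]
    mismatched = [k for k in shared if log_res[k] != span_res[k]]
    if not shared:
        reasons.append("no shared resource attributes: service/environment join unverified")
        level = _downgrade(level)
    elif mismatched:
        reasons.append("resource context disagrees between log and span: " +
                       ", ".join(f"{k}={log_res[k]!r} vs {span_res[k]!r}" for k in mismatched))
        level = _downgrade(level)
    return {"confidence": level, "reasons": reasons, "context": ctx}


# Constructed sample data (not real telemetry).
SAMPLE_SPANS = [{
    "trace_id": "4bf92f3577b34da6a3ce929d0e0e4736", "span_id": "00f067aa0ba902b7",
    "resource": {"service.name": "checkout", "deployment.environment": "prod"}}]
SAMPLE_LOGS = [
    # OTLP log record with full context matching the span.
    {"TraceId": "4bf92f3577b34da6a3ce929d0e0e4736", "SpanId": "00f067aa0ba902b7", "TraceFlags": "01",
     "resource": {"service.name": "checkout", "deployment.environment": "prod"}, "body": "payment declined"},
    # Non-OTLP log with W3C traceparent, sampled bit clear, no spans retained.
    {"traceparent": "00-0af7651916cd43dd8448eb211c80319c-b7ad6b7169203331-00",
     "resource": {"service.name": "auth"}, "body": "login failed"},
    # B3 headers; span id unknown to the trace and service.name disagrees with the span.
    {"x-b3-traceid": "4bf92f3577b34da6a3ce929d0e0e4736", "x-b3-spanid": "deadbeefdeadbeef",
     "resource": {"service.name": "checkout-canary", "deployment.environment": "prod"}, "body": "403 on /admin"},
    # Ad hoc correlation id only: cannot be joined to traces.
    {"request_id": "req-8842", "body": "token refresh error"},
]


def run_samples():
    """Confidence per sample log record, in order."""
    return [correlation_gate(rec, SAMPLE_SPANS)["confidence"] for rec in SAMPLE_LOGS]


if __name__ == "__main__":
    for rec in SAMPLE_LOGS:
        print(correlation_gate(rec, SAMPLE_SPANS))
```

The output dictionary maps directly onto the two output fields the suggested fix asks for: `confidence` is the trace-log correlation confidence and `reasons` lists the missing-context reasons, so a report can quote a downgraded join instead of silently treating it as complete.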
References
Bounty Info