What data should be logged?

To expand upon Rory's recommendations, you really need to ask yourself what is the driver behind your logging, and what information you need to accomplish those goals.

For example, if you need user attribution then you probably need

  • Username
  • Timestamp
  • Source IP
  • GET string and possibly POST variables
  • Session IDs
  • Cookie information (expirations, tokens if appropriate, chocolate/sugar/gluten-free, etc)

Are you looking for unauthorized access attempts?

  • Timestamp
  • Source IP
  • Action Performed (login, data query, etc)
  • Related information to action, (username, query string, etc)

Do you have policy/contractual/regulatory/etc. requiring full session reconstruction? Well, that's a lot harder and will require all kinds of scary data on every request. This will likely require deep app integration and possibly need things like stack traces, variable dumps, packet captures, etc.


Really you need to look at this the other way round - what do you need logging for? That should drive your decision on what to log.

  • Are you checking for suspicious behaviour from an IP or range of IP's?
  • Are you trying to monitor usage or performance stats?
  • Do you need to be able to help your users with their session if something goes wrong?
  • Are you needing to work within a regulatory framework which specifies data handling?

etc.


There is certainly value in logging the HTTP headers. Exactly which ones to log vary highly depending on the specific web application.

Tags:

Logging

Related

Is accession number+service (CPT code)+date of service considered PHI (protected health information) under HIPAA? In Healthcare IT, is a "break glass" mode to bypass access controls commonly required? Does marketing data trigger HIPAA Privacy? When is it appropriate to SSL Encrypt Database connections? How to fix SSL 2.0 and BEAST on IIS Disadvantages of metasploit Framework for windows Would an unnecessarily long password degrade performance of a WPA2 wireless network? How does Team Viewer establish a Remote Desktop Connection? Multi-boot with full hard drive encryption and pre-boot authentication Does a CA need to have the same type of key as the certificates it is signing? RSA / Elliptic Curve (EC/ECDH/ECDSA) Do you require a special type of certificate for using Diffie Hellman as the key exchange protocol in SSL? Why is passing the session id as url parameter insecure?

Recent Posts