Logging Strategy Guidelines provide best practices to create efficient logging systems, ensuring consistency, security, and easy analysis throughout an application or organization.
Logging levels are crucial for categorizing log messages by severity and importance, aiding developers and support teams in filtering and analyzing logs more efficiently.
- DEBUG: Variable values, internal states, execution flow
- INFO: Application start-up/shutdown, significant events/ops, No sensitive information
- WARN: Configuration issues, deprecated API usage, Performance-related concerns
- ERROR: Exception details, stack traces, relevant context data
- FATAL: Critical issues that require immediate attention
Standardize the log message format, which should include, but not be limited to:
- Timestamp (ISO 8601 format)
- Log level
- Application or module name
- IP address (if applicable)
- Transaction ID
- Message (with clear and concise descriptions)
- Any relevant contextual data (e.g., user ID, request parameters)
The timestamp format in the provided examples is in ISO 8601 format, which is a widely used international standard for date and time representations. The format is as follows:
YYYY-MM-DDTHH:mm:ssZ
Example format:
| Format | Description | Example |
|---|---|---|
yyyy-MM-ddTHH:mm:ssZ |
ISO 8601 format with a time zone offset expressed in hours | 2023-05-08T14:30:15+09:00 |
yyyy-MM-ddTHH:mm:ss.SSSZ |
ISO 8601 format with milliseconds and a time zone offset in hours | 2023-05-08T14:30:15.123+09:00 |
Including local time in logs isn't advised, as it may cause confusion when correlating events. However, if needed, add a field like "japan_time" to log entries.
{ "timestamp": "2023-05-08T14:35:10.123Z", "japan_time": "2023-05-08T23:35:10.123+09:00", "level": "INFO", "message": "User login successful", "userId": "12345", "ipAddress": "192.168.1.1" }
Two tables clarify logging levels and environments. Table A details levels, logged info, and actions; Table B shows common levels for development, testing, staging, and production.
Table A
| Level | Information to be logged | Action to be taken |
|---|---|---|
| DEBUG | Variable values, internal states, execution flow | Diagnose and debug issues |
| INFO | Application start-up/shutdown, significant events/ops, No sensitive information | Monitor app state and behavior |
| WARN | Configuration issues, deprecated API usage, Performance-related concerns | Investigate potential problems |
| ERROR | Exception details, stack traces, relevant context data | Resolve errors and exceptions |
| FATAL | Critical issues that require immediate attention | Address critical failures |
Table B
| Environment | Level |
|---|---|
| DEV | Free to use any level. DEBUG or INFO level is commonly set up. |
| TEST | Free to use any level. DEBUG or INFO level is commonly set up. |
| STG | Free to use any level. INFO level is appropriate, DEBUG is optional. |
| PROD | INFO, WARN, ERROR, and FATAL levels. DEBUG level is generally disabled in production. |
The application or module name in logs helps identify the source of log messages, improving traceability and facilitating troubleshooting.
The IP address in logs, when applicable, provides information about the client or server involved in an event, aiding in the identification of potential security issues or debugging network-related problems.
Using a standard transaction ID for log entries related to one request or operation aids tracing, debugging, and monitoring. Here's more on transaction IDs' importance and implementation.
Table summarizing the key aspects of using a standard transaction ID across all log entries related to a single request or operation.
| Aspect | Description | Why/What/How to do | Example | Sample Patterns | Summary Description |
|---|---|---|---|---|---|
| Transaction ID | A unique identifier assigned to each request or operation | Allows for correlation and tracing of logs related to a single transaction | UUID, GUID, or a custom format | c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21 |
UUID as a transaction ID |
| Propagate ID | Ensure the transaction ID is passed between internal and external API calls, services, and components | Helps maintain the traceability of logs across distributed systems | Pass the transaction ID in HTTP headers, message queues, or other communication methods | X-Request-ID: c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21 |
Transaction ID passed via HTTP header |
| Include ID in logs | Include the transaction ID in each log entry related to the request or operation | Allows logs to be filtered and aggregated based on the transaction ID | Add the transaction ID to the log entry structure | "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21" |
Transaction ID in log entry |
| Use standard format | Use a consistent format for transaction IDs across all applications and systems | Facilitates log correlation and analysis, regardless of the application or system generating the logs | Stick to a standardized format like UUID or GUID | - | Consistent ID format |
| Log analysis | Use log analysis tools that support transaction ID-based filtering and correlation | Simplifies the process of tracing logs related to a single request or operation | Configure Splunk or Kibana to recognize and filter logs based on the transaction ID | - | Log filtering by transaction ID |
Message: The main content of a log entry that describes the event or action, usually in a clear and concise manner. For example, "User logged in" or "File upload failed."
Contextual Data: Additional information that accompanies the message to provide context and help in understanding the event. It includes details like user ID, request parameters, file name, or transaction amount. For example, for a "User logged in with ID" message, the contextual data could be the user's ID and login timestamp. Such as, "User logged in with ID 123", "File 'report.pdf' not found", or "Payment of $50 processed successfully for user 456".
| Aspect | Sample Pattern | Summary Description |
|---|---|---|
| API Request | {"timestamp": "2023-05-08T15:45:30.123Z", "level": "INFO", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "GET /api/v1/users", "ipAddress": "192.168.1.100"} |
API GET request with transaction ID and IP address |
| API Response | {"timestamp": "2023-05-08T15:45:30.567Z", "level": "INFO", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "API response", "statusCode": 200, "responseTime": 444} |
API response with status code and response time |
| Database Query | {"timestamp": "2023-05-08T15:45:30.678Z", "level": "DEBUG", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "SELECT * FROM users", "dbTime": 111} |
Database query with query execution time |
| User Login | {"timestamp": "2023-05-08T15:45:30.789Z", "level": "INFO", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "User login", "userId": "12345", "ipAddress": "192.168.1.100"} |
User login event with user ID and IP address |
| External API Call | {"timestamp": "2023-05-08T15:45:30.987Z", "level": "INFO", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "Calling external API", "url": "https://api.example.com/data"} |
External API call with API URL |
| Exception | {"timestamp": "2023-05-08T15:45:31.234Z", "level": "ERROR", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "Exception occurred", "error": "NullPointerException", "stackTrace": "..."} |
Exception with error type and stack trace |
| Performance Warning | {"timestamp": "2023-05-08T15:45:31.345Z", "level": "WARN", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "Slow query", "query": "SELECT * FROM large_table", "duration": 2000} |
Performance warning with slow query and duration |
| Configuration Issue | {"timestamp": "2023-05-08T15:45:31.456Z", "level": "WARN", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "Deprecated configuration option used", "option": "old_setting"} |
Configuration issue with deprecated |
| Cache Hit | {"timestamp": "2023-05-08T15:45:32.345Z", "level": "DEBUG", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "Cache hit", "key": "user_12345"} |
Cache hit event with cache key |
| Cache Miss | {"timestamp": "2023-05-08T15:45:32.456Z", "level": "DEBUG", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "Cache miss", "key": "user_67890"} |
Cache miss event with cache key |
| File Upload | {"timestamp": "2023-05-08T15:45:32.567Z", "level": "INFO", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "File upload", "userId": "12345", "fileName": "document.pdf", "fileSize": 1048576} |
File upload event with user ID, file name, and file size |
| Scheduled Task | {"timestamp": "2023-05-08T15:45:32.678Z", "level": "INFO", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "Scheduled task started", "taskName": "daily_cleanup"} |
Scheduled task started with task name |
| Task Completion | {"timestamp": "2023-05-08T15:45:32.789Z", "level": "INFO", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "Task completed", "taskName": "daily_cleanup", "duration": 3000, "result": "success"} |
Task completion event with task name, duration, and result |
Avoid logging personal data, implicit secrets, and unstructured data, as these anti-patterns can lead to privacy violations, exposed sensitive information, and difficult log analysis.
| Aspect | Sample Anti-Pattern | Summary Description |
|---|---|---|
| Sensitive Info | {"timestamp": "2023-05-08T15:45:32.345Z", "level": "INFO", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "User logged in", "username": "johndoe", "password": "myp@ssw0rd"} |
Logging sensitive information like passwords |
| Large Payload | {"timestamp": "2023-05-08T15:45:32.456Z", "level": "DEBUG", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "HTTP response received", "response": "{...large JSON payload...}"} |
Logging very large payloads that can impact performance and storage |
| Verbose Log | {"timestamp": "2023-05-08T15:45:32.567Z", "level": "DEBUG", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "Step 1 completed", "details": "Very long and detailed explanation of step 1..."} |
Logging excessively verbose messages that can make it hard to find relevant information |
| Stack Trace as Message | {"timestamp": "2023-05-08T15:45:32.678Z", "level": "ERROR", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "Exception: NullPointerException, Stack Trace: ...long stack trace..."} |
Logging stack traces as part of the log message instead of using a separate field for it |
| Missing Context | {"timestamp": "2023-05-08T15:45:32.789Z", "level": "ERROR", "message": "File not found"} |
Logging error messages without sufficient context, such as a transaction ID or related data |
| Hardcoded Log Level | {"timestamp": "2023-05-08T15:45:32.890Z", "level": "INFO", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "DEBUG: Variable value changed", "variableName": "counter", "newValue": 5} |
Hardcoding log levels in log messages, making it harder to filter logs based on level |
| SQL Queries | {"timestamp": "2023-05-08T15:45:32.901Z", "level": "DEBUG", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "Executing SQL query", "query": "SELECT * FROM users WHERE username='johndoe' AND password='myp@ssw0rd'"} |
Logging raw SQL queries, which can expose sensitive information and increase the risk of SQL injection attacks |
| Aspect | Sample Anti-Pattern | Summary Description |
| ------- | --------------------- | ------------------- |
| Personal Data | {"timestamp": "2023-05-08T15:45:32.912Z", "level": "INFO", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "New user registered", "name": "John Doe", "email": "[email protected]", "address": "123 Main St", "ssn": "123-45-6789"} |
Logging personally identifiable information (PII) which may violate privacy laws and regulations |
| Implicit Secrets | {"timestamp": "2023-05-08T15:45:32.923Z", "level": "INFO", "transactionId": "c1a89a5b-2075-4e72-a9a1-0e6cddbf0a21", "message": "API call", "url": "https://api.example.com/v1/users?apiKey=abc123"} |
Logging URLs or other data containing sensitive information like API keys or access tokens |
| Unstructured Data | {"timestamp": "2023-05-08T15:45:32.934Z", "level": "INFO", "message": "2023-05-08 15:45:32 [INFO] User logged in: johndoe"} |
Logging unstructured data, which can make it difficult to parse and analyze the logs |
Logging standards for API calls can vary depending on the organization and the project. However, the general guidelines to follow when logging request and response data for GET and POST API calls.
| Request Type | Description | Sample Pattern | About Sample Pattern |
|---|---|---|---|
| GET Request | Log request parameters and metadata | {"timestamp": "2023-05-08T15:30:00.000Z", "level": "INFO", "message": "GET request", "url": "/api/v1/resource", "queryParams": {"id": "1234"}, "headers": {"User-Agent": "Mozilla/5.0"}} |
Example of a log entry for a GET request, including request metadata, URL, query parameters, and headers |
| GET Response | Log response body, status code, and metadata | {"timestamp": "2023-05-08T15:30:00.200Z", "level": "INFO", "message": "GET response", "url": "/api/v1/resource", "statusCode": 200, "responseBody": {"data": {"id": "1234", "name": "example"}}} |
Example of a log entry for a GET response, including response metadata, status code, and response body |
| POST Request | Log request body, request parameters, and metadata | {"timestamp": "2023-05-08T15:32:00.000Z", "level": "INFO", "message": "POST request", "url": "/api/v1/resource", "requestBody": {"id": "1234", "name": "example"}, "headers": {"Content-Type": "application/json"}} |
Example of a log entry for a POST request, including request metadata, URL, request body, and headers |
| POST Response | Log response body, status code, and metadata | {"timestamp": "2023-05-08T15:32:00.300Z", "level": "INFO", "message": "POST response", "url": "/api/v1/resource", "statusCode": 201, "responseBody": {"result": "success", "id": "1234"}} |
Example of a log entry for a POST response, including response metadata, status code, and response body |
In logging, no strict casing standard exists. However, common conventions and best practices help maintain consistency and readability. Table summarizing the lowercase/uppercase conventions for various aspects of logging:
| Aspect | Convention | Example |
|---|---|---|
| Log Levels | Uppercase | "INFO", "DEBUG", "WARN", "ERROR", "FATAL" |
| JSON Keys | camelCase/snake_case | "responseTimeMs", "response_time_ms" |
| Component Names | PascalCase/camelCase/snake_case | "Auth", "apiRequest", "api_request" |
| Log Messages | Sentence case | "User successfully logged in" |
These are general guidelines, and the most important aspect is to maintain consistency throughout the log messages and follow the conventions used within the project.
- JSON format
- Plain text format
Logging Storage Rules cover storage location, retention, rotation, and backup/archiving for effective log management.
The storage location is vital for log data security, accessibility, and manageability. Various options, each with pros and cons, exist for storing log data.
Table summarizing various storage locations for log data:
| Storage Location | Description | Pros | Cons |
|---|---|---|---|
| Local Disk | Store logs on the system where they're generated | Easy to set up, low cost | Limited space, single point of failure |
| Centralized Log Server | Send logs to a dedicated server | Simplified management, better security | Increased network traffic, setup complexity |
| Cloud-based Storage | Store logs on cloud platforms like AWS, GCP | Scalable, high availability | Costs, potential latency |
| Database | Store logs in a relational or NoSQL database | Structured data, easy querying | Complexity, performance impact |
| Log Management Service | Use third-party services like Splunk, ELK | Scalable, feature-rich | Costs, vendor lock-in |
Here's a table summarizing the factors to consider when choosing a storage location for your logs:
| Factor | Description |
|---|---|
| Security | Ensure the storage location provides adequate protection against unauthorized access, tampering, or loss of log data. |
| Accessibility | The storage location should be easily accessible to developers, support teams, and log management tools. |
| Scalability | Choose a storage location that can handle your log data volume and scale as your logging needs grow. |
| Retention & Archiving | Consider log retention and archiving policies required by your organization or regulations, and ensure compatibility. |
| Cost | Factor in storage and maintenance costs, including hardware, software, and operational expenses. |
Retention period refers to the length of time that log data is stored and maintained before it is either deleted or archived.
Table summarizing the aspects to consider when determining a retention period for your logs:
| Aspect | Description | Example | About Example |
|---|---|---|---|
| Regulatory Compliance | Legal requirements and industry regulations may dictate the retention period | GDPR requires log data containing personal data to be retained for no longer than necessary | In the EU, organizations must comply with GDPR's data retention requirements |
| Operational Needs | Retention period should align with the operational needs and use cases for log data | Retaining logs for 30 days to support troubleshooting, root cause analysis, and trend analysis | A company may decide 30 days is sufficient for their operational needs |
| Performance & Storage | Balancing the need for longer retention periods with the cost and performance implications of storing large volumes of log data | Storing logs for 6 months on a dedicated storage server, then archiving them offsite | A compromise between retaining logs and managing storage costs and performance |
| Security & Incident Response | Longer retention periods may be necessary for detecting and responding to security incidents | Retaining logs for 90 days to support the detection of slow, low-volume attacks | This allows security teams to identify patterns and trends over an extended period |
| Business Requirements | Retention period should meet any specific business requirements or policies | An organization may require logs to be retained for 1 year for auditing and compliance purposes | The organization's policy dictates a specific retention period based on their unique needs |
Log rotation or log rolling, is a technique used to manage log files by periodically renaming, compressing, or deleting them as they grow in size or age.
Table summarizing the common log rotation techniques and considerations:
Here's the revised table summarizing the common log rotation techniques with their descriptions, pros, and cons:
| Technique | Description | Pros | Cons |
|---|---|---|---|
| Time-based Rotation | Rotate log files based on time intervals (e.g., daily, weekly, monthly) | Predictable rotation schedule, easy to manage | May result in large log files if log generation rate is high |
| Size-based Rotation | Rotate log files when they reach a specific size limit | Prevents excessive disk space usage | Frequent rotations if log generation rate is high or size limit is low |
| Log File Count | Maintain a specified number of log files, deleting or archiving the oldest when the limit is reached | Controls disk space usage, recent log data readily available | May lose older log data if file count is low or log generation rate is high |
| Compression | Compress older log files to save disk space while retaining data for future reference | Saves disk space while retaining log data | Increases time required to access and analyze compressed log data |
| Deletion or Archiving | Delete or archive log files that exceed a specific age or size limit to enforce retention policies | Enforces retention policies, controls disk space usage | May lose historical log data if not properly managed |
| Manual Intervention | Administrators periodically review and manage log files | Greater control over log management | Time-consuming, prone to errors |
While the previous descriptions focused on log rotation and retention, backup and archiving policies are broader concepts that encompass the entire process of preserving log data for long-term storage and access.
Table summarizing the key aspects to consider when defining backup and archiving policies for log data:
| Aspect | Description |
|---|---|
| Data Integrity | Ensure authenticity and integrity of stored data through checksums, digital signatures, etc. |
| Storage Media | Choose durable, accessible, and cost-effective storage media (e.g., tape, HDDs, cloud). |
| Redundancy | Protect against data loss with multiple copies, different locations, or storage media. |
| Security | Use encryption, access controls, and other security measures to protect stored data. |
| Disaster Recovery | Integrate policies with disaster recovery and business continuity plans. |
| Regular Testing | Periodically test backup and archiving processes to verify effectiveness and data retrieval. |
| Compliance | Comply with relevant regulations, legal requirements, and contractual obligations. |
| Documentation | Document policies, procedures, and responsibilities; provide guidance and training. |
Excluding critical or sensitive information from logs is crucial for ensuring data security, privacy, and compliance with various regulations.
Table summarizing the key aspects to consider when excluding critical or sensitive information from logs:
| Aspect | Description | What/How to do it |
|---|---|---|
| Identify sensitive data | Determine types of data considered sensitive or critical in your context | Define a list of sensitive data types (Personally Identifiable Information [PII], financial data, credentials, etc.) |
| Data masking or redaction | Hide or remove sensitive information from log entries | Replace sensitive data with placeholders, asterisks, or other non-revealing characters |
| Log sanitization | Ensure third-party libraries/components don't log sensitive information | Configure logging settings of components or implement custom log sanitization logic |
| Access controls | Limit who can view or modify log data containing sensitive information | Implement strict access controls; grant access only to authorized personnel |
| Encryption | Protect log data from unauthorized access or tampering | Encrypt log data at rest and in transit |
| Auditing and monitoring | Detect and respond to unauthorized access or data leakage incidents | Regularly audit and monitor log data; establish clear incident response procedures |
| Compliance | Comply with relevant industry standards and legal requirements | Follow data security and privacy regulations; retain log data for specific periods |
| Employee training | Ensure employees understand and follow rules for handling sensitive data | Provide training on logging, data management, and security best practices |
Using a standard transaction ID across all log entries related to a single request or operation is a best practice that helps in tracing, debugging, and monitoring application activities.
Table summarizing the key aspects of using a standard transaction ID across all log entries related to a single request or operation:
| Aspect | Description | Why/What/How to do it |
|---|---|---|
| Purpose | Correlate log entries across components, services, systems for a specific request/operation | Trace, debug, and monitor application activities |
| Generation | Create a unique identifier for each request or operation | Use UUIDs, timestamps, or combinations of unique identifiers (e.g., user/request ID) |
| Propagation | Ensure consistent usage of transaction ID throughout the execution path | Pass ID as a parameter, use request headers, or store in a context object |
| Logging | Include transaction ID in every related log entry | Add the transaction ID as a field in log entry structure or as part of the log message |
| Searching & correlation | Quickly search and filter log entries related to a specific request or operation | Improve troubleshooting, performance analysis, and incident response; correlate log entries from different sources |
Log injection attacks occur when an attacker manipulates log entries by injecting malicious data, often through user input fields, to gain unauthorized access, alter system behavior, or cause other security issues. Sanitizing log data is crucial for preventing log injection attacks and maintaining the integrity and security of your application.
Table summarizing the key aspects of sanitizing log data to prevent log injection attacks:
| Aspect | Description | Why/What/How to do it |
|---|---|---|
| Input validation | Ensure user input and external data meet expected format, length, and content requirements | Prevent injection of malicious data; reject or sanitize non-conforming input |
| Encoding & escaping | Encode or escape unsafe characters or strings in log data | Avoid execution of malicious scripts/commands; protect log integrity |
| Parameterized logging | Separate log messages from data values | Reduce log injection risk; use placeholders in log messages & pass data as arguments |
| Log data filtering | Remove or replace known malicious patterns, keywords, or characters from log data | Prevent malicious data from being written to logs; maintain log security |
| Monitoring & alerting | Monitor log data for signs of log injection attacks and set up alerts | Detect unusual patterns, unexpected data, or suspicious activity; notify relevant personnel |
| Updates & security patches | Keep logging libraries, frameworks, and components up to date with security patches | Protect against known log injection vulnerabilities; follow best practices |
Input validation should be performed at multiple levels to ensure maximum security and protection against log injection attacks or other potential threats. Table summarizing the key places where input validation should be done to prevent log injection attacks or other potential threats:
| Level | Description | Why/What/How to do it |
|---|---|---|
| Client-side | Validate input using JavaScript or other client-side scripting languages | Prevent malformed/malicious data submission; not to be relied on exclusively |
| Server-side | Perform validation in each application that receives user input or external data | More secure than client-side validation; validate in controllers, services, or middleware |
| Web Application Firewall (WAF) | Security layer between client and server to filter and monitor HTTP traffic | Validate input data, block malicious requests; adds extra security layer |
| Logging component | Validate any data received before writing it to log files | Prevent log injection attacks; ensure only valid data is recorded |
Encoding and escaping transform unsafe characters in log data into a safe format, preventing log injection attacks and maintaining log data security and integrity.
Table summarizing the key aspects of encoding and escaping unsafe characters or strings in log data:
| Aspect | Description | Why/What/How to do | Example |
|---|---|---|---|
| HTML encoding | Transform unsafe HTML characters | Prevent script execution in logs | <script> becomes <script> |
| URL encoding | Encode special characters in URLs | Maintain log data structure/integrity | "key=value&test" becomes "key%3Dvalue%26test" |
| Escaping control characters | Escape control characters like newline, carriage return | Prevent formatting issues in logs | "User logged in\nUser ID: 123" becomes "User logged in\nUser ID: 123" |
Parameterized logging uses placeholders in messages and separates data values, ensuring clean log format, easier parsing, and reduced risk of log injection attacks.
Table summarizing the key aspect of parameterized logging:
| Aspect | Description | Why/What/How to do | Example |
|---|---|---|---|
| Parameterized logging | Separate log messages from data values using placeholders | Maintain log format, reduce log injection risk | "User {} has a balance of ${}." for log message, then use .format(username, balance) to insert data values. This format "User " + username + " has a balance of $" + str(balance) + "." is not recommended. |
Log data filtering refers to the practice of sanitizing log data by identifying and handling potentially harmful content before writing it to logs. This approach helps prevent log injection attacks, maintain log data integrity, and improve application security.
| Aspect | Description | Why/What/How to do | Example | Script Pattern |
|---|---|---|---|---|
| Log data filtering | Remove or replace known malicious patterns, keywords, or characters from log data | Prevent log injection attacks and protect sensitive data | { "message": "User <script>alert(1)</script> login failed" } |
{ "message": "User [REMOVED] login failed" } |
{ "message": "File <img src=x onerror=alert(1)> deleted" } |
{ "message": "File [REMOVED] deleted" } |
Monitoring and alerting involve scanning log data to identify patterns, keywords, or characters that may indicate a log injection attack. By setting up alerts, enabling security teams to quickly respond and maintain application security and integrity.
| Aspect | Description | Why/What/How to do | Example |
|---|---|---|---|
| Regular expressions and pattern matching | Identify log injection patterns and keywords | Efficiently search and detect malicious patterns in log data | Regular expression to match common script tags: <\s*script.*> |
| Log analysis tools | Automated log scanning and detection | Tools like Splunk and ELK Stack can analyze logs for suspicious patterns | Setting up log parsing rules in Splunk to detect log injection attempts |
| Threshold-based alerting | Set up alerts based on thresholds | Trigger alerts when a certain number of log injection attempts are detected | Alert when more than 10 log injection attempts occur within an hour |
| Real-time monitoring | Continuously monitor log data | Immediate detection and response to log injection attacks | Real-time log monitoring dashboard showing injection attempts and response times |
| Incident response plan | Develop a plan for responding to log injection attacks | Ensure timely and effective response to detected threats | Plan includes steps for investigating, mitigating, and reporting log injection incidents |
Regularly update logging libraries and frameworks to protect against known security vulnerabilities, mitigating log injection attacks and unauthorized access.
Table summarizing the key aspects of keeping logging libraries, frameworks, and components up to date with security patches:
| Aspect | Description | Why/What/How to do | Example |
|---|---|---|---|
| Regular updates | Schedule regular updates of logging libraries, frameworks, and components | Ensure latest versions with recent security patches | Update logging libraries every month or as patches are released |
| Security advisories | Subscribe to security advisories and updates related to logging components | Stay informed about new vulnerabilities and patches | Subscribe to mailing lists or RSS feeds for used logging libraries |
| Vulnerability scanning | Use vulnerability scanning tools to identify outdated or vulnerable components | Detect vulnerable logging components in your application | Use tools like OWASP Dependency-Check to scan your application |
| Dependency management | Implement a dependency management process to track and manage logging components | Ensure all components are up to date and secure | Use package managers like npm, Maven, or Gradle to manage dependencies |
| Automated testing | Verify application functionality after updating logging components | Catch compatibility issues or bugs introduced by updates | Set up automated tests using tools like JUnit or Selenium |
Testing log patterns ensures consistency, accuracy, and proper formatting, helping to meet quality standards for debugging, monitoring, and auditing.
| Aspect | Description | Why/What/How to do | Example |
|---|---|---|---|
| Log format validation | Verify the log format is consistent with the defined log structure and pattern | Test logs against a predefined schema or structure | Test a log entry against a predefined schema to ensure it contains the required fields |
| Content validation | Check that log entries contain necessary information and context; no sensitive data is logged | Test log entries for different scenarios and verify the required information | Test log entries for successful transactions, failed login attempts, and application errors |
| Timestamp accuracy | Ensure timestamp is accurate, precise (includes milliseconds), and follows a consistent format | Generate log entries at known times and compare the logged timestamps | Generate log entries at known times and compare the logged timestamps against actual times |
| Log level correctness | Validate log entries are generated at the correct log level, based on severity and importance | Test different scenarios with varying severity levels and verify log levels | Test scenarios with severity levels (debug, info, warn, error, fatal) and verify log levels |
| Log rotation & retention | Test log rotation and retention policies to ensure logs are properly rotated, archived, and purged | Simulate log growth over time and verify log rotation and retention policies | Simulate log growth over time and verify log rotation occurs, and older logs are archived |
Design a logging strategy with Splunk and Kibana compatibility for easy log aggregation, filtering, and analysis, enabling your team to efficiently extract insights.
| Aspect | Description | Why/What/How to do | Example | Sample Log Entry Patterns | Summary Description about Sample Pattern |
|---|---|---|---|---|---|
| Log format (JSON) | Use JSON for log output to ensure structured logging and easy parsing. | JSON format allows for better organization and parsing of log data, making it easier to work with in Splunk & Kibana. | User login successful | { "timestamp": "2023-05-08T14:35:10.123Z", "level": "INFO", "message": "User login successful", "userId": "12345", "ipAddress": "192.168.1.1" } | JSON structure makes logs easily parsable by Splunk and Kibana. |
| Field naming | Use consistent and recognizable field names in log data. | Consistent field names make it easier to aggregate, filter, and analyze log data in Splunk & Kibana. | User login successful | { "timestamp": "2023-05-08T14:35:10.123Z", "level": "INFO", "message": "User login successful", "userId": "12345", "ipAddress": "192.168.1.1" } | Recognizable field names improve log data management in Splunk and Kibana. |
| Timestamp format (ISO 8601) | Use ISO 8601 format for timestamps in log data. | ISO 8601 timestamps are easily recognizable and supported by Splunk & Kibana. | User login successful | { "timestamp": "2023-05-08T14:35:10.123Z", "level": "INFO", "message": "User login successful", "userId": "12345", "ipAddress": "192.168.1.1" } | ISO 8601 timestamps ensure compatibility with Splunk and Kibana. |
| Structured logging | Include additional context and metadata in log data as separate fields. | Structured logging improves the ability to search, filter, and analyze log data in Splunk & Kibana. | User login successful | { "timestamp": "2023-05-08T14:35:10.123Z", "level": "INFO", "message": "User login successful", "userId": "12345", "ipAddress": "192.168.1.1", "apiEndpoint": "/login", "httpMethod": "POST", "responseCode": 200 } | Structured logging enhances log data analysis capabilities in Splunk and Kibana. |
| Indexing and source types | Configure log indexing and source types in Splunk and Kibana. | Proper indexing and source type configurations improve log data management and analysis in Splunk & Kibana. | User login successful | { "timestamp": "2023-05-08T14:35:10.123Z", "level": "INFO", "message": "User login successful", "userId": "12345", "ipAddress": "192.168.1.1" } |
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent