
Difference between revisions of "Practical Logging In Web Applications"

Line 12: Line 12:
===What to Log===
===What to Log===
date and time
*date and time
server IP
*server IP
-source IP
-URL requested
source IP
-module/action/class responsible
URL requested
-user ID
module/action/class responsible
-description of the event
user ID
-severity level
description of the event
severity level

Revision as of 01:46, 8 August 2007

The Problem

Identity Flow Through Application Layers

All web application security experts will tell you how important logging is [1][2][3][4]. How else can you detect attacks, successful or otherwise? Logs should allow you to replay a user's request lifecycle. In an enterprise web application this is a lot of work, and I'm not happy to tell you that not many people are doing it right.

There are generally two things development teams have to figure out when architecting a logging strategy: what to log and when to log.

When to Log


What to Log

  • date and time
  • server IP
  • source IP
  • URL requested
  • module/action/class responsible
  • user ID
  • description of the event
  • severity level
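As an added example (not code from the original article), here is a small helper that writes one structured log record carrying exactly the fields listed above and reads it back so a request lifecycle can be replayed; the JSON layout, field names and severity scale are assumptions, and user-controlled values are neutralized so a crafted description or user ID cannot forge extra log lines.

```python
import json
from datetime import datetime, timezone

# Assumed severity scale; the article names no specific levels.
SEVERITIES = ("DEBUG", "INFO", "WARN", "ERROR", "CRITICAL")

# One key per item in the "What to Log" list (names are assumptions).
REQUIRED = ("timestamp", "server_ip", "source_ip", "url", "module",
            "user_id", "description", "severity")


def _neutralize(value):
    """Escape CR, LF and other non-printable characters so that text an
    attacker controls (URL, user ID, description) stays on one log line."""
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}"
                   for ch in str(value))


def build_log_event(server_ip, source_ip, url, module, user_id,
                    description, severity, when=None):
    """Return a single-line JSON record with all required fields."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity: {severity!r}")
    when = when or datetime.now(timezone.utc)  # always log in UTC
    event = {
        "timestamp": when.isoformat(timespec="milliseconds"),
        "server_ip": server_ip,
        "source_ip": source_ip,
        "url": _neutralize(url),
        "module": module,
        "user_id": _neutralize(user_id),
        "description": _neutralize(description),
        "severity": severity,
    }
    return json.dumps(event, separators=(",", ":"))


def parse_log_event(line):
    """Load one record back and verify no required field is missing."""
    event = json.loads(line)
    missing = [key for key in REQUIRED if key not in event]
    if missing:
        raise ValueError(f"log record missing fields: {missing}")
    return event


if __name__ == "__main__":
    # Constructed sample: a description that tries to inject a second line.
    print(build_log_event("10.0.0.5", "192.0.2.1", "/login", "AuthController",
                          "alice", "login failed\r\nadmin logged in", "WARN"))
```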