Practical Logging In Web Applications

Revision as of 02:08, 8 August 2007 by Arshan (talk | contribs)


The Problem

Identity Flow Through Application Layers

All web application security experts will tell you how important logging is [1][2][3][4]. How else can you detect attacks, successful or otherwise? Logs should allow you to replay a user's request lifecycle. In an enterprise web application this is a lot of work, and I'm not happy to report that few people are doing it right.

There are generally two things development teams have to figure out when architecting a logging strategy: what to log and when to log.

When to Log


What to Log

Whether you're investigating your log files as part of a regular monitoring program or during incident response, there is general consensus on what information an application log message should contain:

  • date and time
  • server IP
  • source IP
  • URL requested
  • module/action/class responsible
  • user ID
  • description of the event
  • severity level
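As an added example (not code from the original page), the following Python builds one log event carrying those eight fields as a single JSON line, and neutralises line breaks in request-influenced fields (URL, user ID, description) so that a crafted request cannot forge extra entries in the log. Field names and the severity set are assumptions for the example.

```python
# Added example: one application log event with the fields listed above,
# emitted as a single JSON line so each event can be replayed on its own.
import json
from datetime import datetime, timezone

# Assumed severity levels for the example.
SEVERITIES = ("DEBUG", "INFO", "WARN", "ERROR", "CRITICAL")


def _sanitize(value, max_len=512):
    """Replace CR/LF and other control characters with spaces so an event
    never spans more than one line, and bound the length of the field."""
    cleaned = "".join(ch if ch.isprintable() else " " for ch in str(value))
    return cleaned[:max_len]


def build_log_event(server_ip, source_ip, url, module, user_id,
                    description, severity, when=None):
    """Return one log event as a compact JSON string."""
    if severity not in SEVERITIES:
        raise ValueError("unknown severity %r" % (severity,))
    when = when or datetime.now(timezone.utc)
    record = {
        "time": when.isoformat(),         # date and time (UTC, ISO 8601)
        "server_ip": server_ip,           # server that handled the request
        "source_ip": source_ip,           # client address taken from the socket
        "url": _sanitize(url),            # URL requested (request-controlled)
        "module": module,                 # module/action/class responsible
        "user_id": _sanitize(user_id),    # user ID, or "anonymous"
        "event": _sanitize(description),  # description of the event
        "severity": severity,             # severity level
    }
    return json.dumps(record, separators=(",", ":"))


def parse_log_event(line):
    """Inverse of build_log_event, for replaying a request lifecycle."""
    return json.loads(line)


if __name__ == "__main__":
    # Constructed sample: a user ID containing CR/LF that would otherwise
    # appear as a second, forged log entry.
    print(build_log_event("10.0.0.5", "203.0.113.9", "/account/login",
                          "LoginAction", "bob\r\nINFO forged entry",
                          "authentication failed", "WARN"))
```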