What data should be logged?

To expand upon Rory's recommendations, you really need to ask yourself what is the driver behind your logging, and what information you need to accomplish those goals.

For example, if you need user attribution then you probably need

  • Username
  • Timestamp
  • Source IP
  • GET string and possibly POST variables
  • Session IDs
  • Cookie information (expirations, tokens if appropriate, chocolate/sugar/gluten-free, etc.)

Are you looking for unauthorized access attempts?

  • Timestamp
  • Source IP
  • Action performed (login, data query, etc.)
  • Information related to the action (username, query string, etc.)

Do you have policy/contractual/regulatory/etc. requiring full session reconstruction? Well, that's a lot harder and will require all kinds of scary data on every request. This will likely require deep app integration and possibly need things like stack traces, variable dumps, packet captures, etc.
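
An added example, not part of the original answers: detection logic that uses the unauthorized-access fields listed above (timestamp, source IP, action, related information) to flag source IPs with repeated failed logins inside a sliding window. The JSON field names, the `outcome` field, the threshold and window values, and the sample log lines are assumptions constructed for illustration; records are assumed to arrive in time order.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Field names are assumptions
# mapping to: timestamp, source IP, action performed, related information.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00", "src_ip": "203.0.113.7", "action": "login", "outcome": "fail", "detail": {"username": "alice"}}
{"ts": "2024-05-01T10:00:00", "src_ip": "192.0.2.9", "action": "login", "outcome": "fail", "detail": {"username": "erin"}}
{"ts": "2024-05-01T10:00:05", "src_ip": "198.51.100.20", "action": "login", "outcome": "fail", "detail": {"username": "dave"}}
{"ts": "2024-05-01T10:00:30", "src_ip": "198.51.100.20", "action": "login", "outcome": "ok", "detail": {"username": "dave"}}
{"ts": "2024-05-01T10:00:40", "src_ip": "203.0.113.7", "action": "login", "outcome": "fail", "detail": {"username": "bob"}}
this line is not JSON and must be skipped
{"ts": "2024-05-01T10:01:10", "src_ip": "203.0.113.7", "action": "login", "outcome": "fail", "detail": {"username": "carol"}}
{"ts": "2024-05-01T10:02:00", "src_ip": "203.0.113.7", "action": "data query", "outcome": "ok", "detail": {"username": "carol"}}
{"ts": "2024-05-01T10:04:00", "src_ip": "192.0.2.9", "action": "login", "outcome": "fail", "detail": {"username": "erin"}}
{"ts": "2024-05-01T10:08:00", "src_ip": "192.0.2.9", "action": "login", "outcome": "fail", "detail": {"username": "erin"}}
{"ts": "2024-05-01T10:20:00", "src_ip": "198.51.100.20", "action": "login", "outcome": "fail", "detail": {"username": "dave"}}
"""

def flag_sources(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {src_ip: sorted usernames tried} for every source IP that had
    at least `threshold` failed logins within any `window`-long span."""
    recent = defaultdict(deque)  # src_ip -> (timestamp, username) of recent failures
    flagged = defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["ts"])
            ip, action, outcome = rec["src_ip"], rec["action"], rec["outcome"]
            user = rec["detail"]["username"]
        except (ValueError, KeyError, TypeError):
            continue  # blank, malformed or incomplete record: cannot attribute it
        if action != "login" or outcome != "fail":
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip].update(u for _, u in q)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, users in flag_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: repeated failed logins for {', '.join(users)}")
```

Without the timestamp the window cannot be evaluated, and without the source IP and username the failures cannot be grouped or attributed, which is why the goal decides the field list.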


Really you need to look at this the other way round - what do you need logging for? That should drive your decision on what to log.

  • Are you checking for suspicious behaviour from an IP or range of IPs?
  • Are you trying to monitor usage or performance stats?
  • Do you need to be able to help your users with their session if something goes wrong?
  • Are you needing to work within a regulatory framework which specifies data handling?

etc.


There is certainly value in logging the HTTP headers. Exactly which ones to log varies highly depending on the specific web application.

Tags:

Logging