Logging within web applications is crucial for supporting cyber security monitoring and incident response requirements, and it also enhances troubleshooting, debugging and performance monitoring. Here are five things that all applications should capture in their logs.
Date and time are critical to understanding timelines and correlating against other events or activities. Applications should take their time from the operating system, which should be configured to use a Teck or Cloud Service Provider authorized NTP server. Time zone misconfigurations cause confusion, so be sure that your application logs are standardized consistently to UTC or to the local time zone.
Understanding who or what was involved in the event adds context to the log. "The who" can be a human, an asset or an object; logging it supports identifying and separating events based on who or what initiated the event and whether there is a second party receiving it. Common values for "the who" are a username, user ID, email address, asset or API identifier, but a hostname or IP address can also serve.
Next is understanding what happened to trigger the log entry. This may be the command that was run, a transaction being tracked, a user logging in, a password change, or literally anything else that happens in the application and is worth remembering.
What was the Outcome
Second to last, and a subset of "What Happened", is the outcome. Was the request successful, or did it fail, and why did it fail? This data point helps identify anything from a misconfiguration or business logic error all the way up to active reconnaissance and attacks against the application.
Other Relevant Particulars and Nice to Haves
This is admittedly a bit of a catch-all section for other relevant data that does not fall into the sections above. First, contextual data about the type of log entry, such as a transaction, an administrative change or a request/response, helps troubleshooters and cyber security professionals better understand the nature of the event. Second, metrics such as usage data and system telemetry help you understand application performance and potentially detect abuse.
Last and certainly not least is including the priority or criticality of the event in the log. This context allows troubleshooters, debuggers and cyber security teams to sift through millions of log entries and focus on what is most important.
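The following is an added example, not code from the original article, that puts all five data points into one structured JSON log record: a UTC timestamp taken from the operating system clock, an actor block for "the who", the action that happened, the outcome with a failure reason, plus the event type and severity from the last section. The field names, the `build_event`, `emit` and `failed_logins_by_source` helpers, and the sample log lines (which use the 198.51.100.0/24 and 203.0.113.0/24 documentation address ranges) are all constructed for illustration. The last function shows why the outcome field matters: with it, a defender can count failed logins per source address directly from the log, which is the kind of check that separates a misconfiguration from probing.

```python
import json
import logging
from collections import Counter
from datetime import datetime, timedelta, timezone


def build_event(event_type, actor, action, outcome, severity="INFO",
                reason=None, ts=None, **extra):
    """Return one JSON-serialisable record carrying the five data points.

    Hypothetical field layout chosen for this example, not a standard schema.
    """
    # "When": OS clock, always normalised to UTC and written as ISO 8601 so
    # records from different hosts line up without time-zone guesswork.
    when = (ts or datetime.now(timezone.utc)).astimezone(timezone.utc)
    record = {
        "ts": when.isoformat(timespec="milliseconds"),
        "type": event_type,      # transaction / admin / request ...
        "actor": actor,          # "who": user, asset or API id plus source address
        "action": action,        # "what happened"
        "outcome": outcome,      # "success" or "failure"
        "severity": severity,    # priority; uses the logging module's level names
    }
    if reason is not None:
        record["reason"] = reason   # why it failed; only present on failures
    record.update(extra)            # nice-to-haves such as latency or request id
    return record


def emit(record, logger_name="app.audit"):
    """Write the record as a single JSON line at the level named by its severity."""
    level = getattr(logging, record["severity"], logging.INFO)
    logging.getLogger(logger_name).log(level, json.dumps(record, sort_keys=True))


def failed_logins_by_source(json_lines, threshold):
    """Count failed login outcomes per source address.

    Returns {source_ip: count} for every source at or above the threshold.
    Lines that are not valid JSON are skipped rather than aborting the scan.
    """
    counts = Counter()
    for line in json_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("action") == "login" and rec.get("outcome") == "failure":
            counts[rec.get("actor", {}).get("source_ip", "unknown")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def _sample_lines():
    """Constructed sample log: one normal session and one noisy source."""
    base = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    alice = {"user": "alice", "source_ip": "198.51.100.4"}
    bob = {"user": "bob", "source_ip": "203.0.113.7"}
    events = [
        build_event("auth", alice, "login", "success", ts=base, latency_ms=42),
        build_event("auth", bob, "login", "failure", "WARNING",
                    reason="bad_password", ts=base + timedelta(seconds=5)),
        build_event("auth", bob, "login", "failure", "WARNING",
                    reason="bad_password", ts=base + timedelta(seconds=7)),
        build_event("auth", bob, "login", "failure", "WARNING",
                    reason="bad_password", ts=base + timedelta(seconds=9)),
        build_event("admin", alice, "password_change", "success", "NOTICE",
                    ts=base + timedelta(minutes=2)),
    ]
    return [json.dumps(e, sort_keys=True) for e in events]


SAMPLE_LINES = _sample_lines()

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for line in SAMPLE_LINES:
        emit(json.loads(line))
    print("sources with >= 3 failed logins:", failed_logins_by_source(SAMPLE_LINES, 3))
```

Keeping the record as one JSON object per line makes every field queryable by whatever collector ingests it, and writing the timestamp in UTC at the point of creation removes the time-zone ambiguity the article warns about. The `reason` field is deliberately optional so that successful events stay compact while failures still carry the "why".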