Enhanced Logging

[tommathee]

Example: Currently, the OWASP Application Gateway effectively redirects HTTP requests to HTTPS as part of its security protocol. However, no logs are generated for these redirection events. Enhanced logging for these actions would greatly improve the ability to monitor and verify the redirection process.

Observed Behavior:

• HTTP requests are redirected to HTTPS.
• No logs are produced to confirm or detail the redirection process.

Expected Behavior:

• HTTP requests are redirected to HTTPS.
• Detailed logs should be generated for each redirection event, capturing information such as the original HTTP request and the HTTPS URL to which it was redirected.

Suggested Enhancement:

I propose implementing detailed logging not only for HTTP to HTTPS redirections within the gateway, but all possible functionalities. This would involve capturing and reporting key data about each redirection event in the gateway's logs.

Proposed Log Format for HTTPS redirection:
INFO - Response status code 301 Moved Permanently for GET http://xxx.com
INFO - Redirecting to https://xxx.com (HTTP to HTTPS Redirection Rule applied)

[Padi-owasp]

That should be possible to do in the next iteration -> around Q3/24.

[Padi-owasp]

This option is already available. In Fact logs are written on debug level (which is for most cases preferred in this case). To enable Redirect logging just add the following section to the application.yaml file:

logging:
  level:
    root: WARN
    org:
      owasp: INFO
    oag.filters.spring.HttpRedirectFilter: DEBUG

I'll add a documentation section for this.