Logging Best Practices and Implementation

Logging will done using Winston and Morgan. Winston: Documentation Winston is a popular and powerful logging tool that we can use to log to various transports and log the way we want. Currently, we will output Morgan logging to the Winston file transport(console and file).

Later, we could look into implementing logger with a Log management(analysis, management, etc) tool such as Loggly.

This contains what should be logged for our application based on best practices from the following sites.

Suggested by TA:

• https://security.stackexchange.com/questions/33997/what-are-the-parameters-to-be-logged-in-a-web-application
• https://www.owasp.org/index.php/Logging_Cheat_Sheet#Which_events_to_log
• https://dzone.com/articles/application-logging-what-when

Others:

• https://www.digitalocean.com/community/tutorials/how-to-use-winston-to-log-node-js-applications

Important: Don't log credentials, passwords or any sensitive information.

Currently logging the following on server:

OWASP

Which events to log

• Input validation failures
• Database failures
• Authentication successes and failures
• Authorization (access control) failures
• Session management failures
• Application errors and system events.

Event Attributes

• Code location e.g. script name, module name

StackExchange

• Timestamp
• IP address.
• Full originalrequested URL.

Format of message similar to apache format, the fields are:

Format: ip method url httpVersion status referrer customMessage errorMessage

In js: ${timestamp} ${req.ip} \"${req.method} ${req.originalUrl} HTTP/${httpVersion}\" ${req.status} ${req.referrer} \"${customMessage}\" \"${errorMessage}\";`

Example: 2018-11-13T04:39:55.316Z : debug: ::ffff:127.0.0.1 [13/Nov/2018:04:39:55 +0000] "GET /api/friend/getfriendslist HTTP/1.1" 304 "http://localhost:3000/main"