Logging is a concept that most developers already use for debugging and diagnostic purposes.

• Security logging is an equally basic concept: to log security information during the runtime operation of an application.

• Monitoring is the live review of application and security logs using various forms of automation.

• The same tools and patterns can be used for operations, debugging and security purposes.

Security logging can be used for:

1. Feeding intrusion detection systems.

2. Forensic analysis and investigations.

3. Satisfying regulatory compliance requirements.

The following is a list of security logging implementation best practices.

1. Follow a common logging format and approach within the system and across systems of an organization.

   1. An example of a common logging framework is the Apache Logging Services which helps provide logging consistency between Java, PHP, .NET, and C++ applications.

2. Do not log too much or too little. For example, make sure to always log the timestamp and identifying information including the source IP and user-id, but be careful not to log private or confidential data.

3. Pay close attention to time syncing across nodes to ensure that timestamps are consistent.

Use logging to identify activity that indicates that a user is behaving maliciously. Potentially malicious activity to log includes:

• Submitted data that is outside of an expected numeric range.

• Submitted data that involves changes to data that should not be modifiable (select list, checkbox or other limited entry component).

• Requests that violate server-side access control rules.

When your application encounters such activity, your application should at the very least log the activity and mark it as a high severity issue.

• Ideally, your application should also respond to a possible identified attack, by for example invalidating the user’s session and locking the user's account.

• The response mechanisms allows the software to react in realtime to possible identified attacks.

Logging solutions must be built and managed in a secure way. Secure Logging design may include the following:

• Encode and validate any dangerous characters before logging to prevent log injection or log forging attacks.

• Do not log sensitive information.

  • For example, do not log password, session ID, credit cards, or social security numbers.

• Protect log integrity.

  • An attacker may attempt to tamper with the logs.

  • Therefore, the permission of log files and log changes audit should be considered.

• Forward logs from distributed systems to a central, secure logging service.

  • This will ensure log data cannot be lost if one node is compromised.

  • This also allows for centralized monitoring.

• OWASP Security Logging Project

• Apache Logging Services

• OWASP AppSensor Detection Points - Detection points used to identify a malicious user probing for vulnerabilities or weaknesses in application.

• OWASP Log injection

• OWASP Log Forging

• OWASP Cheat Sheet: Logging - How to properly implement logging in an application

• OWASP Development Guide: Logging

• OWASP Code Review Guide: Reviewing Code for Logging Issues