More About Logging (2)

By now it should be clear that using simple encoding/decoding is not a way to protect sensitive information in a log. Instead, it is better to use different techniques: not logging the data at all, blanking it out, or encrypting it with another shared secret.

There are a few more topics we might want to cover here:

• How to work with log-levels

• How to do Exception Handling

• How to use logging for other purposes

• Some resources to read up on.

Log Levels

Explain log levels.

Exception Handling

exception handling (maybe an example of logging exception towards the client with cryptography and why this is a bad idea)

Audit Logging, Security Event Monitoring, and Application Logs

Note that logging is often used for more than just application debugging. Application logs are often used as a feed for other purposes, think of:

• Audit logging: Specific events need to be recorded by your application log to create a trail that can be used to reconstruct the actions done on behalf of/by your user. This can later be used, for instance, in court to prove what happened in case of a dispute.

• Security Event Monitoring (SEM): Events generated by your application can often be used by your security department to understand what is going on in the application landscape of the organization. There are various types of events as well as various attributes that can play a role to detect whether the organization is in trouble. For instance: a privileged administrative logon that is only used as a break-glass procedure can already be a very valuable event for them. Another example: While frequently used administrative logons are good to record, they might not trigger an event at the security department by themselves, unless a completely different location is used for that administrative role. A threat model exercise with your security department can often help to understand which types of logs they require, and what they should trigger a security alert on immediately.

• Fraud Detection: your application logs can help in fraud detection. For instance: logs that show that someone is trying to move around more money than that they have, could indicate something is going wrong.

• Business Process Monitoring: your application logs can be used to see if the business processes are still progressing as they should. For instance: the lack of new events further down a process could indicate that the business process has stopped. This can be valuable information to the business when it comes to steering the company.

• And many more…​

Note that a lot of these logging purposes differ quite a lot from each other! Therefore it is best to separate your application (debug) logging, from your SEM, and audit logs in terms of output by your application, storage and processing of the logs within your organization.

More reading

• The OWASP Logging Cheat sheet