An slides about importance of logging, one of OWASP recommendation as security practice.

1. Logging
Security Practices

2. Why Log
• OWASP Top 10 - A09:2021 – Security Logging and Monitoring
 https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/
• OWASP Top Ten Proactive Controls 2018 - C9: Implement Security Logging and
Monitoring
 https://owasp.org/www-project-proactive-controls/v3/en/c9-security-logging
• OWASP Log Cheet-sheet
 https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html

3. Why Log
• Identifying security incidents
• Anomaly Detection
• Forensics
• Identifying Application Security Problems
• Also has non-security benefits:
• Identifying Performance Pitfalls
• Application Perfomance Analysis Use Cases
• Business Use Cases

4. Unstructured Logging

5. What to Log
• Application Logs (Web, Mobile, Desktop …)
• Network Appliances Logs
• WAF, Db Firewalls, Proxies… Logs
• Databases Logs
• Monitoring Systems Logs
• Operating System Logs
• EVERYTHING!!!!!!!

6. Structured Logging

7. Elastic

8. Structured Logging

9. Log Management Systems
• Microservices Era
• Tons of logs
• Forensics
• Alerts
• Identify Problems

10. Log Management Systems

11. Splunk

12. Splunk - Structured Logging

13. Elastic

14. Attributes To Log
• The application logs must record "when, where, who and what" for each event.
 When
 Where
 Who
 What

15. Attributes To Log (When)
 Event date and time
 Interaction identifier
 Method of linking all (relevant) events for a single user interaction (e.g.
desktop application form submission, web page request, mobile app button
click, web service call)

16. Attributes To Log (Where)
 Application Name and Address
 Geolocation
 Client IP
 Request Path
 Application Module

17. Attributes To Log (Who)
 Source Device, Address, IP or any identifier
 User Identity such as Username or any other identifier

18. Attributes To Log (What)
 Event Severity Level
 Event Type / Event Id
 Action
 Object
 Description
 Request/Response
 Http Status Code (Success/Failure)
 Headers
 User Agent
 Error (Exception, Stack Trace or any error description)

19. Data to Not Log
• Credentials
 Tokens
 Passwords
• Sensitive Application Data
 Database Connection Strings
• Sensitive personal data
 Bank Card Number or Iban
 …

21. Logging Demo (.NET Core)

23. Logging Demo

25. Splunk Demo
• Structured Logging
• Sensitive Data Masking
• Search
• Forensics
• Analysis
• Alerts

26. Log Configuration Demo

27. Some logging advices
• Log as much as you can
 Maybe logging millions of event in few minutes
• Log everything in structured manner
• Log Interaction Identifier (User Id, Request Id, or any unique identifier)
 Allow you to track user interaction between systems or Service to Service Communication
• Do not hard-code log configuration
• Do not log sensitive Information (Exceptions, Personal Data…)
• Log Request/Response details Automatically using Middleware
• It make it easy for you to troubleshoot problems between micro-services

28. Performance Considerations
• Logs will be sent to asynchronous log management system
• Maybe milliseconds latency
• No problem for scalable apps
• A little load on CPU
• Logs may be better to store on another disk (each disk has own write queue)
• You can test performance with/without logs using browser Request Timings
or any other tool

29. Some useful libs (.NET)
• AutoWrapper
 Wrap application responses in standard format
 Automatically log request/responses and errors
 Prevent to expose sensitive information on errors to clients
• Serilog
 Structured Logging
 Many sinks
 Async batch log emitting
 Userful Enrichers