# Insufficient Logging (CWE-778)

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

**Stack:** JavaScript

- Prevalence: 높음 자주 악용됨
- Impact: 보통 검토 권장
- Prevention: 문서화됨 3개의 수정 예시

**OWASP:** Security Logging and Monitoring Failures (A09:2021-Security Logging and Monitoring Failures) - #9

## Description

Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where.

## Prevention

1개의 Shoulder 탐지 규칙을 기반으로 한 Insufficient Logging 예방 전략.

### JavaScript

Replace console.log with a structured logging library like winston or pino

## Warning Signs

- [low] console

## Consequences

- 활동 은폐
- 보호 메커니즘 우회

## Mitigations

- 인증, 인가, 데이터 접근 등 보안 관련 모든 이벤트를 로그에 남기세요
- 충분한 컨텍스트(사용자, 타임스탬프, IP, 동작, 결과)를 포함하세요
- 중앙 집중식 로그 관리와 모니터링을 구현하세요

## Detection

- Total rules: 3
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **Avoid console.log when logging library exists** [low]: Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected.
  - Remediation: Replace console.log with your logging library.

```javascript
// winston
logger.info('User logged in', { userId });

// pino
logger.info({ userId }, 'User logged in');
```

Learn more: https://shoulder.dev/learn/javascript/cwe-778/avoid-console-log

### Typescript (1 rules)

- **Avoid console.log when logging library exists** [low]: Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected.
  - Remediation: Replace console.log with your logging library.

```javascript
// winston
logger.info('User logged in', { userId });

// pino
logger.info({ userId }, 'User logged in');
```

Learn more: https://shoulder.dev/learn/javascript/cwe-778/avoid-console-log