Insufficient Logging (CWE-778) - Security Vulnerability

Insufficient Logging

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where.

Prevalence

High

Frequently exploited

Impact

Medium

Review recommended

Prevention

Documented

3 fix examples

2 Prevention

How to fix this vulnerability

Prevention strategies for Insufficient Logging based on 3 Shoulder detection rules.

🟨 JavaScript View all JavaScript details →

Avoid console.log when logging library exists low

Replace console.log with a structured logging library like winston or pino

+1 -1 javascript

- console.log('User logged in', userId);
+ logger.info('User logged in', { userId });

🐍 Python View all Python details →

Avoid print() when logging module exists low

Replace print() with the logging module for structured, level-aware output

+8 -4 python

- def process_request(data):
-     print(f"Processing request: {data}")
-     result = handle(data)
-     print(f"Result: {result}")
+ import logging
+ 
+ logger = logging.getLogger(__name__)
+ 
+ def process_request(data):
+     logger.info("Processing request: %s", data)
+     result = handle(data)
+     logger.debug("Result: %s", result)
      return result

Insufficient Security Event Logging MEDIUM

Log authentication attempts, failures, and admin actions with user/IP context

+15 -9 python

- from flask import request
- from flask_login import login_user
- 
- @app.route('/login', methods=['POST'])
- def login():
-     user = User.query.filter_by(username=request.form['username']).first()
-     if user and check_password(user.password, request.form['password']):
-         login_user(user)
-         return redirect('/dashboard')
+ import logging
+ from flask import request
+ from flask_login import login_user
+ 
+ logger = logging.getLogger('security')
+ 
+ @app.route('/login', methods=['POST'])
+ def login():
+     username = request.form['username']
+     user = User.query.filter_by(username=username).first()
+     if user and check_password(user.password, request.form['password']):
+         login_user(user)
+         logger.info(f"Login success: {username} from {request.remote_addr}")
+         return redirect('/dashboard')
+     logger.warning(f"Login failed: {username} from {request.remote_addr}")
      return 'Invalid credentials', 401

Key Practices

reviewed: - They bypass structured logging - They don't respect log levels - They can't be easily filtered in production - They go to stdout, not stderr (may interfere with output parsing)

3 Detection

Find vulnerabilities in your code

Use Shoulder to scan your codebase for Insufficient Logging patterns. 3 rules.

terminal

# Scan with Shoulder CLI
npx @shoulderdev/cli trust --cwe=778

# Or scan entire project
npx @shoulderdev/cli trust .

Detection Rules (3)

🐍 Python 2 rules

Avoid print() when logging module exists low

Detects print() calls when the logging module is used in the codebase. CAPABILITY-GATED: This rule only fires when Python's logging module or a logging library (loguru, structlog) is detected. If the project only uses print(), that's an architectural choice - not a violation. When logging infrastructure exists, print() calls are outliers that should be reviewed: - They bypass structured logging - They don't respect log levels - They can't be easily filtered in production - They go to stdout, not stderr (may interfere with output parsing)

Insufficient Security Event Logging MEDIUM

Detects security-critical operations (authentication, authorization failures, admin actions) without proper logging. Insufficient logging prevents detection of attacks and hinders incident response. This rule only triggers on files containing security-critical patterns like: - Authentication (login, logout, authenticate, check_password) - Authorization decorators (@login_required, @permission_required) - Privilege checks (is_staff, is_superuser, is_admin, has_perm) - Session management with auth/user/token data NOTE: This rule only applies to authentication/authorization related code. Not every view needs audit logging - focus on security-critical operations.

🟨 Javascript 1 rules

Avoid console.log when logging library exists low

Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected.

🔷 Typescript 1 rules

Avoid console.log when logging library exists low

Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected.

4 Warning Signs

What to watch for in code reviews

These patterns indicate potential Insufficient Logging vulnerabilities. Look for these during code reviews and security audits.

🟡

Security-critical operation lacks audit logging python-insufficient-logging

🟡

security-critical operations (authentication, authorization failures, admin actions) without proper python-insufficient-logging

console javascript-avoid-console-log

print() calls when the logging module is used in the codebase python-avoid-print-logging

🔍

Scan your codebase for Insufficient Logging

Shoulder CLI finds vulnerable patterns across your entire codebase.

npx shoulder trust Browse all rules