# Insufficient Logging (CWE-778) When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it. - Prevalence: High Frequently exploited - Impact: Medium Review recommended - Prevention: Documented 3 fix examples **OWASP:** Security Logging and Monitoring Failures (A09:2021-Security Logging and Monitoring Failures) - #9 ## Description Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where. ## Prevention Prevention strategies for Insufficient Logging based on 3 Shoulder detection rules. ### Key Practices - reviewed: - They bypass structured logging - They don't respect log levels - They can't be easily filtered in production - They go to stdout, not stderr (may interfere with output parsing) ### Node.js Replace console.log with a structured logging library like winston or pino ### Python Replace print() with the logging module for structured, level-aware output Log authentication attempts, failures, and admin actions with user/IP context ## Warning Signs - [MEDIUM] Security-critical operation lacks audit logging - [MEDIUM] security-critical operations (authentication, authorization failures, admin actions) without proper - [low] console - [low] print() calls when the logging module is used in the codebase ## Consequences - Hide Activities - Bypass Protection Mechanism ## Mitigations - Log all security-relevant events (authentication, authorization, data access) - Include sufficient context (user, timestamp, IP, action, outcome) - Implement centralized log management and monitoring ## Detection - Total rules: 3 - Languages: javascript, typescript, python ## Rules by Language ### Python (2 rules) - **Avoid print() when logging module exists** [low]: Detects print() calls when the logging module is used in the codebase. CAPABILITY-GATED: This rule only fires when Python's logging module or a logging library (loguru, structlog) is detected. If the project only uses print(), that's an architectural choice - not a violation. When logging infrastructure exists, print() calls are outliers that should be reviewed: - They bypass structured logging - They don't respect log levels - They can't be easily filtered in production - They go to stdout, not stderr (may interfere with output parsing) - Remediation: Replace print() with the logging module. ```python import logging logger = logging.getLogger(__name__) logger.info("User logged in: %s", user_id) logger.debug("Processing file: %s", filename) logger.error("Failed to connect: %s", error) ``` Learn more: https://shoulder.dev/learn/python/cwe-778/avoid-print-logging - **Insufficient Security Event Logging** [MEDIUM]: Detects security-critical operations (authentication, authorization failures, admin actions) without proper logging. Insufficient logging prevents detection of attacks and hinders incident response. This rule only triggers on files containing security-critical patterns like: - Authentication (login, logout, authenticate, check_password) - Authorization decorators (@login_required, @permission_required) - Privilege checks (is_staff, is_superuser, is_admin, has_perm) - Session management with auth/user/token data NOTE: This rule only applies to authentication/authorization related code. Not every view needs audit logging - focus on security-critical operations. - Remediation: Log authentication attempts, failures, and security-critical actions with user/IP context. ```python import logging from flask import request from flask_login import login_user logger = logging.getLogger('security') @app.route('/login', methods=['POST']) def login(): username = request.form['username'] user = User.query.filter_by(username=username).first() if user and check_password(user.password, request.form['password']): login_user(user) logger.info(f"Login success: {username} from {request.remote_addr}") return redirect('/dashboard') logger.warning(f"Login failed: {username} from {request.remote_addr}") return 'Invalid credentials', 401 ``` Learn more: https://shoulder.dev/learn/python/cwe-778/insufficient-logging ### Javascript (1 rules) - **Avoid console.log when logging library exists** [low]: Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected. - Remediation: Replace console.log with your logging library. ```javascript // winston logger.info('User logged in', { userId }); // pino logger.info({ userId }, 'User logged in'); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-778/avoid-console-log ### Typescript (1 rules) - **Avoid console.log when logging library exists** [low]: Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected. - Remediation: Replace console.log with your logging library. ```javascript // winston logger.info('User logged in', { userId }); // pino logger.info({ userId }, 'User logged in'); ``` Learn more: https://shoulder.dev/learn/javascript/cwe-778/avoid-console-log