# Insufficient Logging (CWE-778)

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

**Stack:** JavaScript

- Prevalence: 高 频繁被利用
- Impact: 中 建议审查
- Prevention: 已记录 3 个修复示例

**OWASP:** Security Logging and Monitoring Failures (A09:2021-Security Logging and Monitoring Failures) - #9

## Description

Insufficient logging makes it difficult to detect attacks in progress, investigate security incidents, or establish accountability. Logs should capture who did what, when, and from where.

## Prevention

基于 1 条 Shoulder 检测规则的 Insufficient Logging 预防策略。

### JavaScript

Replace console.log with a structured logging library like winston or pino

## Warning Signs

- [low] console

## Consequences

- 隐藏活动
- 绕过保护机制

## Mitigations

- 记录所有与安全相关的事件(身份验证、授权、数据访问)
- 包含足够的上下文(用户、时间戳、IP、操作、结果)
- 实施集中化的日志管理与监控

## Detection

- Total rules: 3
- Languages: javascript, typescript, python

## Rules by Language

### Javascript (1 rules)

- **Avoid console.log when logging library exists** [low]: Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected.
  - Remediation: Replace console.log with your logging library.

```javascript
// winston
logger.info('User logged in', { userId });

// pino
logger.info({ userId }, 'User logged in');
```

Learn more: https://shoulder.dev/learn/javascript/cwe-778/avoid-console-log

### Typescript (1 rules)

- **Avoid console.log when logging library exists** [low]: Detects console.log calls when a logging library exists. Only fires when winston, pino, bunyan, or log4js is detected.
  - Remediation: Replace console.log with your logging library.

```javascript
// winston
logger.info('User logged in', { userId });

// pino
logger.info({ userId }, 'User logged in');
```

Learn more: https://shoulder.dev/learn/javascript/cwe-778/avoid-console-log