Logging in Secure Coding

Questions and Answers

What is the primary purpose of logging in an application?

To document the steps leading up to an error

To gain insights and detect problems of an application (correct)

To detect and resolve bugs in an application

To simplify the process of tracking and detecting issues

What type of data is typically logged in a large system?

Only timestamp and log entry

Timing data, request endpoint data, and IP of the requesting party

Exceptions and security audits only

All of the above and more (correct)

What is the name of the HTTP request logger middleware for Node.js?

Log4JS

Winson

Morgan (correct)

SecureCodi

What is the purpose of the format argument in the Morgan API?

To specify the format of the log entry (D)

What is the purpose of the tokens object in the Morgan format function?

To store all defined tokens (A)

What is the purpose of the :date token in Morgan?

To log the current date and time in UTC (B)

How do you install Morgan using npm?

npm install morgan --save (D)

What is the purpose of the morgan(format, options) API?

To create a new logger middleware function (C)

What does the :remote-addr token represent in a Morgan log format?

The remote address (ip) of the request (C)

Which of the following predefined log formats is a color-coded log format by request status?

dev (C)

What does the :response-time token represent in a Morgan log format?

The time between the request coming into morgan and when the response headers are written, in milliseconds (D)

How do you specify the tokens you want in your log format when using Morgan?

By passing a string with the tokens separated by spaces to the Morgan function (C)

What is the purpose of the :req[header] token in a Morgan log format?

To log the request headers (D)

What does the :total-time token represent in a Morgan log format?

The time between the request coming into morgan and when the response has finished being written out to the connection, in milliseconds (D)

What is the purpose of the 'flags: a' option when creating a file stream using the fs library?

To append to the existing file (C)

What is the main advantage of using the rotating-file-stream module for log file rotation?

It helps in managing log files of very large sizes (A)

What is the purpose of the 'interval: 1d' option when creating a rotating write stream using the rotating-file-stream module?

To rotate the log files daily (A)

What is the correct syntax for applying a custom token in a morgan logger?

app.use(morgan(':myToken :method :url :date')); (D)

What is the purpose of the 'path.join(__dirname, 'log')' option when creating a rotating write stream using the rotating-file-stream module?

To specify the directory where the log files will be stored (B)

What is the correct way to define a custom token in morgan?

morgan.token('myToken', function(req, res) { … }); (D)

Study Notes

Logging

• Logging is the collection and storing of data over a time period for analysis, used to gain insights, resolve bugs, and detect problems in an application.
• Simplest form of logging is using console.log to log data to the command line for debugging.

Importance of Logging

• Debugging: document steps leading up to an error
• Security Audits: detect and log suspicious activities or important events

What to Log

• Timestamp or log entry
• Timing data for the request
• Request endpoint data (e.g. paths: "/users" or verbs: GET, POST, PUT, DELETE)
• IP of the requesting party
• Exceptions

How to Log

• Manually write code to log required info to console, file, or database
• Use libraries like Morgan, Winson, or Log4JS

Morgan Library

• HTTP request logger middleware for Node.js
• Simplifies logging requests to an application
• Can be installed using npm install morgan --save
• Import with var morgan = require('morgan')

Using Morgan

• Create a new Morgan logger middleware function using format and options
• Format argument can be a string of a predefined name, a string of a format string, or a function that produces a log entry
• Tokens can be used to customize log format

Morgan Pre-defined Tokens

• :date - current date and time in UTC
• :http-version - HTTP version of the request
• :method - HTTP method of the request
• :referrer - Referrer header of the request
• :remote-addr - remote address (IP) of the request
• :remote-user - user authenticated as part of Basic auth for the request
• :req[header] - given header of the request
• :res[header] - given header of the response
• :response-time - time between request and response headers being written (in milliseconds)
• :status - status code of the response
• :total-time - time between request and response being written (in milliseconds)
• :url - URL of the request
• :user-agent - User-Agent header of the request

Predefined Log Formats

• combined - Apache standard combined format
• common - Apache standard common format
• dev - color-coded log format by request status
• short - shorter than default format
• tiny - even shorter, just response time and a few items

Creating Custom Tokens

• morgan.token('myToken', function(req, res) { ... return ...; })
• Custom token name and function that returns value representing token output in log

Applying Custom Token

• app.use(morgan(':myToken :method :url :date'));
• Apply and test the code to observe output in console

Applying Logging to File

• Use fs library to create a file stream and apply it to Morgan
• var fs = require('fs');
• const appLogStream = fs.createWriteStream(path.join(__dirname, 'app.log'), { flags: 'a' })
• app.use(morgan("combined", { stream: appLogStream }));

Log File Rotation

• Log file can grow to a large size, need to create multiple log files (e.g. one each day)
• Use rotating-file-stream module
• npm install rotating-file-stream --save
• var rfs = require('rotating-file-stream');
• Create a rotating write stream
• var appLogStream = rfs.createStream('access.log', { interval: '1d', // rotate daily path: path.join(__dirname, 'log') // write to a subdir log })
• app.use(morgan("combined", { stream: appLogStream }));

Description

This quiz covers the concepts of logging in secure coding, including collecting and storing data for analysis, debugging, and security audits.