TL;DR
Without proper logging, you can't detect attacks, investigate incidents, or prove compliance. Log security-relevant events (logins, failures, permission changes) but never log sensitive data (passwords, tokens, PII). Use a logging service like LogTail, Datadog, or Sentry for easy searching and alerting.
What Is Insufficient Logging?
Insufficient logging means your application doesn't record enough information to detect attacks or investigate security incidents. When something goes wrong, you're left guessing what happened.
What Should You Log?
| Log This | Don't Log This |
|---|---|
| Login attempts (success/failure) | Passwords (even failed ones) |
| Permission changes | Full credit card numbers |
| Access to sensitive resources | Session tokens |
| Configuration changes | API keys |
| Error conditions | Personal data (SSN, etc.) |
Example Logging Implementation
```javascript
// Log authentication events
logger.info('auth.login.success', {
  userId: user.id,
  ip: req.ip,
  userAgent: req.headers['user-agent'],
  timestamp: new Date().toISOString()
});

logger.warn('auth.login.failed', {
  email: maskEmail(email), // user@e*****.com
  ip: req.ip,
  reason: 'invalid_password',
  timestamp: new Date().toISOString()
});
```
Never log: Passwords, tokens, API keys, credit cards, SSNs, or other sensitive data. If logs are compromised, this data could be exposed.
Setting Up Alerts
Logs are only useful if someone looks at them. Set up alerts for:
- Multiple failed login attempts (brute force detection)
- Admin actions from new IP addresses
- Unusual error rates
- Access patterns outside business hours
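The first alert in the list, sketched as a sliding-window rule over the `auth.login.failed` events logged above. This is an added example, not code from the original page or from any logging service; the 5-failures-in-5-minutes threshold, the rule name `auth.bruteforce.suspected`, and the sample events are assumptions constructed for illustration.

```javascript
// Added example, not from the original page. Event names and fields follow the
// logging snippet above; the threshold, window and rule name are assumptions.
const WINDOW_MS = 5 * 60 * 1000; // assumed look-back window: 5 minutes
const THRESHOLD = 5;             // assumed failures per IP within the window

function detectBruteForce(events, windowMs = WINDOW_MS, threshold = THRESHOLD) {
  // Keep only well-formed failed logins, in time order.
  const failures = events
    .filter((e) => e.event === 'auth.login.failed' && e.ip)
    .map((e) => ({ ip: e.ip, t: Date.parse(e.timestamp) }))
    .filter((e) => !Number.isNaN(e.t))
    .sort((a, b) => a.t - b.t);

  const recentByIp = new Map(); // ip -> failure timestamps inside the window
  const alerting = new Set();   // IPs already alerted for the current burst
  const alerts = [];

  for (const { ip, t } of failures) {
    const recent = (recentByIp.get(ip) || []).filter((ts) => t - ts < windowMs);
    recent.push(t);
    recentByIp.set(ip, recent);
    if (recent.length < threshold) {
      alerting.delete(ip); // burst ended; re-arm the rule for this IP
    } else if (!alerting.has(ip)) {
      alerting.add(ip);    // one alert per burst, not one per failure
      alerts.push({
        rule: 'auth.bruteforce.suspected',
        ip,
        failures: recent.length,
        firstSeen: new Date(recent[0]).toISOString(),
        lastSeen: new Date(t).toISOString(),
      });
    }
  }
  return alerts;
}

// Constructed sample events (documentation-range IPs, made-up timestamps).
const base = Date.parse('2024-01-01T03:00:00.000Z');
const failedAt = (ip, sec) => ({
  event: 'auth.login.failed', ip, reason: 'invalid_password',
  timestamp: new Date(base + sec * 1000).toISOString(),
});
const SAMPLE_EVENTS = [
  ...[0, 10, 20, 30, 40, 50].map((s) => failedAt('203.0.113.7', s)),      // fast burst
  ...[0, 900, 1800, 2700, 3600].map((s) => failedAt('198.51.100.20', s)), // slow, spread out
  { event: 'auth.login.success', userId: 42, ip: '198.51.100.20', timestamp: new Date(base).toISOString() },
];
console.log(detectBruteForce(SAMPLE_EVENTS));
```

The rule keys on source IP only, so failures spread across many addresses against one account will not trip it; a second counter keyed on the masked email would cover that case.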
How long should I keep logs?
It depends on your compliance requirements, but 90 days to 1 year is common. Security incidents are often discovered weeks after they occur, so short retention limits your ability to investigate.
What logging service should I use?
For vibe-coded apps, services like LogTail, Sentry, or Datadog are easy to integrate. They provide searching, alerting, and dashboards without managing infrastructure.