Cybersecurity, Logging Practices for Application Developers

Security information from Technology Services Privacy and Information Security team.

About Security Events

The purpose of this document is to help development teams associated with the University of Illinois fulfill their responsibility to comply with Illinois Cybersecurity standards.

Properly logging security events helps comply with the Server Security Standard, Application Development Security Standard and Client Computer Security Standard.

A Security Event is defined as "An occurrence in a system that is relevant to the security of the system. (See: security incident.)" [RFC2828]

If applications that handle sensitive information follow good security event logging practices, the system logs can be a critical part of investigating a security incident.

Logging Security Events

Good security event logging captures every event that could be critical to a future investigation.

All security events should be logged at the INFO level or higher.

For a full list of security events see section 4.6.1 of the IT Security Standard.

Some example security events are:

Creating Log Messages

Log messages should typically include:

In each case, both successes and failures should be logged.

If possible, failures should also contain a reason (e.g. "User's AD account is disabled," "Authentication failed," "User does not have permission," "User is administratively blocked," etc.)
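As an added example that is not part of the original guidance page, the following Python code shows one way an application could apply the rules above: every security event is written at INFO level, both successful and failed outcomes are recorded, and a failure is refused unless it carries a reason. The `authenticate` function, the `ACCOUNTS` table and the password-hash check are constructed for the demonstration only; the reason strings are the ones quoted on this page.

```python
import hashlib
import hmac
import json
import logging
from datetime import datetime, timezone

# Dedicated logger so security events can be routed to their own sink.
logging.basicConfig(level=logging.INFO)
SECURITY_LOGGER = logging.getLogger("security")

OUTCOMES = ("success", "failure")


def build_security_event(event_type, outcome, user, source_ip, reason=None):
    """Build one structured security-event record.

    A failure without a reason is rejected, following the guidance that
    failures should say why they failed.  The record deliberately carries
    only identifiers and outcome, never the credential being checked.
    """
    if outcome not in OUTCOMES:
        raise ValueError(f"outcome must be one of {OUTCOMES}")
    if outcome == "failure" and not reason:
        raise ValueError("failure events must include a reason")
    event = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "event": event_type,
        "outcome": outcome,
        "user": user,
        "source_ip": source_ip,
    }
    if reason:
        event["reason"] = reason
    return event


def log_security_event(event_type, outcome, user, source_ip, reason=None):
    """Emit the event at INFO level (the minimum the guidance allows)."""
    event = build_security_event(event_type, outcome, user, source_ip, reason)
    SECURITY_LOGGER.info(json.dumps(event, sort_keys=True))
    return event


def _digest(password):
    # Demo-only: a real system stores a salted password hash (bcrypt, argon2).
    return hashlib.sha256(password.encode()).digest()


# Constructed account table for the demo; not real accounts.
ACCOUNTS = {
    "alice": {"disabled": False, "digest": _digest("correct horse")},
    "bob": {"disabled": True, "digest": _digest("battery staple")},
}


def authenticate(user, password, source_ip):
    """Hypothetical login check that logs every outcome, success or failure."""
    account = ACCOUNTS.get(user)
    if account is None:
        # Unknown user gets the same generic reason as a bad password, so the
        # log still explains the failure without revealing which part was wrong.
        return log_security_event("authentication", "failure", user, source_ip,
                                  reason="Authentication failed")
    if account["disabled"]:
        return log_security_event("authentication", "failure", user, source_ip,
                                  reason="User's AD account is disabled")
    if not hmac.compare_digest(_digest(password), account["digest"]):
        return log_security_event("authentication", "failure", user, source_ip,
                                  reason="Authentication failed")
    return log_security_event("authentication", "success", user, source_ip)


if __name__ == "__main__":
    authenticate("alice", "correct horse", "203.0.113.7")   # success
    authenticate("bob", "battery staple", "203.0.113.7")    # disabled account
    authenticate("alice", "wrong password", "203.0.113.7")  # bad credential
```

Each call returns the record it logged, which makes the logging path easy to unit-test: a test can assert on the returned dictionary rather than scraping log output.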

Log messages should typically not include:

Additional Resources