Audit Logging & Redaction
Telemetry must balance diagnostic depth with compliance requirements. Sensitive data (PII, credentials, access tokens) must be redacted before it reaches permanent storage, while audit logs must remain immutable and tamper-evident.
Core details
| Telemetry Type | Target | Security Controls |
|---|---|---|
| System Debug Logs | Developer triage, error tracking | High volume, automated redaction filters, temporary retention |
| Audit Logs | Security monitoring, compliance (SOC2) | Immutable storage (WORM), strict schema, cryptographic signing |
| User Access Logs | Threat detection, fraud analysis | Origin IP tracking, session mapping, tenant isolation checks |
Log Injection Vulnerability
If an application logs raw user input (e.g., logger.info("User not found: " + username)), an attacker can supply carriage return and line feed (CRLF) characters to forge log entries, or inject payload patterns that are interpreted by log processors rather than stored as plain text (e.g., Log4Shell, where Log4j 2 evaluated a ${jndi:...} lookup found inside a logged string).
[!IMPORTANT] Never log raw, unvalidated strings directly. Use structured logs (JSON formatting) and sanitize string parameters to strip control characters before logging them.
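The forgery described above, beside the two fixes the callout recommends (control-character stripping and one JSON object per line), as an added example that is not part of the original page. No real logger is used; the functions return the line they would emit so it can be inspected. The attacker-controlled username is constructed.

```javascript
// Added example (not the page's code): CRLF log forgery and its mitigation.

// Vulnerable pattern: raw user input concatenated into a line-oriented log.
function vulnerableLogLine(username) {
  return 'INFO User not found: ' + username;
}

// Strip ASCII control characters (including CR and LF) and the Unicode line
// and paragraph separators, which some log viewers also render as line breaks.
function stripControlChars(value) {
  return String(value).replace(/[\x00-\x1f\x7f\u2028\u2029]/g, '');
}

// Hardened pattern: sanitize every parameter and emit one JSON object per line.
// JSON.stringify escapes any newline that survives as the two characters "\n",
// so even an unsanitized value cannot start a second record.
function structuredLogLine(msg, fields) {
  const clean = {};
  for (const [k, v] of Object.entries(fields)) clean[k] = stripControlChars(v);
  return JSON.stringify({ level: 'INFO', msg, ...clean });
}

// Number of physical lines a log line occupies (what a line-based parser sees).
function physicalLines(line) {
  return line.split(/\r\n|\r|\n/).length;
}

// Constructed attacker input: a CRLF followed by a forged entry.
const forgedUsername = 'bob\r\nINFO User admin logged in from 10.0.0.1';
```

Stripping is what the callout asks for, but it discards the attacker's bytes; if the forensic value of the original input matters, escape the control characters to a visible form instead of removing them, then log the escaped string as a structured field.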
Understanding
Automated Redaction Pipeline
Log redaction should occur as early as possible in the logging lifecycle (preferably at the client logger level within the application memory space) before serialization. This prevents raw data from entering logging agents (FluentBit, Logstash) or transit queues (Kafka).
Common targets for redaction include:
- API authorization headers (Bearer/Basic auth tokens)
- Credit card numbers (PANs)
- Email addresses and social security numbers
- Session cookies
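Key-based redaction only sees values at known paths; a token pasted into a free-text message field slips past it. The following added example (not code from the page or from any logging library) complements that by scanning every string value in a log object for the patterns listed above before serialization. The regexes, the Luhn check that keeps order numbers from being mistaken for PANs, and the sample values are all constructed for illustration.

```javascript
// Added example (not the page's code): value-based redaction of a log object.
const RULES = [
  { name: 'auth_header', re: /\b(Bearer|Basic)\s+[A-Za-z0-9._~+\/=-]+/g, replace: '$1 [REDACTED]' },
  { name: 'email', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, replace: '[REDACTED_EMAIL]' },
  { name: 'ssn', re: /\b\d{3}-\d{2}-\d{4}\b/g, replace: '[REDACTED_SSN]' },
  { name: 'cookie', re: /\b(session|sid)=([^;\s]+)/gi, replace: '$1=[REDACTED]' },
];

// Luhn check: a 13-19 digit run is treated as a PAN only if its check digit
// is valid, which cuts false positives on order and tracking numbers.
function luhnValid(digits) {
  let sum = 0, alt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (alt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    alt = !alt;
  }
  return sum % 10 === 0;
}

// Replace Luhn-valid card numbers (spaces or dashes allowed) with a marker
// that keeps only the last four digits for support lookups.
function redactPans(s) {
  return s.replace(/\b(?:\d[ -]?){12,18}\d\b/g, (m) => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? '[REDACTED_PAN:' + digits.slice(-4) + ']' : m;
  });
}

function redactString(s) {
  let out = redactPans(s);
  for (const r of RULES) out = out.replace(r.re, r.replace);
  return out;
}

// Walk arrays and objects recursively, returning a redacted copy so the
// caller's object (which may still be in use) is not mutated.
function redactObject(v) {
  if (typeof v === 'string') return redactString(v);
  if (Array.isArray(v)) return v.map(redactObject);
  if (v && typeof v === 'object') {
    const out = {};
    for (const [k, val] of Object.entries(v)) out[k] = redactObject(val);
    return out;
  }
  return v;
}
```

Run this as the last step before the logger serializes a record; it is deliberately placed inside the application process, before any agent or queue sees the bytes, as the paragraph above recommends. Pattern redaction is a safety net, not a substitute for not logging the secret in the first place.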
Senior understanding
Structured Logger with Redaction (Node.js Pino Example)
Using Pino's built-in redaction engine to automatically scrub keys:

```ts
import pino from 'pino';

// 1. Define sensitive key paths to be redacted. Redaction is path-based:
//    only values found at these exact paths are censored, so a token that
//    lands in a free-text field or under a different key is not caught.
const logger = pino({
  level: 'info',
  redact: {
    paths: [
      'req.headers.authorization',
      'req.headers.cookie',
      'user.password',
      'user.ssn',
      'card.pan'
    ],
    censor: '[REDACTED]'
  },
  // 2. Ensure structured output format (uppercase level label)
  formatters: {
    level(label) {
      return { level: label.toUpperCase() };
    }
  }
});

// Example usage
function logUserRequest(req: any, user: any) {
  // Pass object context rather than raw string concatenation
  logger.info({ req, user }, 'User request processed');
}

// ✅ The password and authorization header are scrubbed before the line is serialized.
// Output (pid and hostname fields omitted for brevity):
// {"level":"INFO","time":1700000000000,"req":{"headers":{"authorization":"[REDACTED]"}},"user":{"username":"alice","password":"[REDACTED]"},"msg":"User request processed"}
```
Immutable Audit Trail Schema
An audit event must record:
- Actor: User ID or system identity initiating the request.
- Action: State change event (e.g., user.mfa.disabled).
- Target: Resource affected (e.g., account_id).
- Metadata: Origin IP, User-Agent, request ID.
- Outcome: success or failure.