Implementing Secure Logging Practices in Go

Understanding Secure Logging

Secure logging involves not only capturing relevant information but also ensuring that sensitive data is protected and that logs are resistant to tampering. Here are some key principles to follow:

1. Avoid Logging Sensitive Data: Ensure that personally identifiable information (PII), passwords, and other sensitive data are not logged.
2. Use Structured Logging: Structured logs (e.g., JSON format) allow for easier parsing and searching, which can enhance security monitoring.
3. Implement Log Rotation: Regularly rotate logs to prevent excessive disk usage and reduce the risk of log file tampering.
4. Control Access to Logs: Ensure that only authorized personnel can access log files.
5. Monitor Logs for Anomalies: Implement monitoring solutions to detect suspicious patterns in log data.

Setting Up Secure Logging in Go

Step 1: Use a Structured Logger

Go's standard library provides a simple logging package, but for structured logging, we can use third-party libraries like logrus or zap. Here, we will use logrus as an example.

First, install the logrus package:

go get github.com/sirupsen/logrus

Next, set up a structured logger:

package main

import (
    "github.com/sirupsen/logrus"
    "os"
)

func main() {
    // Create a new logger instance
    logger := logrus.New()

    // Set output to a file
    file, err := os.OpenFile("app.log", os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0666)
    if err != nil {
        logger.Fatal(err)
    }
    logger.SetOutput(file)

    // Set log format to JSON
    logger.SetFormatter(&logrus.JSONFormatter{})

    // Log an example message
    logger.WithFields(logrus.Fields{
        "event": "user_login",
        "user":  "john_doe",
    }).Info("User logged in")
}

Step 2: Avoid Logging Sensitive Information

In the above example, we logged a user event. However, we must ensure that sensitive data, such as passwords or credit card numbers, are never logged. Implement a function to sanitize log messages:

func sanitizeLogMessage(message string) string {
    // Replace sensitive data patterns
    return strings.ReplaceAll(message, "sensitive_data", "[REDACTED]")
}

Use this function to sanitize any log messages before logging them:

logger.Info(sanitizeLogMessage("User entered sensitive_data during login"))

Step 3: Implement Log Rotation

To implement log rotation, you can use the lumberjack package, which automatically handles file rotation based on size and age.

Install lumberjack:

go get gopkg.in/natefinch/lumberjack.v2

Set up the logger with lumberjack:

package main

import (
    "github.com/sirupsen/logrus"
    "gopkg.in/natefinch/lumberjack.v2"
)

func main() {
    logger := logrus.New()
    logger.SetOutput(&lumberjack.Logger{
        Filename:   "app.log",
        MaxSize:    10, // megabytes
        MaxBackups: 3,  // number of backups
        MaxAge:     28, // days
        Compress:   true,
    })
    logger.SetFormatter(&logrus.JSONFormatter{})

    logger.Info("Application started")
}

Step 4: Control Access to Logs

Ensure that log files have appropriate permissions set. You can set file permissions when creating the file:

file, err := os.OpenFile("app.log", os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0600) // Read/write for owner only

Additionally, consider using a centralized logging solution (e.g., ELK stack, Splunk) that can enforce access controls.

Step 5: Monitor Logs for Anomalies

Integrate your logging solution with monitoring tools that can analyze logs in real-time. Use tools like Prometheus or Grafana to visualize log data and set up alerts for suspicious activity.

Summary of Best Practices

By following these best practices, you can implement secure logging in your Go applications, protecting sensitive information while still gaining valuable insights into application behavior.

Learn more with useful resources

• Logrus Documentation
• Lumberjack Documentation
• Go Logging Best Practices