MON-003 critical general

HTTP request logging and analysis

HTTP requests are logged (any source: app, CDN, LB, APM). Logs include timestamp, method, path, status code, response time. Analysis tool exists to query/visualize. Can filter by status code and see traffic patterns.

Question to ask

"Could you tell me how many 4xx errors hit you yesterday?"

Verification guide

Severity: Critical

Check automatically:

  1. Check application logging configuration:

    # Look for HTTP logging middleware/config
    grep -riE "morgan|winston|pino|express.*logger|http.*log|request.*log|access.*log" . --include="*.js" --include="*.ts" --include="*.py" --include="*.rb" --include="*.go" 2>/dev/null | head -20
    
    # Check for structured logging
    grep -riE "json.*log|structured.*log|log.*format.*json" . --include="*.yml" --include="*.yaml" --include="*.json" 2>/dev/null
    
  2. Check CDN/Load Balancer logging:

    Cloudflare:

    # Check if Logpush is configured (requires API token)
    curl -s -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/logpush/jobs" \
      -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result'
    

    AWS ALB:

    # Check ALB access logs enabled
    aws elbv2 describe-load-balancer-attributes --load-balancer-arn LB_ARN --query 'Attributes[?Key==`access_logs.s3.enabled`]'
    

    GCP Load Balancer:

    # Logging is automatic for HTTP(S) LB, check logs exist
    gcloud logging read 'resource.type="http_load_balancer"' --limit=5
    
  3. Check APM/observability tools:

    # Look for APM configuration
    grep -riE "datadog|newrelic|dynatrace|appdynamics|honeycomb|lightstep" . --include="*.yml" --include="*.yaml" --include="*.json" --include="*.env*" 2>/dev/null | head -10
    
  4. Verify analysis capability:

    # Check for log analysis tools references
    grep -riE "kibana|grafana|loki|elasticsearch|splunk|sumo.?logic|logtail|papertrail" . --include="*.yml" --include="*.yaml" --include="*.md" 2>/dev/null
    

Ask user if no logging found: "Could not automatically detect HTTP logging configuration.

Please confirm:

  1. Where are HTTP requests logged? (App logs, CDN, Load Balancer, APM)
  2. What tool is used to analyze logs? (Kibana, Grafana, CloudWatch Insights, etc.)
  3. Can you filter by: status code, endpoint, response time?
  4. Can you see traffic patterns over time?
  5. Is there a separate view/filter for 4xx and 5xx errors?"

Cross-reference with:

  • MON-004 (HTTP error alerting) - alerts need logs to trigger from
  • Section 13 (Infrastructure Security) - logs should show requests after Cloudflare

Pass criteria:

  • HTTP requests are logged (any source: app, CDN, LB, APM)
  • Logs include: timestamp, method, path, status code, response time
  • Analysis tool exists to query/visualize logs
  • Can filter by status code
  • Can see traffic patterns over time
  • 4xx/5xx errors are visible (not buried)

Fail criteria:

  • No HTTP request logging
  • Logs exist but no analysis capability
  • Cannot filter by status code
  • Cannot see traffic patterns
  • Errors buried in noise with no way to surface

Evidence to capture:

  • Logging source(s) in use
  • Log format (fields captured)
  • Analysis tool in use
  • Screenshot of log analysis interface
  • Example query for 5xx errors
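As an added example (not part of this checklist or any vendor tool), the analysis the pass criteria ask for, run offline over a constructed structured access log carrying the required fields; the field names ts/method/path/status/rt_ms are an assumption, and the malformed line shows why a parser should skip rather than abort:

```python
import json
from collections import Counter
from datetime import date, datetime

# Constructed sample access log (JSON per line); not taken from any real system.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:12:03Z","method":"GET","path":"/api/items","status":200,"rt_ms":41}
{"ts":"2024-05-01T09:12:09Z","method":"POST","path":"/api/login","status":401,"rt_ms":12}
{"ts":"2024-05-01T09:13:44Z","method":"GET","path":"/api/items/77","status":404,"rt_ms":8}
{"ts":"2024-05-01T10:02:15Z","method":"GET","path":"/api/items","status":500,"rt_ms":1203}
{"ts":"2024-05-01T10:05:30Z","method":"GET","path":"/health","status":200,"rt_ms":2}
not-json garbage line that a real pipeline would also have to tolerate
{"ts":"2024-05-02T00:30:00Z","method":"GET","path":"/api/items","status":502,"rt_ms":3001}
"""

def parse_log(text):
    """Parse newline-delimited JSON records; skip malformed lines instead of aborting."""
    records = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
            records.append(rec)
        except (ValueError, KeyError, TypeError):
            continue
    return records

def filter_status(records, status_class, day=None):
    """Records whose status is in the class (4 -> 4xx, 5 -> 5xx), optionally
    limited to one UTC calendar day."""
    return [r for r in records
            if r["status"] // 100 == status_class
            and (day is None or r["ts"].date() == day)]

def traffic_by_hour(records):
    """Requests per UTC hour: the minimal 'traffic pattern over time' view."""
    return Counter(r["ts"].strftime("%Y-%m-%dT%H:00Z") for r in records)

def errors_by_endpoint(records, status_class):
    """Error counts keyed by (method, path, status), so errors are not buried in noise."""
    return Counter((r["method"], r["path"], r["status"])
                   for r in filter_status(records, status_class))

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("4xx on 2024-05-01:", len(filter_status(recs, 4, date(2024, 5, 1))))
    print("traffic by hour:", dict(traffic_by_hour(recs)))
    print("5xx by endpoint:", dict(errors_by_endpoint(recs, 5)))
```

The same three questions (errors of a class on a given day, requests per hour, which endpoints produce 5xx) are what the "Example query for 5xx errors" evidence should show in whatever analysis tool is in use.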

Section

12. Monitoring

Observability