This document describes the structured logging and monitoring system implemented in the server.
The application now uses Winston for structured logging with:
- Request ID tracking for tracing requests across the system
- Authentication event logging for security monitoring
- Error tracking with full context
- Response time monitoring
- CloudWatch integration (production)
- File-based logging (optional)
All logs are in JSON format in production, with human-readable format in development.
Log Levels:
error- Errors that need immediate attentionwarn- Warning conditionsinfo- Informational messages (default in production)http- HTTP requestsverbose- Verbose outputdebug- Debug messages (development only)silly- Very detailed debug output
Every request gets a unique request ID that:
- Is included in all log entries for that request
- Is returned in the
X-Request-IDresponse header - Can be passed from upstream proxies via
X-Request-IDheader - Enables tracing a request through the entire system
All authentication events are logged with security context:
- Login attempts
- Login success/failure
- Logout events
- Session expiration/invalidation
- Authorization failures
Every HTTP request is logged with:
- Request method, path, query parameters
- User context (if authenticated)
- IP address and user agent
- Response status code
- Response time (duration)
- Error details (if applicable)
Errors are logged with:
- Full stack traces
- Request context (request ID, user, path, etc.)
- Error metrics for monitoring
The system tracks:
- Request metrics (response times, status codes)
- Error rates
- Authentication metrics
Add these to your .env file:
# Logging
LOG_LEVEL=info # Log level: error, warn, info, http, verbose, debug, silly
LOG_FILE_ENABLED=false # Enable file-based logging
LOG_FILE_PATH=logs/combined.log # Path for log files
# CloudWatch (Production)
AWS_REGION=us-east-1 # AWS region for CloudWatch
AWS_CLOUDWATCH_LOG_GROUP=/aws/partial/server # CloudWatch log group name
AWS_CLOUDWATCH_LOG_STREAM_PREFIX=server # Prefix for log stream names
# Service
SERVICE_NAME=partial-server # Service name in logs
NODE_ENV=production # Environment (affects log format)-
Create a CloudWatch Log Group:
aws logs create-log-group --log-group-name /aws/partial/server --region us-east-1
-
Set IAM permissions for the server to write to CloudWatch:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:*:*:*" } ] } -
Set environment variables in your deployment environment.
To enable file logging:
LOG_FILE_ENABLED=true
LOG_FILE_PATH=logs/combined.logMake sure the logs/ directory exists or logs will fail to write.
import { logger } from './lib/logger';
// Info log
logger.info('User created', { userId: 123, email: 'user@example.com' });
// Error log
logger.error('Database connection failed', { error: error.message, stack: error.stack });
// Warning log
logger.warn('Rate limit approaching', { userId: 123, requests: 95, limit: 100 });The logger automatically includes request context if set via middleware:
// Request ID is automatically included
logger.info('Processing request');
// User context is automatically included after authentication
logger.info('User action performed');import { logAuthEvent, AuthEventType, getAuthContext } from './lib/authLogger';
// Log login success
logAuthEvent({
eventType: AuthEventType.LOGIN_SUCCESS,
...getAuthContext(req),
email: userInfo.email,
cognitoId: userInfo.sub,
});
// Log login failure
logAuthEvent({
eventType: AuthEventType.LOGIN_FAILURE,
...getAuthContext(req),
error: 'Invalid credentials',
reason: 'Authentication failed',
});For logs with additional context:
import { createChildLogger } from './lib/logger';
const childLogger = createChildLogger({
requestId: 'abc-123',
userId: 456,
operation: 'update_user',
});
childLogger.info('User updated'); // Includes all context2024-01-15 10:30:45.123 [info] [abc-123-def] [user:456] [org:789]: Request completed successfully
Method: GET
Path: /api/users
Status Code: 200
Duration: 45ms
{
"level": "info",
"message": "Request completed successfully",
"timestamp": "2024-01-15T10:30:45.123Z",
"service": "partial-server",
"environment": "production",
"requestId": "abc-123-def",
"userId": 456,
"organizationId": 789,
"method": "GET",
"path": "/api/users",
"statusCode": 200,
"duration": 45
}{
"level": "info",
"message": "Auth event: login_success",
"timestamp": "2024-01-15T10:30:45.123Z",
"eventType": "login_success",
"eventCategory": "authentication",
"securityEvent": true,
"requestId": "abc-123-def",
"userId": 456,
"organizationId": 789,
"email": "user@example.com",
"cognitoId": "us-east-1:abc-123",
"ip": "192.168.1.100"
}Logs can be queried in CloudWatch Insights:
fields @timestamp, @message, requestId, userId, statusCode, duration
| filter statusCode >= 500
| stats count() by requestId
- Error Rate: Count of logs with
level = "error" - Response Times: Average
durationfield by endpoint - Authentication Failures: Count of
eventType = "login_failure" - Rate Limit Violations: Logs with
securityEvent = trueand rate limit messages
High Error Rate:
fields @timestamp
| filter level = "error"
| stats count() by bin(5m)
Slow Requests:
fields @timestamp, path, duration
| filter duration > 1000
| stats avg(duration), max(duration) by path
Authentication Failures:
fields @timestamp, ip, email
| filter eventType = "login_failure"
| stats count() by ip, bin(1h)
-
Use appropriate log levels:
error- Only for actual errors that need attentionwarn- Warning conditions that might need investigationinfo- Important events and state changesdebug- Detailed debugging information
-
Include context:
- Always include relevant IDs (requestId, userId, etc.)
- Include error details with errors (message, stack)
- Add metadata for complex operations
-
Don't log sensitive data:
- Never log passwords, tokens, or secrets
- Be careful with PII (Personally Identifiable Information)
- Use structured logging to make it easy to filter sensitive fields
-
Monitor production logs:
- Set up CloudWatch alarms for error rates
- Monitor authentication events for security issues
- Track response times to identify performance problems
-
Use request IDs for debugging:
- When a user reports an issue, ask for the request ID
- Search logs by request ID to trace the entire request flow
- Check AWS credentials are configured
- Verify IAM permissions for CloudWatch Logs
- Check that
AWS_REGIONandAWS_CLOUDWATCH_LOG_GROUPare set - Look for initialization errors in console logs
- Verify
LOG_FILE_ENABLED=true - Check directory permissions for
logs/directory - Ensure
LOG_FILE_PATHis set correctly
- Adjust
LOG_LEVELto reduce verbose logging - Use CloudWatch log retention policies
- Consider log sampling for high-traffic endpoints
The system has been integrated with:
- ✅ Authentication middleware
- ✅ Auth routes
- ✅ Error handlers
- ✅ Request logging middleware
- ✅ Rate limiter
You can gradually replace remaining console.log statements with logger.info() calls throughout the codebase.