1 of 84

Using Logs to Help You Stop Your App from Doing Dumb Things

David Stockton

Zendcon 2013

2 of 84

How it all started.

3 of 84

Debugging a login problem

4 of 84

Put a log line in the user model constructor

5 of 84

public function __construct()

{

…

Log::info(

‘Instantiated User Model.’

);

}

6 of 84

Try a

bad username

7 of 84

[INFO] Instantiated User Model.

[INFO] Attempted login by unknown user ‘foobar’

8 of 84

9 of 84

Try a

bad password

10 of 84

WTH?

[INFO] Instantiated User Model.

[INFO] Login attempt failed. Bad password for ‘legit user’

11 of 84

12 of 84

Successful Login?

13 of 84

[INFO] Instantiated User Model.

[INFO] Login successful: ‘Legit User’

14 of 84

That’s a lot of users!

15 of 84

How to implement?

16 of 84

Make it easy to add logs

17 of 84

Add logs.

18 of 84

Read / Analyze

19 of 84

logstash

20 of 84

splunk

graylog2

21 of 84

Logging Levels

22 of 84

Debug
Info
Notice
Warn
Critical
Error
Alert
Emergency

23 of 84

Log at the appropriate levels

24 of 84

Filter Logs on Need

25 of 84

Real-time Application Logging

26 of 84

FireBug with FirePHP

27 of 84

28 of 84

Secure FirePHP

29 of 84

Find Security Problems with Logs

30 of 84

[INFO] Successful login ‘rjames’

[INFO] Successful login ‘cmurphy’

[INFO] Invalid login attempt: ‘dchappelle’

[INFO] User account ‘dchappelle’ locked.

[INFO] Successful login ‘dchappelle’

31 of 84

[INFO] Successful login ‘slaurel’

[INFO] Successful login ‘ohardy’

[INFO] Successful login ‘fbase OR 1=1’

32 of 84

Frontend Validation

33 of 84

Filter Input

34 of 84

Backend Logging / Intrusion Detection

35 of 84

[INFO] Successful login ‘tcruise’

[INFO] Successful login ‘cgoodingjr’

[INFO] Invalid login attempt: ‘rzellweger OR 1=1’ - Possible Intrusion Attempt

[INFO] Invalid login attempt: ‘rzellweger AND 1=1’ - Possible Intrusion Attempt

[INFO] Invalid login attempt: ‘’ OR 1=1 ;-- ’ - Possible Intrusion Attempt

36 of 84

Beware Log Injection

37 of 84

[INFO] Successful login ‘tcruise’

[INFO] Successful login ‘cgoodingjr’

[WARN] Invalid login attempt: ‘rzellweger OR 1=1’ - Possible Intrusion Attempt

[WARN] Invalid login attempt: ‘rzellweger AND 1=1’ - Possible Intrusion Attempt

[WARN] Invalid login attempt: ‘’

[INFO] Successful login ‘joconnell OR 1=1 ;-- ’ - Possible Intrusion Attempt

38 of 84

[INFO] Successful login ‘tcruise’

[INFO] Successful login ‘cgoodingjr’

[WARN] Invalid login attempt: ‘rzellweger OR 1=1’ - Possible Intrusion Attempt

[WARN] Invalid login attempt: ‘rzellweger AND 1=1’ - Possible Intrusion Attempt

[WARN] Invalid login attempt: ‘’

[INFO] Successful login ‘joconnell OR 1=1 ;-- ’ - Possible Intrusion Attempt

39 of 84

try {

// some code

} catch (\SomeException $e) {

if ($e->likelyScenario()) {

// do regular recovery

} else if ($e->unlikely()) {

// do crazy recovery

} else {

// Never going to happen

}

40 of 84

Log the impossible happening

0.01% of 1M is 100.

41 of 84

Log the impossible happening

0.0001 of 1M is 100.

42 of 84

Syncing Time

Correlate Logs from Different Servers

43 of 84

Syncing Time

44 of 84

Syncing Time

45 of 84

[App] 12:02:03 - Call to member query on non-object …

[App] 12:02:03 - Other App related logs

...

[DB] 12:02:00 - MySql: Normal shutdown

[DB] 12:02:01 - MySql: Forcing close of thread 1 user: 'root'

[DB] 12:02:03 - InnoDB: Starting shutdown...

[DB] 12:02:04 - InnoDB: Shutdown completed

46 of 84

Aggregating

[DB] 12:02:00 - MySql: Normal shutdown

[DB] 12:02:01 - MySql: Forcing close of thread 1 user: 'root'

[App] 12:02:03 - PHP Error: Call to member “query” on non-object

[DB] 12:02:03 - InnoDB: Starting shutdown...

[DB] 12:02:04 - InnoDB: Shutdown completed

47 of 84

php.ini

display_errors = Off

log_level = E_ALL; #E_ALL & ^E_NOTICE prod

error_log = /path/to/logs

48 of 84

Another Story

Sending SMS

49 of 84

Hey, I noticed you. Check out my profile on spamdate.net

50 of 84

Hello, I noticed you. View my profile on boxofdates.net

51 of 84

Analyzed logs

52 of 84

Built tool to stop the SPAM

53 of 84

Escalating Punishment Schedule

54 of 84

1st time - blocked for 5 minutes

55 of 84

2nd time - blocked for 10 minutes

56 of 84

3rd level - blocked for 30 minutes

57 of 84

4th level - banned.

58 of 84

Crisis Averted

59 of 84

Back to logging

60 of 84

set_error_handler(...)

61 of 84

Handle errors appropriately

62 of 84

set_exception_handler(...)

63 of 84

Log exception traces

64 of 84

Review logs in pre-prod, fix issues

65 of 84

Review logs in prod, fix issues

66 of 84

Strive for error-free production logs

67 of 84

After You’ve

Added Logging

68 of 84

Learn Normal Flow Through App

69 of 84

Notice weird paths through app

70 of 84

Identify session/request in logs

71 of 84

Build tools to help analyze logs

72 of 84

Use them.

73 of 84

Another story

74 of 84

Store searches

75 of 84

Google Maps API rate limiting

76 of 84

Store search based on zip code

77 of 84

Mapped location of queries

78 of 84

$zips = range(

‘00000’, ‘99999’

);

for ($zip in $zips) {

// spam site with $zip

}

79 of 84

// Disclaimer: Code for illustration purposes.

// Doesn’t do what we want

80 of 84

Slowed down bot requests, serve real customers

81 of 84

Crisis Averted

82 of 84

Take advantage of your logs

83 of 84

Let them help you stop your application from doing dumb things

84 of 84

Questions?

Please rate this talk

http://joind.in/9104