As titled. In production code, what's the log level when failing to validate request parameters or format?
I'm confused by this puzzle based on two points:
(1) If I log it at error, I'm concerned that a hacker sending too many bad requests will cause our app to log too many error entries.
(2) But if I log it at debug or a lower level, I'm concerned I can't track issues effectively, because in the production app the log level will be set to warn.
So what should I choose?
If it's a validation failure due to invalid input data rather than a system error, I would log it as info or warning. If you have a problem such as a system exception, for example a DB connection failure or a null pointer, then log error. Otherwise, an input validation failure doesn't necessarily constitute an error and is a business-as-usual type of occurrence, hence the info level.
In the case of a hacker running a script over and over sending "too many requests", this may be categorized as a denial-of-service attack. In this case you need to ensure your firewall software is set to filter those, and I wouldn't worry about it in the app log.
Finally, if a hacker isn't bombarding your system quite at the denial-of-service threshold, then you may need to write some logic to catch this kind of "bad validation" and log an error with a clear error message which you'll know to look for, i.e. a special kind of error. One such example would be a SQL injection attack, which form validation may catch (and some layer in your app must definitely catch).
Depending on the kind of logging framework that you use, you may be able to define your own error level or error category for this scenario.
In my programs, I used the error log level (or the word "error" in a message) to indicate that the program failed to do "what it has been instructed to do". So, is this a failure to do "as instructed"? I use the warning log level to report unusual things that are likely (but not certain) to indicate a problem somewhere.
Where are these "request parameters" coming from? If this is a client-server system (a web application?), and the requests are coming from clients, the server has been instructed to "serve clients". What is the server meant (specified/designed) to do if a client sends an invalid request? Probably, to reject the request and return a rejection message to the client. In that case, the server would be in error only if it failed to reject the request or to return the message. That is, only a bug in the server would count as an "error". Would I report invalid request parameters at the warning level? If I also provided the client programs, then an invalid request would suggest a bug in the client program, so I log it as a warning. If clients are uncontrolled (web browsers, for example), I would not report it as a warning.
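The policy both answers describe, as an added example that is not part of either answer: invalid input is logged at info (or warning when the client is one you ship yourself), a genuine system fault is logged at error, and repeated validation failures from one client are escalated once under a custom "SECURITY" category that sits above the production warning threshold. The level number 35, the `FailureTracker` limits, and the client identifiers and sample requests are all assumptions made for illustration.

```python
"""Log-level policy for request validation failures (illustrative example, not from the thread)."""
import logging
import time
from collections import defaultdict, deque

# Assumed custom category between WARNING (30) and ERROR (40): it survives a
# production threshold of WARNING and can be routed or alerted on by name.
SECURITY = 35
logging.addLevelName(SECURITY, "SECURITY")


class RecordingHandler(logging.Handler):
    """Keeps emitted records in memory so the policy can be checked offline."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(record)


def make_logger(name="app", threshold=logging.WARNING):
    """Logger that forwards everything; the handler enforces the production threshold."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = RecordingHandler()
    handler.setLevel(threshold)  # in production this would be a file/syslog handler at WARNING
    logger.addHandler(handler)
    return logger, handler


class ValidationError(ValueError):
    """Raised for bad client input; never for a fault inside the server."""


def validate_params(params):
    """Allow-list validation: 'id' must be a positive integer, 'name' short and printable.
    Anything else ("1 OR 1=1", "-1", "x") is rejected without trying to classify it."""
    raw_id = params.get("id")
    if raw_id is None or not str(raw_id).isdigit() or int(raw_id) <= 0:
        raise ValidationError("id must be a positive integer")
    name = params.get("name", "")
    if len(name) > 64 or not name.isprintable():
        raise ValidationError("name must be printable and at most 64 chars")
    return {"id": int(raw_id), "name": name}


class FailureTracker:
    """Sliding-window count of validation failures per client; escalates once per client
    when the count reaches the limit, so a scripted attacker does not flood the log."""

    def __init__(self, limit=5, window_s=60.0, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.failures = defaultdict(deque)
        self.escalated = set()

    def record(self, client):
        now = self.clock()
        q = self.failures[client]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.limit and client not in self.escalated:
            self.escalated.add(client)
            return True
        return False


def handle_request(logger, tracker, client, params, trusted_client=False, backend=None):
    """Returns an HTTP-like status code and logs according to the policy above."""
    try:
        clean = validate_params(params)
    except ValidationError as exc:
        # Invalid input is business-as-usual: INFO for uncontrolled clients,
        # WARNING when we also ship the client, since it then suggests a client bug.
        level = logging.WARNING if trusted_client else logging.INFO
        logger.log(level, "rejected request from %s: %s", client, exc)
        if tracker.record(client):
            logger.log(SECURITY, "client %s exceeded %d validation failures in %.0fs",
                       client, tracker.limit, tracker.window_s)
        return 400
    try:
        (backend or (lambda c: None))(clean)  # assumed backend call, e.g. a DB write
    except Exception:
        # The server failed to do what it was instructed to do: that is an ERROR.
        logger.exception("backend failure handling request from %s", client)
        return 500
    return 200


if __name__ == "__main__":
    log, handler = make_logger()
    log.addHandler(logging.StreamHandler())
    tracker = FailureTracker(limit=3)
    for _ in range(4):  # constructed sample: one client repeatedly sends a bad id
        handle_request(log, tracker, "10.0.0.1", {"id": "1 OR 1=1"})
    handle_request(log, tracker, "10.0.0.2", {"id": "7"}, backend=lambda c: 1 / 0)
```

With the handler at WARNING, the individual rejections from anonymous clients never reach the log, the single SECURITY line does, and the backend fault is the only ERROR; lowering the handler to INFO in a staging environment makes every rejection visible without touching the application code.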