RequestLogsFeature and logging

I wish to write out every request coming into my API, to a log (via ILogging abstraction), and have those logs sent off to Application Insights.

Obviously, I could do this myself with any number of built-in extensibility mechanisms, like a GlobalFilter, and just use the ILogger interface.
(I have already configured the logs to go to AI in production).

I do NOT want to enable the RequestLogsFeature in production, as having that endpoint available in production would be considered a data breach potential, should a person be able to read those requests in production.
BUT, it already does most of what I need to do with request logging, such as sanitizing certain requests types, etc.

Is it feasible to use the RequestLogsFeature, and disable its endpoint (AtRestPath=null), and not bother storing any past requests.

Does the feature already send the requests and responses to the ILogger abstraction, once they have run through the filters configured in the feature (ie. the RequestLogFilter and ExcludeRequestDtoTypes and HideRequestBodyForRequestDtoTypes)?

AtRestPath is just a user-defined route you’d need to disable all requests with a GlobalRequestFilter that rejects requests where req.Dto is RequestLogs.

But the RequestLogsFeature is only limited to Admin users so I don’t see the issue with having it enabled. If your Admin user account is compromised you’ll have bigger problems as they’ll be able to access any protected service.

It logs requests with the IRequestLogger abstraction with all existing CSV and Redis inheriting from InMemoryRollingRequestLogger.cs for their implementations, you could do one that logs to your Logging provider or you can pull out the parts you want from RequestLogsFeature and RequestLogsService for your custom impl.

Thanks, so, just to clarify, since I can’t find the infrastructure code that actually calls the IRequestLogger to do its thing, nor does InMemoryRollingRequestLogger make any calls to any logging service.

  • we are saying that no call to the ILogger is made anywhere in this infrastructure? correct?

The Request Logs feature doesn’t log its requests to the logging provider, it captures the requests in a rolling in memory collection that can be queried from the built-in Logging UI or it publishes the logs to external CSV Files or Redis when configured to use those request logging impls.

1 Like