Web API audit logging

Question

I need to audit log calls to my Web API, ideally I'd like to use an Attribute, something like:

    [HttpPost, Auditing]
    public dynamic MyAPICall()

The Attribute should be able to intercept the API call before and after execution in order to log the parameters and also, how long the API call took to run.

With MVC I could create an ActionFilterAttribute derivative and override OnActionExecuted and OnActionExecuting.

Is the equivalent possible in the Web API world?

http://stackoverflow.com/questions/10307333/asp-net-mvc-4-webapi-actionfilter-example — BNL, Sep 06 '12 at 12:48

score 17 · Accepted Answer · answered Sep 06 '12 at 12:50

I would use a message handler rather than attributes.

public class LoggingHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        LogRequest(request);

        return base.SendAsync(request, cancellationToken).ContinueWith(task =>
        {
            var response = task.Result;

            LogResponse(response);

            return response;
        });
    }

    private void LogRequest(HttpRequestMessage request)
    {
        (request.Content ?? new StringContent("")).ReadAsStringAsync().ContinueWith(x =>
        {
            Logger.Info("{4:yyyy-MM-dd HH:mm:ss} {5} {0} request [{1}]{2} - {3}", request.GetCorrelationId(), request.Method, request.RequestUri, x.Result, DateTime.Now, Username(request));
        });
    }

    private void LogResponse(HttpResponseMessage response)
    {
        var request = response.RequestMessage;
        (response.Content ?? new StringContent("")).ReadAsStringAsync().ContinueWith(x =>
        {
            Logger.Info("{3:yyyy-MM-dd HH:mm:ss} {4} {0} response [{1}] - {2}", request.GetCorrelationId(), response.StatusCode, x.Result, DateTime.Now, Username(request));
        });
    }

    private string Username(HttpRequestMessage request)
    {
        var values = new List<string>().AsEnumerable();
        if (request.Headers.TryGetValues("my-custom-header-for-current-user", out values) == false) return "<anonymous>";

        return values.First(); 
    }
}

how can i analysis that logs? create dashboards and define kpi list in sharepoint? — saber tabatabaee yazdi, Aug 25 '14 at 15:27
this is simply capturing the information for logging. the details of how/what is logged or even how to view the logs is a different matter. One that is independent of this issue. — Jason Meckley, Dec 17 '14 at 20:50
@JasonMeckley how do you make use of the `LoggingHandler` in your `api` `controller`? — codegrid, Sep 25 '15 at 17:22
This implementation is designed to log the request/response. If you need a logger in the controller pass another logger to the controller, There are a variety of options on how to accomplish that. — Jason Meckley, Sep 28 '15 at 14:26

score 17 · Answer 2 · edited Jun 17 '14 at 08:58

Http message handler should be a good extensible point for such purposes. Be careful though, there can be some issues with concurrent request content reading. For instance, Model Binder may try to read request content while LoggingHandler is reading it and fail to deserialize a model. To prevent such issues just add Wait call to the LogRequestLoggingInfo method.

public class LoggingHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Log the request information
        LogRequestLoggingInfo(request);

        // Execute the request
        return base.SendAsync(request, cancellationToken).ContinueWith(task =>
        {
            var response = task.Result;
            // Extract the response logging info then persist the information
            LogResponseLoggingInfo(response);
            return response;
        });
    }

    private void LogRequestLoggingInfo(HttpRequestMessage request)
    {
        if (request.Content != null)
        {
            request.Content.ReadAsByteArrayAsync()
                .ContinueWith(task =>
                    {
                        var result = Encoding.UTF8.GetString(task.Result);
                        // Log it somewhere
                    }).Wait(); // !!! Here is the fix !!!
        }
    }

    private void LogResponseLoggingInfo(HttpResponseMessage response)
    {
        if (response.Content != null)
        {
            response.Content.ReadAsByteArrayAsync()
                .ContinueWith(task =>
                {
                    var responseMsg = Encoding.UTF8.GetString(task.Result);
                    // Log it somewhere
                });
        }
    }
}

You can read more about it here.

It happened to me... So I really apreciate your answer, it saved me a lot of time. — Javier Suero Santos, Jul 25 '13 at 10:34
@k0stya how do you apply the `LoggingHandler` in your `api` `controller`? — codegrid, Sep 25 '15 at 17:24
Link is dead, here is a wayback link https://web.archive.org/web/20160229083551/http://homenko.net/post/2013/04/22/Common-issue-with-Web-Api-RequestResponse-logging — ogrim, Dec 20 '18 at 06:40

score 5 · Answer 3 · answered Oct 19 '12 at 22:46

I think you will be interested to take a look at Web API tracing http://www.asp.net/web-api/overview/testing-and-debugging/tracing-in-aspnet-web-api. It allows you to look into the internal mechanism of Web API.

In your case, I assume you're particularly interested in what's the input and output of actions. So you can right your TraceWriter like following sample to filter out the redundant information:

public class ActionAuditor : ITraceWriter
{
    private const string TargetOperation = "ExecuteAsync";
    private const string TargetOpeartor = "ReflectedHttpActionDescriptor";

    public void Trace(HttpRequestMessage request, string category, TraceLevel level, Action<TraceRecord> traceAction)
    {
        var rec = new TraceRecord(request, category, level);
        traceAction(rec);

        if (rec.Operation == TargetOperation && rec.Operator == TargetOpeartor)
        {
            if (rec.Kind == TraceKind.Begin)
            {
                // log the input of the action
            }
            else
            {
                // log the output of the action
            }
        }
    }
}

thepirat000 · Answer 4 · 2019-02-09T23:28:22.940

5

I've worked on a library that allows you to log interactions with ASP.NET Web API Controllers by using Action Filters.

It can record action method calls with caller info, arguments, output, duration, exceptions and more.

Take a look at Audit.WebApi.

You can quickly create a sample project that uses this library with the following commands:

> dotnet new -i Audit.WebApi.Template
> dotnet new webapiaudit

edited Feb 09 '19 at 23:28

answered Sep 17 '16 at 05:50

thepirat000

12,362
4
46
72

Web API audit logging

4 Answers4

Linked