| title | MCP-LOG-01 — Comprehensive Audit Logging |
|---|---|
| weight | 61 |
Level: L3
Domain: LOG
MCP servers MUST log security-relevant events including tool invocations, authentication attempts, authorization decisions, and errors with sufficient detail for forensic analysis.
Audit logs enable detection of misuse, support incident response, and satisfy compliance requirements.
Applies to all production deployments (L2+).
- Log entries showing: timestamp, user/client ID, tool name, result (success/failure)
- Logs stored in immutable or tamper-evident storage
- Sample log query demonstrating ability to answer: "Who accessed what resource at what time?"
# Example
```python
import hashlib
import json
import logging
from datetime import datetime, timezone

logger = logging.getLogger("mcp.audit")

# One structured record per tool invocation. The timestamp is timezone-aware UTC
# (utcnow() is deprecated and yields an ambiguous naive time); args are hashed
# from canonical JSON so the entry is attributable without storing raw input.
logger.info(json.dumps({
    "timestamp": datetime.now(timezone.utc).isoformat(),
    "user_id": request.user_id,
    "tool": "read_file",
    "args_hash": hashlib.sha256(json.dumps(args, sort_keys=True).encode()).hexdigest()[:16],
    "result": "success",
    "ip": request.remote_addr
}))
```
- Invoke tool → verify log entry appears
- Check log includes user attribution
- Verify sensitive args are hashed/redacted (see MCP-LOG-02)
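The following is a worked example added to this page; it is not code from the standard or from any MCP server implementation. It covers the evidence items above in one runnable piece: a structured log of tool invocations, authentication attempts, authorization decisions and errors; a hash chain that makes the log tamper-evident (editing, deleting or reordering an entry breaks verification); and a query answering "who accessed what resource at what time?". The class and function names (`AuditLog`, `args_digest`, `who_accessed`) and the sample events are assumptions constructed for illustration.

```python
"""Hash-chained audit log with a forensic query (added example, not part of MCP-LOG-01)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash of the first entry in a fresh log


def canonical(obj) -> str:
    """Canonical JSON so the same logical content always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), default=str)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def args_digest(args) -> str:
    """Short, key-order-independent fingerprint of tool arguments (raw values are not stored)."""
    return sha256_hex(canonical(args))[:16]


class AuditLog:
    """Append-only JSON audit log. Each entry commits to the previous entry's hash,
    so editing, deleting or reordering an entry is detected by verify()."""

    def __init__(self):
        self.entries = []

    def record(self, event, user_id, ip, tool=None, args=None,
               result="success", error=None, when=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "event": event,  # tool_invocation | auth_attempt | authz_decision | error
            "user_id": user_id,
            "ip": ip,
            "tool": tool,
            "args_hash": args_digest(args) if args is not None else None,
            "result": result,
            "error": error,
            "prev_hash": prev,
        }
        entry["entry_hash"] = sha256_hex(canonical(entry))  # hash over all fields above
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body.get("prev_hash") != prev or e.get("entry_hash") != sha256_hex(canonical(body)):
                return i
            prev = e["entry_hash"]
        return -1

    def to_jsonl(self) -> str:
        """Serialise for shipping to WORM / append-only storage or a SIEM."""
        return "\n".join(json.dumps(e) for e in self.entries)

    def who_accessed(self, tool, start_iso, end_iso):
        """Answer 'who accessed what resource at what time?' for one tool in a time window.
        Bounds must be timezone-aware ISO 8601 strings, e.g. '2024-05-01T12:00:00+00:00'."""
        start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
        return [(e["timestamp"], e["user_id"], e["result"])
                for e in self.entries
                if e["event"] == "tool_invocation" and e["tool"] == tool
                and start <= datetime.fromisoformat(e["timestamp"]) <= end]


def build_sample_log() -> AuditLog:
    """Constructed sample events with fixed timestamps (not real traffic)."""
    log = AuditLog()
    t0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    log.record("auth_attempt", "alice", "10.0.0.5", when=t0)
    log.record("authz_decision", "alice", "10.0.0.5", tool="read_file", result="allow",
               when=t0 + timedelta(seconds=1))
    log.record("tool_invocation", "alice", "10.0.0.5", tool="read_file",
               args={"path": "/etc/hosts"}, when=t0 + timedelta(seconds=2))
    log.record("auth_attempt", "mallory", "198.51.100.7", result="failure",
               error="invalid token", when=t0 + timedelta(minutes=1))
    log.record("tool_invocation", "bob", "10.0.0.9", tool="read_file",
               args={"path": "/etc/shadow"}, result="failure",
               error="permission denied", when=t0 + timedelta(minutes=2))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify() == -1)
    for ts, user, result in log.who_accessed(
            "read_file", "2024-05-01T00:00:00+00:00", "2024-05-02T00:00:00+00:00"):
        print(ts, user, result)
```

The in-memory list stands in for whatever append-only store the deployment uses; the chain only proves integrity from the point a verifier holds a trusted copy of the latest `entry_hash`, so anchor that value somewhere the server cannot rewrite (a separate log sink, a signed checkpoint) for the "tamper-evident storage" evidence item.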
- OWASP Top 10: A09:2021 – Security Logging and Monitoring Failures
- OWASP MCP Top 10: MCP-08 (Lack of Audit & Telemetry)
- OWASP ASVS: V7.1 (Log Content Requirements)
NOT_APPLICABLE: L1 development environments may use minimal logging.
- OWASP Logging Cheat Sheet
- Trend Micro / WorkOS articles on audit requirements