Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Morgan is a middleware for Node.js that enables HTTP request logging. It is commonly used with Express.js applications to log information about incoming requests, which can be helpful for debugging, monitoring, and analytics purposes.
Logging HTTP requests
This code sets up an Express server and uses Morgan to log all incoming HTTP requests in the 'combined' Apache format.
const express = require('express');
const morgan = require('morgan');
const app = express();
app.use(morgan('combined'));
app.get('/', (req, res) => {
res.send('Hello World!');
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});
Customizing log formats
This code demonstrates how to customize the log format to include specific details such as the HTTP method, URL, status code, content length, and response time.
const express = require('express');
const morgan = require('morgan');
const app = express();
app.use(morgan(':method :url :status :res[content-length] - :response-time ms'));
app.get('/', (req, res) => {
res.send('Hello World!');
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});
Creating custom tokens
This code shows how to create a custom token 'id' that can be used in the log format. The token function returns a value from the request object, which is then logged.
const express = require('express');
const morgan = require('morgan');
const app = express();
morgan.token('id', function getId(req) {
return req.id;
});
app.use(morgan(':id :method :url'));
app.get('/', (req, res) => {
req.id = 'abc123';
res.send('Hello World!');
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});
Writing logs to a file
This code snippet demonstrates how to configure Morgan to write logs to a file named 'access.log' instead of outputting to the console.
const fs = require('fs');
const express = require('express');
const morgan = require('morgan');
const path = require('path');
const app = express();
const accessLogStream = fs.createWriteStream(path.join(__dirname, 'access.log'), { flags: 'a' });
app.use(morgan('combined', { stream: accessLogStream }));
app.get('/', (req, res) => {
res.send('Hello World!');
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});
Winston is a versatile logging library for Node.js. Unlike Morgan, which is specifically designed for HTTP request logging, Winston can be used for general-purpose application logging. It supports multiple transports (e.g., console, file, database) and is highly configurable.
Pino is a very low-overhead Node.js logger. It is designed for speed and can be significantly faster than other logging solutions like Morgan, especially in high-throughput scenarios. Pino focuses on JSON logging and offers different log levels and custom serializers.
Bunyan is a simple and fast JSON logging library for Node.js services. Like Pino, it focuses on JSON logging. Bunyan provides a set of standard log levels and includes a CLI tool for pretty-printing log files. It is more similar to Winston in terms of features but with a focus on JSON.
HTTP request logger middleware for node.js
Named after Dexter, a show you should not watch until completion.
var morgan = require('morgan')
Create a new morgan logger middleware function using the given format
and options
.
The format
argument may be a string of a predefined name (see below for the names),
a string of a format string, or a function that will produce a log entry.
The format
function will be called with three arguments tokens
, req
, and res
,
where tokens
is an object with all defined tokens, req
is the HTTP request and res
is the HTTP response. The function is expected to return a string that will be the log
line, or undefined
/ null
to skip logging.
morgan('tiny')
morgan(':method :url :status :res[content-length] - :response-time ms')
morgan(function (tokens, req, res) {
return [
tokens.method(req, res),
tokens.url(req, res),
tokens.status(req, res),
tokens.res(req, res, 'content-length'), '-',
tokens['response-time'](req, res), 'ms'
].join(' ')
})
Morgan accepts these properties in the options object.
Write log line on request instead of response. This means that a requests will be logged even if the server crashes, but data from the response (like the response code, content length, etc.) cannot be logged.
Function to determine if logging is skipped, defaults to false
. This function
will be called as skip(req, res)
.
// EXAMPLE: only log error responses
morgan('combined', {
skip: function (req, res) { return res.statusCode < 400 }
})
Output stream for writing log lines, defaults to process.stdout
.
There are various pre-defined formats provided:
Standard Apache combined log output.
:remote-addr - :remote-user [:date[clf]] ":method :url HTTP/:http-version" :status :res[content-length] ":referrer" ":user-agent"
Standard Apache common log output.
:remote-addr - :remote-user [:date[clf]] ":method :url HTTP/:http-version" :status :res[content-length]
Concise output colored by response status for development use. The :status
token will be colored green for success codes, red for server error codes,
yellow for client error codes, cyan for redirection codes, and uncolored
for information codes.
:method :url :status :response-time ms - :res[content-length]
Shorter than default, also including response time.
:remote-addr :remote-user :method :url HTTP/:http-version :status :res[content-length] - :response-time ms
The minimal output.
:method :url :status :res[content-length] - :response-time ms
To define a token, simply invoke morgan.token()
with the name and a callback function.
This callback function is expected to return a string value. The value returned is then
available as ":type" in this case:
morgan.token('type', function (req, res) { return req.headers['content-type'] })
Calling morgan.token()
using the same name as an existing token will overwrite that
token definition.
The token function is expected to be called with the arguments req
and res
, representing
the HTTP request and HTTP response. Additionally, the token can accept further arguments of
it's choosing to customize behavior.
The current date and time in UTC. The available formats are:
clf
for the common log format ("10/Oct/2000:13:55:36 +0000"
)iso
for the common ISO 8601 date time format (2000-10-10T13:55:36.000Z
)web
for the common RFC 1123 date time format (Tue, 10 Oct 2000 13:55:36 GMT
)If no format is given, then the default is web
.
The HTTP version of the request.
The HTTP method of the request.
The Referrer header of the request. This will use the standard mis-spelled Referer header if exists, otherwise Referrer.
The remote address of the request. This will use req.ip
, otherwise the standard req.connection.remoteAddress
value (socket address).
The user authenticated as part of Basic auth for the request.
The given header
of the request. If the header is not present, the
value will be displayed as "-"
in the log.
The given header
of the response. If the header is not present, the
value will be displayed as "-"
in the log.
The time between the request coming into morgan
and when the response
headers are written, in milliseconds.
The digits
argument is a number that specifies the number of digits to
include on the number, defaulting to 3
, which provides microsecond precision.
The status code of the response.
If the request/response cycle completes before a response was sent to the
client (for example, the TCP socket closed prematurely by a client aborting
the request), then the status will be empty (displayed as "-"
in the log).
The time between the request coming into morgan
and when the response
has finished being written out to the connection, in milliseconds.
The digits
argument is a number that specifies the number of digits to
include on the number, defaulting to 3
, which provides microsecond precision.
The URL of the request. This will use req.originalUrl
if exists, otherwise req.url
.
The contents of the User-Agent header of the request.
Compile a format string into a format
function for use by morgan
. A format string
is a string that represents a single log line and can utilize token syntax.
Tokens are references by :token-name
. If tokens accept arguments, they can
be passed using []
, for example: :token-name[pretty]
would pass the string
'pretty'
as an argument to the token token-name
.
The function returned from morgan.compile
takes three arguments tokens
, req
, and
res
, where tokens
is object with all defined tokens, req
is the HTTP request and
res
is the HTTP response. The function will return a string that will be the log line,
or undefined
/ null
to skip logging.
Normally formats are defined using morgan.format(name, format)
, but for certain
advanced uses, this compile function is directly available.
Simple app that will log all request in the Apache combined format to STDOUT
var express = require('express')
var morgan = require('morgan')
var app = express()
app.use(morgan('combined'))
app.get('/', function (req, res) {
res.send('hello, world!')
})
Simple app that will log all request in the Apache combined format to STDOUT
var finalhandler = require('finalhandler')
var http = require('http')
var morgan = require('morgan')
// create "middleware"
var logger = morgan('combined')
http.createServer(function (req, res) {
var done = finalhandler(req, res)
logger(req, res, function (err) {
if (err) return done(err)
// respond to request
res.setHeader('content-type', 'text/plain')
res.end('hello, world!')
})
})
Simple app that will log all requests in the Apache combined format to the file
access.log
.
var express = require('express')
var fs = require('fs')
var morgan = require('morgan')
var path = require('path')
var app = express()
// create a write stream (in append mode)
var accessLogStream = fs.createWriteStream(path.join(__dirname, 'access.log'), { flags: 'a' })
// setup the logger
app.use(morgan('combined', { stream: accessLogStream }))
app.get('/', function (req, res) {
res.send('hello, world!')
})
Simple app that will log all requests in the Apache combined format to one log
file per day in the log/
directory using the
rotating-file-stream module.
var express = require('express')
var morgan = require('morgan')
var path = require('path')
var rfs = require('rotating-file-stream') // version 2.x
var app = express()
// create a rotating write stream
var accessLogStream = rfs.createStream('access.log', {
interval: '1d', // rotate daily
path: path.join(__dirname, 'log')
})
// setup the logger
app.use(morgan('combined', { stream: accessLogStream }))
app.get('/', function (req, res) {
res.send('hello, world!')
})
The morgan
middleware can be used as many times as needed, enabling
combinations like:
Sample app that will log all requests to a file using Apache format, but error responses are logged to the console:
var express = require('express')
var fs = require('fs')
var morgan = require('morgan')
var path = require('path')
var app = express()
// log only 4xx and 5xx responses to console
app.use(morgan('dev', {
skip: function (req, res) { return res.statusCode < 400 }
}))
// log all requests to access.log
app.use(morgan('common', {
stream: fs.createWriteStream(path.join(__dirname, 'access.log'), { flags: 'a' })
}))
app.get('/', function (req, res) {
res.send('hello, world!')
})
Sample app that will use custom token formats. This adds an ID to all requests and displays it using the :id
token.
var express = require('express')
var morgan = require('morgan')
var uuid = require('node-uuid')
morgan.token('id', function getId (req) {
return req.id
})
var app = express()
app.use(assignId)
app.use(morgan(':id :method :url :response-time'))
app.get('/', function (req, res) {
res.send('hello, world!')
})
function assignId (req, res, next) {
req.id = uuid.v4()
next()
}
FAQs
HTTP request logger middleware for node.js
The npm package morgan receives a total of 4,492,686 weekly downloads. As such, morgan popularity was classified as popular.
We found that morgan demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.