Well a lot of what you are logging can already be found in your apache access logs. You might want to log the page referrer if you’re interested to see where the user came from to get to that page.
If you’re talking forensically just to have a record of what’s happening, I’ve been keeping track of logins/logouts, when records are deleted, when new ones are added, and when they are edited (and by whom).
For example, I might use a blurb like this: user ID 5 (Force) deleted user ID 12 (testuser)
Using the word “forensics” suggests you will be going back looking for evidence of crime.
Define why you are logging things and then you will have a better idea of what to log.
The danger of logging everything just because you can is that you end up with log files so huge that they obfuscate important data because of their very size.
You can log to numerous different files, so make sure you name these files very carefully otherwise you will forget what each one is for.
Consider using a proper logging library (PEAR::Log, ZF logging) because then you end up with just single lines of code that you have granular control over at runtime - allowing you to switch logging on and off up set the level of log up or down.
There is another source of logging you should remember is available and that is your database log. There are plenty of options there. General log might be of interest, but could slow you db server.
I just came off a project using SOAP to connect 5 different servers and logging was the only way to figure out what was happening.hence the importance of granular control, ease of access, naming conventions and relevance of data are fresh in my mind.
Don’t forget you can also log to a db, sqlite is ideal for this kind of thing (I created an Sqlite driver for PEAR::Log if anyone wants it, shout out).
Once your logging is set up and if you are logging to files, then an hour spent reading about logrotate would be good.
