Core REST API should log requests, for debugging and analysis.
Action API does this via ApiMain::logRequest. See https://gerrit.wikimedia.org/g/mediawiki/core/+/9d456b429d8b5265f1e134c9eca46f99318ee083/includes/api/ApiMain.php#1626
Calls are logged to api.log (unstructured message) and api-request.log (structured message). Sensitive information (such as csrf tokens) is redacted from the log (by being replaced with the string "[redacted]".
For Core REST API, we will need to:
- decide to what file(s) calls be logged
- if this involves new files, determine what, if anything needs to be done for these files to exist in our production infrastructure and be properly mapped to logstash/kibana
- implement logging
- ensure that sensitive information is redacted