Morgan

HTTP request logger middleware for Node.js. Logs HTTP request details (method, URL, status, response time, content length) to stdout or a stream in configurable formats. Part of the expressjs GitHub organization. Built-in formats: combined (Apache-style), common, dev (colored console), short, tiny. Custom format tokens available. Essential for access logging in Express applications during development and production.

Evaluated Mar 06, 2026 (0d ago) v1.x
Homepage ↗ Repo ↗ Developer Tools logging http express middleware request-logging node access-log
⚙ Agent Friendliness
69
/ 100
Can an agent use this?
🔒 Security
94
/ 100
Is it safe for agents?
⚡ Reliability
94
/ 100
Does it work consistently?

Score Breakdown

⚙ Agent Friendliness

MCP Quality
--
Documentation
90
Error Messages
82
Auth Simplicity
100
Rate Limits
100

🔒 Security

TLS Enforcement
100
Auth Strength
100
Scope Granularity
100
Dep. Hygiene
90
Secret Handling
80

Logging middleware — may inadvertently log sensitive URL parameters. Logs are stored locally or piped to streams. No network surface. Well-maintained by expressjs organization.

⚡ Reliability

Uptime/SLA
95
Version Stability
95
Breaking Changes
95
Error Recovery
90
AF Security Reliability

Best When

You need HTTP access logging in an Express.js application with minimal configuration — morgan('dev') for development, morgan('combined') for production logs.

Avoid When

You need structured JSON access logs (use pino-http), distributed tracing (use OpenTelemetry), or application-level logs (use winston/pino).

Use Cases

  • Log all HTTP requests to Express.js applications in development with colored output using morgan('dev')
  • Write Apache-style access logs to a log file rotation stream using morgan('combined') with a write stream
  • Log API request metadata (method, path, status, response time) for performance monitoring and debugging
  • Filter request logging by status code or path using the skip option to reduce log noise in production
  • Integrate HTTP access logging with log aggregation systems by piping morgan output to a structured logger stream

Not For

  • Application-level logging (errors, events) — use winston, pino, or structlog for application logs
  • Distributed tracing — use OpenTelemetry for request tracing across services
  • Non-Express frameworks — for Fastify use @fastify/access-log; for Koa use koa-logger

Interface

REST API
No
GraphQL
No
gRPC
No
MCP Server
No
SDK
Yes
Webhooks
No

Authentication

Methods: none
OAuth: No Scopes: No

No authentication — logging middleware.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Fully free, MIT licensed.

Agent Metadata

Pagination
none
Idempotent
Full
Retry Guidance
Not documented

Known Gotchas

  • Morgan logs to stdout by default in dev format — production deployments should use morgan('combined') or a file stream with log rotation via rotating-file-stream
  • morgan('dev') outputs ANSI color codes — pipe to file or non-TTY will include escape codes; use morgan('combined') for file output
  • Sensitive data in URLs (query params with tokens/passwords) will appear in morgan logs — use a custom token or skip function to redact sensitive paths
  • Request body is NOT logged by morgan — if you need to log request bodies, implement a custom middleware; be cautious about logging PII or secrets
  • morgan must be registered before route handlers for accurate timing — app.use(morgan()) before app.use(router) ensures response time includes route processing
  • High-traffic applications should use stream: rotating-file-stream to prevent log file growth — without rotation, access logs can fill disk storage

Alternatives

pino-http-api winston-api log4js-node-api

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Morgan.

$99
API endpoint ↗ Agent guide ↗ Report inaccuracy

Scores are editorial opinions as of 2026-03-06.

5208
Packages Evaluated
26151
Need Evaluation
173
Need Re-evaluation
Community Powered