Chapter 9.  Event Logging

Table of Contents

What to Log
Log Management

Logging is essential for providing key security information about a web application and its associated processes and integrated technologies. Generating detailed access and transaction logs is important for several reasons:

Failure to design or enable proper event logging mechanisms in the web application may undermine an organization's ability to detect unauthorized access attempts and to determine the extent to which those attempts succeeded.

What to Log

At a low level, the following groups of events are the ones to design and enable logging for in a web application and its supporting infrastructure (database, transaction server, etc.). In general, each log entry should include appropriate debugging information such as the time of the event, the initiating process or owner of the process, and a detailed description of the event. The following are recommended types of system events to log in the application:

  • Reading of data

  • Writing of data

  • Modification of any data characteristics should be logged, including access control permissions or labels, location in database or file system, or data ownership.

  • Deletion of any data object should be logged

  • Network communications should be logged at all points (bind, connect, accept, etc.)

  • All authentication events (logging in, logging out, failed logins, etc.)

  • All authorization attempts should include time, success/failure, resource or function being authorized, and the user requesting authorization.

  • All administrative functions regardless of overlap (account management actions, viewing any user's data, enabling or disabling logging, etc.)

  • Miscellaneous debugging information that can be enabled or disabled on the fly.
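
One way to capture the fields listed above in a single structured record, as an added example that is not part of the original guide. The logger name, category strings, field names and sample users and paths are assumptions made for illustration.

```python
import json
import logging
import os
from datetime import datetime, timezone

# Categories follow the list above; the string names are this example's own.
CATEGORIES = {"read", "write", "modify", "delete", "network",
              "authentication", "authorization", "admin", "debug"}
audit_log = logging.getLogger("audit")  # hypothetical logger name


def audit_event(category, user, description, outcome=None, resource=None):
    """Emit one audit record as a JSON line and return it."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown audit category: {category}")
    if category == "authorization" and (outcome is None or resource is None):
        # Authorization attempts must carry success/failure and the resource.
        raise ValueError("authorization events need outcome and resource")
    record = {
        "time": datetime.now(timezone.utc).isoformat(),  # time of event
        "process": os.getpid(),                          # initiating process
        "user": user,                                    # owner / requester
        "category": category,
        "outcome": outcome,
        "resource": resource,
        "description": description,
    }
    # Debug records use DEBUG level so they can be switched at runtime.
    level = logging.DEBUG if category == "debug" else logging.INFO
    audit_log.log(level, json.dumps(record))
    return record


def set_debug(enabled, admin_user):
    """Toggle debug records on the fly; the toggle is itself an admin event."""
    audit_log.setLevel(logging.DEBUG if enabled else logging.INFO)
    state = "enabled" if enabled else "disabled"
    return audit_event("admin", admin_user, f"debug logging {state}")


if __name__ == "__main__":
    logging.basicConfig(format="%(message)s")
    audit_log.setLevel(logging.INFO)
    # Constructed sample events, not taken from any real system.
    audit_event("authentication", "alice", "login failed", outcome="failure")
    audit_event("authorization", "alice", "export report",
                outcome="failure", resource="/reports/export")
    set_debug(True, "ops-admin")
    audit_event("debug", "alice", "session cache miss")
```

Because `set_debug` writes its own administrative record, a change to the logging level always leaves a trace in the same log it affects.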