Logging is essential for providing key security information about a web application and its associated processes and integrated technologies. Generating detailed access and transaction logs is important for several reasons:
Logs are often the only record that suspicious behavior is taking place, and they can sometimes be fed real-time directly into intrusion detection systems.
Logs can provide individual accountability in the web application system universe by tracking a user's actions.
Logs are useful in reconstructing events after a problem has occurred, security related or not. Event reconstruction can allow a security administrator to determine the full extent of an intruder's activities and expedite the recovery process.
Logs may in some cases be needed in legal proceedings to prove wrongdoing. In this case, the actual handling of the log data is crucial.
Failure to enable or design the proper event logging mechanisms in the web application may undermine an organization's ability to detect unauthorized access attempts, and the extent to which these attempts may or may not have succeeded.
On a very low level, the following are groupings of logging system call characteristics to design/enable in a web application and supporting infrastructure (database, transaction server, etc.). In general, the logging features should include appropriate debugging information such as time of event, initiating process or owner of process, and a detailed description of the event. The following are recommended types of system events to log in the application:
Reading of data
Writing of data
Modification of any data characteristics should be logged, including access control permissions or labels, location in database or file system, or data ownership.
Deletion of any data object should be logged
Network communications should be logged at all points, (bind, connect, accept, etc.)
All authentication events (logging in, logging out, failed logins, etc.)
All authorization attempts should include time, success/failure, resource or function being authorized, and the user requesting authorization.
All administrative functions regardless of overlap (account management actions, viewing any user's data, enabling or disabling logging, etc.)
Miscellaneous debugging information that can be enabled or disabled on the fly.