-1

What data should be logged in a web application? From all perspectives, such as security, user access, data modification, the path traveled by a user in the application, and anything else that matters.

  • 2
    Welcome. This is too broad as a question. You need to be more specific. You may read [How do I ask a good question?](http://security.stackexchange.com/help/how-to-ask) –  Sep 01 '15 at 10:09

2 Answers

2

This depends on the type of web application and the features it contains, so we'd need more information to provide more specific feedback. However, from a general information security standpoint, make sure to log anything that relates to:

  1. confidentiality
  2. integrity
  3. availability

e.g.

  • authentication attempts (both successes and failures!),

  • user x (trying to) access/modify resource y -- in this case, when you're periodically reviewing, you can verify whether user x was indeed authorized to access resource y and, if not, further access control measures can be taken.

Just try to log anything that you believe might be useful in later debugging and analyzing possible application exploits (hopefully none). It's better to log too much than too little.
Btw, you may want to work with different logging levels (normal, error, verbose, ...)

Stef Heylen
  • 1,726
  • 1
  • 14
  • 16
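As an added example (not part of the answer above), here is what logging both outcomes of authentication and every access decision can look like, followed by the periodic review the answer describes: an ACL is compared against what the application actually allowed, and repeated failed logins are surfaced. The logger, field names, sample users, IPs and resources are all constructed for illustration; a real deployment would replace the in-memory handler with a file or syslog handler.

```python
"""Structured security-event logging for a web application, plus a review pass over the log."""
import json
import logging
from datetime import datetime, timezone

# Fields carried on each record via logging's `extra=` mechanism (names chosen for this example).
EVENT_FIELDS = ("user", "src_ip", "resource", "action", "outcome", "reason")


class JsonLineFormatter(logging.Formatter):
    """Emit one JSON object per line so the log can be parsed later (grep, SIEM, scripts)."""

    def format(self, record):
        payload = {
            "ts": datetime.fromtimestamp(record.created, tz=timezone.utc).isoformat(),
            "level": record.levelname,
            "event": record.getMessage(),
        }
        for key in EVENT_FIELDS:
            if hasattr(record, key):
                payload[key] = getattr(record, key)
        return json.dumps(payload, sort_keys=True)


class ListHandler(logging.Handler):
    """Collects formatted lines in memory; a real deployment would use a file or syslog handler."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def make_security_logger(handler):
    # A standalone Logger instance (not the global registry) so repeated calls do not stack handlers.
    logger = logging.Logger("webapp.security", level=logging.INFO)
    handler.setFormatter(JsonLineFormatter())
    logger.addHandler(handler)
    return logger


def log_auth_attempt(logger, user, src_ip, success, reason=None):
    """Log every login attempt; failures go out at WARNING so they stand out when filtering."""
    logger.log(
        logging.INFO if success else logging.WARNING,
        "auth_attempt",
        extra={"user": user, "src_ip": src_ip,
               "outcome": "success" if success else "failure", "reason": reason},
    )


def log_resource_access(logger, user, resource, action, allowed):
    """Log user x (trying to) access/modify resource y, and what the access check decided."""
    logger.log(
        logging.INFO if allowed else logging.WARNING,
        "resource_access",
        extra={"user": user, "resource": resource, "action": action,
               "outcome": "allowed" if allowed else "denied"},
    )


def review(lines, acl, failure_threshold=3):
    """Periodic review: flag allowed accesses the ACL does not explain, and users with many failed logins.

    `acl` maps user -> set of resources that user is supposed to be able to reach.
    """
    findings = []
    failed_logins = {}
    for line in lines:
        rec = json.loads(line)
        if rec["event"] == "auth_attempt" and rec["outcome"] == "failure":
            failed_logins[rec["user"]] = failed_logins.get(rec["user"], 0) + 1
        elif rec["event"] == "resource_access" and rec["outcome"] == "allowed":
            if rec["resource"] not in acl.get(rec["user"], set()):
                findings.append(
                    f"{rec['user']} was allowed to {rec['action']} {rec['resource']} "
                    f"but the ACL does not permit it")
    for user, n in failed_logins.items():
        if n >= failure_threshold:
            findings.append(f"{user}: {n} failed logins")
    return findings


def demo():
    """Constructed sample traffic (not real data) followed by a review pass."""
    handler = ListHandler()
    logger = make_security_logger(handler)
    log_auth_attempt(logger, "alice", "203.0.113.5", True)
    for _ in range(3):
        log_auth_attempt(logger, "bob", "198.51.100.7", False, reason="bad password")
    log_resource_access(logger, "alice", "/reports/42", "read", True)
    # The app said yes here, but the ACL below says alice should not reach /admin/users:
    # exactly the discrepancy a periodic review of the log is meant to catch.
    log_resource_access(logger, "alice", "/admin/users", "modify", True)
    log_resource_access(logger, "bob", "/admin/users", "read", False)
    acl = {"alice": {"/reports/42"}, "bob": set()}
    return handler.lines, review(handler.lines, acl)


if __name__ == "__main__":
    lines, findings = demo()
    print("\n".join(lines))
    print("\n".join(findings))
```

The level split (INFO for normal events, WARNING for failures and denials) is the cheap version of the "different logging levels" the answer mentions: a reviewer can filter on WARNING first and still has the full INFO trail when reconstructing what a user did.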
0

I would be more specific about Web app logging. If it's a clinical Web app that needs to be 21 CFR Part 11 compliant, then it has to log every change to data made by a Web app transaction.

In general, having that kind of log is a great debugging tool as well as a security monitoring tool.

Doing this in a scripting language like PHP can be tedious, but it can be implemented in a fairly straightforward way if you're using PostgreSQL, using stored procedures and before/after triggers on your tables.

That way you don't have to touch your Web app code and you get great logging for (almost) free.

Danny Lieberman
  • 388
  • 2
  • 6
  • To be clear, there's no reason you couldn't use any other SQL variant (SQL Server, MySQL, etc). All SQL variants implement triggers in some way. – Chris Murray Sep 01 '15 at 10:09
  • of course. I was just using PG as an example. SQL server would be fine. Personally - I think the MySQL SP language is really weak in comparison with PG but your mileage will vary. ;-) – Danny Lieberman Sep 01 '15 at 10:12
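As an added example (not code from either answer or the comments), the trigger-based audit trail the answer and comments describe, in working form. SQLite stands in for PostgreSQL so it runs anywhere with Python alone; the trigger shape (AFTER triggers on the audited table, BEFORE triggers that make the log append-only) carries over to PostgreSQL or any other engine with triggers. The `patients` table, its columns and the sample rows are constructed for illustration.

```python
"""Audit trail written by database triggers, so the web application code is untouched."""
import sqlite3

# Schema and triggers. In PostgreSQL the trigger bodies would be a PL/pgSQL function
# referenced with FOR EACH ROW EXECUTE FUNCTION; the logic is the same.
SCHEMA = """
CREATE TABLE patients (
    id     INTEGER PRIMARY KEY,
    name   TEXT NOT NULL,
    dosage REAL NOT NULL
);

CREATE TABLE audit_log (
    id         INTEGER PRIMARY KEY,
    at         TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    table_name TEXT NOT NULL,
    row_id     INTEGER NOT NULL,
    op         TEXT NOT NULL,              -- INSERT / UPDATE / DELETE
    old_name   TEXT, old_dosage REAL,      -- row before the change (NULL on INSERT)
    new_name   TEXT, new_dosage REAL       -- row after the change  (NULL on DELETE)
);

-- AFTER triggers: record what changed once the change has actually happened.
CREATE TRIGGER patients_audit_insert AFTER INSERT ON patients BEGIN
    INSERT INTO audit_log (table_name, row_id, op, new_name, new_dosage)
    VALUES ('patients', NEW.id, 'INSERT', NEW.name, NEW.dosage);
END;

CREATE TRIGGER patients_audit_update AFTER UPDATE ON patients BEGIN
    INSERT INTO audit_log (table_name, row_id, op, old_name, old_dosage, new_name, new_dosage)
    VALUES ('patients', NEW.id, 'UPDATE', OLD.name, OLD.dosage, NEW.name, NEW.dosage);
END;

CREATE TRIGGER patients_audit_delete AFTER DELETE ON patients BEGIN
    INSERT INTO audit_log (table_name, row_id, op, old_name, old_dosage)
    VALUES ('patients', OLD.id, 'DELETE', OLD.name, OLD.dosage);
END;

-- BEFORE triggers on the log itself make it append-only through this connection.
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;

CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only');
END;
"""


def open_audited_db():
    """Fresh in-memory database with the schema and triggers installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_app_transactions(conn):
    """Ordinary application DML. Nothing here mentions audit_log; the triggers do that work."""
    conn.execute("INSERT INTO patients (name, dosage) VALUES (?, ?)", ("J. Doe", 5.0))
    conn.execute("UPDATE patients SET dosage = ? WHERE name = ?", (7.5, "J. Doe"))
    conn.execute("DELETE FROM patients WHERE name = ?", ("J. Doe",))
    conn.commit()


def audit_trail(conn):
    """Return the audit rows in the order they were written."""
    rows = conn.execute(
        "SELECT op, row_id, old_dosage, new_dosage FROM audit_log ORDER BY id").fetchall()
    return [{"op": op, "row_id": rid, "old_dosage": old, "new_dosage": new}
            for op, rid, old, new in rows]


def tamper_with_log(conn):
    """Try to erase the trail the way a compromised app account might. Returns True if refused."""
    try:
        conn.execute("DELETE FROM audit_log")
    except sqlite3.DatabaseError as exc:  # RAISE(ABORT, ...) surfaces as a database error
        return "append-only" in str(exc)
    return False


def demo():
    conn = open_audited_db()
    run_app_transactions(conn)
    trail = audit_trail(conn)
    refused = tamper_with_log(conn)
    return trail, refused, len(audit_trail(conn))


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

Two things the SQLite version cannot show: who made the change and under what request. In PostgreSQL the trigger function can record `current_user`, and if the web app runs `SET LOCAL` on a custom setting at the start of each request the trigger can read it back with `current_setting('app.user', true)` (the second argument makes it return NULL instead of erroring when unset), so each audit row carries the application-level user as well as the database role. The append-only triggers also only protect against the application's own connection; a database superuser can still drop them, so for the compliance case the answer mentions the log should additionally be shipped off-host.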