Logging and auditing relationship with your security/auditors
makst at upenn.edu
Mon May 18 21:18:10 UTC 2020
Here is an example of a need:
"We would like to see failed login attempts by username outside of the process log."
Now I saw you answer that it would be impossible for that to show up in an audit log because of how late audit log processing happens, but is it possible to create a completely separate log, call it the security log, and have bad logins, plus some audit log extractions, show up in a custom security log?
The failed logins in the process log are useless to the security team because they only have timestamp + username. They need the JSESSIONID and would like IP so they can coalesce other log lines from other log files.
Is your audit log the only log you offer for your mentioned use cases? Are your customizations limited to everything at post-response?
I don't believe we have any need to log attribute values at this time, but I'm curious about other things you've logged and which auth state the log data comes from.