Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

AliHaider
New Contributor

Integrating Web App logins

Hello Guys,


we are deploying a number of web applications for internal users and would like to log all the login details and timings (for compliance reporting). 

what is the source of logging in this case, the backend db? Are they are any SIEM integration guidelines for web apps?

2 REPLIES 2
HenrHern
Staff
Staff

I had a great deal of experience in this space. The real answer is that you need everything. You want; the firewalls that originally source the connection [FortiGate], the load balancers that hand off to web farms [FortiADC] , the web servers,  the WAFs that protect the web apps [FortiWeb], the middle tier systems, and the backend DBMS. The reason is that you need to track the session from end to end. That way you can see how far the session is getting. Especially during an attack, you want to know such things as; did the WAF catch it, did the server respond with a 200/300/400/500 series response, did the DBMS send any data back at any point, etc. 

I'd also like to point out that you want to make sure that's setting the web servers to log ALL fields. This is commonly overlooked in web apps. Most web servers don't record things like the forwarder for value by default. As such, all attacks/ connections show up as the load balancer in logs.

Hope this helps.

dtomic_FTNT
Staff
Staff

Hi Ali,

Logins would be visible in the web server. Like Henry suggested, enable logging on all fields. Depending on the webserver you may need to install an agent to forward the logs to FortiSIEM (if the webserver stores the logs in a file and isn't able to send them via syslog). 

Also as explained, if there is a load balancer in front of the webserver(s), you won't see the original client ip address. To obtain the client ip address in this scenario you need to enable the X-Forwarded-For HTTP header. Depending on the webserver the procedure will vary.

It also depends how the apps were developed, if they had detailed logging to a database, you'd be able to get all these details directly from the database.. but since you mention there are a "number of web applications", then likely the web server is the best choice to get those logs you're after.

Kind Regards,



------------------------------
Dušan Tomić - Consulting Systems Engineer INTL
Fortinet
------------------------------
Dušan Tomić - Consulting Systems Engineer INTL Fortinet
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.