FortiSIEM Discussions
AliHaider
New Contributor

Integrating Web App logins

Hello Guys,


we are deploying a number of web applications for internal users and would like to log all the login details and timings (for compliance reporting). 

what is the source of logging in this case, the backend db? Are they are any SIEM integration guidelines for web apps?

2 REPLIES 2
HenryHernandez

I had a great deal of experience in this space. The real answer is that you need everything. You want; the firewalls that originally source the connection [FortiGate], the load balancers that hand off to web farms [FortiADC] , the web servers,  the WAFs that protect the web apps [FortiWeb], the middle tier systems, and the backend DBMS. The reason is that you need to track the session from end to end. That way you can see how far the session is getting. Especially during an attack, you want to know such things as; did the WAF catch it, did the server respond with a 200/300/400/500 series response, did the DBMS send any data back at any point, etc. 

I'd also like to point out that you want to make sure that's setting the web servers to log ALL fields. This is commonly overlooked in web apps. Most web servers don't record things like the forwarder for value by default. As such, all attacks/ connections show up as the load balancer in logs.

Hope this helps.

-------------------------------------------
Original Message:
Sent: Dec 21, 2020 01:45 PM
From: Ali Haider
Subject: Integrating Web App logins

Hello Guys,


we are deploying a number of web applications for internal users and would like to log all the login details and timings (for compliance reporting). 

what is the source of logging in this case, the backend db? Are they are any SIEM integration guidelines for web apps?

DusanTomic
Staff
Staff

Hi Ali,

Logins would be visible in the web server. Like Henry suggested, enable logging on all fields. Depending on the webserver you may need to install an agent to forward the logs to FortiSIEM (if the webserver stores the logs in a file and isn't able to send them via syslog). 

Also as explained, if there is a load balancer in front of the webserver(s), you won't see the original client ip address. To obtain the client ip address in this scenario you need to enable the X-Forwarded-For HTTP header. Depending on the webserver the procedure will vary.

It also depends how the apps were developed, if they had detailed logging to a database, you'd be able to get all these details directly from the database.. but since you mention there are a "number of web applications", then likely the web server is the best choice to get those logs you're after.

Kind Regards,



------------------------------
Dušan Tomić - Consulting Systems Engineer INTL
Fortinet
------------------------------
-------------------------------------------
Original Message:
Sent: Dec 21, 2020 01:45 PM
From: Ali Haider
Subject: Integrating Web App logins

Hello Guys,


we are deploying a number of web applications for internal users and would like to log all the login details and timings (for compliance reporting). 

what is the source of logging in this case, the backend db? Are they are any SIEM integration guidelines for web apps?

Announcements

Welcome to your new Fortinet Community!

You'll find your previous forum posts under "Forums"