Access logging is the practice of system monitoring via a file or a collection of files that detail all of the various activities on a system. Composed of various events and metadata, good access logging practices will help you stay informed on exactly what is happening in your infrastructure, and exactly who is carrying out these various activities. Logging can help system administrators and security engineers identify threats and discover vulnerabilities, and is critical to passing security audits.
The bottom line is that if you are maintaining any kind of infrastructure, whether it’s cloud-hosted virtual servers or local bare-metal boxes, access logging should be a key part of your infra-management. It’s important to know who did what, on which systems and why.
Access logs usually contain information like:
It’s incredibly important to understand what types of data are being radiated and recorded by your system so that you can stay on top of your infrastructure.
Access logs are typically present on most web servers by default. Depending on the operating system of the server, the architecture and various other configuration settings, access logs can be recorded in many different places.
Here is an example of different default web server logging locations:
OpenSSH | `var/log/auth` |
RDP | TerminalService-LocalSessionManager Operational log |
Debian-based systems | `/var/log/apache2` |
Rhel-based systems | `/var/log/httpd` |
Nginx servers | `/var/log/nginx` |
Information Services (IIS) on Windows | `C:\inetpub\logs\LogFiles\W3SVC` |
Aggregating discrete resources’ audit log collections makes it much easier to sift through access data at scale. Teleport centralizes all of your audit logging, across your entire infrastructure ecosystem all in one place, allowing you to easily keep a bird’s eye view of your network. Let’s take a look at an example log event recorded by a Teleport cluster when a user starts a database session:
{ "cluster_name": "teleport-cluster.example.com", "code": "TDL01I", "db_name": "postgres", "db_protocol": "postgres", "db_service": "aurora", "db_uri": "postgres.cluster-example.us-west-2.rds.amazonaws.com:", "db_user": "shared-dev", "ei": 0, "event": "db.session.start", "namespace": "default", "server_id": "example-id-4200912345", "success": true, "time": "2023-01-27T16:54:19.391Z", "uid": "example-user-id-41728512OU212", "user": "teleport-user-james-gandolfini" }
Here you can find a lot of useful information.
A rich audit log can tell you a lot about the state of your infrastructure and help you keep your resources safe and secure for your users. Fields like `uid` and `user` are extremely important in a case like this where a user is impersonating a shared database user like “shared-dev”. In the database log itself you may see queries executed by “shared-dev” but in this case where the database user is shared by multiple team members, it can be difficult to pinpoint exactly who is accessing your system and what they are doing on it.
With solutions like Teleport Database Access, you are easily able to tie shared resource users to individual engineers’ identities. This is why it can be important to delve deeper than the resource default logging that is present on the resources natively.
Overall if you follow the above guidelines as well as the specific logging policy implementations recommendations for your web servers, you will have much deeper insight into your networking infrastructure.
This is only the first step however in maintaining a secure and compliant network. A good third-party SIEM tool like Splunk or Datadog in conjunction with a Zero-Trust Identity-Native Infrastructure Access platform like Teleport will help you take that extra step to reach your compliance and security goals. You can try Teleport for free today.