Create Your Own Security Logs

[Tech Manager]

Here is a tutorial I wrote about creating a custom security log using PHP. It includes definitions for all the terms, $_SERVER, REMOTE_ADDR, REQUEST_METHOD, PHP_SELF, QUERY_STRING,REQUEST_TIME fopen, fclose, fwrite, etc., an explanation for the function/script and the complete finished code with instructions on how to use it.

Create Your Own Security Logs

[danlefree]

The script could be useful for auditing login attempts and other application-level tasks, however, relying upon one's own PHP-generated logs for all activity would add significant overhead for each page request and defeat the purpose of existing log analysis tools.

[Tech Manager]

Quote:

Originally Posted by danlefree

The script could be useful for auditing login attempts and other application-level tasks, however, relying upon one's own PHP-generated logs for all activity would add significant overhead for each page request and defeat the purpose of existing log analysis tools.

It really depends on how much data you are logging. Based on the limited amount of data in this tutorial the overhead is slight not significant. There are many log analysis tools that provide an excellent resource for viewing and interpreting log data. However, many webmasters and site owners do not have access to their logs or want to be able to monitor specific types of traffic.

Thank you for responding.

[wige]

The one drawback to this method that I see (other than the above mentioned overhead) is that this script requires that the malicious user attempt to access a dynamic page that has the scripting enabled. If you are not able to add custom PHP code to error documents, this system would be almost useless. In addition, it creates a blind spot for images, scripts, media files, libraries and dynamic includes and other potential avenues of attack.

Generally speaking, if you have access to .htaccess, I would lean more toward creating a custom security log with a custom entry in the .htaccess file that will record the pertinent information. This method will allow all access attempts to be recorded with minimal overhead. The following .htaccess directive will generate a log similar to that explained in the tutorial. The log file will be created at /location/log.txt.

Code:

LogFormat "%h|%t|\"%r\"|%>s" security
CustomLog /location/log.txt security

[Tech Manager]

I agree with you Wige. Good post. However, your .htaccess directive is not going to work on every system. Again we get into configuration differences, whether .htaccess is available to the site owner, etc.

Quote:

you must have access to your virtual host configuration because the CustomLog and LogFormat directives can’t be specified in the .htaccess file but only at server config or virtual host level.

Source

I have tested your solution and received errors. I have not tested the solution mentioned in the quote above. But will do so.

The best solution is to have all log entries available, and use log analysis tools as mentioned by danlefree.

[zbatia]

After trying various add-on scripts I found that "The best solution is to have all log entries available, and use log analysis tools" as it was mentioned above. I'd recommend the inexpensive but comprehensive and easy-to-interpret tool:
Easy Web Traffic Analysis. Understanding Web Site Visitors and SEO. Web Analytics for Business Owners. Get better ROI!
I use it successfully for the last 1 year. I love auto-reporting feature since I am busy and can forget to download the report for comparison with previous weeks.