Wednesday, December 02, 2015

On BI: Spring Tomcat Impersonation audit

The amount of intelligence you can pull from logs is unlimited. In a typical log like the below we see a session but we have no idea who is editing the employee. Furthermore the employee might be edited under impersonation.
2015-11-07 22:15:05,845 INFO [com.sample.web.filter.LoggingFilter doFilter] - AD3A60A51885B74F2AC2B02F5BDD3AC0.node1 /employee/204187
We can easily see filtering by the sessionid if a user was impersonated and list both the real user and the impersonated user with the below awk script: We get now something like:
2015-11-07 22:15:05,845 AD3A60A51885B74F2AC2B02F5BDD3AC0.node1 /employee/204187
Note that if you are logging all params as part of the URL regardless if it is POST or GET you could be saving a lot of time. If you are using JSON payload most likely things will get a little more complicated as you might want to extract specific fields from the payload but overall you could extract a lot of business intelligence from logs just using the veteran awk.

No comments: