Network Security Web-App-Sec
Auditing user session activity

Subject: Auditing user session activity
Date: Tue, 5 Oct 2004 16:09:57 -0400
We are being asked by our customers to audit session activity so that customers 
can answer the question, "Who is doing what?". Our current implementation for 
this is to write audit records to the database. However, I am having some 
second thoughts about this. This requires a database hit for every non static 
URL access to the system. I'm not sure of the overall runtime performance 
impact. Further, for enterprise class customers the audit records are likely to 
exceed 2G per month. This creates a lot of data cleanup to manage. In addition, 
reporting on this data may require a lot of overhead from the system. Any 
thoughts on likely retention policies for such audit data?
 
Users must log in to our application and we maintain session state. We do 
integrate with Single Sign On products like Netegrity.
 
I am rolling around a couple of ideas:
 
One is that session audit is not a primary application problem and not 
application data. Can this capability (session audit) be delivered by an 
external application (IDS?, SSO product?) that is dedicated to doing this type of 
work? Then the customers that want the capability install it, probably get a 
more professional implementation, and use it for other applications as well. 
What security applications can provide this type of audit? Web server logs can 
provide URL access information but don't know users. It seems that whatever 
writes the audit would need to manage user logon as well to be able to 
associate the user with the activity.
 
The second idea is: would I be better off using a file for the audit 
information? This introduces a bunch of file management headaches in a 
multiserver system but takes a load off the database, which is already our 
bottleneck.
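The post's two design points, that the component emitting the audit record must already know the logged-in user, and that an append-only file per server avoids a database hit on every dynamic request, can be sketched as a small WSGI middleware. This is an added example, not code from the original post or from any product it mentions; the session dictionary at `environ["app.session"]`, its `user` and `id` keys, the `STATIC_SUFFIXES` list and the per-host file layout are all assumptions chosen for the illustration.

```python
"""Added example: session audit as a WSGI middleware (not from the original post).

The application's own session layer is the one place that reliably knows
who the user is, so the audit record is built there and appended as one
JSON object per line to a per-host file. Static URLs are skipped so only
"non static" accesses are recorded.
"""
import json
import os
import socket
import time
from typing import Callable, Dict, List

# Assumption: these suffixes identify static content that is not audited.
STATIC_SUFFIXES = (".css", ".js", ".png", ".gif", ".jpg", ".ico")


def is_static(path: str) -> bool:
    """True for URLs whose access should not produce an audit record."""
    return path.lower().endswith(STATIC_SUFFIXES)


def build_record(environ: dict, status: str, started: float) -> dict:
    """Assemble one 'who did what' record from the WSGI environ and response status."""
    session = environ.get("app.session") or {}  # assumption: app-managed session dict
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(started)),
        "host": socket.gethostname(),            # which server in a multiserver farm
        "user": session.get("user", "-"),         # "-" marks an unauthenticated access
        "session_id": session.get("id", "-"),
        "src": environ.get("REMOTE_ADDR", "-"),
        "method": environ.get("REQUEST_METHOD", "-"),
        "path": environ.get("PATH_INFO", "/"),
        "status": int(status.split(" ", 1)[0]),
        "ms": int((time.time() - started) * 1000),
    }


class AuditMiddleware:
    """Wraps a WSGI app and hands one record per audited request to a sink callable."""

    def __init__(self, app, sink: Callable[[dict], None]):
        self.app = app
        self.sink = sink

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if is_static(path):
            return self.app(environ, start_response)
        started = time.time()
        captured: Dict[str, str] = {}

        def capturing_start_response(status, headers, exc_info=None):
            captured["status"] = status
            return start_response(status, headers, exc_info)

        # The body is materialised so the status is known before the record
        # is written; a streaming deployment would emit the record on close().
        body = list(self.app(environ, capturing_start_response))
        self.sink(build_record(environ, captured.get("status", "0 unknown"), started))
        return body


class JsonLinesFileSink:
    """Appends records to audit-<hostname>.jsonl; per-host files avoid write
    contention in a multiserver system and can be rotated or purged by date."""

    def __init__(self, directory: str):
        os.makedirs(directory, exist_ok=True)
        self.path = os.path.join(directory, f"audit-{socket.gethostname()}.jsonl")

    def __call__(self, record: dict) -> None:
        with open(self.path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(record, sort_keys=True) + "\n")


def demo() -> List[dict]:
    """Push one static and one dynamic request through the middleware using an
    in-memory sink (constructed input) and return the records produced."""
    records: List[dict] = []

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    wrapped = AuditMiddleware(app, records.append)
    base = {"REQUEST_METHOD": "GET", "REMOTE_ADDR": "10.0.0.5",
            "app.session": {"user": "alice", "id": "s-1"}}  # constructed session
    for path in ("/style.css", "/accounts/42/transfer"):
        env = dict(base, PATH_INFO=path)
        wrapped(env, lambda status, headers, exc_info=None: None)
    return records


if __name__ == "__main__":
    for rec in demo():
        print(json.dumps(rec, sort_keys=True))
```

Swapping `records.append` for `JsonLinesFileSink("/var/log/myapp")` gives the file-based variant; since each host writes only its own file, collection and retention become a log-shipping and rotation question rather than a database cleanup job, and the same JSON-lines records can be consumed by an external log or IDS product without that product having to understand the application's login flow.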