The web server activity screen covers the general activity analysis of the web server logs, including web error codes, web protocols in use, activity by source system, web activity by end-user system, and web data usage. Together these details help with understanding what actions are being performed on the web sites and with detecting malicious activity.

The key components are:

  • Web Log Activity - this widget shows the web log activity for today. Most environments have a normal processing pattern as things ramp up from quiet times to the busy times of the day. Unusual patterns may indicate systems being scanned or attacked.

  • Web Log Types - this shows a summary of the web log types coming from IIS, Apache, and other sources.

  • Web Activity by System - this allows administrators to monitor which sites are seeing activity and when there are spikes or other anomalous activity on particular systems.

  • Web Protocols - the request methods in use on the web site (GET, PUT, POST, etc.), which indicate whether a request read data from the site or pushed data to it.

  • Web Error Codes - each web request generates a log entry recording the action requested and the status code returned. Some codes, such as 200, indicate normal operation; many others report errors, including pages not found, redirection problems, attempted SQL injection and XSS, and requests for resources that do not exist. By ensuring that the logs are reviewed for unusual errors and malicious activity, the security team can manage the risks of the actions performed on the web sites. The classes of codes that can be reported are:

    • 1xx - Informational.

    • 2xx - Success.

    • 3xx - Redirection.

    • 4xx - Client error.

    • 5xx - Server error.

  • Web Activity by Source Address - this allows administrators to monitor who is requesting information from the web site and which source IP or FQDN is causing most of the activity. An endpoint that scans the site or performs other malicious actions will generally produce a spike of activity that shows up in the log data.
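As an added example (not part of the original page or the product it describes), the following script performs the same three analyses the widgets above present: it parses a few constructed Apache combined-format log lines, buckets requests by status class, method and source address, and flags sources whose traffic is mostly 4xx/5xx errors, the spike pattern left by a scanner. The thresholds `min_requests` and `min_error_ratio` are assumptions chosen for the sample, not values from the page.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/NCSA combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 404 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /old/ HTTP/1.1" 404 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /backup.zip HTTP/1.1" 404 512 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "GET /test.php HTTP/1.1" 404 512 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2023:13:56:01 +0000] "PUT /upload HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# One regex for the fields the dashboard widgets need: source, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_lines(text):
    """Yield one dict per parsable line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry

def summarize(entries):
    """Counts by status class (1xx..5xx), by HTTP method, and by source address."""
    by_class, by_method, by_src, errors_by_src = Counter(), Counter(), Counter(), Counter()
    for e in entries:
        by_class[f"{e['status'] // 100}xx"] += 1
        by_method[e["method"]] += 1
        by_src[e["src"]] += 1
        if e["status"] >= 400:  # 4xx/5xx: the error codes the text says to review
            errors_by_src[e["src"]] += 1
    return by_class, by_method, by_src, errors_by_src

def suspicious_sources(by_src, errors_by_src, min_requests=3, min_error_ratio=0.75):
    """Sources whose requests are mostly errors (assumed thresholds): a scanner's footprint."""
    return sorted(src for src, n in by_src.items()
                  if n >= min_requests and errors_by_src[src] / n >= min_error_ratio)

if __name__ == "__main__":
    by_class, by_method, by_src, errors_by_src = summarize(list(parse_lines(SAMPLE_LOG)))
    print(dict(by_class), dict(by_method))
    print("review:", suspicious_sources(by_src, errors_by_src))
```

The same counters fed from a real access log give the error-class and per-source views described above; lower the ratio threshold if the site legitimately serves many 404s.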

...