An access log is a log file that tracks when one or more things were accessed. Access logs are an essential part of security and analytics in computing. Access logs are also an important security and safety tool in the physical world.
An access log records the date and time that something was accessed, or that access was attempted, and generally by whom, as far as that is known. Access logs often include secondary information as well, which can provide context or further analytically useful data.
Access Logs and Digital Security
Access logs can track when someone attempts to access a privileged system or file, and may be pretty straightforward. They may record data points such as “was access successful?”, “who tried to access the file?”, and “when did the attempt occur?”. In some cases, the access log may even track any changes made, though this would typically be logged separately.
Access being denied is a state that should be logged. This provides direct insight into when someone is attempting to gain access to something they shouldn’t. Of course, there are potentially legitimate reasons for this: perhaps the user made a typo in their password, or maybe the user hasn’t been given the access they should have.
The alternative is that an unauthorized user is trying to gain access. In the case of a web server, this could be an unauthenticated hacker attempting to gain access to a sensitive file. It could also be a legitimate user account trying to access a file it doesn’t have permission to. Assuming the legitimate user shouldn’t have access, the account could be compromised, or the user has gone rogue.
Tracking when access is successful is also useful. Access itself may not be an issue, but actions after that might be. For example, tracking which accounts access a website backend can enable a forensic follow-up if the site is defaced. Simply logging the username may not be enough for this use case. Combined with the IP address, it would be possible to see if the legitimate user defaced the site or if a hacker used their account. This can be determined by comparing the source IP address with the historically logged addresses for that account.
Access Logs and Analytics
Access logs for public data can enable the analysis of general trends. For example, logging access to every page on a website can allow you to see which pages are the most popular and which are the least popular. Extra information such as the visitor’s IP address can enable you to analyze how visitors move through your website. You can see which page brought them in and what content kept them around.
Logging other information such as the referrer header can inform you which sites your visitors come from and potentially how successful specific advertising campaigns are. Keeping a log of the user agent string can allow you to view which browsers your userbase prefers and which browsers you should prioritize optimizations and compatibility for.
Logging when specific users perform specific actions can also allow you to build up a profile of legitimate activity patterns. It may then be helpful to know when these patterns are broken as that might indicate a security incident. There are, of course, many other legitimate explanations for a change in patterns and behavior, so this should not immediately be a cause for major concern.
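The following is an added example, not code from the original article, that works through the points above on a handful of constructed web server access log lines (Apache/nginx “combined” format). It parses the lines, then answers the analytics questions from the previous section (page popularity, external referrers, browser families, per-visitor page sequences) and the security questions from the digital security section: which requests were denied, and which authenticated requests came from a source IP that does not match the account’s historical baseline. The log lines, the host name `example.com`, the `HISTORICAL_IPS` baseline and the user names are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic). Format: client IP, ident, authenticated
# user, timestamp, request, status, bytes, referrer, user agent. The last two lines show
# the "alice" account used from an unfamiliar IP with a non-browser client.
SAMPLE_LOG = """\
203.0.113.10 - alice [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 200 1043 "https://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
203.0.113.10 - alice [10/Oct/2023:13:56:01 +0000] "POST /admin/edit HTTP/1.1" 200 512 "https://example.com/admin/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 2048 "https://search.example/?q=widgets" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
198.51.100.7 - - [10/Oct/2023:14:02:40 +0000] "GET /pricing.html HTTP/1.1" 200 1500 "https://example.com/index.html" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
198.51.100.7 - - [10/Oct/2023:14:03:05 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
192.0.2.55 - alice [11/Oct/2023:02:14:09 +0000] "GET /admin/ HTTP/1.1" 200 1043 "-" "curl/8.4.0"
192.0.2.55 - alice [11/Oct/2023:02:14:30 +0000] "POST /admin/edit HTTP/1.1" 200 512 "-" "curl/8.4.0"
"""

# Constructed baseline: source IPs each account has historically been seen from.
HISTORICAL_IPS = {"alice": {"203.0.113.10"}}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["user"] = None if e["user"] == "-" else e["user"]
        entries.append(e)
    return entries


def page_popularity(entries):
    """Successful requests per path: most and least popular pages."""
    return Counter(e["path"] for e in entries if e["status"] == 200)


def external_referrers(entries, own_host="example.com"):
    """Where visitors came from, ignoring internal navigation and empty referrers."""
    return Counter(e["referrer"] for e in entries
                   if e["referrer"] != "-" and own_host not in e["referrer"])


def user_agent_families(entries):
    """Rough browser family counts from the user agent string."""
    families = ("Firefox", "Chrome", "curl")
    return Counter(next((f for f in families if f in e["agent"]), "other")
                   for e in entries)


def visitor_paths(entries):
    """Page sequence per client IP: the first page is where the visitor was brought in."""
    paths = defaultdict(list)
    for e in entries:
        paths[e["ip"]].append(e["path"])
    return dict(paths)


def denied_accesses(entries):
    """Requests the server refused (401/403): the 'access denied' state worth reviewing."""
    return [(e["ip"], e["user"], e["path"]) for e in entries if e["status"] in (401, 403)]


def new_source_ips(entries, baseline):
    """Authenticated requests whose source IP is outside the account's historical baseline.
    A mismatch does not prove compromise on its own, but it is the forensic lead the
    username alone would not give you."""
    return [(e["ts"], e["user"], e["ip"], e["path"]) for e in entries
            if e["user"] and e["ip"] not in baseline.get(e["user"], set())]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("popular pages:", page_popularity(entries).most_common(3))
    print("external referrers:", external_referrers(entries))
    print("browsers:", user_agent_families(entries))
    print("visitor paths:", visitor_paths(entries))
    print("denied:", denied_accesses(entries))
    print("unfamiliar source IPs:", new_source_ips(entries, HISTORICAL_IPS))
```

The same parsed records feed both the analytics counters and the security checks, which is the practical point: the extra fields (IP, referrer, user agent) cost nothing to log and make the log useful for both purposes. In a real deployment the baseline would be built from an earlier period of the same log rather than hard-coded.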
Access Logs and Physical Security
Many companies practice physical security at their offices and data centers. Access logging here may be low-tech, such as using a sign-in book. High-tech options such as RFID door cards may also be used. Physical access logging is an excellent first line of physical defense. While a thief or hacker may be willing to just walk in and see what they can do, signing in, providing the name of who you’re there to see, and why you’re there complicate matters.
Access cards essentially lock all or a good number of doors. This makes it much harder for hackers or thieves to reliably move around the building. Not having a legitimate access card, they rely on honest employees opening the door and ignoring training regarding allowing people to tail-gate.
Of course, there are many ways to counter these physical security measures. Even with no other measures in place, they can be a reasonable deterrent. Would-be thieves and hackers need to be much more informed before trying anything. They would rely on social engineering skills and at least some luck.
Access Logs and Physical Safety
Performing access logging of physical access to a building has a potentially life-saving advantage. In the case of an emergency evacuation, because of a fire or some other reason, it may be possible to know precisely how many people were in the building. This information can then be combined with a headcount to determine if someone is trapped inside and needs the fire crew to try to locate and rescue them. Alternatively, it can inform the fire crew that there is no risk to life, allowing them to take fewer personal risks to quench the blaze.
Access logs can be both a blessing and a curse in some scenarios like this. For example, with a paper sign-in sheet, there may not necessarily be a sign-out sheet, making it impossible to know who needs to be accounted for. Digital systems are even more prone to a somewhat related issue. In many cases, if someone is following a colleague through a door, they may not bother to scan their pass, instead “tail-gating” their way through.
Furthermore, digital systems typically report to internal computers. These internal computers would be located inside the now evacuated building, making it awkward to check how many people need to be accounted for.
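An added example (not code from the original article) of the headcount reconciliation described above, run over a constructed badge log. It works out who the log says is inside, then compares that with the names collected at the muster point. It also handles the two failure modes the article raises: a person who tail-gated in without badging shows up at the muster point with no badge-in, and a stale badge-in with no badge-out (someone who left through a door that does not log exits, or a paper sheet with no sign-out column) is reported separately rather than being counted as a person still inside. The event list, the names and the 14-hour staleness threshold are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BadgeEvent:
    when: datetime
    person: str
    direction: str  # "in" or "out"


# Constructed sample badge log (not from the article). Bob badged in the previous day and
# never badged out (a stale record); Dana tail-gated in and never badged at all.
EVENTS = [
    BadgeEvent(datetime(2023, 10, 9, 8, 55), "bob", "in"),
    BadgeEvent(datetime(2023, 10, 10, 8, 30), "alice", "in"),
    BadgeEvent(datetime(2023, 10, 10, 8, 31), "carol", "in"),
    BadgeEvent(datetime(2023, 10, 10, 12, 5), "carol", "out"),
    BadgeEvent(datetime(2023, 10, 10, 13, 10), "carol", "in"),
    BadgeEvent(datetime(2023, 10, 10, 13, 40), "erin", "in"),
    BadgeEvent(datetime(2023, 10, 10, 13, 45), "erin", "out"),
]


def occupants(events, at, stale_after=timedelta(hours=14)):
    """Who the badge log says is inside at time `at`.
    Returns (present, stale): `stale` holds people whose last event is an 'in' older
    than `stale_after`, which more likely means a missed badge-out than a person still
    inside; they are reported separately rather than silently dropped."""
    last = {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.when <= at:
            last[ev.person] = ev  # only the most recent event per person matters
    present, stale = set(), set()
    for person, ev in last.items():
        if ev.direction != "in":
            continue
        (stale if at - ev.when > stale_after else present).add(person)
    return present, stale


def reconcile(events, at, roll_call):
    """Compare the log's view of the building with the headcount at the muster point.
    missing:  badged in, not at the muster point (may be trapped; tell the fire crew).
    stale:    old badge-in with no badge-out and not at the muster point (probably left
              unlogged, but cannot be ruled out).
    unlogged: at the muster point with no badge-in (tail-gated or sign-in gap)."""
    present, stale = occupants(events, at)
    roll = set(roll_call)
    return {
        "missing": sorted(present - roll),
        "stale": sorted(stale - roll),
        "unlogged": sorted(roll - present - stale),
    }


if __name__ == "__main__":
    alarm = datetime(2023, 10, 10, 14, 0)
    print(reconcile(EVENTS, alarm, roll_call=["carol", "dana"]))
```

Reporting the stale records as their own category matters: folding them into “missing” sends the fire crew after people who went home yesterday, while dropping them hides the one case where the record is actually right. Note also that this only helps if the reconciliation can be run from outside the building, which is the point the article makes about systems that report only to internal computers.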
Additionally, other human factors can scupper the best-laid plans. In the case of a fire, everyone is supposed to go to the emergency meeting point. Some people, however, may take a different exit and wait in the wrong place. Others may take the opportunity to nip away for a smoke or go to the shops. Physical safety is hard to ensure like this and requires everyone to actually follow procedures, something that doesn’t always happen.
An access log is a file or document that tracks access or attempted access to a system. Access logs can be used for physical systems like buildings and data centers or computer systems like websites or sensitive documents. They help provide security tracking and, with the right data points, can enable useful analytics.