Security

Is there a way to capture wrong attempts which logs in tomcat server?

New Member

Is it possible to capture username and password using tomcat logs? We have tomcat logs and a web application which has a dynamic database, however, the database does not store any logs. Is there a way capture the wrong attempts using splunk? We are trying to identify SQL injections and cross site scripting using splunk

0 Karma

Champion

Splunk (on its own) does not "capture" something that is not already available, what it does (with the help of apps and add ons) is collect data that is produced somewhere. If you want to capture the events of a server, you would point splunk to the logfiles of that server. If you want to monitor the status of a firewall, you would have that firewall send syslog data to your splunk.

So if you want to capture what's happening on your system, you need to go where that is logged; the place to start would be your tomcat logs I suspect. If all your traffic goes though there, and if your system does proper logging, you will find all you need in those logfiles. If you are in a situation where logfiles (or some other logging mechanisms) don't yet exist, you need to find a way to produce them. Eventually, identifying what you are looking for (failed login attempts, sql injections) is then a matter of finding how to look for those your data once you index it with splunk.

Hope I could clear things up generally, feel free to ask further 🙂