What we would like to do is monitor access patterns to our extranet to spot intrusions and intrusion attempts. So far we are doing this by analyzing the logs of our central inbound proxy server and correlating users, source IP domains and other information.
With CROWD we gained a central authentication point that records all authentication requests, which is great.
However there are a few things that could be improved:
- It would be nice if CROWD could write a simple audit trail that just records: username, requesting IP (the IP of the application's user, not the application), application and possibly requested information. Preferably in a format à la common log format so that it can be easily processed.
- We can extract this from the current logs (it is a little bit more complicated, but for this god gave us Perl). However, what CROWD does not log is the IP of the requesting user. Looking at the SOAP API, this information is never given to CROWD. So I suggest extending the API. This would also allow (possible) CROWD plugins that can enforce IP ranges.
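
A sketch of how the requested audit trail could be consumed, added here as an example; it is not part of the original request and not Crowd code. The line layout, the sample entries and the per-user range policy are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical CLF-style audit line (not an existing Crowd log format):
#   client_ip - username [timestamp] "application operation" result
LINE_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "(\S+) ([^"]+)" (OK|FAIL)$')

# Constructed sample; addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - alice [01/Jan/2024:09:14:02 +0100] "jira authenticate" OK
192.0.2.10 - alice [01/Jan/2024:09:14:30 +0100] "confluence authenticate" OK
203.0.113.77 - alice [01/Jan/2024:09:20:11 +0100] "jira authenticate" FAIL
203.0.113.77 - bob [01/Jan/2024:09:20:15 +0100] "jira authenticate" FAIL
203.0.113.77 - carol [01/Jan/2024:09:20:19 +0100] "jira authenticate" FAIL
198.51.100.5 - bob [01/Jan/2024:10:01:00 +0100] "jira authenticate" OK
this line is malformed
"""

# Assumed per-user policy of permitted source networks (users absent here are unrestricted).
ALLOWED = {"alice": ["192.0.2.0/24"], "bob": ["198.51.100.0/24"]}

def parse_audit(text):
    """Return (records, rejected); malformed lines and invalid IPs are counted."""
    records, rejected = [], 0
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        try:
            ip = ipaddress.ip_address(m.group(1))  # AttributeError when m is None
        except (AttributeError, ValueError):
            rejected += 1
            continue
        records.append({"ip": ip, "user": m.group(2), "ts": m.group(3),
                        "app": m.group(4), "op": m.group(5), "ok": m.group(6) == "OK"})
    return records, rejected

def outside_allowed(records, allowed):
    """(user, ip) pairs where a user with a policy appears from a non-permitted network."""
    nets = {u: [ipaddress.ip_network(n) for n in ns] for u, ns in allowed.items()}
    return sorted({(r["user"], str(r["ip"])) for r in records
                   if r["user"] in nets and not any(r["ip"] in n for n in nets[r["user"]])})

def many_user_failures(records, min_users=3):
    """Source IPs with failed authentications for at least min_users distinct usernames."""
    users = defaultdict(set)
    for r in records:
        if not r["ok"]:
            users[str(r["ip"])].add(r["user"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}
```

Both checks depend on the end user's address being present in each record, which is the field the request asks to have passed through the API.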