Hello Tomcat Experts,
I'm trying to devise a way to properly configure the Tomcat access log to track malicious hacking activity occurring on Tomcat deployed within a production environment. I've identified the following settings, which can be altered to try to expose XSS and SQL injection techniques, but wanted to confirm that this is the best practice for implementing this logging to try to catch hackers in the Tomcat access log.
I propose changing the default Tomcat valve setting from:
to:
Is this the best way to do this? Is there any performance overhead in making this change? Am I correct in understanding that most of this malicious activity will not be caught with the Tomcat default valve settings? I found this site helpful in advising on the above changes, but wanted to see whether any other Tomcat admins here have any further guidance in this critical area for ensuring Tomcat is running as securely as possible.
Thanks in advance. I can see this benefiting the Tomcat community as a whole, whether you're on Windows or Linux; perhaps it will help someone else when advising on changes to be made to show malicious activity happening on web servers we've helped to deploy.
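The following is an added example, not part of the original post and not a configuration the poster supplied. It shows what an access-log review for XSS and SQL-injection indicators looks like once the AccessLogValve writes a usable record. It assumes the valve is configured with Tomcat's documented "combined" pattern, `%h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"`; note that `%r` (the request line, also present in Tomcat's default pattern) already carries the percent-encoded query string, while the AccessLogValve never writes request bodies, so a payload submitted in a POST form is invisible to this kind of review regardless of pattern. The log lines below are constructed for the example and are not real traffic.

```python
"""
Added example (not from the original post): scan Tomcat AccessLogValve
"combined"-format lines for common XSS / SQL-injection indicators in
the request target. Sample log lines are constructed, not real traffic.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in the "combined" access-log format (assumption:
# the valve was configured with that pattern). The last line is a POST
# whose body, if malicious, would never appear in the access log.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /app/search?q=tomcat HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /app/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /app/item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 318 "-" "sqlmap/1.7"
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /app/item?id=42%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1" 200 2048 "-" "sqlmap/1.7"
192.0.2.44 - - [10/Oct/2023:13:57:12 +0000] "POST /app/login HTTP/1.1" 302 - "https://example.test/app/" "Mozilla/5.0"
"""

# One regex for the combined format: %h %l %u %t "%r" %s %b "%{Referer}i" "%{User-Agent}i"
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicator patterns, applied to the percent-decoded request target.
# These are deliberately narrow; tune them against your own application's
# legitimate query strings before relying on them.
INDICATORS = {
    "xss": [
        re.compile(r"<\s*script", re.I),
        re.compile(r"javascript\s*:", re.I),
        re.compile(r"\bon(?:error|load|mouseover)\s*=", re.I),
    ],
    "sqli": [
        re.compile(r"['\"]\s*(?:or|and)\s+['\"]?\w", re.I),
        re.compile(r"\bunion\b[\s/*]+(?:all\s+)?\bselect\b", re.I),
        re.compile(r"--(?:\s|$)|/\*.*\*/|;\s*drop\b", re.I),
    ],
}


def parse_line(line):
    """Split one combined-format line into named fields; None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")          # "METHOD target PROTOCOL"
    rec["method"] = parts[0]
    rec["target"] = parts[1] if len(parts) > 1 else ""
    # Decode percent-encoding so the payload is inspected the way the
    # servlet container hands it to the application.
    rec["decoded_target"] = unquote_plus(rec["target"])
    return rec


def classify(rec):
    """Return the sorted list of indicator categories matched by this record."""
    # Check the single-decoded target and a second decoding pass, so that
    # double-encoded payloads (%253C -> %3C -> <) are not missed.
    candidates = {rec["decoded_target"], unquote_plus(rec["decoded_target"])}
    hits = set()
    for category, patterns in INDICATORS.items():
        if any(p.search(c) for p in patterns for c in candidates):
            hits.add(category)
    return sorted(hits)


def scan(log_text):
    """Return (host, method, decoded_target, categories) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        categories = classify(rec)
        if categories:
            findings.append((rec["host"], rec["method"], rec["decoded_target"], categories))
    return findings


if __name__ == "__main__":
    for host, method, target, cats in scan(SAMPLE_LOG):
        print(f"{host} {method} {target} -> {', '.join(cats)}")
```

Running it flags the three GET requests carrying encoded payloads and says nothing about the POST to `/app/login`, which is the point to keep in mind when deciding what an access-log change can and cannot reveal: anything in a request body needs application-level logging or a filter/WAF in front of Tomcat, not a different valve pattern.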