Question
· Aug 25, 2023

Why does audit report "login" events for static resources?

I have enabled Audit in Portal for monitoring license usage. 

When the system is under load, this event appears quite often:

| Event Source | Event Type | Event | User | Web Session | Description |
|---|---|---|---|---|---|
| %System | %Login | Login | UnknownUser | | %Service_WebGateway |

It does not seem to cause issues with licensing; still, I am wondering why it's there and how it works (what causes such events).

After some tests (on a non-production environment, not under load), here is what I have found out:

  • this event can occur when accessing static resources like a CSS or JS file. I don't get that. I understand a login needs to be done (explicitly by code or implicitly by the system) when accessing some services or a Web Application (e.g. a CSP page), but not a static file.
  • the event does not always occur. For example, a few requests for static files might trigger it, but the same requests repeated later on might not trigger it again. Caching was disabled.
  • it seems a user needs to have been logged in at least once (e.g. using %session.Login()) to start triggering that event later on. There is no need to provide session cookies to trigger it (is it IP based?)

Here is what the documentation says about that service.

EDIT: it seems those events are generated from %SYS.cspServer2. Here are the relevant lines from %ISCLOG:

SuperServer    Incoming connection from xxx.xxx.xxx.xxx|53040, slave started       %SYS
CSPServer [LOGIN]      %SYS
CSPServer [LOGIN] Gateway login username:       %SYS

I might be wrong but it seems such logins are done every time new IRIS worker processes are spawned to handle incoming requests.

Product version: IRIS 2021.1
$ZV: IRIS for Windows (x86-64) 2021.1 (Build 215U) Wed Jun 9 2021 09:39:22 EDT
Discussion (4)

That means improper configuration for the webserver. Anything that goes through a CSP application goes this way.

A properly configured webserver should take care of static files without IRIS and just process them itself.

In this case, IRIS will not even know about requests to the static files.

Remember that you should not use a private webserver in production at all, and have to have something manually configured. And the newest IRIS non-community versions since 2023.2 will not even install a private webserver anymore unless IRIS is updated from some previous version.

Following the answer of Dmitry you can check this documentation about the Apache configuration to pass file types to the web gateway:

https://docs.intersystems.com/healthconnectlatest/csp/docbook/DocBook.UI...

As you can read in the doc, the Apache server has to pass static files if you want to access the portal manager; maybe that is the problem with your configuration.

Thanks for your help. I took a look at Apache and I couldn't find anything wrong with it. Here is a summary of it:

LoadModule csp_module_sa /opt/webgateway/bin/CSPa24.so
CSPFileTypes csp cls zen cxw
CSPModulePath /opt/webgateway/bin/
CSPConfigPath "/opt/webgateway/bin/"

<Location "/csp/bin/Systems/">
    SetHandler cspsys-handler-sa
</Location>

<Location "/csp/bin/RunTime/">
    SetHandler csp-handler-sa
</Location>

Alias /iris/csp/ "/opt/webgateway/iris/csp/"
Alias /csp/ "/opt/webgateway/iris/csp/"

<Directory "/opt/webgateway/iris/csp">
    CSPFileTypes csp cls zen cxw
    AllowOverride None
    Options MultiViews FollowSymLinks ExecCGI
    Require all granted
    <FilesMatch "\.(log|ini|pid|exe)$">
        Require all denied
    </FilesMatch>
</Directory>

<Directory "/opt/webgateway/bin/">
    AllowOverride None
    Options None
    Require all granted
    <FilesMatch "\.(log|ini|pid|exe)$">
        Require all denied
    </FilesMatch>
</Directory>

<Location "/csp/">
    Require all granted
</Location>

<Location "/csp/bin/Systems/">
    SetHandler cspsys-handler-sa
    Require ip xxx.xxx.xxx.xxx
</Location>

<Location "/csp/bin/RunTime/">
    SetHandler csp-handler-sa
    Require ip xxx.xxx.xxx.xxx
</Location>

<LocationMatch "/csp/(sys|user|samples|docbook|documatic)/">
    Require all denied
</LocationMatch>
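
One way to check which request paths a configuration like the one above hands to the Web Gateway (an added example, not part of the original thread and not InterSystems code). It is a simplified model: every `CSPFileTypes` list is treated as global, only `CSPFileTypes` and `SetHandler csp*-handler` inside `<Location>` blocks are considered, and the function names and sample paths are assumptions.

```python
import re
from pathlib import PurePosixPath

# Constructed sample, trimmed from the configuration posted above.
SAMPLE_CONF = '''
CSPFileTypes csp cls zen cxw
<Location "/csp/bin/Systems/">
    SetHandler cspsys-handler-sa
</Location>
<Location "/csp/bin/RunTime/">
    SetHandler csp-handler-sa
</Location>
Alias /csp/ "/opt/webgateway/iris/csp/"
'''

def parse_gateway_rules(conf):
    """Return (extensions, location_prefixes) that send requests to the Web Gateway."""
    exts, prefixes, location = set(), [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # <Location ...> only; <LocationMatch> is a regex scope and is ignored here.
        m = re.match(r'<Location\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            location = m.group(1)
        elif line.lower().startswith("</location"):
            location = None
        elif line.lower().startswith("cspfiletypes"):
            # Simplification: lists from every scope are merged into one set.
            exts.update(t.lower() for t in line.split()[1:])
        elif location and re.match(r"SetHandler\s+csp(sys)?-handler", line, re.I):
            prefixes.append(location)
    return exts, prefixes

def reaches_gateway(path, exts, prefixes):
    """True if, under this simplified model, the request is forwarded to IRIS."""
    if any(path.startswith(p) for p in prefixes):
        return True
    ext = PurePosixPath(path.split("?", 1)[0]).suffix.lstrip(".").lower()
    # "CSPFileTypes *" forwards every file type, static files included.
    return "*" in exts or ext in exts

if __name__ == "__main__":
    exts, prefixes = parse_gateway_rules(SAMPLE_CONF)
    for p in ("/csp/app/Home.csp", "/csp/app/style.css", "/csp/bin/RunTime/Module.cxw"):
        print(p, "-> Web Gateway" if reaches_gateway(p, exts, prefixes) else "-> Apache")
```

Comparing the paths this flags with the requests that coincide with `%Service_WebGateway` login entries in the audit log shows whether static files are actually reaching IRIS.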