WebApp Sec: Auditing user session activity

["Koniszewski, Jeffrey" <JKoniszewski () Kronos com>]

We are being asked by our customers to audit session activity so that customers can answer the question, "Who is doing 
what?". Our current implementation for this is to write audit records to the database. However, I am having some second 
thoughts about this. This requires a database hit for every non static URL access to the system. I'm not sure of the 
overall runtime performance impact. Further, for enterprise class customers the audit records are likely to exceed 2G 
per month. This creates a lot of data cleanup to manage. In addition, reporting on this data may require a lot of 
overhead from the system. Any thoughts on likely retention policies for such audit data?
 
Users must log in to our application and we maintain session state. We do integrate with Single Sign On products like 
Netegrity.
 
I am rolling around a couple of ideas:
 
One is that session audit is not a primary application problem and not application data. Can this capability (session 
audit) be delivered by an external application (IDS?, SSO product?) that is dedicated to do this type of work. Then the 
customers that want the capability install it, probably get a more professional implementation, and use it for other 
applications as well. What security applications can provide this type of audit? Web server logs can provide URL access 
information but don't know users. It seems that whatever writes the audit would need to manage user logon as well to be 
able to associate the user with the activity.
 
The second idea is,  would I be better off using a file for the audit information? This introduces a bunch of file 
management headaches in a multiserver system but takes a load off the database, which is already our bottleneck.