Audit Logging

The audit logging feature allows administrators to record and track activity for the supported events.  The output format can be configured and the audit logging can be integrated with Syslog.

Supported Events

The following events are supported by the audit logging feature:

  • Log on via username/password in browser
  • Log on via previously created remember-me cookie
  • Log on without username/password (single sign-on with crowd)
  • Log on - attaching to existing session (java applet for pasting screen shots)
  • Log on - failure due to username/password incorrect
  • Log on - failure due to license limit exceeded
  • Log on - failure due to account being disabled
  • Log on - failure due to exception
  • Log on via username/password (basic auth) for API call
  • Log on using apikey for API call
  • Log on using OAuth for API call
  • Log on - unauthorized because of invalid scheme or credentials for API call
  • Log on - OAuth validation failure (invalid signature, revoked token etc.) for API call
  • Session Started
  • Session End
  • User changed password (UI)
  • User failed to change password (UI)
  • User requests password reset
  • User completes password reset
  • Password reset URL has expired
  • Create a user
  • Delete a user
  • Enable user account
  • Disable user account
  • Create group
  • Delete group
  • Rename group
  • Add user to project
  • Remove user from project
  • Add user to group
  • Remove user from group
  • Set users for a group
  • Set groups for project
  • Set groups for user
  • Set global permissions on a user
  • Set global permissions on a group
  • set project-level permissions on a user
  • Set project-level permissions on a group
  • Insufficient permissions for API Request (Forbidden)
  • Insufficient permissions to access front-end page
  • Entity Viewed by front-end user

Turn it On!

To turn security audit logging you need to edit your logging.config file.  Typically you can find the logging.config file with your installation files :  C:\Program Files (x86)\Catch Limited\Enterprise Tester\Web\logging.config.

 

Once you have located and opened your file, you will find a commented out section like this:

<!-- security audit logging -->

<!-- 

Un-comment the following section to enable security audit logging.

This includes a default configuration of text file and syslog appenders. 

-->

<!--

<appender name="securityAuditFile" type="log4net.Appender.RollingFileAppender,log4net" >
	<param name="File" value="App_Data\security-audit.txt" />
	<param name="AppendToFile" value="true" />
	<param name="RollingStyle" value="Date" />
	<param name="DatePattern" value="yyyy.MM.dd" />
	<param name="StaticLogFileName" value="true" />
	<layout type="log4net.Layout.PatternLayout,log4net">
	  <param name="ConversionPattern" value="%d %property{current-user} %property{session-id} [%t] %m%n" />
	</layout>
</appender>

<appender name="securityAuditSyslog" type="log4net.Appender.RemoteSyslogAppender,log4net" >
	<facility value="local7" />
	<identity value="EnterpriseTester" />
	<RemoteAddress value="syslog" />
	<layout type="log4net.Layout.PatternLayout" value="%property{current-user} %property{session-id} [%t] %m%n"/>
	<RemotePort value="516" />
	<layout type="log4net.Layout.PatternLayout,log4net">
	  <param name="ConversionPattern" value="%property{current-user} %property{session-id} [%t] %m%n" />
	</layout>
</appender>

<logger name="EnterpriseTester.Security.Audit" additivity="false">
	<level value="DEBUG" />		
	<appender-ref ref="securityAuditFile" />
	<appender-ref ref="securityAuditSyslog" />		
</logger>

-->

To enable logging of audit events to just a text file, replace the commented out section (including the comment start/end) with this:

<appender name="securityAuditFile" type="log4net.Appender.RollingFileAppender,log4net" >
	<param name="File" value="App_Data\security-audit.txt" />
	<param name="AppendToFile" value="true" />
	<param name="RollingStyle" value="Date" />
	<param name="DatePattern" value="yyyy.MM.dd" />
	<param name="StaticLogFileName" value="true" />
	<layout type="log4net.Layout.PatternLayout,log4net">
	  <param name="ConversionPattern" value="%d %property{current-user} %property{session-id} [%t] %m%n" />
	</layout>
</appender>

<logger name="EnterpriseTester.Security.Audit" additivity="false">
	<level value="DEBUG" />		
	<appender-ref ref="securityAuditFile" />		
</logger>

After saving changes the logging.config file, you must restart the Enterprise Tester application pool (or IIS) for the changes to take effect.

Reading the Audit Log

By default the security audit log events will be rendered like this:

2014-02-05 10:48:19,938 administrator e2oqpa0come5441h4yhdeuhg [50] ViewEntity: Requirement 'Mahjong/User Stories/Requirement' (6fbdede7-7243-4534-acc3-a2ba016d01b6) in project 'Mahjong' was viewed.

Breaking down the line, we can see the following information is being logged:

  • Date & Time
  • The currently logged in user (or 'anonymous' if no user is logged in)
  • A string of characters and numbers, representing the browser "session"
  • A value inside square brackets, representing the "Thread ID" for this event
  • A compound word followed by a colon, representing the type of event (in this case 'ViewEntity').
  • And finally a message, representing what has happened - in this case somebody has viewed a requirement within the ET UI

The session and thread identifiers are specifically useful in correlating security events occurring for a specific user, browser or background process - as these may be logged out of order on a busy ET server which has many users accessing it concurrently.

Changing Output Format

For some Administrators, you may be looking to generate logs with either less information, or a different format, suitable for pushing into a 3rd party system - this is done by changing the conversion pattern.

For the "out of the box" audit logging to a text file, the conversion pattern used is:

<param name="ConversionPattern" value="%d %property{current-user} %property{session-id} [%t] %m%n" />

This breaks down into:

  • %d - Date and time
  • %property{current-user} - Current user property
  • %property{session-id} - Session ID property
  • [%t] - Thread ID (surrounded by square brackets)
  • %m - The message to log
  • %n - A new-line character (without this, your log file will read as one long line)

Details of the conversion patterns available are here.

Integrating with syslog

Syslog is a standard for computer message logging - it's a way to separate software that generates log messages (such as Enterprise Tester's security audit logging) and tools/servers which can handle storage, reporting and analysis of those log messages (such as logstash).

To enable syslog support for audit logging, you must edit your logging.config, replacing the config with this:

<appender name="securityAuditSyslog" type="log4net.Appender.RemoteSyslogAppender,log4net" >
	<facility value="local7" />
	<identity value="EnterpriseTester" />
	<RemoteAddress value="syslog" />
	<layout type="log4net.Layout.PatternLayout" value="%property{current-user} %property{session-id} [%t] %m%n"/>
	<RemotePort value="516" />
	<layout type="log4net.Layout.PatternLayout,log4net">
	  <param name="ConversionPattern" value="%property{current-user} %property{session-id} [%t] %m%n" />
	</layout>
</appender>

<logger name="EnterpriseTester.Security.Audit" additivity="false">
	<level value="DEBUG" />			
	<appender-ref ref="securityAuditSyslog" />		
</logger>

The syslog appender above will log messages to the server with hostname "syslog" on port 516. You can find more information about the log4net syslog appender in these articles/docs:

You will notice the conversion pattern for the syslog appender does not include the %d conversion pattern (date/time) - this is because the syslog server you are communicating will use the date/time the message is received as the time of the event.

Depending on the syslog server you may want to adjust the pattern to remove information you don't want or can't report on e.g. thread or session.