The audit logging feature allows administrators to record and track activity for the supported events. The output format can be configured and the audit logging can be integrated with Syslog.
The following events are supported by the audit logging feature:
To turn on security audit logging, you need to edit your logging.config file. Typically you can find the logging.config file with your installation files: C:\Program Files (x86)\Catch Limited\Enterprise Tester\Web\logging.config.
Once you have located and opened your file, you will find a commented out section like this:
<!-- security audit logging -->
<!--
Un-comment the following section to enable security audit logging. This includes a default configuration of text file and syslog appenders.
-->
<!--
<appender name="securityAuditFile" type="log4net.Appender.RollingFileAppender,log4net" >
    <param name="File" value="App_Data\security-audit.txt" />
    <param name="AppendToFile" value="true" />
    <param name="RollingStyle" value="Date" />
    <param name="DatePattern" value="yyyy.MM.dd" />
    <param name="StaticLogFileName" value="true" />
    <layout type="log4net.Layout.PatternLayout,log4net">
        <param name="ConversionPattern" value="%d %property{current-user} %property{session-id} [%t] %m%n" />
    </layout>
</appender>
<appender name="securityAuditSyslog" type="log4net.Appender.RemoteSyslogAppender,log4net" >
    <facility value="local7" />
    <identity value="EnterpriseTester" />
    <RemoteAddress value="syslog" />
    <layout type="log4net.Layout.PatternLayout" value="%property{current-user} %property{session-id} [%t] %m%n"/>
    <RemotePort value="516" />
    <layout type="log4net.Layout.PatternLayout,log4net">
        <param name="ConversionPattern" value="%property{current-user} %property{session-id} [%t] %m%n" />
    </layout>
</appender>
<logger name="EnterpriseTester.Security.Audit" additivity="false">
    <level value="DEBUG" />
    <appender-ref ref="securityAuditFile" />
    <appender-ref ref="securityAuditSyslog" />
</logger>
-->
To enable logging of audit events to just a text file, replace the commented out section (including the comment start/end) with this:
<appender name="securityAuditFile" type="log4net.Appender.RollingFileAppender,log4net" >
    <param name="File" value="App_Data\security-audit.txt" />
    <param name="AppendToFile" value="true" />
    <param name="RollingStyle" value="Date" />
    <param name="DatePattern" value="yyyy.MM.dd" />
    <param name="StaticLogFileName" value="true" />
    <layout type="log4net.Layout.PatternLayout,log4net">
        <param name="ConversionPattern" value="%d %property{current-user} %property{session-id} [%t] %m%n" />
    </layout>
</appender>
<logger name="EnterpriseTester.Security.Audit" additivity="false">
    <level value="DEBUG" />
    <appender-ref ref="securityAuditFile" />
</logger>
After saving changes to the logging.config file, you must restart the Enterprise Tester application pool (or IIS) for the changes to take effect.
By default the security audit log events will be rendered like this:
2014-02-05 10:48:19,938 administrator e2oqpa0come5441h4yhdeuhg [50] ViewEntity: Requirement 'Mahjong/User Stories/Requirement' (6fbdede7-7243-4534-acc3-a2ba016d01b6) in project 'Mahjong' was viewed.
Breaking down the line, we can see the following information is being logged:
The session and thread identifiers are specifically useful in correlating security events occurring for a specific user, browser or background process - as these may be logged out of order on a busy ET server which has many users accessing it concurrently.
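The correlation described above can be done with a small parser over the audit file. This is an added example, not part of Enterprise Tester; it assumes the default conversion pattern, treats the text before the first colon of the message as the event name (as in the sample line), and uses constructed sample lines alongside the one from this page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Default file pattern: %d %property{current-user} %property{session-id} [%t] %m%n
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<user>\S+) (?P<session>\S+) \[(?P<thread>[^\]]+)\] (?P<message>.*)$"
)

def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the pattern."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S,%f")
    # Assumption: the message starts with "EventName:" as in the sample line.
    rec["event"] = rec["message"].split(":", 1)[0]
    return rec

def correlate(lines):
    """Group events by (user, session), each group sorted by timestamp.

    Lines that do not parse are returned separately instead of being
    dropped, so gaps in the audit trail stay visible to the reviewer.
    """
    sessions, unparsed = defaultdict(list), []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            sessions[(rec["user"], rec["session"])].append(rec)
        elif line.strip():
            unparsed.append(line)
    for events in sessions.values():
        events.sort(key=lambda r: r["ts"])
    return dict(sessions), unparsed

# Constructed sample, deliberately out of order. Only the third line is from this page.
SAMPLE = [
    "2014-02-05 10:48:21,102 administrator e2oqpa0come5441h4yhdeuhg [12] ViewEntity: constructed event B",
    "2014-02-05 10:48:20,500 tester1 constructedsession0001 [50] ViewEntity: constructed event C",
    "2014-02-05 10:48:19,938 administrator e2oqpa0come5441h4yhdeuhg [50] ViewEntity: Requirement 'Mahjong/User Stories/Requirement' (6fbdede7-7243-4534-acc3-a2ba016d01b6) in project 'Mahjong' was viewed.",
    "    text that is not an audit record",
]

if __name__ == "__main__":
    by_session, unparsed = correlate(SAMPLE)
    for (user, session), events in by_session.items():
        print(user, session, [(str(e["ts"]), e["thread"], e["event"]) for e in events])
    print("unparsed:", unparsed)
```

A changed conversion pattern needs a matching change to `LINE_RE`; until then every line lands in the unparsed list, which makes the mismatch obvious.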
Some administrators may want to generate logs with less information, or in a different format suitable for pushing into a 3rd party system. This is done by changing the conversion pattern.
For the "out of the box" audit logging to a text file, the conversion pattern used is:
<param name="ConversionPattern" value="%d %property{current-user} %property{session-id} [%t] %m%n" />
This breaks down into:
Details of the conversion patterns available are here.
Syslog is a standard for computer message logging - it's a way to separate software that generates log messages (such as Enterprise Tester's security audit logging) and tools/servers which can handle storage, reporting and analysis of those log messages (such as logstash).
To enable syslog support for audit logging, you must edit your logging.config, replacing the config with this:
<appender name="securityAuditSyslog" type="log4net.Appender.RemoteSyslogAppender,log4net" >
    <facility value="local7" />
    <identity value="EnterpriseTester" />
    <RemoteAddress value="syslog" />
    <layout type="log4net.Layout.PatternLayout" value="%property{current-user} %property{session-id} [%t] %m%n"/>
    <RemotePort value="516" />
    <layout type="log4net.Layout.PatternLayout,log4net">
        <param name="ConversionPattern" value="%property{current-user} %property{session-id} [%t] %m%n" />
    </layout>
</appender>
<logger name="EnterpriseTester.Security.Audit" additivity="false">
    <level value="DEBUG" />
    <appender-ref ref="securityAuditSyslog" />
</logger>
The syslog appender above will log messages to the server with hostname "syslog" on port 516. You can find more information about the log4net syslog appender in these articles/docs:
You will notice the conversion pattern for the syslog appender does not include the %d conversion pattern (date/time) - this is because the syslog server you are communicating with will use the date/time the message is received as the time of the event.
Depending on the syslog server you may want to adjust the pattern to remove information you don't want or can't report on e.g. thread or session.
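To check what the syslog appender configured above delivers, a receiver can decode each datagram and stamp it on arrival, since the pattern carries no %d. This is an added example, not part of Enterprise Tester or log4net; it assumes the datagram has the form `<PRI>identity: ` followed by the rendered pattern, assumes UTF-8 text, and uses a constructed sample datagram.

```python
import re
import socket
from datetime import datetime, timezone

FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed wire form: "<PRI>identity: " + "%property{current-user} %property{session-id} [%t] %m"
DGRAM_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<identity>[^:]+): "
    r"(?P<user>\S+) (?P<session>\S+) \[(?P<thread>[^\]]+)\] (?P<message>.*)$",
    re.S,
)

def decode_datagram(data, received_at=None):
    """Decode one datagram into fields, or return None if it does not fit."""
    # Encoding is an assumption; undecodable bytes are replaced, not fatal.
    text = data.decode("utf-8", errors="replace").rstrip("\r\n")
    m = DGRAM_RE.match(text)
    if m is None:
        return None
    rec = m.groupdict()
    pri = int(rec.pop("pri"))
    if pri > 191:  # highest valid PRI is facility 23, severity 7
        return None
    facility, severity = divmod(pri, 8)
    rec["facility"] = FACILITIES.get(facility, str(facility))
    rec["severity"] = SEVERITIES[severity]
    # No %d in the pattern: the receive time is the event time.
    rec["received_at"] = received_at or datetime.now(timezone.utc)
    return rec

def listen(host="0.0.0.0", port=516):
    """Print decoded datagrams; 516 is the RemotePort used on this page."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, peer = sock.recvfrom(8192)
            print(peer[0], decode_datagram(data))

# Constructed datagram: PRI 191 = facility 23 (local7) * 8 + severity 7.
SAMPLE_DATAGRAM = b"<191>EnterpriseTester: administrator e2oqpa0come5441h4yhdeuhg [50] ViewEntity: constructed event"

if __name__ == "__main__":
    print(decode_datagram(SAMPLE_DATAGRAM))
```

A decoded facility other than `local7` or an identity other than `EnterpriseTester` means the datagram did not come from the appender configured on this page.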