In Enterprise Tester 4.10, we are introducing a security audit logging mechanism. It is currently in BETA and is turned off by default for now, but for those interested in this feature we would love for you to give it a try and give us your feedback.
The audit logging feature allows administrators to record and track activity for the supported events. The output format can be configured and the audit logging can be integrated with Syslog.
Supported Events
For the BETA in 4.10, the following events are supported by the audit logging feature:
- Log on via username/password in browser
- Log on via previously created remember-me cookie
- Log on without username/password (single sign-on with crowd)
- Log on - attaching to existing session (java applet for pasting screen shots)
- Log on - failure due to username/password incorrect
- Log on - failure due to license limit exceeded
- Log on - failure due to account being disabled
- Log on - failure due to exception
- Log on via username/password (basic auth) for API call
- Log on using apikey for API call
- Log on using OAuth for API call
- Log on - unauthorized because of invalid scheme or credentials for API call
- Log on - OAuth validation failure (invalid signature, revoked token etc.) for API call
- Session Started
- Session End
- User changed password (UI)
- User failed to change password (UI)
- User requests password reset
- User completes password reset
- Password reset URL has expired
- Create a user
- Delete a user
- Enable user account
- Disable user account
- Create group
- Delete group
- Rename group
- Add user to project
- Remove user from project
- Add user to group
- Remove user from group
- Set users for a group
- Set groups for project
- Set groups for user
- Set global permissions on a user
- Set global permissions on a group
- Set project-level permissions on a user
- Set project-level permissions on a group
- Insufficient permissions for API Request (Forbidden)
- Insufficient permissions to access front-end page
- Entity Viewed by front-end user
Turn it On!
To turn on security audit logging, you need to edit your logging.config file. Typically you can find the logging.config file with your installation files: C:\Program Files (x86)\Catch Limited\Enterprise Tester\Web\logging.config.
...
<!-- security audit logging (Beta) -->
<!-- Un-comment the following section to enable security audit logging, which is currently in beta for v4.10 of ET. This includes a default configuration of text file and syslog appenders. -->
<!--
<appender name="securityAuditFile" type="log4net.Appender.RollingFileAppender,log4net" >
  <param name="File" value="App_Data\security-audit.txt" />
  <param name="AppendToFile" value="true" />
  <param name="RollingStyle" value="Date" />
  <param name="DatePattern" value="yyyy.MM.dd" />
  <param name="StaticLogFileName" value="true" />
  <layout type="log4net.Layout.PatternLayout,log4net">
    <param name="ConversionPattern" value="%d %property{current-user} %property{session-id} [%t] %m%n" />
  </layout>
</appender>
<appender name="securityAuditSyslog" type="log4net.Appender.RemoteSyslogAppender,log4net" >
  <facility value="local7" />
  <identity value="EnterpriseTester" />
  <RemoteAddress value="syslog" />
  <layout type="log4net.Layout.PatternLayout" value="%property{current-user} %property{session-id} [%t] %m%n"/>
  <RemotePort value="516" />
  <layout type="log4net.Layout.PatternLayout,log4net">
    <param name="ConversionPattern" value="%property{current-user} %property{session-id} [%t] %m%n" />
  </layout>
</appender>
<logger name="EnterpriseTester.Security.Audit" additivity="false">
  <level value="DEBUG" />
  <appender-ref ref="securityAuditFile" />
  <appender-ref ref="securityAuditSyslog" />
</logger>
-->
...
After saving changes to the logging.config file, you must restart the Enterprise Tester application pool (or IIS) for the changes to take effect.
Reading the Audit Log
By default the security audit log events will be rendered like this:
...
The session and thread identifiers are specifically useful in correlating security events occurring for a specific user, browser or background process - as these may be logged out of order on a busy ET server which has many users accessing it concurrently.
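As an added illustration (not part of Enterprise Tester or its documentation), the following Python sketch parses lines in the default file layout `%d %property{current-user} %property{session-id} [%t] %m%n`, groups them by session id and restores time order within each session. It assumes `%d` is rendered in log4net's default ISO8601 form and that user and session values contain no whitespace; the sample lines, ids and message text are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the default file layout from logging.config:
#   %d %property{current-user} %property{session-id} [%t] %m%n
# Assumption: %d uses log4net's default ISO8601 form, e.g. 2014-03-02 10:15:01,120.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<user>\S+) (?P<session>\S+) \[(?P<thread>[^\]]*)\] (?P<msg>.*)$"
)

def parse(lines):
    """Yield one dict per audit event; unmatched lines extend the previous message."""
    event = None
    for raw in lines:
        m = LINE.match(raw.rstrip("\r\n"))
        if m:
            if event:
                yield event
            event = m.groupdict()
            event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S,%f")
        elif event and raw.strip():
            event["msg"] += "\n" + raw.rstrip("\r\n")
    if event:
        yield event

def by_session(lines):
    """Group events by session id and restore time order within each session."""
    sessions = defaultdict(list)
    for ev in parse(lines):
        sessions[ev["session"]].append(ev)
    for events in sessions.values():
        events.sort(key=lambda ev: ev["ts"])
    return dict(sessions)

# Constructed sample: ids and message text are made up, file order is interleaved.
SAMPLE = """\
2014-03-02 10:15:02,310 alice s-1a2b [12] Entity viewed
2014-03-02 10:15:01,120 alice s-1a2b [7] Session started
2014-03-02 10:15:01,900 bob s-9f8e [9] Session started
2014-03-02 10:15:03,005 bob s-9f8e [9] Insufficient permissions
  for API request
2014-03-02 10:15:01,450 alice s-1a2b [7] Log on via username/password
""".splitlines()

if __name__ == "__main__":
    for sid, events in by_session(SAMPLE).items():
        print(sid, [(e["ts"].time().isoformat(), e["thread"], e["msg"]) for e in events])
```

If the conversion pattern in logging.config is changed, the regular expression has to be changed to match.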
Changing Output Format
Some administrators may want to generate logs with either less information or a different format, suitable for pushing into a 3rd party system. This is done by changing the conversion pattern.
...
Details of the conversion patterns available are here.
Integrating with syslog
Syslog is a standard for computer message logging - it's a way to separate software that generates log messages (such as Enterprise Tester's security audit logging) and tools/servers which can handle storage, reporting and analysis of those log messages (such as logstash).
...