Enable Auditing
note
This topic only describes how to enable auditing on the Administrator site. For information about logging user activity in an iCore system, see Auditing.
To be able to follow the instructions in this topic, you need to have a basic understanding of .NET Serilog authoring.
To enable auditing on the Administrator site, the web.config file needs to be updated with a sink. Assemblies for a default file sink that writes to the iCore data folder are included by default when the site is deployed or upgraded. The actions that are currently logged are login and logout.
To enable the file sink
- Open the web.config file for the site and uncomment the section under configuration -> appsettings
- Update the value for the settings with the key
"serilog:audit-to:File.path" and set the desired location/file
path (if needed).
note
If you have multiple Administrator sites and use the provided file sink, the site should use separate log files due to limitations of the sink.
The supplied formatter writes the log entries in a JSON format.
Enabling auditing (example)
<add key="serilog:using:File" value="Serilog.Sinks.File" />
<add key="serilog:audit-to:File.path"
value="%ProgramData%/iCore Solutions/SInTest_WebAdmin/auditLog.txt" />
<add key="serilog:audit-to:File.formatter" value="Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" />
Log level
Successful login attempts are logged on the "information" level, while failed attempts are logged on the "error" level.
Disabling logging of failed login attempts
Logging failed login attempts can cause the audit log to grow rapidly if no other restrictions on failed login attempts are configured on the site. To exclude these entries, you can apply a log event filter in the web.config file by adding the section below. The referred assembly is supplied with the site.
Filtering failed login attempts (example)
<add key="serilog:using:FilterExpressions" value="Serilog.Filters.Expressions" />
<add key="serilog:filter:ByExcluding.expression" value="@Level = 'Error'" />
Properties added to log entries
The Administrator site adds properties to each log entry that can be used when using custom sinks for logging.
Property | Description |
---|---|
Action | The action performed by the user. |
ActorName | The name of the current site user. |
ApplicationActorId | The domain ID of the user executing the application pool for the site. |
ApplicationActorName | The domain name of the user executing the application pool for the site. |
ApplicationName | The name of the process running the site. |
GlobalActorId | The ID of the user when the identity is retrieved from another authentication service (e.g. Windows Authentication). |
GlobalActorName | The name of the user when the identity is retrieved from another authentication service (e.g. Windows Authentication). |
GroupName | The name of the site user group the current user is assigned to. |
Message | User friendly description of the action. |
Server | The name of the machine running the site. |
Target | The name of the site. |
Timestamp | The timestamp for the log entry. |