Skip to main content
Version: 4.3.0

Enable Auditing

note

This topic only describes how to enable auditing on the Administrator site. For information about logging user activity in an iCore system, see Auditing.

To be able to follow the instructions in this topic, you need to have a basic understanding of .NET Serilog authoring.

To enable auditing on the Administrator site, the web.config file needs to be updated with a sink. Assemblies for a default file sink that writes to the iCore data folder are included by default when the site is deployed or upgraded. The actions that are currently logged are login and logout.

To enable the file sink

  1. Open the web.config file for the site and uncomment the section under configuration -> appsettings
  2. Update the value for the settings with the key "serilog:audit-to:File.path" and set the desired location/file path (if needed).
    note

    If you have multiple Administrator sites and use the provided file sink, the site should use separate log files due to limitations of the sink.

The supplied formatter writes the log entries in a JSON format.

Enabling auditing (example)

    <add key="serilog:using:File" value="Serilog.Sinks.File" />
<add key="serilog:audit-to:File.path"
value="%ProgramData%/iCore Solutions/SInTest_WebAdmin/auditLog.txt" />
<add key="serilog:audit-to:File.formatter" value="Serilog.Formatting.Compact.CompactJsonFormatter, Serilog.Formatting.Compact" />

Log level

Successful login attempts are logged on the "information" level, while failed attempts are logged on the "error" level.

Disabling logging of failed login attempts

Logging failed login attempts can cause the audit log to grow rapidly if no other restrictions on failed login attempts are configured on the site. To exclude these entries, you can apply a log event filter in the web.config file by adding the section below. The referred assembly is supplied with the site.

Filtering failed login attempts (example)

    <add key="serilog:using:FilterExpressions" value="Serilog.Filters.Expressions" />
<add key="serilog:filter:ByExcluding.expression" value="@Level = 'Error'" />

Properties added to log entries

The Administrator site adds properties to each log entry that can be used when using custom sinks for logging.

PropertyDescription
ActionThe action performed by the user.
ActorNameThe name of the current site user.
ApplicationActorIdThe domain ID of the user executing the application pool for the site.
ApplicationActorNameThe domain name of the user executing the application pool for the site.
ApplicationNameThe name of the process running the site.
GlobalActorIdThe ID of the user when the identity is retrieved from another authentication service (e.g. Windows Authentication).
GlobalActorNameThe name of the user when the identity is retrieved from another authentication service (e.g. Windows Authentication).
GroupNameThe name of the site user group the current user is assigned to.
MessageUser friendly description of the action.
ServerThe name of the machine running the site.
TargetThe name of the site.
TimestampThe timestamp for the log entry.

See Also

Technical architecture & Runtime

Auditing