Configuring an Instance for Audit Logging

Audit logging is optional when you add an instance. When enabled for an instance, it captures activity in Archer as it happens. Audit logging is not available for Archer SaaS environments.

The log records everything that happens in the user interface, from changes to records and fields (for example, in applications, iViews, workspaces, and solutions) down to simple mouse clicks and even communications with servers.

Audit logging requires a syslog listener (for example, WinSyslog), and uses Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). You can configure the communication protocol for audit logging on the General tab. Audit logging does not support the RFC-5424 protocol.

For established TCP connections, data travels bidirectionally. UDP is a connectionless Internet protocol that sends multiple messages as packets in chunks. If the IP method is TCP and a transmission error occurs, the system records a message in the w3wp log file. Because of the unreliability of UDP, the system does not detect or log unsuccessful transmissions.

Activity is logged to a syslog as soon as audit logging is enabled. All messages are logged with the event ID of Log Alert. When you disable audit logging, logging stops immediately.

Disable audit logging for an instance

  1. On the General tab, go to the Audit section.

    1. Open the Archer Control Panel.
    2. Go to Instance Management and select All Instances.
    3. Select the instance for which you want to disable audit logging.
  2. In the Enable Audit Logging field, clear Enable Audit Logging for this instance.
  3. On the toolbar, click Save.

Enable audit logging for an instance

  1. On the General tab, go to the Audit section.

    1. Open the Archer Control Panel.
    2. From the Instance Management list, double-click the instance.
  2. In the Enable Audit Logging field, click Enable Audit Logging for this instance.
  3. In the Host Name or IP Address field, enter the syslog listener by its host name or IP address.
  4. In the Port field, enter the port number of the syslog listener.
  5. In the IP Version field, select IPv4 or IPv6 for the version of the Internet Protocol.
  6. In the IP Traffic Method field, select TCP or UDP for the Internet Protocol method.
  7. Click Test Connection to test the connection to the syslog listener. You cannot test the connection for UDP.
  8. On the toolbar, click Save.

Common class and method names

The following table contains the most common class and method names in an audit log file.

| Name | Description |
|---|---|
| Standard process for all code | Based on the active session associated with the current request. Permission checking is implied for all descriptions. |
| AuthorizationManager | Determines authorization to features of the Platform. |
| ContentManager | Manipulation of content including retrieving, deleting, saving. Evaluating content relationships and/or states to determine processing activities. Retrieving content history. |
| DataFeedHistoryManager | Maintains data feed history including retrieving, deleting, saving; does not include data feeds themselves. |
| FieldDefinitionManager | Manipulation of field definitions, not content, including retrieving, deleting, saving; this includes items associated with the field, such as rules. Validation of calculated field formula. Retrieving calculated field. Requesting recalculation of content based on calculated field formula changes. |
| ModuleManager | Manipulation of Archer applications including retrieving, deleting, saving, and requesting recalculation of content based on level. |
| SessionStateManager.Save | Writes session state to the database to maintain correct application state for the user. |
| SolutionManager | Manipulation of Archer solutions including retrieving, deleting, and saving. |
| TaskHitManager | Logging of user activities and actions that are taken against Archer related to database tables: tblPageHit, tblPage, tblPageClass, tblPageType. |
| TaskManager | Retrieving (read-only) system configuration of tasks. Tasks are system actions or activities that are related to permissions in Archer. |
| UserManager | Administration of users in the system. Used for read-only purposes by numerous system functions. |

Example: Activity logged to the syslog by the Data Feed Service

In the following example, the Data Feed Service generates activity that is logged to the syslog:

vendor:RSA, product:Archer, version:1.0, ArcherVersion:5.4.10000.1081,ArcherInstance:Audit2,LogSourceIdentifier:10.5.153.115:0,eventtime:8/7/2013 7:33:22 PM,eventid:14, ArcherLog:" UserId:189 UserName:"Data Feed Service, Archer" LogDate:8/7/2013 7:33:22 PM MethodName:DataFeedHistoryManager.Get InputParameter:dataFeedHistoryId<System.Int32>:<ROOT><V a="1367" /></ROOT> OutputValues:<ROOT><V a="1367" /></ROOT> Success:"True "

Use the values in the following table to decipher the message.

| Message Segment | Value | Description |
|---|---|---|
| vendor: | RSA | Vendor name |
| product: | Archer | Product name |
| version: | 1.0 | Feature version |
| ArcherVersion: | 5.4.10000.1081 | Archer version |
| ArcherInstance: | Audit2 | Instance name |
| LogSourceIdentifier: | 10.5.153.115:0 | IP address of the web server |
| eventtime: | 8/7/2013 7:33:22 PM | Date and time activity occurred |
| eventid: | 14 | Log alert |
| UserId: | 189 | Identification of the user who initiated the activity |
| UserName: | "Data Feed Service, Archer" | Name of user who initiated the activity |
| LogDate: | 8/7/2013 7:33:22 PM | Date and time activity was logged |
| MethodName: | DataFeedHistoryManager.Get | Name of the method called by the user |
| InputParameter: | dataFeedHistoryId<System.Int32>:<ROOT><V a="1367" /></ROOT> | Inputted data |
| OutputValues: | <ROOT><V a="1367" /></ROOT> | Outputted data |
| Success: | "True" | Message status |

Note: The MethodName, InputParameter, and OutputValues differ based on the method called for the type of activity being logged. The InputParameter and OutputValues are specific to each method. The values of InputParameter and OutputValues in this example are specific to the DataFeedHistoryManager.Get method.
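One way a log-ingestion step could split the message above into the segments from the table, shown as an added example that is not Archer code. The function name and the derived Class, Method and Succeeded keys are assumptions, and the parser assumes the ArcherLog fields always appear in the order of the sample message.

```python
import re

# ArcherLog fields, in the order the sample message on this page lists them.
BODY_KEYS = ["UserId", "UserName", "LogDate", "MethodName",
             "InputParameter", "OutputValues", "Success"]
# Anchoring on the ordered key names lets values keep their own spaces,
# colons and commas (the quoted UserName, the XML parameter values).
BODY_RE = re.compile(
    r"\s+".join(rf"{k}:(?P<{k}>.*?)" for k in BODY_KEYS) + r"\s*$", re.S)

# The sample message from this page, reproduced unchanged.
SAMPLE = (
    'vendor:RSA, product:Archer, version:1.0, ArcherVersion:5.4.10000.1081,'
    'ArcherInstance:Audit2,LogSourceIdentifier:10.5.153.115:0,'
    'eventtime:8/7/2013 7:33:22 PM,eventid:14, ArcherLog:" UserId:189 '
    'UserName:"Data Feed Service, Archer" LogDate:8/7/2013 7:33:22 PM '
    'MethodName:DataFeedHistoryManager.Get '
    'InputParameter:dataFeedHistoryId<System.Int32>:<ROOT><V a="1367" /></ROOT> '
    'OutputValues:<ROOT><V a="1367" /></ROOT> Success:"True "'
)


def parse_archer_audit(message):
    """Return a flat dict of header and ArcherLog fields, or raise ValueError."""
    header, sep, body = message.partition("ArcherLog:")
    if not sep:
        raise ValueError("no ArcherLog segment in message")
    fields = {}
    for item in header.split(","):
        # Split on the first colon only: LogSourceIdentifier and eventtime
        # carry further colons inside their values.
        key, colon, value = item.partition(":")
        if colon:
            fields[key.strip()] = value.strip()
    match = BODY_RE.search(body)
    if match is None:
        raise ValueError("ArcherLog body does not match the expected field order")
    for key, value in match.groupdict().items():
        # UserName and Success are quoted in the sample; XML values stay intact.
        quoted = key in ("UserName", "Success")
        fields[key] = value.strip(' "') if quoted else value.strip()
    # Derived keys (assumed names): class and method, for matching against the
    # "Common class and method names" table, and a boolean status.
    fields["Class"], _, fields["Method"] = fields["MethodName"].partition(".")
    fields["Succeeded"] = fields["Success"].lower() == "true"
    return fields


if __name__ == "__main__":
    for name, value in parse_archer_audit(SAMPLE).items():
        print(f"{name}: {value}")
```

Messages that lack the ArcherLog segment or whose body fields are out of order raise ValueError, so a collector can route them to a review queue instead of storing partially parsed records.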