Writing to the Audit Log

Coordinator
Jun 8, 2007 at 6:02 PM
We have had a couple of questions about writing to the audit log using SecPAL's audit logging capability - so I figured I would summarize how this capability works - including how to view the audit log using the audit log viewer.

#1 AuditLogSample - The best place to start is by running the sample called "AuditLogScenario". This sample includes the following audit rule within an audit policy. This rule specifies that all requests based on an ActionVern of "read" should be written to the audit log when a successful authorization decision occurs. The audit log should also incorporate the proof and the authorization context that was used to support the authorization claim.

{"
auditRules.Add(
new AuditRule(
new ProofTarget[] {
new ProofTarget(
ActionVerbs.read,
new Resource(
ResourceType.digitalContent,
new Uri("file:///public/"))) },
1 /* eventId */,
AuditAction.log,
EventType.success,
true /* includeProof */,
true /* includeContext */));

policies.Add(
new Policy(
new PrincipalIssuer(new LocalAuthorityPrincipal()),
claims,
auditRules,
null /* authorizationQueryTemplate */,
null /* description */ ));
"}

#2 Viewing the Audit Logs - Once you have run this sample (or modified your code, or any of our other samples to include a policy similar to above) you are then ready to take a look at the audit logs. You can do this by looking at the XML file yourself - but noone likes looking at XML - so we have included a tool for doing this. Click on the start menu / programs / secpal / and run the audit log viewer. This tool will now allow you to see all the audit entries that have been logged. Plus for each audit entry you can see:
    • The SecPAL statements that were actually evaluated vs all the SecPAL statements that were in the AC
    • A hierarchical view of the proof graph that lead to an authorization decision
    • A graphical view of the proof graph (see below)
    • A translation of your SecPAL into Datalog (as per our formal model)

#3 Using the Graphical Proof Graph Viewer (1) - This is one of the hidden secrets and in my opinion one of the coolest features in the Audit log viewer. To use the graphical proof graph viewer you must: click on the Answers tab for an audit record you are interesed in seeing. Expand the Answers root node until you see the child (or children) of the "Proof" node. Right click on any of the children of the proof node and select view proof graph. You will then get a graphical representation of the deduction process that lead to your authorization decision being granted.

#4 Where are the audit logs stored? - On Vista the logs will be stored inside C:\Users\YOURNAME\AppData\Roaming\Microsoft\SecurityPolicyStore, whereas on earlier versions of Windows the logs will be stored in C:\Documents and Settings\YOURNAME\Application Data\Microsoft\SecurityPolicyStore. Note that the audit log viewer is currently a little sensitive to changes in the schema, so you are probably best not to modify the file, especially the actual schema.

(1) - Note - The initial release of our bits does have a bug using the Graphical Proof Graph Viewer - so until around June 18th (at which time we hope to have released a minor point release to SecPAL) assume this capability will not work. I