User and Configuration Audit Logging

Audit logging tracks login attempts and changes made to select settings in Configuration.

Log these user activities in Configuration:

  • Login attempts
  • Logout attempts
  • Logout due to timeout
  • New user added
  • Existing user deleted
  • Changes made to an existing user:
    • First name
    • Last name
    • Username
    • Password
    • Access level
    • System Management access level
    • "User must change password at next login" setting
    • "Account locked" setting
    • "Password never expires" setting

Log these configuration changes made through the Configuration UI:

  • Application Settings
  • System Variables
  • Queue Variables
  • Segment Variables
  • Callback Offered
  • Callback Allowed

Information logged:

  • the source of the change, either the user or process
  • the type of change
  • the important identifiers for the change
  • the before and after values

Configure Audit Logging

Two scripts automatically installed with Callback are required to set up the audit logging:

  • VHT_Audit_Create_Tables.sql
  • VHT_Audit_Create_Connection.sql

They are written to the folder named SQL Server Database Installation Scripts. Edit and manually run these scripts to create tables and insert records for logging.

Configuration Audit

The AuditNHibernateConfig.xml file must be placed in the directory of the service that modifies the configuration database (VHQMWS and ConfigurationTranslationAPI).

If this file exists in the process directory or root of the virtual directory for web services, the audit records will be written.

<?xml version="1.0" encoding="utf-8" ?>
<hibernate-configuration xmlns="urn:nhibernate-configuration-2.2">
  <session-factory>
    <property name="dialect">NHibernate.Dialect.MsSql2012Dialect</property>
    <property name="connection.provider">NHibernate.Connection.DriverConnectionProvider</property>
    <property name="connection.connection_string">REPLACE_CONNECTION_STRING</property>
  </session-factory>
</hibernate-configuration>

Determine Database for Audit Logging

You have the option to write the audit records to one of the existing databases, or to a separate database.

Our recommendation, and industry best practice, is to keep audit records separate from configuration records.

If the database is on a different server from the configuration database, follow these steps:

Configure and Run Scripts

Important: If an entry exists in the ApplicationSettings table for the AuditDBConnectionString, all login/logout attempts to Launchpad and changes to users will be written to the AuditLogin and AuditUser tables.
  • In the server where audit tables will be stored, open the VHT_Audit_Create_Tables.sql script. Find ReplaceAuditDatabaseName and replace with the name of the database that will store the audit logging information.
  • In the same file, find all instances of ReplaceVHTConfigDatabaseName and replace with the name of the configuration database. The default is VHT_Config.
Note: If creating audit tables on a different server other than the one that holds the configuration database, perform these steps. Continue to step 3 if creating on the same server.

  • Create a linked server so that the two servers can share data.

  • In the VHT_Audit_Create_Tables.sql script, find all instances of ReplaceVHTConfigLinkedServerName and replace with the linked server name.

  • Continue to step 3.

For information on creating a linked server in SQL Server, please visit https://msdn.microsoft.com/en-us/library/ff772782.aspx.

  • Find the section denoted by -- If the audit tables exist on the same server as the VHT Config database, uncomment and run this section: and uncomment that section.

  • Run the VHT_Audit_Create_Tables.sql script.
  • Confirm the tables have been created in the database.
  • On the SQL Server where you have installed the configuration database, open the VHT_Audit_Create_Connection.sql script.
  • In this file, find ReplaceVHTConfigDatabaseName and replace with the name of the configuration database.
  • In this same file, find the following section:
SET @ServerName = N'<PleasePutAuditServerNameHere>';
SET @UserId = N'<PleasePutAuditDatabaseUserIdHere>';
SET @Password = N'<PleasePutAuditDatabaseUsersPasswordHere>';
SET @DatabaseName = N'<PleasePutAuditDatabaseNameHere>';
  • Replace each entry within the angle brackets (< >) with the appropriate value for the audit logging database.

For example:

SET @ServerName = N'VHT_Audit_Logging_Server';
SET @UserId = N'VHT_Audit_Database_Administrator';
SET @Password = N'Password';
SET @DatabaseName = N'VHT_Audit_Database';
Note: If you are using Windows integrated security, the UserId and Password entries can be blank.
  • If you are using SQL authentication, find the section -- For SQL Authentication, uncomment and run this section: and uncomment that section.
  • If you are using Windows integrated security, find -- For Windows Integrated Security, uncomment and run this section: and uncomment that section.
  • Run the VHT_Audit_Create_Connection.sql script.