The Release Notes for Information Centric Analytics (ICA) 6.6 lists Enhanced Logging under the What's New in Symantec ICA Version 6.6 heading, with the following description:
Enhanced authentication and account modification logging has been added to the ActivityLog table as well as added history tables to the PortalUser and PortalRoles areas.
Does ICA log portal authentication attempts and logoff events?
Release : 6.x
Because ICA runs as a web application on top of Microsoft Internet Information Services (IIS), it relies on IIS to process user authentication attempts by way of Integrated Windows Authentication. Successful and unsuccessful authentication attempts are logged in the IIS logs and include both account names and client IP addresses; however, it's not possible to "logoff" of IIS, so there are no logoff events to log.
When a user attempts to access the Risk Fabric console, IIS first validates the user's Windows credentials and, if they're valid, they're then passed on to ICA. At that point, ICA checks the account against the list of portal users and privileges and grants the user access to those elements for which they have sufficient privileges (either explicitly granted to the portal user or inherited via portal group or portal role membership). Beginning with ICA version 6.6, logging for this has been added to the ActivityLog
table in the RiskFabric
relational database.
The following basic query will return a list of all users who have logged-in to the Risk Fabric console within the past 24 hours:
USE RiskFabric;
GO
SELECT DISTINCT pu.Username
FROM dbo.ActivityLog AS al WITH (NOLOCK)
INNER JOIN dbo.PortalUsers AS pu
ON al.PortalUserID = pu.PortalUserId
WHERE al.[Type] = 'SUCCESSFUL LOGIN' AND
al.DateStamp >= GETDATE()-1;
This query will list the dates and times at which users have logged-in over the past n
days (modify the integer passed to the GETDATE()
function to adjust the number of days; the following query is passing -7
on line 10):
USE RiskFabric;
GO
SELECT pu.Username,
al.DateStamp
FROM dbo.ActivityLog AS al WITH (NOLOCK)
INNER JOIN dbo.PortalUsers AS pu
ON al.PortalUserID = pu.PortalUserId
WHERE al.[Type] = 'SUCCESSFUL LOGIN' AND
al.DateStamp >= GETDATE()-7
ORDER BY al.DateStamp DESC;