The Release Notes for Information Centric Analytics (ICA) 6.6 lists Enhanced Logging under the What's New in Symantec ICA Version 6.6, with the following description:
Enhanced authentication and account modification logging has been added to the ActivityLog table as well as added history tables to the PortalUser and PortalRoles areas.
Does ICA now log portal authentication attempts and logoff events?
Release : 6.x
Because ICA runs as a web application on top of Microsoft Internet Information Services (IIS), it relies on IIS to process user authentication attempts by way of Integrated Windows Authentication. Successful and unsuccessful authentication attempts are logged in the IIS logs and include both account names and client IP addresses; however, it's not possible to "logoff" of IIS, so there are no logoff events to log.
When a user attempts to access the ICA portal, IIS first validates the user's Windows credentials and, if they're valid, they're then passed on to ICA. At that point, ICA checks the account against the list of portal users and privileges and grants the user access to those elements for which they have sufficient privileges (either explicitly granted to the portal user or inherited via portal group or portal role membership). Beginning with ICA version 6.6, logging for this has been added to the ActivityLog table in the RiskFabric database, as shown in this example:
SELECT TOP 5 * FROM RiskFabric.dbo.ActivityLog WHERE [Type] LIKE '%LOGIN' ORDER BY 1 DESC;
The following basic query will return a list of all users who have logged-in to the ICA portal within the past 24 hours:
SELECT DISTINCT pu.Username
FROM RiskFabric.dbo.ActivityLog AS al WITH (NOLOCK)
JOIN RiskFabric.dbo.PortalUsers AS pu
ON al.PortalUserID = pu.PortalUserId
WHERE al.[Type] = 'SUCCESSFUL LOGIN'
AND al.DateStamp > GETDATE()-1
;
This query will list the dates and times at which users have logged-in over the past n days (modify the integer passed to the GETDATE() function to adjust the number of days; the following query is passing '-7' on line 7):
SELECT pu.Username,
al.DateStamp
FROM RiskFabric.dbo.ActivityLog AS al WITH (NOLOCK)
JOIN RiskFabric.dbo.PortalUsers AS pu
ON al.PortalUserID = pu.PortalUserId
WHERE al.[Type] = 'SUCCESSFUL LOGIN'
AND al.DateStamp > GETDATE()-7
ORDER BY al.DateStamp DESC
;