Portal authentication logging
search cancel

Portal authentication logging

book

Article ID: 261721

calendar_today

Updated On:

Products

Information Centric Analytics

Issue/Introduction

The Release Notes for Information Centric Analytics (ICA) 6.6 lists Enhanced Logging under the What's New in Symantec ICA Version 6.6 heading, with the following description:

Enhanced authentication and account modification logging has been added to the ActivityLog table as well as added history tables to the PortalUser and PortalRoles areas.

Does ICA log portal authentication attempts and logoff events?

Environment

Release : 6.x

Resolution

Because ICA runs as a web application on top of Microsoft Internet Information Services (IIS), it relies on IIS to process user authentication attempts by way of Integrated Windows Authentication. Successful and unsuccessful authentication attempts are logged in the IIS logs and include both account names and client IP addresses; however, it's not possible to "logoff" of IIS, so there are no logoff events to log.

When a user attempts to access the Risk Fabric console, IIS first validates the user's Windows credentials and, if they're valid, they're then passed on to ICA. At that point, ICA checks the account against the list of portal users and privileges and grants the user access to those elements for which they have sufficient privileges (either explicitly granted to the portal user or inherited via portal group or portal role membership). Beginning with ICA version 6.6, logging for this has been added to the ActivityLog table in the RiskFabric relational database.

Additional Information

The following basic query will return a list of all users who have logged-in to the Risk Fabric console within the past 24 hours:

USE RiskFabric;
GO

SELECT   DISTINCT pu.Username
FROM     dbo.ActivityLog AS al WITH (NOLOCK)
INNER JOIN dbo.PortalUsers AS pu
ON al.PortalUserID = pu.PortalUserId
WHERE   al.[Type] = 'SUCCESSFUL LOGIN' AND
al.DateStamp >= GETDATE()-1;

This query will list the dates and times at which users have logged-in over the past n days (modify the integer passed to the GETDATE() function to adjust the number of days; the following query is passing -7 on line 10):

USE RiskFabric;
GO

SELECT   pu.Username,
        al.DateStamp
FROM     dbo.ActivityLog AS al WITH (NOLOCK)
INNER JOIN dbo.PortalUsers AS pu
ON al.PortalUserID = pu.PortalUserId
WHERE     al.[Type] = 'SUCCESSFUL LOGIN' AND
al.DateStamp >= GETDATE()-7
ORDER BY al.DateStamp DESC;