Share via


<serviceSecurityAudit>

Specifies settings that enable auditing of security events during service operations.

Schema Hierarchy

<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior> of <serviceBehaviors>
        <serviceSecurityAudit>

Syntax

<serviceSecurityAudit 
   auditLogLocation="Default/Application/Security"
   messageAuthenticationAuditLevel= None/Success/Failure/SuccessAndFailure"   serviceAuthorizationAuditLevel="None/Success/Failure/SuccessAndFailure"
   suppressAuditFailure="Boolean"
/>

Attributes and Elements

The following sections describe attributes, child elements, and parent elements.

Attributes

Attribute Description

auditLogLocation

Specifies the location of the audit log. Valid values include the following:

  • Default: Security events are written to the application log on Windows XP, and to the Event Log on Windows Server 2003 and Windows Vista.

  • Application: Audit events are written to the Application Event Log.

  • Security: Audit events are written to the Security Event Log.

The default value is Default. For more information, see AuditLogLocation.

suppressAuditFailure

A Boolean value that specifies the behavior for suppressing failures of writing to the audit log.

Applications should be notified for failures of writing to the audit log. If your application is not designed to handle audit failures, you should use this attribute to suppress failures in writing to the audit log.

If this attribute is true, exceptions other than OutOfMemoryException, StackOverFlowException, ThreadAbortException, and ArgumentException that result from attempts to write audit events are handled by the system, and are not propagated to the application. If this attribute is false, all exceptions that result from attempts to write audit events are passed up to the application.

The default is true.

serviceAuthorizationAuditLevel

Specifies the types of authorization events that are recorded in the audit log. Valid values include the following:

  • None: No auditing of service authorization events is performed.

  • Success: Only successful service authorization events are audited.

  • Failure: Only failure service authorization events are audited.

  • SuccessAndFailure: Both success and failure service authorization events are audited.

The default value is None. For more information, see AuditLevel.

messageAuthenticationAuditLevel

Specifies the type of message authentication audit events logged. Valid values include the following:

  • None: No audit events are generated.

  • Success: Only successful security (full validation including message signature validation, cipher, and token validation) events are logged.

  • Failure: Only failure events are logged.

  • SuccessAndFailure: Both success and failure events are logged.

The default value is None. For more information, see AuditLevel.

Child Elements

None.

Parent Elements

Element Description

<behavior> of <endpointBehaviors>

Specifies a behavior element.

Remarks

This configuraton element is used to audit Windows Communication Foundation (WCF) authentication events. When auditing is enabled, either successful or failed authentication attempts (or both) can be audited. The events are written to one of three event logs: application, security, or the default log for the operating system version. The event logs can all be viewed using the Windows Event viewer.

For a detailed example of using this configuration element, see Service Auditing Behavior.

By default, on Windows XP the audit events can be seen in the Application Log; while on Windows Server 2003 and Windows Vista, the audit events can be seen in the Security Log. The location of audit events can be specified by setting the auditLogLocation attribute to 'Application' or 'Security'. For more information, see How To: Audit Security Events. If the events are written in the Security Log, the LocalSecurityPolicy-> Enable Object Access should be set for "Success" and "Failure".

When looking at the event log, the source of the audit events is "ServiceModel Audit 3.0.0.0". Message authentication audit records have a category of "MessageAuthentication" while service authorization audit records have a category of 'ServiceAuthorization'.

Message authentication audit events cover whether the message was tampered with, whether the message has expired and whether the client can authenticate to the service. They provide information about whether the authentication succeeded or failed along with the identity of the client and the endpoint the message was sent to along with the action associated with the message.

Service authorization audit events cover the authorization decision made by a service authorization manager. They provide information about whether authorization succeeded of failed along with the identity of the client, the endpoint the message was sent to, the action associated with the message, the identifier of the authorization context that was generated from the incoming message and the type of the authorization manager that made the access decision.

Example

<system.serviceModel>
   <serviceBehaviors>
      <behavior name="NewBehavior">
         <serviceSecurityAudit auditLogLocation="Application" 
             suppressAuditFailure="true"
             serviceAuthorizationAuditLevel="Success" 
             messageAuthenticationAuditLevel="Success" />
      </behavior>
   </serviceBehaviors>
</behaviors>

See Also

Reference

ServiceSecurityAuditElement
ServiceSecurityAuditBehavior

Other Resources

Security Behaviors in WCF
Auditing Security Events
How To: Audit Security Events
Service Auditing Behavior