How to: Audit and Log Security Events in WCF Calling from Windows Forms

Applies to

  • Microsoft Windows Communication Foundation (WCF) 3.5
  • Microsoft Visual Studio 2008

Summary

This how-to article walks you through the process of auditing and logging security events. The article shows you how to configure a WCF service for Auditing, Message Logging, and Tracing, and how to use the SvcTraceViewer tool to view the log files.

Contents

  • Objectives
  • Overview
  • Summary of Steps
  • Step 1: Create a Sample WCF Service
  • Step 2: Enable Auditing for Your WCF Service
  • Step 3: Enable Logging and Tracing for Your WCF Service
  • Step 4: Create a Windows Forms Test Client Application
  • Step 5: Add a WCF Service Reference to the Client
  • Step 6: Test the Client and WCF Service
  • Step 7: Verify the Service Events in the Event Log
  • Step 8: Trace the Log File Using the SvcTraceViewer
  • Additional Resources

Objectives

  • Learn how to configure Auditing.
  • Learn how to configure Message Logging and Tracing.
  • Learn how to log the service events in the Event Log.
  • Learn how to use the SvcTraceViewer tool.

Overview

WCF Auditing allows you to audit security events such as authentication and authorization failures. WCF service auditing can allow you to detect an attack that has occurred or is in progress. In addition, auditing can help you debug security-related problems.

WCF Message Logging allows you to log malformed Simple Object Access Protocol (SOAP) messages or to trace incoming messages. It allows you to specify different logging levels that you can use to diagnose and analyze your applications in case of any problems.

In this How To article, you will create a sample WCF service in Visual Studio 2008. You will then configure the service to enable Auditing, Logging, and Tracing through the use of the WCF Configuration Editor. Next, you will create a test client to verify the security events in the Event Log. Finally, you will use the SvcTraceViewer tool to view and examine the log and trace files.

Summary of Steps

  • Step 1: Create a Sample WCF Service
  • Step 2: Enable Auditing for Your WCF Service
  • Step 3: Enable Logging and Tracing for Your WCF Service
  • Step 4: Create a Windows Forms Test Client Application
  • Step 5: Add a WCF Service Reference to the Client
  • Step 6: Test the Client and WCF Service
  • Step 7: Verify the Service Events in the Event Log
  • Step 8: Trace the Log File Using the SvcTraceViewer

Step 1: Create a Sample WCF Service

In this step, you create a WCF service in Visual Studio.

  1. In Visual Studio, on the menu, click File -> New Web Site.

  2. In the Templates section, select WCF Service. Make sure that the Location is set to Http and specify the virtual directory to be created in the Path (e.g., https://localhost/WCFTestService).

  3. In the New Web Site dialog box, click OK to create a virtual directory and a sample WCF service.

  4. Browse to your WCF service (i.e., https://localhost/WCFTestService/Service.svc).

    You should see details of your WCF service.

Step 2: Enable Auditing for Your WCF Service

In this step, you configure the WCF service to use Security Auditing.

  1. In the Configuration Editor, expand the Advanced node and then expand the Service Behaviors folder.

  2. Select the default behavior "ServiceBehavior".

  3. In the Behavior: ServiceBehavior section, click Add.

  4. In the Adding Behavior Element Extension Sections dialog box, select serviceSecurityAudit and then click Add.

  5. In the Configuration section, under Service Behaviors, select the serviceSecurityAudit option.

  6. Set the AuditLogLocation attribute to Application by choosing this option from the drop-down list.

  7. Set the MessageAuthenticationAuditLevel attribute to SuccessOrFailure by choosing this option from the drop-down list.

  8. Set the ServiceAuthorizationAuditLevel attribute to SuccessOrFailure by choosing this option from the drop-down list.

  9. In the Configuration Editor, on the File menu, click Save.

  10. In Visual Studio, verify your configuration. The configuration should look as follows:

    …
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceSecurityAudit auditLogLocation="Application"
            serviceAuthorizationAuditLevel="SuccessOrFailure"
            messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    …
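
One way to check the result of this step from a PowerShell prompt, as an added example that is not part of the original article: the function reports, for each service behavior, whether the two audit levels configured above will record failures. The sample XML is constructed, `LegacyBehavior` and `Test-WcfAuditConfig` are hypothetical names, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original article); assumes PowerShell 3.0+.
# $webConfig is a constructed sample. "LegacyBehavior" is a hypothetical
# second behavior added to show a finding. For a real service, load its file:
#   [xml]$cfg = Get-Content '<path to the service>\Web.config'
$webConfig = @'
<configuration>
  <system.serviceModel>
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceSecurityAudit auditLogLocation="Application"
            serviceAuthorizationAuditLevel="SuccessOrFailure"
            messageAuthenticationAuditLevel="SuccessOrFailure" />
        </behavior>
        <behavior name="LegacyBehavior">
          <serviceSecurityAudit auditLogLocation="Application"
            messageAuthenticationAuditLevel="Success" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
  </system.serviceModel>
</configuration>
'@

function Test-WcfAuditConfig {
    param([xml]$Config)
    $levels = 'serviceAuthorizationAuditLevel', 'messageAuthenticationAuditLevel'
    foreach ($behavior in $Config.SelectNodes('//serviceBehaviors/behavior')) {
        $audit = $behavior.SelectSingleNode('serviceSecurityAudit')
        foreach ($attr in $levels) {
            # A level that is not set defaults to None: nothing is written.
            $value = 'None'
            if ($null -ne $audit -and $audit.HasAttribute($attr)) {
                $value = $audit.GetAttribute($attr)
            }
            [pscustomobject]@{
                Behavior        = $behavior.GetAttribute('name')
                Setting         = $attr
                Value           = $value
                RecordsFailures = ($value -in @('Failure', 'SuccessOrFailure'))
            }
        }
    }
}

# Rows with RecordsFailures = False will miss failed attempts.
Test-WcfAuditConfig -Config $webConfig | Format-Table -AutoSize
```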
    

Step 3: Enable Logging and Tracing for Your WCF Service

In this step, you configure the WCF service to use Message Logging and Tracing.

Configure Logging

  1. In the Configuration Editor, select the Diagnostics node.

  2. In the right pane, click Enable MessageLogging.

    This will create ServiceModelMessageLoggingListener and System.ServiceModel.MessageLogging nodes under the Listeners and Sources folders, respectively.

  3. In the left pane, select MessageLogging under the Diagnostics node.

  4. Set the LogMessagesAtServiceLevel attribute to True by choosing this option from the drop-down list.

  5. In the left pane, select ServiceModelMessageLoggingListener under the Listeners node.

    Note the default value of the InitData attribute, which is set to c:\inetpub\wwwroot\WCFService\web_messages.svclog, the location where the message will be logged.

Configure Tracing

  1. In the Configuration Editor, select the Diagnostics node.

  2. In the right pane, click Enable Tracing.

    This will create ServiceModelTraceListener and System.ServiceModel nodes under the Listeners and Sources folders, respectively.

  3. In the left pane, select ServiceModelTraceListener under the Listeners node.

    Note the default value of the InitData attribute, which is set to c:\inetpub\wwwroot\WCFService\web_tracelog.svclog, the location where the trace message will be logged.

  4. In the Configuration Editor, on the File menu, click Save.

  5. In Visual Studio, verify your configuration. The configuration should look as follows:

    …
    <configuration>
    <system.diagnostics>
      <sources>
       <source name="System.ServiceModel.MessageLogging" switchValue="Warning, ActivityTracing">
        <listeners>
         <add type="System.Diagnostics.DefaultTraceListener" name="Default">
          <filter type="" />
         </add>
         <add name="ServiceModelMessageLoggingListener">
          <filter type="" />
         </add>
        </listeners>
       </source>
       <source name="System.ServiceModel" switchValue="Warning, ActivityTracing"
        propagateActivity="true">
        <listeners>
         <add type="System.Diagnostics.DefaultTraceListener" name="Default">
          <filter type="" />
         </add>
         <add name="ServiceModelTraceListener">
          <filter type="" />
         </add>
        </listeners>
       </source>
      </sources>
      <sharedListeners>
       <add initializeData="c:\inetpub\wwwroot\WCFService\web_messages.svclog"
        type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
        name="ServiceModelMessageLoggingListener" traceOutputOptions="Timestamp">
        <filter type="" />
       </add>
       <add initializeData="c:\inetpub\wwwroot\WCFService\web_tracelog.svclog"
        type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
        name="ServiceModelTraceListener" traceOutputOptions="Timestamp">
        <filter type="" />
       </add>
      </sharedListeners>
    </system.diagnostics>
    </configuration>
    …
    …
    <system.serviceModel>
      <diagnostics>
       <messageLogging logEntireMessage="false" logMalformedMessages="true"
        logMessagesAtServiceLevel="true" logMessagesAtTransportLevel="true" />
      </diagnostics>
    …
    

Note

Although enabling Logging and Tracing is not a mandatory step for auditing security events, it will provide detailed information about every activity in an event.

Step 4: Create a Windows Forms Test Client Application

In this step, you create a Windows Forms application to test the WCF service.

  1. Right-click your solution, click Add, and then click New Project.
  2. In the Add New Project dialog box, in the Templates section, select Windows Forms Application.
  3. In the Name field, type Test Client and then click OK.

Step 5: Add a WCF Service Reference to the Client

In this step, you add a reference to your WCF service.

  1. Right-click your client project and then click Add Web Reference.

  2. In the Add Web Reference dialog box, set the URL to your WCF service (e.g., https://localhost/WCFTestService/Service.svc), and then click Go.

  3. In the Web reference name field, change ServiceReference1 to WCFTestService.

  4. Click Add Reference.

    A reference to WCFTestService should now appear beneath Web References in your client project.

Step 6: Test the Client and WCF Service

In this step, you access the WCF service, pass the user credentials, and make sure that username authentication works.

  1. In your client project, drag a Button control onto your form.

  2. Double-click the Button control to show the underlying code.

  3. Create an instance of the proxy and call the GetData operation of your WCF service. The code should look as follows:

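    private void button1_Click(object sender, EventArgs e)
    {
        // Create the generated proxy, call GetData, and show the result.
        WCFTestService.ServiceClient myService = new WCFTestService.ServiceClient();
        MessageBox.Show(myService.GetData(123));

        // Close the proxy to release the underlying channel.
        myService.Close();
    }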
    
  4. Right-click the client project and then click Set as Startup Project.

  5. Run the client application by pressing F5 or Ctrl+F5. When you click the button on the form, the message “You entered: 123” should appear.

Step 7: Verify the Service Events in the Event Log

In this step, you verify the WCF service events in the application Event Log.

  1. On your Service host machine, click Start and then click Run.

  2. In the command line, type eventvwr and then click OK to open the Event Viewer window.

  3. In the left pane, select the Application node, which shows the list of application events in the right pane.

  4. In the list, search for Source ServiceModel Audit 3.0.0.0.

    You will find four event entries for your service, one with a ServiceAuthorization category and others with MessageAuthentication categories.

  5. Open the event with the ServiceAuthorization category. You will see the following message if your service authorizes a client:

    Service authorization succeeded.
    Service: <<service URI>>
    Action: http://tempuri.org/<<your service method info>>
    Client Identity: <<domain\user-id>>;
    …
    
  6. Similarly for the MessageAuthentication events, if your service authenticates a client, you will see the following message for Security Negotiation and Message Authentication events:

    Message authentication succeeded.
    Service: <<service URI>>
    Action: http://tempuri.org/<<your service method info>>
    Client Identity: <<domain\user-id>>;
    …
    
  7. If you enabled Logging and Tracing for your service (that is, you followed Step 3), you will see another event with the MessageLogging category in the application log:

    Message logging succeeded.
    Service: <<service URI>>
    Action: http://tempuri.org/<<your service method info>>
    Client Identity: <<domain\user-id>>;
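
The check in items 4 to 6 can also be scripted. The following added example (not part of the original article) parses audit messages in the layout shown above and counts failed checks per client identity. The sample messages, the "failed" wording, the action URI and the `CONTOSO` identities are constructed for illustration, `ConvertFrom-WcfAuditMessage` is a hypothetical helper name, and PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the original article); assumes PowerShell 3.0+.
# Constructed sample messages in the Step 7 layout. The "failed" wording and
# the CONTOSO identities are assumptions made for illustration.
$svc = 'https://localhost/WCFTestService/Service.svc'
$act = 'http://tempuri.org/IService/GetData'
$sampleMessages = @(
    "Message authentication succeeded.`nService: $svc`nAction: $act`nClient Identity: CONTOSO\alice;"
    "Service authorization succeeded.`nService: $svc`nAction: $act`nClient Identity: CONTOSO\alice;"
    "Message authentication failed.`nService: $svc`nAction: $act`nClient Identity: CONTOSO\carol;"
    "Message authentication failed.`nService: $svc`nAction: $act`nClient Identity: CONTOSO\carol;"
    "Service authorization failed.`nService: $svc`nAction: $act`nClient Identity: CONTOSO\bob;"
)

function ConvertFrom-WcfAuditMessage {
    param([Parameter(ValueFromPipeline = $true)][string]$Message)
    process {
        # First line: "<check> succeeded." or "<check> failed."
        $head = '(?m)^\s*(Service authorization|Message authentication|Message logging) (succeeded|failed)\.'
        if ($Message -match $head) {
            $record = [ordered]@{ Check = $Matches[1]; Outcome = $Matches[2] }
            foreach ($field in 'Service', 'Action', 'Client Identity') {
                # "Name: value" lines; the identity line ends with ';'.
                $pattern = '(?m)^\s*' + [regex]::Escape($field) + ':\s*(.*?);?\s*$'
                $name = $field -replace ' ', ''
                $record[$name] = [regex]::Match($Message, $pattern).Groups[1].Value
            }
            [pscustomobject]$record
        }
    }
}

$events = $sampleMessages | ConvertFrom-WcfAuditMessage

# On the service host, read the Application log instead (source name from Step 7):
#   $filter = @{ LogName = 'Application'; ProviderName = 'ServiceModel Audit 3.0.0.0' }
#   $events = Get-WinEvent -FilterHashtable $filter |
#       ForEach-Object { $_.Message } | ConvertFrom-WcfAuditMessage

# Failed checks per client identity, most frequent first.
$events | Where-Object { $_.Outcome -eq 'failed' } |
    Group-Object ClientIdentity, Check |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```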
    

Step 8: Trace the Log File Using the SvcTraceViewer

In this step, you verify the log file by using the Trace Viewer tool, SvcTraceViewer.exe, which enables you to view both the message log files and the trace files.

  1. On your Service host machine, go to C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin.

  2. Open the SvcTraceViewer.exe tool.

  3. On the tool's menu, click File, click Open, and then browse to the location of the message log file.

    The right pane shows the various activities that take place during a host's life cycle. You can step through the activity messages by pressing F10 and F11.

Additional Resources