Auditing and Logging

patterns & practices Developer Center

  • How to: Audit Security Events
  • How to: Enable WCF Message Logging
  • How to: Enable WCF Tracing
  • How to: Use Health Monitoring in WCF
  • How to: Filter Sensitive Data from Your Logs
  • How to: View Log Information
  • How to: View Trace Information
  • How to: Log Traces to a WMI Provider
  • How to: Turn Off Audit Failure Suppression

How to: Audit Security Events

You can use the auditing feature in WCF to audit security events such as authentication and authorization failures. WCF service auditing can allow you to detect an attack that has occurred or is in progress. In addition, auditing can help you debug security-related problems. For example, if an error in the configuration of the authorization or checking policy accidentally denies access to an authorized user, you can discover and isolate the cause of this error by examining the auditing events in the event log.

Perform the following steps to enable auditing of authentication and authorization for your WCF service:

  1. Open the web.config file of the WCF service by using the Configuration Editor tool (SvcConfigEditor.exe).

  2. In the Configuration Editor, navigate to the Advanced node.

  3. Select the Behavior: ServiceBehavior section and add a new service behavior extension element.

  4. In the Adding Behavior Element Extension Sections dialog box, select serviceSecurityAudit and then click Add.

  5. In the Configuration section, under Service Behaviors, select the serviceSecurityAudit option.

  6. Set the MessageAuthenticationAuditLevel attribute to SuccessOrFailure by choosing this option from the drop-down list.

  7. Set the ServiceAuthorizationAuditLevel attribute to SuccessOrFailure by choosing this option from the drop-down list.

  8. In the Configuration Editor, on the File menu, click Save.

  9. In Microsoft Visual Studio, verify your configuration. The configuration should look as follows.

    …
    <behaviors>
      <serviceBehaviors>
        <behavior name="ServiceBehavior">
          <serviceMetadata httpGetEnabled="true" />
          <serviceDebug includeExceptionDetailInFaults="false" />
          <serviceSecurityAudit messageAuthenticationAuditLevel="SuccessOrFailure"
                                serviceAuthorizationAuditLevel="SuccessOrFailure" />
        </behavior>
      </serviceBehaviors>
    </behaviors>
    …
    

Additional Resources

How to: Enable WCF Message Logging

You can enable message logging to log the messages processed by your service. Message logging can be used to diagnose your applications and analyze the root cause of problems. Message logging is not turned on by default; turn it on by setting attributes on the <messageLogging> element in your configuration file and then add a trace listener to log the events to a file.

Perform the following steps to enable WCF message logging:

  1. Open the web.config file of the WCF service by using the Configuration Editor tool (SvcConfigEditor.exe).

  2. In the Configuration Editor, navigate to the Diagnostics node and then click the Enable Message Logging link.

    This enables message logging for your service and also creates a listener (ServiceModelMessageLoggingListener) and a source (System.ServiceModel.MessageLogging) under the Listeners and Sources folders, respectively.

Configuring Message Logging Levels

You can configure message logging levels at both the service and transport levels. Perform the following steps to configure the message logging levels:

  1. In the left pane of the Configuration editor, select MessageLogging under the Diagnostics node.

  2. Set the LogMessagesAtServiceLevel attribute to True by choosing this option from the drop-down list.

    The LogMessagesAtTransportLevel attribute is True by default.

Determining Where Messages Will Be Logged

Perform the following step to determine where the messages will be logged:

  • Select ServiceModelMessageLoggingListener under the Listeners node and note the value of the InitData attribute. The default location where messages are logged is c:\inetpub\wwwroot\WCFService\web_messages.svclog.

    The configuration file should look as follows:

        <system.diagnostics>
            <sources>
                <source name="System.ServiceModel.MessageLogging" switchValue="Warning, ActivityTracing">
                    <listeners>
                        <add type="System.Diagnostics.DefaultTraceListener" name="Default">
                            <filter type="" />
                        </add>
                        <add name="ServiceModelMessageLoggingListener">
                            <filter type="" />
                        </add>
                    </listeners>
                </source>
            </sources>
            <sharedListeners>
                <add initializeData="c:\inetpub\wwwroot\auditingwcf\web_messages.svclog"
                     type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                     name="ServiceModelMessageLoggingListener" traceOutputOptions="Timestamp">
                    <filter type="" />
                </add>
            </sharedListeners>
        </system.diagnostics>

        <system.serviceModel>
            <diagnostics>
                <messageLogging logMalformedMessages="true" logMessagesAtServiceLevel="true"
                                logMessagesAtTransportLevel="true" />
            </diagnostics>
            …
        </system.serviceModel>
    

Additional Resources

How to: Enable WCF Tracing

Use WCF tracing to help debug your WCF service by logging all operations on your service.

Enabling Tracing

Perform the following steps to enable tracing:

  1. Open the web.config file of the WCF service by using the Configuration Editor tool (SvcConfigEditor.exe).

  2. In the Configuration Editor, navigate to the Diagnostics node and then click the Enable Tracing link.

    This enables tracing of your WCF service and also creates a listener (ServiceModelTraceListener) and a source (System.ServiceModel) under the Listeners and Sources folders, respectively.

Determining Where Traces Will Be Written

Perform the following step to determine where the traces will be written:

  • Select ServiceModelTraceListener under the Listeners node and note the value of the InitData attribute. The default location where trace messages are written is c:\inetpub\wwwroot\auditingwcf\web_tracelog.svclog.

    The configuration file should look as follows:

        <system.diagnostics>
            <sources>
                <source name="System.ServiceModel"
                        switchValue="Warning, ActivityTracing"
                        propagateActivity="true">
                    <listeners>
                        <add type="System.Diagnostics.DefaultTraceListener"
                             name="Default">
                            <filter type="" />
                        </add>
                        <add name="ServiceModelTraceListener">
                            <filter type="" />
                        </add>
                    </listeners>
                </source>
            </sources>
            <sharedListeners>
                <add initializeData="c:\inetpub\wwwroot\auditingwcf\web_tracelog.svclog"
                     type="System.Diagnostics.XmlWriterTraceListener, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
                     name="ServiceModelTraceListener"
                     traceOutputOptions="Timestamp">
                    <filter type="" />
                </add>
            </sharedListeners>
        </system.diagnostics>
    

Additional Resources

How to: Use Health Monitoring in WCF

You can use the health monitoring feature in WCF to log custom events in your service based on business logic. You can use health monitoring to instrument your application and monitor user-management events around authentication and authorization. This instrumentation can help you to detect and react to potentially suspicious behavior. It also enables you to gather data on operations; for example, to track who is accessing your application and when user account passwords need to be reset.

Perform the following high-level steps to configure your WCF service to use health monitoring:

  1. Create a custom health monitoring event.
  2. Configure your WCF service for health monitoring.
  3. Instrument your application to raise a custom event.

Each of these steps is detailed below.

  1. Create a custom health monitoring event.

    Create a custom user management Web event by first creating a class library and then creating a class that inherits from WebAuditEvent, as follows:

    using System.Web.Management;

    // The namespace and assembly name must match the eventMappings entry in
    // web.config ("MyEventLibrary.MyEvent, MyEventLibrary").
    namespace MyEventLibrary
    {
        public class MyEvent : WebAuditEvent
        {
            public MyEvent(string msg, object eventSource, int eventCode)
                : base(msg, eventSource, eventCode)
            {
            }

            public MyEvent(string msg, object eventSource, int eventCode,
                           int eventDetailCode)
                : base(msg, eventSource, eventCode, eventDetailCode)
            {
            }

            public override void FormatCustomEventDetails(WebEventFormatter formatter)
            {
                base.FormatCustomEventDetails(formatter);

                // Display some custom event message
                formatter.AppendLine("Some Critical Event Fired");
            }
        }
    }
    
  2. Configure your WCF Service for health monitoring.

    Add a health monitoring element to your configuration file as follows:

    …
    <system.web>
      <healthMonitoring>
        <eventMappings>
          <add name="Some Custom Event"
               type="MyEventLibrary.MyEvent, MyEventLibrary"/>
        </eventMappings>
        <rules>
          <add name="Custom event"
               eventName="Some Custom Event"
               provider="EventLogProvider"
               minInterval="00:00:01"/>
        </rules>
      </healthMonitoring>
    </system.web>
    …
    
  3. Instrument your application to raise a custom event.

    Instrument the WCF service by raising the custom event in a service contract as follows.

    // In the service contract interface:
    [OperationContract]
    string InvokeCriticalEvent();

    // In the service implementation:
    public string InvokeCriticalEvent()
    {
        // Event codes for custom events start at WebExtendedBase.
        MyEvent obj = new MyEvent("Invoking Some Custom Event",
                                  this, WebEventCodes.WebExtendedBase + 1);
        obj.Raise();
        return "Critical event invoked";
    }
    

After completing these steps, you can verify that the custom events are in the system event log after calling the service method from a test client.

Additional Resources

How to: Filter Sensitive Data from Your Logs

You can use message filters to log messages that match the filter criteria. For example, you could use a message filter to remove personally identifiable information (PII) before it can get into log files.

Filters support the full XPath syntax. The following code shows how to configure a filter that records only messages that have a Simple Object Access Protocol (SOAP) header section:

<messageLogging logEntireMessage="true"
    logMalformedMessages="true"
    logMessagesAtServiceLevel="true"
    logMessagesAtTransportLevel="true"
    maxMessagesToLog="420">
    <filters>
        <add nodeQuota="10"
             xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
                 /soap:Envelope/soap:Header
        </add>
    </filters>
</messageLogging>

Filters provide a safety feature using the nodeQuota attribute, which limits the maximum number of nodes in the XPath Document Object Model (DOM) that can be examined to match the filter.

Additional Resources

How to: View Log Information

You can use the SvcTraceViewer.exe utility to view both message log files and trace files. You can find this tool at <Drive Name>:\Program Files\Microsoft SDKs\Windows\v6.0\Bin.

This tool gives you a comprehensive analysis of the step-by-step process of the WCF service, showing each interaction with the WCF run time and the clients. It shows the object activities, messages, and all errors that occurred during the host's lifetime. It also provides you a graphical view of the log or trace data.
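SvcTraceViewer.exe is interactive; when a log must be checked without it (for example, to confirm that the message filter from the previous section really kept PII out of web_messages.svclog), the records can be read directly. The following Python script is an added example and not part of the original guidance: it assumes the XmlWriterTraceListener layout (one E2ETraceEvent per record, no root element) and a constructed two-message log, and the SENSITIVE_NAMES list is an assumption for this example.

```python
import xml.etree.ElementTree as ET
NS_TRACE = "http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace"
NS_SOAP = "http://www.w3.org/2003/05/soap-envelope"
NS_WSA = "http://www.w3.org/2005/08/addressing"
# Element names that must never reach a log file (assumed list for this example).
SENSITIVE_NAMES = {"Password", "CreditCardNumber", "SocialSecurityNumber"}

# Constructed stand-in for web_messages.svclog. XmlWriterTraceListener writes one
# <E2ETraceEvent> per logged message and no enclosing root element.
EVENT_TEMPLATE = (
    '<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">'
    '<System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">'
    '<EventID>262163</EventID><Source Name="System.ServiceModel.MessageLogging" /></System>'
    '<ApplicationData><TraceData><DataItem><MessageLogTraceRecord Time="{time}" '
    'Source="ServiceLevelReceiveRequest" xmlns="http://schemas.microsoft.com/2004/06/ServiceModel/Management/MessageTrace">'
    '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header>'
    '<Action xmlns="http://www.w3.org/2005/08/addressing">{action}</Action></s:Header>'
    '<s:Body>{body}</s:Body></s:Envelope></MessageLogTraceRecord>'
    '</DataItem></TraceData></ApplicationData></E2ETraceEvent>\n'
)
SAMPLE_SVCLOG = EVENT_TEMPLATE.format(
    time="2009-01-01T10:00:00Z", action="http://tempuri.org/IBank/GetBalance",
    body='<GetBalance xmlns="http://tempuri.org/"><AccountId>12345</AccountId></GetBalance>',
) + EVENT_TEMPLATE.format(
    time="2009-01-01T10:00:05Z", action="http://tempuri.org/IBank/Pay",
    body='<Pay xmlns="http://tempuri.org/"><CreditCardNumber>4111111111111111'
         '</CreditCardNumber><Amount>10</Amount></Pay>',
)

def parse_svclog(text):
    """Wrap the root-less .svclog content in a synthetic root and return its <E2ETraceEvent> elements."""
    return list(ET.fromstring("<root>" + text + "</root>"))

def scan_messages(text, sensitive=SENSITIVE_NAMES):
    """One summary per logged message (time, log source, WS-Addressing action)
    plus the names of any sensitive elements found anywhere in its envelope.
    A non-empty list means the messageLogging filter let PII through."""
    findings = []
    for event in parse_svclog(text):
        for record in event.iter("{%s}MessageLogTraceRecord" % NS_TRACE):
            envelope = record.find("{%s}Envelope" % NS_SOAP)
            if envelope is None:
                continue  # e.g. a malformed-message record with no SOAP envelope
            action = envelope.find(".//{%s}Action" % NS_WSA)
            names = {e.tag.rsplit("}", 1)[-1] for e in envelope.iter()}  # local names
            findings.append({"time": record.get("Time"), "source": record.get("Source"),
                             "action": action.text if action is not None else None,
                             "sensitive": sorted(names & set(sensitive))})
    return findings
```

For a real log, read the .svclog file as UTF-8 text and pass its content to scan_messages; any record with a non-empty "sensitive" list shows that the filter needs tightening and that the log file itself now has to be protected.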

Additional Resources

How to: View Trace Information

Perform the following steps to view trace information:

  1. Enable tracing by adding configuration information to the application web.config or app.config file; for example:

    <system.diagnostics>
        <trace autoflush="true" />
        <sources>
            <source name="System.ServiceModel"
                    switchValue="Information, ActivityTracing"
                    propagateActivity="true">
                <listeners>
                    <add name="sdt"
                         type="System.Diagnostics.XmlWriterTraceListener"
                         initializeData="WCFTraceLog.svclog" />
                </listeners>
            </source>
        </sources>
    </system.diagnostics>
    
  2. Navigate to the SvcTraceViewer.exe installation location (C:\Program Files\Microsoft SDKs\Windows\v6.0\Bin) and run SvcTraceViewer.exe.

  3. On the File menu, click Open and then navigate to the location where your trace files are stored.

  4. Double-click the trace log file to open it.

Additional Resources

How to: Log Traces to a WMI Provider

Perform the following steps to enable a Windows Management Instrumentation (WMI) provider for your service:

  1. Open the web.config file of the WCF service by using the Configuration Editor tool (SvcConfigEditor.exe).

  2. In the Configuration Editor, navigate to the Diagnostics node and then click the Enable WMI Provider link. The configuration file should look as follows.

      <system.serviceModel>
        <diagnostics wmiProviderEnabled="true">
        ...
        </diagnostics>
        ...
      </system.serviceModel>
    
  3. To view the WMI trace information, you need to install WMI CIM Studio so that you can view the WMI interactions. WMI CIM Studio is a Microsoft ActiveX component that plugs into Microsoft Internet Explorer. You can get this as a free download available from Microsoft.

Additional Resources

How to: Turn Off Audit Failure Suppression

By default, the SuppressAuditFailure property is set to true, so WCF ignores audit failures and allows the service to continue running. Setting this property to false turns off audit failure suppression, so an exception is thrown when an auditing failure occurs.

Perform the following step to turn off audit failure suppression:

  • Set the suppressAuditFailure property to false as follows:

    <configuration>
      <system.serviceModel>
        <behaviors>
          <behavior>
            <serviceSecurityAudit
                      auditLogLocation="Application"
                      suppressAuditFailure="false"
                      serviceAuthorizationAuditLevel="Failure"
                      messageAuthenticationAuditLevel="SuccessOrFailure" /> 
          </behavior>
        </behaviors>
      </system.serviceModel>
    </configuration>
    

Additional Resources