<serviceSecurityAudit>
Specifies settings that enable auditing of security events during service operations.
Schema Hierarchy
<system.serviceModel>
<behaviors>
<serviceBehaviors>
<behavior> of <serviceBehaviors>
<serviceSecurityAudit>
Syntax
<serviceSecurityAudit
  auditLogLocation="Default/Application/Security"
  messageAuthenticationAuditLevel="None/Success/Failure/SuccessAndFailure"
  serviceAuthorizationAuditLevel="None/Success/Failure/SuccessAndFailure"
  suppressAuditFailure="Boolean"
/>
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes
Attribute | Description |
---|---|
auditLogLocation | Specifies the location of the audit log. Valid values are Default, Application, and Security. The default value is Default. For more information, see AuditLogLocation. |
suppressAuditFailure | A Boolean value that specifies whether failures to write to the audit log are suppressed. Applications should normally be notified of failures to write to the audit log; if your application is not designed to handle audit failures, use this attribute to suppress them. If this attribute is true, exceptions that result from attempts to write audit events are handled by the system and are not propagated to the application, except for OutOfMemoryException, StackOverflowException, ThreadAbortException, and ArgumentException. If this attribute is false, all exceptions that result from attempts to write audit events are passed up to the application. The default is true. |
serviceAuthorizationAuditLevel | Specifies the types of authorization events that are recorded in the audit log. Valid values are None, Success, Failure, and SuccessAndFailure. The default value is None. For more information, see AuditLevel. |
messageAuthenticationAuditLevel | Specifies the types of message authentication audit events that are logged. Valid values are None, Success, Failure, and SuccessAndFailure. The default value is None. For more information, see AuditLevel. |
Child Elements
None.
Parent Elements
Element | Description |
---|---|
<behavior> of <serviceBehaviors> | Specifies a behavior element. |
Remarks
This configuration element is used to audit Windows Communication Foundation (WCF) authentication events. When auditing is enabled, successful authentication attempts, failed attempts, or both can be audited. The events are written to one of three event logs: the Application log, the Security log, or the default log for the operating system version. All of these logs can be viewed with the Windows Event Viewer.
For a detailed example of using this configuration element, see Service Auditing Behavior.
By default, on Windows XP the audit events appear in the Application log, while on Windows Server 2003 and Windows Vista they appear in the Security log. The location of audit events can be chosen explicitly by setting the auditLogLocation attribute to 'Application' or 'Security'. For more information, see How To: Audit Security Events. If the events are written to the Security log, the Local Security Policy setting "Enable Object Access" must be set for both "Success" and "Failure", otherwise nothing is recorded there.
When viewing the event log, the source of the audit events is "ServiceModel Audit 3.0.0.0". Message authentication audit records have the category "MessageAuthentication", while service authorization audit records have the category "ServiceAuthorization".
Message authentication audit events cover whether the message was tampered with, whether the message has expired, and whether the client can authenticate to the service. Each record states whether authentication succeeded or failed, the identity of the client, the endpoint the message was sent to, and the action associated with the message.
Service authorization audit events cover the authorization decision made by a service authorization manager. Each record states whether authorization succeeded or failed, the identity of the client, the endpoint the message was sent to, the action associated with the message, the identifier of the authorization context generated from the incoming message, and the type of the authorization manager that made the access decision.
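The source and category names above are what you filter on when reading the log back. The following program is an added example, not code from the original page or from WCF itself: it reads a Windows event log with System.Diagnostics.EventLog, keeps only records from the "ServiceModel Audit 3.0.0.0" source, counts success and failure audits per category, and prints the most recent failures (the entry text carries the client identity, endpoint and action described above). The log name passed on the command line is assumed to match your auditLogLocation setting; reading the Security log requires an elevated process.

```csharp
// Added example (not part of the original page or of WCF): summarize WCF
// security audit records from a Windows event log.
// Assumes a reference to System.dll; reading "Security" needs elevation.
using System;
using System.Diagnostics;
using System.Linq;

static class WcfAuditReader
{
    // Event source used by WCF audit records, as documented above.
    const string AuditSource = "ServiceModel Audit 3.0.0.0";

    static void Main(string[] args)
    {
        // "Application" or "Security", matching auditLogLocation.
        string logName = args.Length > 0 ? args[0] : "Application";

        using (var log = new EventLog(logName))
        {
            var audits = log.Entries.Cast<EventLogEntry>()
                                    .Where(e => e.Source == AuditSource)
                                    .ToList();

            // Category is "MessageAuthentication" or "ServiceAuthorization".
            foreach (var group in audits.GroupBy(e => e.Category))
            {
                int successes = group.Count(e => e.EntryType == EventLogEntryType.SuccessAudit);
                int failures  = group.Count(e => e.EntryType == EventLogEntryType.FailureAudit);
                Console.WriteLine($"{group.Key}: {successes} success audit(s), {failures} failure audit(s)");
            }

            // Most recent failures first: these are the records worth alerting on.
            foreach (var e in audits.Where(e => e.EntryType == EventLogEntryType.FailureAudit)
                                    .OrderByDescending(e => e.TimeGenerated)
                                    .Take(10))
            {
                Console.WriteLine($"{e.TimeGenerated:u} [{e.Category}] {e.Message}");
            }
        }
    }
}
```

Run it as `WcfAuditReader.exe Application` (or `Security`). Because the audit level defaults to None, an empty result usually means auditing was never enabled on the service rather than that no authentication failures occurred; confirm the serviceSecurityAudit element is present before drawing conclusions.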
Example
<system.serviceModel>
  <behaviors>
    <serviceBehaviors>
      <behavior name="NewBehavior">
        <serviceSecurityAudit auditLogLocation="Application"
                              suppressAuditFailure="true"
                              serviceAuthorizationAuditLevel="Success"
                              messageAuthenticationAuditLevel="Success" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
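The same settings can be applied in code through the ServiceSecurityAuditBehavior class listed under See Also. The following is an added example, not code from the original page or from WCF: it looks up an existing ServiceSecurityAuditBehavior on the host (adding one if the configuration file did not supply it), sets the same four values as the configuration element above, and then opens the host. CalculatorService, ICalculator and the base address are placeholders invented for the example.

```csharp
// Added example (not part of the original page or of WCF): configuring
// service security auditing programmatically. The service contract and
// address below are placeholders.
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    int Add(int a, int b);
}

public class CalculatorService : ICalculator
{
    public int Add(int a, int b) => a + b;
}

static class Program
{
    static void Main()
    {
        var host = new ServiceHost(typeof(CalculatorService),
                                   new Uri("http://localhost:8000/audit-demo")); // placeholder address

        // Reuse a behavior supplied by app.config, or add one if none is present.
        var audit = host.Description.Behaviors.Find<ServiceSecurityAuditBehavior>();
        if (audit == null)
        {
            audit = new ServiceSecurityAuditBehavior();
            host.Description.Behaviors.Add(audit);
        }

        // Equivalent of the <serviceSecurityAudit> element in the example above.
        audit.AuditLogLocation = AuditLogLocation.Application;
        audit.SuppressAuditFailure = true;   // false would surface audit-write exceptions to the service
        audit.ServiceAuthorizationAuditLevel = AuditLevel.Success;
        audit.MessageAuthenticationAuditLevel = AuditLevel.Success;

        // Behaviors must be in place before the host is opened.
        host.Open();
        Console.WriteLine("Service running with security auditing enabled. Press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

Setting the properties after host.Open() has no effect, which is why the behavior is adjusted first; an auditing configuration that is silently ignored looks identical, from the event log, to one that was never enabled.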
See Also
Reference
ServiceSecurityAuditElement
ServiceSecurityAuditBehavior
Other Resources
Security Behaviors in WCF
Auditing Security Events
How To: Audit Security Events
Service Auditing Behavior