Alik Levin's : Auditing and Logging

Examining WCF Diagnostic Traces Using Service Trace Viewer Tool (SvcTraceViewer.exe)

alikl — Tue, 23 Oct 2007 16:52:57 GMT

Service Trace Viewer Tool (SvcTraceViewer.exe) tool comes with Microsoft® Windows® Software Development Kit for Windows Vista™ and .NET Framework 3.0 Runtime Components. It allows to view WCF diagnostics traces in very convenient way. "Using Service Trace Viewer for Viewing Correlated Traces and Troubleshooting" article explains how.

Specifically I used it for two scenarios

Troubleshooting when implementing Message Security with a Windows Client without Credential Negotiation. Using SvcTraceViewer.exe I spotted the following error message: "The security timestamp is invalid because its creation time ('9/19/2007 5:43:39 PM') is in the future. Current time is '9/19/2007 8:43:42 AM' and allowed clock skew is '00:05:00'." I immediately understood that machines clocks are out of sync - which is super important for Kerberos to work properly.
Examining message sizes with different protection mechanisms and levels. I needed to understand the impact of data protection mechanisms on general performance. See How Message and Transport Security compare.

Related posts

WCF Security In Intranet Scenario : Thoughts On Cons and Pros

Use Sysinternals DebugView To Diagnose The Application

alikl — Mon, 16 Jul 2007 18:42:00 GMT

"Unspecified error", "Catastrophic failure", "Object reference not set to an instance of an object" and other "self explanatory" errors promise no easy debugging. Good instrumentation of the application to the rescue! The techniques described in the paper explores on very often overlooked healthmonitoring feature of ASP.NET 2.0. It supports few providers - mechanisms that collect and log the events emitted by the application:

SimpleMailWebEventProvider. This provider sends e-mail for event notifications.
TemplatedMailWebEventProvider. This provider uses templates to define and format e-mail messages sent for event notifications.
SqlWebEventProvider. This provider logs event details to a SQL Server database. If you use this provider, you should encrypt the connection string in your Web.config file by using the Aspnet_regiis.exe tool.
EventLogWebEventProvider. This provider logs events to the Windows application event log.
TraceWebEventProvider. This provider logs events as ASP.NET trace messages.
WmiWebEventProvider. This provider maps ASP.NET health monitoring events to Windows Management Instrumentation (WMI) events.

Nothing is to log into file or to show interactively though.

Here is another way for quick and dirty understanding what happened in the app (assuming instrumentation is in place). Instrumentation mechanism is my old friend System.Diagnostics.Debug.WriteLine(string message). This command emits messages to OutputDebugString. The best tool that collects and shows the messages that I found so far is Sysinternal's Debugview.

The following code:

    protected void Page_Load(object sender, EventArgs e)
    {
        Trace.WriteLine("Loading the page");

}

Would interactively look like this:

DebugView also offers logging the events into file - very handy.

While healthmonitoring is great to log stuff for later analyzing, tracing with DebugView is great for interactive debugging. I can think of some wrapper class that is used by the application to log the messages, and the implementation uses both healthmonitoring custom events and Debug.WriteLine. Both then rely on the web.config stuff.

Enjoy and happy debugging, tracing, instrumentation, and other veggies.

ASP.NET Health Monitoring Means Logging And Auditing

alikl — Wed, 02 May 2007 21:35:00 GMT

I constantly keep seeing ASP.NET developers using log4net for logging and auditing their Web apps. While I have nothing against log4net - it is great stuff I presume though never used it - it is pretty funny to me to get why people do not use built-in ASP.NET 2.0 Health Monitoring. I started to ask - turns out people are just not aware of it...

Our logging story with ASP.NET 1.1 was pretty bad although with small effort one could do very cool things with TraceListener.

I think it was mistake calling it Health Monitoring since folks miss it - no one looks for Health Monitoring but logging or may be auditing.

So here is detailed how-to for ASP.NET 2.0 Auditing and Logging, ...ehm ...Health Monitoring:

How To: Use Health Monitoring in ASP.NET 2.0

How To: Instrument ASP.NET 2.0 Applications for Security

For those who still on ASP.NET 1.1 similar pluggable design can be achieved by implementing Custom TraceListener. Then registering it with web.config. In order to send error message to it one uses standard System.Diagnostics.Trace.WriteLine(message);

Here is custom TraceListener:

namespace DeepDive2004
{

public class CustomListener : TextWriterTraceListener
{
public CustomListener() : base()
{
}

public CustomListener(string initData)
{

}

public override void Write(string message)
{
//ACTUAL CODE TO SEND MESSAGES TO SOME STORE, SAY WEB SERVICE
base.Write (message);
}
public override void WriteLine(string message)
{
//ACTUAL CODE TO SEND MESSAGES TO SOME STORE, , SAY WEB SERVICE
base.WriteLine (message);
}

}

}

and here is web.config configuration:

<system.diagnostics>
<trace autoflush="true" indentsize="0">
<listeners>
<add name="MyCustomListener"
type="DeepDive2004.CustomListener, DeepDive2004"
initializeData="http://MyWebService"/>
</listeners>
</trace>
</system.diagnostics>

Those who is interested in using log4net I suggest reading Mitch's excellent post log4net: .NET Logging Tool

Ed. - After posting this one I've jsut noticed your personal approach to my question here Logging and ASP.NET Health Monitoring.

Mitch, you rock, man!

Enjoy

File Access Auditing - I Am Not Afraid Of GPO

alikl — Mon, 02 Apr 2007 00:45:00 GMT

Security logging and auditing mitigates repudiation threat (the "R" in STRIDE, see also Auditing and Logging threats). The lesser coding the better security. Here is the no coding auditing for file access using Group Policy

From http://support.microsoft.com/kb/324739

Create a Group Policy Object

To create a Group Policy object (GPO) that you can use to turn on auditing in a domain, follow these steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Right-click your domain, and then click Properties.

3. Click the Group Policy tab, and then click New.

4. Type the name that you want to use for this policy (for example, Enable auditing policy), and then press ENTER.

5. Click Properties, and then click the Security tab.

6. Click to clear the Allow check box next to Apply Group Policy for the security groups that you want to prevent from having this policy applied.

7. Click to select the Allow check box next to Apply Group Policy for the groups to which you want to apply this policy, and then click OK.

8. Click OK, click OK again, and then quit Active Directory Users and Computers.

Turn On Auditing on a Domain Controller

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Right-click your domain, and then click Properties.

3. Click the Group Policy tab, click the Group Policy object that you want to use, and then click Edit.

4. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Audit Policy.

5. In the right pane, double-click Audit object access.

6. Click to select the Define these policy settings check box, click to select the Success check box, click to select the Failure check box, and then click OK.

Define auditing on actual file:

Test auditing by accessing the file, say double clicking it, then open Event Viewer.

Similar entry should be there:

Enjoy