Question

Audit Trail Logon Event Missing?

asked on August 25, 2022

We are investigating an unexpected change to the WFUSER$ password. This user is not directly audited; however, in order to set the password for this user, you must authenticate with a normal user.

However, I just authenticated and changed the password with the Admin account, and that login does not show.

Do logins done through Workflow Administration Console avoid auditing?

I see other logins of windows users before and after my login with Admin, but no mention of the Admin login.

0 0

Answer

SELECTED ANSWER
replied on August 26, 2022

Did you check audit events settings for the "admin" user in the Laserfiche Admin Console? It sounds like that user's logins are not audited.

Yes, the service log is in UTC time (so Pacific time +7 hours right now for me in California). The log on the current server would, obviously, have only actions that happen on this Workflow server.

0 0

Replies

replied on August 25, 2022

No, the server audits all events specified for the user regardless of the application. Are you auditing logins for the user you specified when prompted for login in the Workflow Admin Console? (Pedantic aside: the user is not a "normal user", it needs to have Manage Trustees privilege in order to allow WF to set the password for WFUser$)

The most likely cause for an unexpected change of password for WFUser$ is that a second WF Subscriber was configured to monitor the repository and reset the password. Other ways to change the user's password, like SDK scripts or direct SQL edits, are a lot less likely. If that second subscriber is still connected (unlikely, because you changed the password already), you may be able to see it from the session listed in the Laserfiche Admin Console and see which machine it's coming from. Then on that machine, Workflow's service.log (in the install folder under Logs) will tell you who did it. There should be a line in it saying something like "user so and so configured repository X"; just search for the repository name.

3 0
replied on August 26, 2022

I was running audit reports on logins for the day, with no filters by user, but "Admin" is not listed as having ever logged in.

I assume this service.log is in some sort of universal time, since it says all this happened in the middle of the night while the change was made in the afternoon.

It says the repository was registered by and shows my Windows account, which I was logged into the server with, but not the credentials I used to register the repository (Admin).

I found another registration done on the 22nd but I confirmed this was done on the same server by the one who did the registration, not from another server. So we are still trying to find this mystery second WF server that registered and changed the password sometime this week.

0 0
replied on August 26, 2022

Oh I see what you mean, they had auditing turned off for everyone including Admin. I enabled all events on Admin since that would be important and Entry and Account events for Everyone.

I see, this log would not show anything regarding the other server that changed the password. Only the audit log would show it, but now it is too late since it was disabled.

0 0
replied on August 26, 2022

Correct.

Depending on what network/software inventory tools you or your customer have, you may be able to identify where the other Workflow server is installed that way.

Or you can try searching for all login events where the application name contains "Workflow" and maybe they logged in as a user that you were auditing at the time.

0 0