Discussion

Audit Trail Export via Powershell Failing: Access Denied

posted on January 16

We are trying to export the contents of an audit trail log (V11 and V12) using the Powershell script referenced in the documentation:

Laserfiche Audit Trail 11 Frequently Asked Questions (FAQ) - Knowledge Base

(Thanks Joshua)

The script has a parameter for a username or password, and will use the current Windows credentials if this parameter is not filled in.

The user account we are using is a local administrator and also the admin of the Laserfiche system, and can run all reports natively in the AT Reporter.  In spite of that, the script consistently throws an access denied error.  This does not seem to be Windows permissions. We have run Powershell as an Administrator and not, and that makes no difference.

 

What is interesting is that the error is a write error, which would imply that the problem is not in reading the report, but in writing the csv. We even created a file with the name of our output file, but that did not change the results.  Here is the error detail:

 

    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException

    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Export-AuditReport.ps1

 

And the PS Command we are using:

    $password = "XYZ" | ConvertTo-SecureString -asPlainText -Force

    .\Export-AuditReport.ps1 -BaseUrl "https://audit.example.com/AuditTrail" -Repository MyRepo -ReportId 3J29wOW6GEm_kLqOle1idg -ExportFile C:\temp\savedReport.csv -Username example.com\service-user -Password $Password


We went back to check the parameters a bunch of times, because it's often something stupid that gets you.  So, LF Folks, has anyone run this successfully?

 

Edit: The real error was an earlier one, which I did not include originally: "Export failed, check if you have appropriate right to run the audit report and the report id is correct"

Turns out the script will always add the write error at the end if anything goes wrong.

0 0
replied on January 23

Follow Up: 

I did end up opening a case, and with Alex H's help, resolved the issue.  For anyone going down this rat hole, here are some tips:

--Read the FAQ carefully, especially the notes about the application pool identity and its permissions.

--The script syntax must be followed exactly. Here is an example:

    .\Export-AuditReport.ps1 -BaseUrl "https://Development2.IPDigital.local/AuditTrail" -Repository "THECB(Development2.IPDigital.local)" -ReportId "nqo8zqorZUaRm1PyHH2ruw" -ExportFile "Test.csv"

For the above, BaseURL is not actually necessary, but the -Repository value must be formatted exactly this way, Repo(Server), all in quotes. -ReportID must be in quotes. -ExportFile I never got to work with a path + file name, just a file name.

The .\ at the beginning of the command line means the cursor was moved to the directory with the PS script, by default, E:\Program Files\Laserfiche\Audit Trail\Samples\.

To run this using the full path (or as a scheduled task) you need to do two things:

1) Run the command, Set-ExecutionPolicy RemoteSigned. This creates a permanent change to PS permissions, and is not session specific.

2) Use this format:  & "E:\Program Files\Laserfiche\Audit Trail\Samples\Export-AuditReport.ps1"  Yes, that ampersand has to be in front.

By default, the output path is [Installation Drive]:\Program Files\Laserfiche\Audit Trail\WebAuditReport. This is problematic due to the extra restrictions on anything in Program Files. You will want to move this somewhere more neutral.

This can be changed by editing the web.config file, also located at [Installation Drive]:\Program Files\Laserfiche\Audit Trail\WebAuditReport.  Edit this key:  <add key="ExportFolder" value="E:\Install\Test" />

To grant the app pool identity permissions to write the file, you may have to go to the folder, Properties, Security, Advanced. App pool identity is not viewed as a user account and you have to dig for it in there.

4 0
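
An added example, not part of the original post or the Laserfiche script: one way to apply the setup points above with narrower scope, granting the app pool identity Modify on the export folder only and registering the scheduled task with a process-scoped execution policy and no password on the command line. The folder, task name, run-as account, repository string and report id are sample values; `IIS AppPool\AuditTrailAppPool` is the identity named in the script's help text.

```powershell
# Added example. Folder, task name, repository and report id are sample values.
$exportFolder = 'E:\Install\Test'                  # the ExportFolder value set in web.config
$appPool      = 'IIS AppPool\AuditTrailAppPool'    # identity named in the script's help text
$script       = 'E:\Program Files\Laserfiche\Audit Trail\Samples\Export-AuditReport.ps1'

# Grant Modify on the export folder only, inherited by its files and subfolders.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $appPool, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -LiteralPath $exportFolder
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $exportFolder -AclObject $acl

# -ExecutionPolicy on powershell.exe applies to this one process; the machine-wide
# policy is left unchanged. No -Username/-Password is passed: the script then uses
# the Windows credentials of the account the task runs as.
$values    = $script, 'MyRepo(server.example.com)', 'REPORT_ID_PLACEHOLDER', 'Test.csv'
$arguments = '-NoProfile -ExecutionPolicy RemoteSigned -File "{0}" -Repository "{1}" -ReportId "{2}" -ExportFile "{3}"' -f $values

# The run-as password is typed once at registration and is not stored in any script.
$cred    = Get-Credential -Message 'Account the export task runs as'
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'
Register-ScheduledTask -TaskName 'AuditTrailExport' -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password
```
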
replied on January 20

Hi Sam - 

 

Thanks for the background and additional detail. In a different system we are using AT V11, on a machine with a valid third party certificate with a root url of https://FQDN/AuditTrail

 

Today we:

Created an export path away from Program Files, and added this export path to web.config
Granted IIS_IIUSERS modify/read/execute/write permissions to the export folder.
  --There was no separate IIS AppPool\AuditTrailAppPool account (Windows Server 2016)

Ran the report manually using Windows Authentication
Created in advance a file with the export file name (Test.csv)
Logged on with an account that is a local administrator and LF administrator with access to AT and all reports.

Ran PowerShell as an administrator
Passed command line with explicit username and pwd, and then without, errored out.
Base URL correctly identified (also passed in as a parameter), errored out.

Set the AT App Pool identity to the login account, recycled, errored out.

Set the AT App Pool identity to local system, recycled, errored out.

I think the PS Write error is misleading.  Technically the file did not write, but this is because the script never authenticates.

 

Here is the first error message:

{"message":"You do not have permissions to run the report or the report does not exist. ","isError":true,"errorCode":267}

 

At this point it's baffling, because the user account pretty much has all the permissions one could ever ask for.  This seems beyond what support would normally handle, but is it worth opening a case?

0 0
replied on January 21

Worth opening a case. Support has helped with troubleshooting issues with this script before and you've gone through reasonable basic troubleshooting steps at this point. Please start it by linking to this Answers post.

1 0
replied on January 17

Every time I've seen an Access Denied error while trying to invoke the Audit Trail report export script, it's been due to the ExportFile directory.

Read the instructions for that parameter closely. I've reproduced them here for reference:

  .PARAMETER ExportFile
  Target file, on the machine where Audit Trail is installed, to save the report. If the file already exists, it will be deleted first, then the new file will be saved with the same name.
  Supported file types are '.xlsx' (Excel) and '.csv' (TAB DELIMITED csv, not comma delimited). 
  If no file type is specified, e.g., "savedReport", '.xlsx' is used by default, unless the export has over 100k rows, in which case '.csv' is automatically used due to technical limitations generating large xlsx files.
  Explicitly using '.csv' is recommended for most use cases. E.g., "savedReport.csv". 

  By default, the export file is saved under '%ProgramData%\Laserfiche\AuditAnalytics\Export' on the server hosting Audit Trail Reporting. To change the export directory:
  1. Update the Audit Trail web.config file as detailed below
  2. Grant the "IIS AppPool\AuditTrailAppPool" local user access rights to the new export location.
  
  The export file is saved under the directory specified in the '<add key="ExportFolder" value="" />' setting in the '<appSettings>' section of the '.\Program Files\Laserfiche\Audit Trail\WebAuditReport\web.config' file. If no ExportFolder value is specified, the default ExportFolder directory is '%ProgramData%\Laserfiche\AuditAnalytics\Export'.
  If you want a different directory, please update the '<add key="ExportFolder" value="" />' setting in this 'web.config' file. It is a good practice to create a backup copy of the web.config file before making any changes.

  UNC paths to other servers or file shares are not supported. If you need the export file to end up at a remote location, either write a secondary script or make a copy of this script and extend it to copy/move the export file to the desired location once the export is complete (you can use the "ReturnValue" outputs to check for completion).

  This parameter takes a full path, e.g., "C:\AuditReportExports\savedReport.csv", which must be under the "ExportFolder" (including subdirectories). Audit Trail will attempt to create a specified subdirectory if it does not exist. For example, with the default ExportFolder (no value set in the web.config), this parameter value will create a subfolder named "2024-06-20" and save the export file as "savedReport.csv" within it:
  -ExportFile 'C:\ProgramData\Laserfiche\AuditAnalytics\Export\2024-06-20\savedReport.csv'

  If you specify a path that is not under the ExportFolder, you will receive an error message in PowerShell like:
  "'C:\\AuditReportExports\\savedReport.csv' is not a valid exporting path, please using a path
  under 'C:\\ProgramData\\Laserfiche\\AuditAnalytics\\Export', and the permission settings are correct. If you want another directory to export, please contact Administrator to change the settings of Audit Trail web site.

Assuming you have not modified the ExportFolder value in the \WebAuditReport\web.config file, start by trying with -ExportFile 'C:\ProgramData\Laserfiche\AuditAnalytics\Export\savedReport.csv'.

1 0
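
A pre-flight check for the ExportFile rules quoted above and the permission advice in the January 23 follow-up, as an added example (not Laserfiche's code): it reads ExportFolder from web.config, resolves the intended -ExportFile value, and reports whether it stays under that folder and whether the app pool identity has an explicit Modify grant there. `Test-AuditExportTarget` and its parameter names are hypothetical, and treating a bare file name as relative to ExportFolder is an assumption.

```powershell
# Added example: Test-AuditExportTarget and its parameters are hypothetical names.
# Run on the server hosting Audit Trail Reporting.
function Test-AuditExportTarget {
    param(
        [Parameter(Mandatory)] [string] $WebConfigPath,  # ...\WebAuditReport\web.config
        [Parameter(Mandatory)] [string] $ExportFile,     # value planned for -ExportFile
        [string] $AppPoolIdentity = 'IIS AppPool\AuditTrailAppPool'
    )

    # ExportFolder from <appSettings>; an empty value means the documented default.
    [xml] $config = Get-Content -LiteralPath $WebConfigPath -Raw
    $node = $config.SelectSingleNode("/configuration/appSettings/add[@key='ExportFolder']")
    $root = if ($node) { $node.GetAttribute('value') } else { '' }
    if (-not $root) { $root = Join-Path $env:ProgramData 'Laserfiche\AuditAnalytics\Export' }
    $root = [IO.Path]::GetFullPath($root).TrimEnd('\') + '\'

    # Assumption: a bare file name is resolved relative to ExportFolder.
    $target = if ([IO.Path]::IsPathRooted($ExportFile)) { $ExportFile } else { Join-Path $root $ExportFile }
    $target = [IO.Path]::GetFullPath($target)   # collapse ..\ segments before comparing
    $ext    = [IO.Path]::GetExtension($target).ToLowerInvariant()

    # Only explicit Allow entries for the identity are checked; rights that reach it
    # through group membership are not evaluated.
    $canModify = $false
    if (Test-Path -LiteralPath $root) {
        $modify = [System.Security.AccessControl.FileSystemRights]::Modify
        $canModify = [bool] ((Get-Acl -LiteralPath $root).Access | Where-Object {
            $_.IdentityReference.Value -eq $AppPoolIdentity -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $modify) -eq $modify
        })
    }

    [pscustomobject]@{
        ExportFolder      = $root
        ResolvedTarget    = $target
        IsUncPath         = $ExportFile.StartsWith('\\')
        UnderExportFolder = $target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)
        ExtensionOk       = $ext -in '', '.csv', '.xlsx'
        AppPoolCanModify  = $canModify
    }
}

# Sample call with paths taken from this thread:
Test-AuditExportTarget `
    -WebConfigPath 'E:\Program Files\Laserfiche\Audit Trail\WebAuditReport\web.config' `
    -ExportFile 'C:\ProgramData\Laserfiche\AuditAnalytics\Export\2024-06-20\savedReport.csv'
```

A result with `UnderExportFolder` or `AppPoolCanModify` false points at the export location rather than at the caller's report permissions.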