
Question

Laserfiche Audit Trail integration with Splunk

asked on March 5

Hello,

With version 11 of Audit Trail, there is not a database being used anymore in the background for events. We would like to use Splunk to gather information from Audit Trail.

Events such as who is submitting a form from Forms, changes to configurations in the repository and Forms, as well as searches that users conduct for documents.

Is there a recommended way of connecting Laserfiche Audit Trail to Splunk?

0 0

Answer

SELECTED ANSWER
replied on March 5

Pieter's answer is valid, though people should generally be aware that Audit Trail 11 includes updates to 3rd party libraries that contain security fixes we can't realistically backport to Audit Trail 10. If you do go with that approach, I'd run the Audit Trail 10 instance on its own small VM and lock down network access pretty hard. If its sole purpose is to keep an audit database populated for Splunk (etc.) to look at, end users certainly don't need to be able to reach it.

The answer for Audit Trail 11 (and soon, 12) is to programmatically export the audit data of interest as a tab-separated csv (yes, that's a real thing) on a schedule and ingest those exported logs into your SIEM/log aggregation solution like Splunk.

Refer to: 

And when @Bill Payton says:

--Read the FAQ carefully, especially the notes about the application pool identity and its permissions.

--The script syntax must be followed exactly.

I cannot stress enough how important that is. The script is not forgiving of a single thing being slightly out of line.

3 0
replied on April 8

Thank you for the insight Sam.

If we also wanted to use Audit Trail with our Forms server, how would we configure it to pull 2 different CSVs without the Export script deleting the first export?

0 0
replied on April 8

First, use my modified/updated version of the script (attached), which has better handling for Forms reports. Some or all of those modifications will likely make it into a future official release. This version is based on the original and fundamentally works the same way, so all of the earlier guidance on permissions, paths, etc. still applies. While I've done quite a bit of testing on this modified version and am not aware of any new issues, it hasn't undergone our formal software QA process and is thus not "officially supported". If you run into a problem that seems specific to it, I'll try to help here.

As always, make a backup copy of the original Export-AuditReport.ps1 script before replacing it. Alternatively, instead of replacing the original, bring in the updated one as "Export-AuditReport-v2.ps1" and have your commands invoke that instead.

Then, you'd run the command twice with different ExportFile parameter values. Example below. Please note that these commands will not work with the version of the Export-AuditReport.ps1 script that ships with Audit Trail 11 as of today (Update 6), as it only has a "-Repository" parameter and not the general "-DataSource" one I added to support both repository and Forms data sources.

# Export Forms audit report
$FormsReportName = 'DailyFormsReport_' + (Get-Date -Format "yyyy-MM-dd") + '.csv'
$FormsExportFile = Join-Path -Path 'C:\AuditTrailExports\' -ChildPath $FormsReportName
# $FormsExportFile expands to e.g. C:\AuditTrailExports\DailyFormsReport_2025-04-08.csv
$FormsDataSource = '63ca4d94-3b98-4314-817f-ad75f17e1795'
$ReportId = 'y72mbzN710WpZMkK-RmAqg'
.\Export-AuditReport.ps1 -DataSource $FormsDataSource -ReportId $ReportId -ExportFile $FormsExportFile -Raw -CheckResultInMinutes 1 -RecheckResultUntilComplete -ReturnValue 'StateString'

# Export repository audit report (different file name, so it does not overwrite the Forms export)
$RepoReportName = 'DailyRepositoryReport_' + (Get-Date -Format "yyyy-MM-dd") + '.csv'
$RepoExportFile = Join-Path -Path 'C:\AuditTrailExports\' -ChildPath $RepoReportName
# $RepoExportFile expands to e.g. C:\AuditTrailExports\DailyRepositoryReport_2025-04-08.csv
$RepoDataSource = 'TestRepository(localhost)'
$ReportId = 'sKXtXgGe1k6tFxEBNcS_yA'
.\Export-AuditReport.ps1 -DataSource $RepoDataSource -ReportId $ReportId -ExportFile $RepoExportFile -Raw -CheckResultInMinutes 1 -RecheckResultUntilComplete -ReturnValue 'StateString'

Cheers,
Sam

2 0
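The two-export procedure above, generalized into a single scheduled wrapper, as an added example that is not part of the original post or of Laserfiche's own script. It assumes Sam's modified script is saved beside it as Export-AuditReport-v2.ps1, that the script's parameters are the ones shown in the thread, and that the data-source names, report IDs and export folder are replaced with your own values; success is judged by the export file existing afterwards, since the possible 'StateString' values are not given in the thread.

```powershell
# Added example: run Export-AuditReport-v2.ps1 once per data source so each
# export lands in its own date-stamped file and one run never clobbers another.
# Assumed: script location, 'C:\AuditTrailExports' folder, and the sample
# data-source/report IDs from the thread (replace with your own).
$ExportRoot = 'C:\AuditTrailExports'
$Script     = Join-Path -Path $PSScriptRoot -ChildPath 'Export-AuditReport-v2.ps1'
$Stamp      = Get-Date -Format 'yyyy-MM-dd'

# One entry per report; Prefix keeps file names distinct per data source.
$Reports = @(
    @{ Prefix = 'DailyFormsReport';      DataSource = '63ca4d94-3b98-4314-817f-ad75f17e1795'; ReportId = 'y72mbzN710WpZMkK-RmAqg' }
    @{ Prefix = 'DailyRepositoryReport'; DataSource = 'TestRepository(localhost)';             ReportId = 'sKXtXgGe1k6tFxEBNcS_yA' }
)

$Failed = @()
foreach ($r in $Reports) {
    $ExportFile = Join-Path -Path $ExportRoot -ChildPath ('{0}_{1}.csv' -f $r.Prefix, $Stamp)

    # Never overwrite a file the Splunk forwarder may already be reading; flag it instead.
    if (Test-Path -LiteralPath $ExportFile) {
        Write-Warning "$($r.Prefix): $ExportFile already exists, skipping"
        $Failed += $r.Prefix
        continue
    }

    # Same parameters as the commands in the thread; the returned state is logged for the record.
    $State = & $Script -DataSource $r.DataSource -ReportId $r.ReportId -ExportFile $ExportFile `
        -Raw -CheckResultInMinutes 1 -RecheckResultUntilComplete -ReturnValue 'StateString'

    if (Test-Path -LiteralPath $ExportFile) {
        Write-Output "$($r.Prefix): exported to $ExportFile (state: $State)"
    } else {
        Write-Warning "$($r.Prefix): no export file produced (state: $State)"
        $Failed += $r.Prefix
    }
}

# A non-zero exit code lets the scheduled task report the failure instead of silently succeeding.
if ($Failed.Count -gt 0) { exit 1 }
```

Run it from a scheduled task under the same identity the FAQ prescribes for the original script, since the permission requirements are unchanged.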

Replies

replied on March 5

Hi Jacob-

I'm going to do that thing where I don't really answer because I'm not familiar with Splunk. But a thought that may be helpful if you don't get the answer you want: LF Audit Trail 10 can still be used with LF 11 (and I presume 12). Meaning, the old method of pulling audit data into a reporting database rather than the LF proprietary format is still supported.

The main note is that Audit Trail 10 is part of the Server installation package so you won't be able to install it on the LF Server machine. But you can put it on another server.

2 0