Log Server

Axidian Log Server (Log Server) is a web application that runs on the AIS database. This module is responsible for the centralized collection and audit of system events.

Events are recorded in databases.

How do I create and configure a database?

Installation files

The files for the Log Server are located in the Axidian Access LogServer folder.

Axidian.LogServer-version number.x64.ru-ru.msi: Log Server installation package.
Axidian.Server.EventLog-version number.x64.ru-ru.msi: Package for creating an Axidian Access event schema and the required log structure in Windows EventLog.
Axidian.LogServer.Config.Encryptor.zip: Utility for encrypting a configuration file.

Install Log Server and EventLog

System requirements

To install Log Server, start the corresponding package.
To install EventLog on a computer with Log Server, run the Axidian.Server installer.EventLog-version numbers.x64.ru-ru.msi.

The event schema is created automatically when installing the Axidian.Server component.EventLog and it is located at C:\ProgramData\Axidian\LogServer\Schemes.

HTTPS binding in IIS Manager

Log Server is a web application that runs on the AIS database. During the installation process, SSL is required in the settings for Log Server, which in turn requires HTTPS connectivity.

Start IIS Manager and expand the Sites item.
Select Default Web Site and in the Actions section, click Bindings.
Click Add and configure the following options:
- Type: https.
- Port: 443.
- Select SSL Certificate.
Save the link.

If you do not plan to use the HTTPS protocol, disable the SSL requirement in the IIS settings for Log Server.

Configure Log Server with different types of data storage

Select and configure the supported data storage:

Microsoft SQL or PostgreSQL databases
EventLog storage
Storage in SysLog
Backup storage

Microsoft SQL

Open C:\inetpub\wwwroot\ls\targetConfigs\sampleDb.config for editing.
Specify the data to connect to the database in the ConnectionString tag.
- Data Source: Server instance. This property is mandatory for all compounds. Acceptable values are the network name or IP address of the server, local or localhost for local connections.
- Database: Name of the database.
- User Id: Name of the user to connect to the database.
- Password: User password for connecting to the database.
```
<Settings>
<ConnectionString>Data Source=localhost;Database=LogServ;User Id=log;Password=Q1q2E3e4</ConnectionString>
</Settings>
```
Open C:\inetpub\wwwroot\ls\clientApps.config.
Locate and uncomment the block with "applicationId"="ea" in the TargetID and ReadTargetId tags to specify sampleDb.

Information

The ReadTargetId tags specify the identifier of the repository where events are read.

In the WriteTargets block, the TargetID tags specify the identifier of the repository where events are recorded.

The IDs are set in the Targets tag, and the configuration files for each type are located in the targetConfigs folder with the corresponding name.

      <Application Id="ea" SchemaId="eaSchema">
          <ReadTargetId>sampleDb</ReadTargetId>
          <WriteTargets>
            <TargetId>sampleDb</TargetId>
          </WriteTargets>
          <AccessControl>
            <!--<CertificateAccessControl CertificateThumbprint="001122...AA11" Rights="Read" />-->
          </AccessControl>
        </Application>

Encryption/Decryption of the configuration file

Run the command prompt as an administrator.
At the command prompt, navigate to the folder with the encryption utility Axidian.LogServer.Config.Encryptor.

Encrypting the configuration file

For encryption, run the utility with the following parameters:

protect -f C:\inetpub\wwwroot\ls\targetConfigs\sampleDb.config -t Sql

 -f, --file Path to the configuration file, required parameter.
  -t, --type is the type of the configuration file target. An optional parameter, which is Sql by default.

Decryption of the configuration file

To decrypt it, run the utility with the following parameters:

unprotect -f C:\inetpub\wwwroot\ls\targetConfigs\sampleDb.config -t Sql

 -f, --file Path to the configuration file, required parameter.
  -t, --type is the type of the configuration file target. An optional parameter, which is Sql by default.

PostgreSQL

Navigate to C:\inetpub\wwwroot\ls\targetConfigs.
Create a file with an arbitrary name and the .config extension, such as postgresDb.config.
Add the following lines to the file:

<?xml version="1.0" encoding="utf-8"?>
<Settings>
<ConnectionString>server=server_dns_name;port=5432;user id=account_name;password=account_password;database=database_name</ConnectionString>
</Settings>

In the ConnectionString line, set the values of the following parameters:
- server: DNS\IP address of the server with the PostgreSQL database.
- port: Port where the connection takes place. The default value is 5432.
- user ID: Name of the user who has full rights to the Database.
- password: User password.
- database: Name of the Log Server database.
```
 server=192.200.1.2;port=5432;user id=AxidianDB;password=Passw0rd;database=LogServerDB
```

Open C:\inetpub\wwwroot\ls\clientApps.config for editing.
Uncomment the block with applicationId="ea" in the TargetID and ReadTargetId tags, specify postgresDb.
Information
In the ReadTargetId tags, the storage identifier is specified, and events are read.
The WriteTargets block, in the TargetID tags, specifies the identifier of the repository where events are recorded.
The identifiers are specified in the Targets tag, the configuration files for each type are located in the targetConfigs folder with the corresponding name.
Then, in the same file, in the Targets section, add a new element:
```
<Targets>
...
<Target Id="postgresDb" Type="pgsql"/>
</Targets>
```

Encryption/Decryption of the configuration file

Run the command prompt as an administrator.
At the command prompt, navigate to the folder with the encryption utility Axidian.LogServer.Config.Encryptor.

Encrypting the configuration file

To encrypt, run the utility with the following parameters:

protect -f C:\inetpub\wwwroot\ls\targetConfigs\postgresDb.config -t Sql

 -f, --file Path to the configuration file, required parameter.
  -t, --type is the type of the configuration file target. An optional parameter, which is Sql by default.

Decryption of the configuration file

To decrypt, run the utility with the following parameters:

unprotect -f C:\inetpub\wwwroot\ls\targetConfigs\postgresDb.config -t Sql

 -f, --file Path to the configuration file, required parameter.
  -t, --type is the type of the configuration file target. An optional parameter, which is Sql by default.

EventLog storage

Editing the configuration file

Open C:\inetpub\wwwroot\ls\clientApps.config for editing.
Uncomment the block with "Application Id"="ea" in the TargetID and ReadTargetId tags to specify sampleEventLog.
Information
The ReadTargetI tags specify the identifier of the repository where events are read.
In the WriteTargets block, the TargetID tags specify the identifier of the repository where events are recorded.
The IDs are set in the Targets tag, and the configuration files for each type are located in the targetConfigs folder with the corresponding name.
```
    <Application Id="ea" SchemaId="eaSchema">
      <ReadTargetId>sampleEventLog</ReadTargetId>
      <WriteTargets>
        <TargetId>sampleEventLog</TargetId>
      </WriteTargets>
      <AccessControl>
        
      </AccessControl>
    </Application>
```

Storage in SysLog

The Log Server supports the syslog format, you can use any server that works with this format. As an example, the configuration of the syslog server Syslog Watcherv4.8.6 is further considered.

You can download the utility on the official website

Run the installation file SyslogWatcherSetup-win32.msi.
In the License Agreement window, accept the license agreement.
In the Installation Type window, select the install type InstallSyslogWatcher Service and GUI.
In the Select installation Folder window, select the installation path for the us-log server.
In the Windows Firewall Exception window, allow the addition of rules for all incoming connections for Syslog Watcher to the Firewindows firewall.
In the Confirm Installation window, click Next to confirm the installation.
Wait for the server installation to complete.

Configure the sysLog server

Launch Syslog Watcher and select Manage Local SyslogServer.
Click Settings in the top menu of the program.
1. Select Network Interfaces.
2. Verify that the udp protocol is selected and the port is specified.
3. Select Processing, then select the UTF-8 encoding.

Edit the configuration file

Open C:\inetpub\wwwroot\ls\targetConfigs\sampleSyslog.config and specify the following parameters in the ConnectionString tag:
- HostName: Name or IP address of the Syslog server.
- Port: Port of the Syslog server (514 is the default port).
- Protocol: Type of connection to the Syslog server: UDP, TCP, TCPoverTLS.
- Format: Optional parameter that defines the format of logs: Plain (default), CEF, LEEF.
- SyslogVersion: Optional parameter, protocol specification: RFC3164, RFC5424.
```
<Settings HostName="localhost" Port="514" Protocol="UDP" Format="Plain"  />
```
Open C:\inetpub\wwwroot\ls\clientApps.config.
For a block with "Application Id"="ea", specify sampleSyslog in the TargetID tag for WriteTargets. Leave *the ReadTargetId tag empty, since reading is performed by a third-party program, in this example Syslog Watcher.
Information
The ReadTargetId tags specify the identifier of the repository where events are read.
In the WriteTargets block, the TargetID tags specify the identifier of the repository where events are recorded.
The IDs are set in the Targets tag, and the configuration files for each type are located in the targetConfigs folder with the corresponding name.
```
<Application Id="ea" SchemaId="eaSchema"> 
    <ReadTargetId> </ReadTargetId> 
        <WriteTargets>
            <TargetId>sampleSyslog</TargetId> 
        </WriteTargets> <AccessControl> 
 </AccessControl> 
</Application> 
```
Click Start Server in the upper-left corner of the SyslogWatcher program.

Backup Storage

Backup storage

Setup with multiple repositories of different types

Information

As an example, a setting has been made in which events are read from Windows events and written to Windows events and the SQL database.

Open the C:\inetpub\wwwroot\ls\clientApps.config*.
For a block with "Application Id"="ea", specify sampleEventLog or sampleDb in the ReadTargetId tags.
Information
The ReadTargetId tags specify the identifier of the repository from which events are read.
In the WriteTargets block, the TargetID tags specify the identifier of the repository where events are recorded.
The identifiers are specified in the Targets tag, and the configuration files for each type are located in the targetConfigs folder with the corresponding name.
In the WriteTargets block, specify <TargetID>sampleEventLog</TargetID> and <TargetID>sampleDb</TargetID>.
Open C:\inetpub\wwwroot\ls\targetConfigs\sampleDb.config.
Specify the data to connect to the database in the ConnectionString tag.
- Data Source: Server instance. This property is mandatory for all compounds. Acceptable values are the network name or IP address of the server, local or localhost for local connections.
- Database: Name of the database.
- User Id: Name of the user to connect to the database.
- Password: User password for connecting to the database.
```
<Settings>
<ConnectionString>Data Source=localhost;Database=LogServ;User Id=log;Password=Q1q2E3e4</ConnectionString>
</Settings>
```
Information
With this configuration, system events will be read from Windows events, and events will be written to the SQL database.
```
<Application Id="ea" SchemaId="eaSchema">
<ReadTargetId>sampleEventLog</ReadTargetId>
<WriteTargets>
    <TargetId>sampleEventLog</TargetId>
    <TargetId>sampleDb</TargetId> 
</WriteTargets>
<AccessControl>
    
</AccessControl>
</Application>
```

Configuration with backup storage in the database

Open C:\inetpub\wwwroot\ls\clientApps.config.

In the Targets block, copy the Target tag with Id="sampleDb" and change the id to an arbitrary value, such as sampleDbBackup.

<Targets>
    <Target Id="sampleEventLog" Type="eventlog"/>
    <Target Id="sampleDb" Type="mssql"/>
    <Target Id="sampleDbBackup" Type="mssql"/>
    <Target Id="akcSqlTarget" Type="mssql"/>
    <Target Id="akcEventLogTarget" Type="eventlog"/>
    <Target Id="sampleSyslog" Type="syslog"/>
</Targets>

For a block with Application Id="ea", specify sampleDb in the ReadTargetId tags.
Information
The ReadTargetId tags specify the identifier of the repository from which events are read.
In the WriteTargets block, the TargetID tags specify the identifier of the repository where events are recorded.
The IDs are set in the Targets tag, and the configuration files for each type are located in the targetConfigs folder with the corresponding name.
In the WriteTargets block, specify the <TargetID>sampleDb</TargetID> and <TargetID>sampleDbBackup</TargetID>.
Information
With this configuration, events will be read from the database specified in the configuration file ls\targetConfigs\sampleDb.config. The recording will be performed in the databases specified in the files:
- ls\targetConfigs\sampleDb.config
- ls\targetConfigs\sampleDbBackup.config
```
<Application Id="ea" SchemaId="eaSchema">
<ReadTargetId>sampleDb</ReadTargetId>
<WriteTargets>
    <TargetId>sampleDb</TargetId> 
    <TargetId>sampleDbBackup</TargetId> 
</WriteTargets>
<AccessControl>
    
</AccessControl>
</Application>
```
Open C:\inetpub\wwwroot\ls\targetConfigs\sampleDb.config.
Specify the data to connect to the database in the ConnectionString tag:
Information
Specify the data to connect to the main database.
- Data Source: Server instance. This property is mandatory for all compounds. Acceptable values are the network name or IP address of the server, local or localhost for local connections.
- Database: Name of the database.
- User Id: Name of the user to connect to the database.
- Password: User password for connecting to the database.
```
<Settings>
<ConnectionString>Data Source=localhost;Database=LogServ;User Id=log;Password=Q1q2E3e4</ConnectionString>
</Settings>
```
Create a sampleDbBackup file with the .config extension.
caution
The file name must exactly repeat the value of the Id specified in step 2.
Specify the data to connect to the database in the ConnectionString tag.
Information
Specify the data to connect to the backup database.
- Data Source: Server instance. This property is mandatory for all compounds. Acceptable values are the network name or IP address of the server, local or localhost for local connections.
- Database: Name of the database.
- User Id: Name of the user to connect to the database.
- Password: User password for connecting to the database.

 <Settings>
   <ConnectionString>Data Source=localhost;Database=LogServBackup;User Id=log;Password=Q1q2E3e4</ConnectionString>
 </Settings>

Fault tolerance

If Log Server is unavailable, the events are cached in the local folder on the Axidian Access server.

The information about Log Server unavailability is displayed in Windows events on the Application tab.

Event code: 500.

Text: Log server client fluentSchedulerBackgroundLoaderTask. IterationWEBexception: The waiting time for the operation has expired.

The path to the folder for storing events is set in the Web.config configuration file in the logServerClient tag of the eventcachedirectory parameter (default: ./EventCache). The time for sending logs after LogServer is resumed is set in the Logserverclient tag of the EventCacheSendingIntervalSec parameter (default: 600 seconds).

It is not recommended to set the value for theeventcachesendingintervalsec parameter to less than 30 seconds.

Installation files​

Install Log Server and EventLog​

HTTPS binding in IIS Manager​

Configure Log Server with different types of data storage​

Microsoft SQL​

PostgreSQL​

EventLog storage​

Storage in SysLog​

Backup storage​

Fault tolerance​