Unified Event log

You can use the Unified Event Log for Axidian CertiFlow Linux installations or in multi-server Windows configurations. It allows events from all servers to be recorded in a single, centralized log.

Configure the Unified Event Log using the Axidian CertiFlow Event Log Proxy or Log Server applications.

Axidian CertiFlow Event Log Proxy

The Axidian CertiFlow Event Log Proxy application enables logging events from one or more Axidian CertiFlow servers into a unified Windows Event Log. The Axidian CertiFlow Event Log Proxy can only be installed on a workstation running the Windows OS.

System requirements

To install and configure the Axidian CertiFlow Event Log Proxy:

1. Log in to the workstation as local administrator.

2. Open the Axidian CertiFlow installation package, navigate to the AxidianCertiFlow.Server catalog and run the AxidianCertiFlow.EventLog.Proxy-<version-number>.x64.en-us.msi installation file.

3. In the installation wizard, select an authentication method based on the operating system where the Axidian CertiFlow server is installed, and specify the required settings in the configuration files.

   Windows

   1. Select the Windows authentication method. When the installation is complete, click Finish and close the installation wizard.
   2. Open the web.config file (C:\inetpub\wwwroot\certiflow\eventlogproxy) in Notepad as an administrator.
   3. In the allow users parameter, specify a user account from the domain where the Event Log Proxy is installed. For example, the user catalog service account.
      Example

      <authorization>
           <clear />
           <add accessType="Allow" users="DOMAIN\servicecertiflow" />
      </authorization>
   4. Save and close the web.config file.

   Linux

   1. Select the Certificate authentication method. When the installation is complete, click Finish and close the installation wizard.

   2. Open the appsettings.json file (C:\inetpub\wwwroot\certiflow\eventlogproxy) in Notepad as an administrator.

   3. In the authSettings section, specify the thumbprint of a client certificate of the Axidian CertiFlow server in the allowedCertificateThumbprints parameter.
      Make sure the certificate's Enhanced Key Usage (EKU) field contains the Client Authentication value and the certificate is installed in the Axidian CertiFlow server's certificate store.

      Example

      "authSettings":{
      "authorizeByCertificate": "true",
      "allowedCertificateThumbprints": "aba8b93d73343f2182e3c1c40482b2ae2d75b6ec"
      }

      How to issue a client certificate

   4. Save and close the appsettings.json file.

4. Restart the Axidian CertiFlow Event Log Proxy application pool to apply the changes.

   1. Open the Internet Information Services (IIS) Manager and select Application Pools in the left menu.
   2. Select the Axidian CertiFlow Event Log Proxy application and click Recycle in the right menu.

Log Server

With Log Server you can record events from one or more Axidian CertiFlow servers to a unified log in the following targets: Windows Event Log, Microsoft SQL Server, PostgreSQL Server, SysLog Server.

System requirements

The Log Server can be installed on a workstation running either Windows or Linux OS.

Windows

Install Log Server

Before installing the Log Server, install .NET 8.0 and URL Rewrite.

To install the Log Server:

1. Log in to the workstation as local administrator.
2. Run the LogServer-<version number>.x64.en-us.msi file from the Log.Server catalog of the Axidian CertiFlow installation package and follow the wizard's instructions.
3. Copy the following files from the Log.Server catalog*:
   • The certiflowSchema.config file to the C:\inetpub\wwwroot\ls catalog.
   • The certiflowEventLogTarget.config, certiflowMsSqlTarget.config, certiflowPgSqlTarget.config, and certiflowSysLogTarget.config files to the C:\inetpub\wwwroot\ls\targetConfigs catalog.

Configure event read/write operations

The Log Server supports reading events from only one storage target (ReadTargetId), while it can write events to multiple storage targets (WriteTargets) at the same time.

You can configure event reading and writing for the following storage types:

• Windows Event Log
• Microsoft SQL Server
• PostgreSQL Server
• Syslog Server

Windows Event Log

1. Open the C:\inetpub\wwwroot\ls catalog and edit the clientApps.config file.

   • In the Applications section, add the following parameters.

   <Application Id="certiflow" SchemaId="certiflowSchema">
       <ReadTargetId>certiflowEventLogTarget</ReadTargetId>
       <WriteTargets>
           <TargetId>certiflowEventLogTarget</TargetId>
       </WriteTargets>
       <AccessControl>
           <!--<CertificateAccessControl CertificateThumbprint="001122...AA11" Rights="Read" />-->
       </AccessControl>
   </Application>
   • In the Targets section, add a new element.

   <Targets>
       <Target Id="certiflowEventLogTarget" Type="eventlog"/>
   </Targets>

2. Save and close the file.

Microsoft SQL

1. Create a database in SQL Server Management Studio.

   1. In the Object Explorer pane, right-click Databases and select New Database.
   2. Enter a database name and click OK.
   3. In the Owner: field, specify the owner of the database.
   4. Click OK to save the database.
   info

   Create or select any existing internal Microsoft SQL or Active Directory account. For example, a service account for running Axidian CertiFlow.

   Once the database is created, the specified account is granted the db_owner and public roles. Axidian CertiFlow use this account for read/write operations.

2. Open the C:\inetpub\wwwroot\ls\targetConfigs catalog and edit the certiflowMsSqlTarget.config file. In the <Settings>…</Settings> section configure the following parameters:

   • Data Source – the Microsoft SQL Server name or the named Microsoft SQL Server instance in the Server name\Instance name format.
   • Database – the database name (ILS).
   • User Id – the service account for managing the Axidian CertiFlow database.
   • Password – the service account password.
   • TrustServerCertificate – the server certificate trust setting. Set the value to True.

   <Settings>
       <ConnectionString>Data Source=MSSQL\SQLEXPRESS;Database=LogServer;User Id=servicesql;Password=P@ssw0rd;TrustServerCertificate=True</ConnectionString>
   </Settings>

3. Open the C:\inetpub\wwwroot\ls catalog and edit the clientApps.config file.

   • In the Application section, add the following parameters.

   <Application Id="certiflow" SchemaId="certiflowSchema">
       <ReadTargetId>certiflowMsSqlTarget</ReadTargetId>
   
       <WriteTargets>
           <TargetId>certiflowMsSqlTarget</TargetId>
       </WriteTargets>
   
       <AccessControl>
           <!--<CertificateAccessControl CertificateThumbprint="001122...AA11" Rights="Read" />-->
       </AccessControl>
   </Application> 
   • In the Targets section, add a new element.

   <Targets>
       <Target Id="certiflowMsSqlTarget" Type="mssql"/>
   </Targets> 

4. Save and close the file.

PostgreSQL

1. Create a database in pgAdmin.

   1. Open pgAdmin and connect to the server.
   2. In the Browser section, right-click Databases and select Create → Database....
   3. On the General tab, specify the database name in the Database field, select the service account from the Owner list, and click Save.

2. Grant the service account the permissions to manage the database.

   1. Select the database and select Tools → Query Tool.
   2. Enter the query with the service account name.

   GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO <service account name>;
   3. Click Execute/Refresh (Execute/Refresh).

3. Follow these steps to add Universally Unique Identifiers (UUID) generation support.

   1. Click and select Clear Query.
   2. Enter the query.

   CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
   3. Click Execute/Refresh (Execute/Refresh).

4. Configure a remote connection to the database.

   1. Open the pg_hba.conf configuration file (C:\Program Files\PostgreSQL\<version number>\data).
   2. Add a string in the following format:

   CONNECTIONTYPE DATABASE USER ADDRESS METHOD
   • CONNECTIONTYPE – the name of the connection type. To use TCP/IP connection, specify host.
   • DATABASE – the name of the database. To grant access to all databases, specify ALL.
   • USER – name of the user who accesses the database. To grant access to all users, specify ALL.
   • ADDRESS – the IP address of the remote Axidian CertiFlow server. To grant access from any IP address, specify 0.0.0.0/0.
   • METHOD – the user authentication method. For example, md5, scram-sha-256.
   Example

   host LogServer servicepg 192.200.1.0/24 md5
   host ALL servicepg 10.0.0.0/8 md5
   host ALL ALL 0.0.0.0/0 scram-sha-256

5. Open the C:\inetpub\wwwroot\ls\targetConfigs catalog and edit the certiflowPgSqlTarget.config file. In the <ConnectionString>…</ConnectionString> section, configure the following parameters:

   • Host – the PostgreSQL Server name.
   • Port – the PostgreSQL connection port. Default value is 5432.
   • Database – the database name.
   • Username – the service account for managing the Axidian CertiFlow database.
   • Password – the service account password.

   <Settings>
       <ConnectionString>Host=SRV-POSTGRESQL;Port=5432;Database=LogServer;Username=servicepg;Password=P@ssw0rd</ConnectionString>
   </Settings>

6. Open the C:\inetpub\wwwroot\ls catalog and edit the clientApps.config file.

   • In the Application section add a new TargetId for ReadTarget and WriteTarget.

   <Application Id="certiflow" SchemaId="certiflowSchema">
       <ReadTargetId>certiflowPgSqlTarget</ReadTargetId>
   
       <WriteTargets>
           <TargetId>certiflowPgSqlTarget</TargetId>
       </WriteTargets>
   
       <AccessControl>
           <!-- <CertificateAccessControl CertificateThumbprint="001122...AA11" Rights="Read" /> -->
       </AccessControl>
   </Application>
   • In the Targets section, add a new element.

   <Targets>
       <Target Id="certiflowPgSqlTarget" Type="pgsql"/>
   </Targets>

Syslog

Syslog only supports event writing (WriteTargets). The following configuration extends the PostgreSQL example.

1. Open the C:\inetpub\wwwroot\ls\targetConfigs catalog and edit the certiflowSysLogTarget.config file. In the <ConnectionString>…</ConnectionString> section, configure the following parameters:

   • HostName – the Syslog server name or IP.
   • Port – the Syslog server connection port. Default value is 514.
   • Protocol – the Syslog server connection type: UDP, TCP, TCPoverTLS.
   • Format – an optional parameter that configures log format: Plain, CEF, LEEF.
   • SyslogVersion – an optional parameter that configures the protocol: RFC3164, RFC5424.

   <Settings HostName="SRV-SYSLOG" Port="514" Protocol="UDP"/>

2. Open the C:\inetpub\wwwroot\ls catalog and edit the clientApps.config file.

   • In the Application section, add a new TargetId for WriteTarget.

   <Applications>
       <Application Id="certiflow" SchemaId="certiflowSchema">
           <ReadTargetId>certiflowPgSqlTarget</ReadTargetId>
   
           <WriteTargets>
               <TargetId>certiflowPgSqlTarget</TargetId>
               <TargetId>certiflowSysLogTarget</TargetId>
           </WriteTargets>
   
           <AccessControl>
               <!-- <CertificateAccessControl CertificateThumbprint="001122...AA11" Rights="Read" /> -->
           </AccessControl>
       </Application> 
   </Applications>
   • In the Targets section, add a new element.

   <Targets>
       <Target Id="certiflowPgSqlTarget" Type="pgsql"/>
       <Target Id="certiflowSysLogTarget" Type="syslog"/>
   </Targets>

To apply the changes, restart the IIS application pool.

1. Open Internet Information Services (IIS) Manager and select Application Pools in the left menu.
2. Select the Log Server application pool and click Recycle in the right menu.

Linux

Install Log server

1. Run the installation package.

   Debian

   sudo dpkg -i axidian.logserver-<version number>_amd64.deb
   RHEL

   sudo rpm -i axidian.logserver-<version number>.x86_64.rpm

2. Open the Log.Server catalog and copy the certiflowSchema.config file to the /opt/axidian/ls catalog.

   sudo cp ./certiflowSchema.config /opt/axidian/ls/

Configure event read/write operations

The Log Server supports reading events from only one storage target (ReadTargetId), while it can write events to multiple storage targets (WriteTargets) at the same time.

You can configure event reading and writing for the following storage types:

• Microsoft SQL Server
• PostgreSQL Server
• Syslog Server

Microsoft SQL

1. Create a database in SQL Server Management Studio.

   1. In the Object Explorer pane, right-click Databases and select New Database.
   2. Enter a database name and click OK.
   3. In the Owner: field, specify the owner of the database.
   4. Click OK to save the database.
   info

   Create or select any existing internal Microsoft SQL or Active Directory account. For example, a service account for running Axidian CertiFlow.

   Once the database is created, the specified account is granted the db_owner and public roles. Axidian CertiFlow use this account for read/write operations.

2. Open the /opt/axidian/ls/targetConfigs catalog and edit the certiflowMsSqlTarget.config file. In the <Settings>…</Settings> section, configure the following parameters:

   • Data Source – the Microsoft SQL Server name or the named Microsoft SQL Server instance in the Server name\Instance name format.
   • Database – the database name (ILS).
   • User Id – the service account for managing the Axidian CertiFlow database.
   • Password – the service account password.
   • TrustServerCertificate – the server certificate trust setting. Set the value to True.

   <Settings>
       <ConnectionString>Data Source=MSSQL\SQLEXPRESS;Database=LogServer;User Id=servicesql;Password=P@ssw0rd;TrustServerCertificate=True</ConnectionString>
   </Settings>

3. Open the /opt/axidian/ls catalog and edit the clientApps.config file.

   • In the Application section, add the following parameters.

   <Application Id="certiflow" SchemaId="certiflowSchema">
       <ReadTargetId>certiflowMsSqlTarget</ReadTargetId>
   
       <WriteTargets>
           <TargetId>certiflowMsSqlTarget</TargetId>
       </WriteTargets>
   
       <AccessControl>
           <!--<CertificateAccessControl CertificateThumbprint="001122...AA11" Rights="Read" />-->
       </AccessControl>
   </Application> 
   • In the Targets section, add a new element.

   <Targets>
       <Target Id="certiflowMsSqlTarget" Type="mssql"/>
   </Targets> 

PostgreSQL

1. Create a database in pgAdmin.

   1. Open pgAdmin and connect to the server.
   2. In the Browser section, right-click Databases and select Create → Database....
   3. On the General tab, specify the database name in the Database field, select the service account from the Owner list, and click Save.

2. Grant the service account the permissions to manage the database.

   1. Select the database and select Tools → Query Tool.
   2. Enter the query with the service account name.

   GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO <service account name>;
   3. Click Execute/Refresh (Execute/Refresh).

3. Follow these steps to add Universally Unique Identifiers (UUID) generation support.

   1. Click and select Clear Query.
   2. Enter the query.

   CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
   3. Click Execute/Refresh (Execute/Refresh).

4. Configure a remote connection to the database.

   1. Open the pg_hba.conf configuration file (/etc/postgresql/<version number>/main.).
   2. Add a string in the following format:

   CONNECTIONTYPE DATABASE USER ADDRESS METHOD
   • CONNECTIONTYPE – the name of the connection type. To use TCP/IP connection, specify host.
   • DATABASE – the name of the database. To grant access to all databases, specify ALL.
   • USER – name of the user who accesses the database. To grant access to all users, specify ALL.
   • ADDRESS – the IP address of the remote Axidian CertiFlow server. To grant access from any IP address, specify 0.0.0.0/0.
   • METHOD – the user authentication method. For example, md5, scram-sha-256.
   Example

   host LogServer servicepg 192.200.1.0/24 md5
   host ALL servicepg 10.0.0.0/8 md5
   host ALL ALL 0.0.0.0/0 scram-sha-256

5. Open the /opt/axidian/ls/targetConfigs catalog and edit the certiflowPgSqlTarget.config file. In the <ConnectionString>…</ConnectionString> section, configure the following parameters:

   • Host – the PostgreSQL Server name.
   • Port – the PostgreSQL connection port. Default value is 5432.
   • Database – the database name.
   • Username – the service account for managing the Axidian CertiFlow database.
   • Password – the service account password.

   <Settings>
       <ConnectionString>Host=SRV-POSTGRESQL;Port=5432;Database=LogServer;Username=servicepg;Password=P@ssw0rd</ConnectionString>
   </Settings>

6. Open the /opt/axidian/ls catalog and edit the clientApps.config file.

   • In the Application section add a new TargetId for ReadTarget and WriteTarget.

   <Application Id="certiflow" SchemaId="certiflowSchema">
       <ReadTargetId>certiflowPgSqlTarget</ReadTargetId>
   
       <WriteTargets>
           <TargetId>certiflowPgSqlTarget</TargetId>
       </WriteTargets>
   
       <AccessControl>
           <!-- <CertificateAccessControl CertificateThumbprint="001122...AA11" Rights="Read" /> -->
       </AccessControl>
   </Application>
   • In the Targets section, add a new element.

   <Targets>
       <Target Id="certiflowPgSqlTarget" Type="pgsql"/>
   </Targets>

Syslog

Syslog only supports event writing (WriteTargets). The following configuration extends the PostgreSQL example.

1. Open the /opt/axidian/ls/targetConfigs catalog and edit the certiflowSysLogTarget.config file. In the <ConnectionString>…</ConnectionString> section, configure the following parameters:

   • HostName – the Syslog server name or IP.
   • Port – the Syslog server connection port. Default value is 514.
   • Protocol – the Syslog server connection type: UDP, TCP, TCPoverTLS.
   • Format – an optional parameter that configures log format: Plain, CEF, LEEF.
   • SyslogVersion – an optional parameter that configures the protocol: RFC3164, RFC5424.

   <Settings HostName="SRV-SYSLOG" Port="514" Protocol="UDP"/>

2. Open the /opt/axidian/ls catalog and edit the clientApps.config file.

   • In the Application section add a new TargetId for WriteTarget.

   <Applications>
       <Application Id="certiflow" SchemaId="certiflowSchema">
           <ReadTargetId>certiflowPgSqlTarget</ReadTargetId>
   
           <WriteTargets>
               <TargetId>certiflowPgSqlTarget</TargetId>
               <TargetId>certiflowSysLogTarget</TargetId>
           </WriteTargets>
   
           <AccessControl>
               <!-- <CertificateAccessControl CertificateThumbprint="001122...AA11" Rights="Read" /> -->
           </AccessControl>
       </Application> 
   </Applications>
   • In the Targets section, add a new element.

   <Targets>
       <Target Id="certiflowPgSqlTarget" Type="pgsql"/>
       <Target Id="certiflowSysLogTarget" Type="syslog"/>
   </Targets>

Apply Log server settings

1. Open the web server configuration file for nginx or Apache and uncomment the strings for processing the api application.

   nginx example

     location /api   
    {  include /etc/nginx/conf.d/proxy.conf;   proxy_pass http://localhost:5010/api;   }
   Apache example

    ProxyPass /api http://localhost:5010/api
    ProxyPassReverse /api http://localhost:5010/api

2. Restart the web server.

3. Restart the Log Server service.

   sudo systemctl restart axidian-ls.service

Configure Axidian CertiFlow to use the Unified Event log

1. Configure connection to the event log in the Configuration Wizard.
2. Test the event log functionality. Go to the Management Console, open the Log section, and search for events.

tip

The log search might return no results if the log on the remote server contains no events. Perform any action in the Axidian CertiFlow web applications. For example, disable a card, add or modify a comment, and then repeat the event search.