Audit logging

Audit logging is the process of documenting activity within the software systems used across your organization. Audit logging records actions taken within the system to document the occurrence of an event, the time it occurred, who performed the action, and the service affected by the action.

A typical ControlSuite deployment can range from several to several dozen nodes running different ControlSuite services and applications. Admin actions such as changing configuration or installing new components or services can take place on any of them.

ControlSuite provides a central audit log collection subsystem where audit logs can be collected, maintained, and viewed. The audit log collection subsystem logs all events, collects them, and stores them in a database. Through this central tool, the administrator can view all audit logs from every ControlSuite component deployed across multiple servers.

The Audit log subsystem contains the following components:

  • Audit Log Collection Service - This is an IIS service installed on each Security Framework Service (SFS) node.
  • Audit Log Agent - This is a Windows service installed on every ControlSuite node where installation is done by Install Assistant.
  • Audit Log Viewer - This is a web application that is deployed with the Audit Log Collection Service. This is an optional installation component. The Audit Log Viewer allows admins to look at all the events by date and time, accounts, site and component in one central location.

The Audit Log Collection Service is installed on every SFS node. This is not an optional component and does not need to be selected during installation. Audit Log Collection receives audit records from the Audit Agents and stores them in a ControlSuite Audit database. All Audit Log Collection services use the same single Microsoft SQL Database.

Any ControlSuite service or application can log audit events in the Windows event log subsystem using Audit Log library methods. The Audit Log library stores records in the Windows Event log "Kofax CS" branch. The Kofax CS branch should be created by Install Assistant.

The Audit Agent is a Windows service that is installed on every ControlSuite node where the installation is done by Install Assistant. It sends records to the Audit Log Collection Service every 10 minutes if new records are available. Windows Event log does not support removing individual records; only all records in a branch can be removed at once. To ensure all records are sent to the Audit Log Collection Service, the current records are kept in a temp file, which is cleared after the records are successfully sent.

Audit logging collection can be turned OFF for individual nodes. In this case, local services and applications stop logging audit events and Audit Agent stops sending logs to the Audit Log Collection Service. Audit log collection can be restarted as required.

To disable Audit logging collection, open the Registry Editor, go to HKEY_LOCAL_MACHINE\SOFTWARE\Kofax\ControlSuite, and create a String Value "AuditLogCollectionEnabled" with a "false" value. To enable Audit logging collection, set the value to "true". Alternatively, you can delete the "AuditLogCollectionEnabled" entry.
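
Because a single registry value silences audit logging on a node, it is worth checking that value across the deployment. The following PowerShell is an added example, not part of the ControlSuite documentation: it reports the collection state and the presence of the "Kofax CS" event log on each node. The node names are hypothetical, PowerShell remoting to the nodes is assumed, and any value other than "true" or "false" is reported as unknown rather than interpreted.

```powershell
# Added example: report the audit-collection state of ControlSuite nodes.
# $Nodes is a constructed list of hypothetical host names; replace with your own.
$Nodes = @('cs-node01', 'cs-node02')

$check = {
    $key  = 'HKLM:\SOFTWARE\Kofax\ControlSuite'
    $name = 'AuditLogCollectionEnabled'

    # Read the entry if the key and value exist; $null means "not set".
    $value = $null
    if (Test-Path -Path $key) {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($prop) { $value = [string]$prop.$name }
    }

    # Per the page: "false" disables collection; "true" or a missing entry enables it.
    # Anything else is reported as Unknown (assumption: no other values are defined).
    if ($null -eq $value)        { $state = 'Enabled (entry absent)' }
    elseif ($value -eq 'true')   { $state = 'Enabled' }
    elseif ($value -eq 'false')  { $state = 'DISABLED' }
    else                         { $state = "Unknown ($value)" }

    # The "Kofax CS" event log branch should exist on every node.
    $log = Get-WinEvent -ListLog 'Kofax CS' -ErrorAction SilentlyContinue
    $records = $null
    if ($log) { $records = $log.RecordCount }

    [pscustomobject]@{
        Node            = $env:COMPUTERNAME
        CollectionState = $state
        EventLogPresent = [bool]$log
        EventLogRecords = $records
    }
}

# Run the check on every node and show the full picture.
$report = Invoke-Command -ComputerName $Nodes -ScriptBlock $check
$report | Sort-Object Node |
    Format-Table Node, CollectionState, EventLogPresent, EventLogRecords

# Nodes that need follow-up: collection switched off or the event log missing.
$report | Where-Object { $_.CollectionState -eq 'DISABLED' -or -not $_.EventLogPresent }
```

Running this on a schedule and alerting on any row in the final output gives a record of when a node stopped contributing audit events.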