How to Write Security-Relevant Information about Administration Events to the Windows Event Log

Hello All,

For the monitoring of possible unauthorized process changes in productive environments, i.e. changes to a workflow, it is necessary to log the process change event in the Windows event log. As far as I can read here about Orchestration logs, you use NLog, which allows writing to the Windows event log. I found information about diagnostic and execution logs, but nothing about administration logs, e.g. changes to a workflow, deletion of a workflow, etc.

  1. Does the Orchestrator offer the possibility to log administrative events?
  2. If yes, which administrative events are standard and written to the log?
  3. Generally, can custom events be defined as well?
  4. Do you have a how-to guide on configuring Orchestrator to log individual information and redirect it into the Windows event log?

Thanks for your answers.

Best regards
Stefan

P.S. Here is some additional information:

  • A security-relevant event is an event that affects information security and can impair confidentiality, integrity or availability. Typical consequences of such events are information being spied out, manipulated or destroyed.

  • If security-relevant events are logged insufficiently or not at all, it is not possible to determine sufficiently and quickly enough whether security requirements are being violated or whether attacks are taking place. In the event of damage, it is also no longer possible to perform an error analysis, and the gateway used for an attack may remain open. Log information is also used to carry out checks (for example, as part of an audit or review). However, if the logs are missing, this is not possible.

  • Interesting post about Audit Log

  • Orchestrator API

  • Information about Audit Log
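The following is an added example, not code from the original post or from UiPath. It shows the generic Windows side of what questions 3 and 4 ask for: registering a custom event source and writing an administrative event (workflow created, updated or deleted) with a stable event ID and a structured message into a dedicated Windows event log, then reading it back for verification. The log name, source name, event ID numbering and the sample workflow and actor are assumptions chosen for illustration; how such events would be produced from Orchestrator itself is not shown because the page does not describe it. Write-EventLog and New-EventLog are available in Windows PowerShell 5.1 (not in PowerShell 7), and creating the log and source requires an elevated session the first time.

```powershell
# Added example (not from the original post or UiPath): write a custom
# administrative event to a dedicated Windows event log and read it back.
# Run in an elevated Windows PowerShell 5.1 session the first time so the
# log and source can be registered.

$LogName = 'WorkflowAdmin'          # assumed custom log name
$Source  = 'WorkflowAuditForwarder' # assumed event source name

# Register the log and source once. New-EventLog fails if the source already
# exists, so check before creating it.
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

function Write-WorkflowAdminEvent {
    param(
        [Parameter(Mandatory)] [ValidateSet('Created', 'Updated', 'Deleted')] [string]$Action,
        [Parameter(Mandatory)] [string]$WorkflowName,
        [Parameter(Mandatory)] [string]$Actor,
        [string]$Details = ''
    )

    # Stable event IDs per action so a SIEM or audit rule can key on them
    # (assumed numbering, not an Orchestrator convention).
    $eventIds = @{ Created = 4001; Updated = 4002; Deleted = 4003 }

    # Deletion is the most security-relevant change, so raise its severity.
    $entryType = if ($Action -eq 'Deleted') { 'Warning' } else { 'Information' }

    # Key=value message body: easy to parse downstream, and the actor and the
    # UTC timestamp are recorded explicitly rather than inferred later.
    $message = @(
        "Action=$Action",
        "Workflow=$WorkflowName",
        "Actor=$Actor",
        "TimestampUtc=$([DateTime]::UtcNow.ToString('o'))",
        "Details=$Details"
    ) -join "`n"

    Write-EventLog -LogName $LogName -Source $Source -EventId $eventIds[$Action] `
        -EntryType $entryType -Message $message
}

# Usage: log a constructed workflow deletion (sample data, not a real system),
# then query the last administrative events back for verification.
Write-WorkflowAdminEvent -Action Deleted -WorkflowName 'InvoiceProcessing' `
    -Actor 'CONTOSO\stefan' -Details 'Removed from production folder'

Get-WinEvent -FilterHashtable @{ LogName = $LogName; ProviderName = $Source; Id = 4001, 4002, 4003 } -MaxEvents 10 |
    Select-Object TimeCreated, Id, LevelDisplayName, Message
```

Because the events land in a dedicated log with fixed IDs, a forwarder or SIEM can subscribe to exactly those IDs instead of filtering the Application log, and the retention and access control of that log can be set independently of other application logging.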

Hey @StefanSchnell

I checked with our team and it looks like it is a gap in our offering. You cannot ship audit logs via NLog or anywhere outside of SQL today.

Having said so, I will add your insight into our ideas tracker and it will hopefully be picked up in future releases.


@loginerror

Thank you very much Maciej.