User Action Auditing in Standalone Service Fabric Cluster

  • Question

  • I have recently set up client certificate authentication on my Standalone Service Fabric cluster, and I have been unable to figure out how to associate administrative actions taken against the cluster with individual users. Since I am using the standalone Service Fabric cluster, I do not have access to the Event Store.

    I have looked through the event viewer logs, and the ETL traces in "C:\ProgramData\SF\Log". The only useful log I have found tells me which IP address signed in with which client certificate. My organization has decided that this is insufficient auditing, and they will not let me ship my SF cluster to production until this requirement is met.

    Is there a clear audit log somewhere that tells me "Client at IP address X did action X"?

    Monday, September 30, 2019 8:48 PM

All replies

  • If you are running a standalone cluster, you have access to the Windows Event logs and should be able to see when a particular IP address attempts a connection.

    Else, can you elaborate a bit more? Are you looking to see who accesses the cluster or an app running on the cluster?

    You can also look into integrating your cluster with App Insights or other Azure monitoring solutions:

    https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-diagnostics-overview

    Tuesday, October 1, 2019 7:28 PM
    Moderator
  • I am looking for audit information about who takes specific administrative actions against the cluster.

    X uploaded an image to the image store, Y deployed/removed an application, Z restarted a node

    I am being told that knowing who connects to the cluster and when is insufficient. There's nothing stopping someone from creating a cluster connection hours in advance, leaving enough time for others to connect to the cluster, and then kicking off a destructive action. I need to know who took that action.

    I would prefer not to lock down the server certificate to my build agents if I can't find this information. I like using the dashboard to troubleshoot issues.

    We have other non-Azure monitoring tools in place. I'm just trying to figure out where I can get this data from!
    Wednesday, October 2, 2019 3:43 PM
  • Are you planning on remaining on prem or deploying to Azure?
    Thursday, October 3, 2019 9:34 PM
    Moderator
  • The current plan is to remain on-prem.
    Friday, October 4, 2019 5:25 PM
  • The only real option I can think of would be to integrate your SF cluster with Application Insights:

    https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-tutorial-monitoring-aspnet

    This should allow you to see who and what people are doing in and on the cluster. 

    Monday, October 7, 2019 4:29 PM
    Moderator