User Login Audit Log

[Martyn Houghton]

Does the system record user logins to an audit table, or is there just the last authentication date stamp against the user's record?

We implemented this in SupportWorks using VPME on the event to populate a table with a history of user logon data stamps, so looking at a way of acheiving a similar outcome in the platform.

Cheers

Martyn

[Guest Chaz]

Hi Martyn,

you can find the last logged on date for each user in the h_sys_accounts table. The column you're looking for is called h_last_logon and contains a timestamp in the following format: YYYY-MM-DD HH:MM:SS

There's no log of this information, however.

Hope that helps!

[Gerry]

Hi Martyn,

It currently does not do this, although it probably should for security audit reasons. Can I ask what you use the gathered data for and how you browse/interact with the gathered data? Also, what information were you collecting (and why just curious to know as I will look into it. Of course in the world of Hornbill the concept of "logging in" is a little vague when using SSO. Under the hood we still do it so we can definitely log it but I am not sure how meaningful the information would be.

Another example is mobile access - its always on and does not even have a concept of logging in (apart from the first time you register the device), its a secure trust relationship set up between a user account and a device.

Interested in your thoughts

Gerry

[Martyn Houghton]

Gerry

We currently use the login audit to check on a distributed workforce to ensure they are logging into the system in a timely manner in relation to their shifts. Also as sometime we have to connect to restrictive VPN connections to provide support to our customers, the last login date/time stamp is not necessarily as useful to us, as it would be for sites where the analysts are all office based and stay logged into the system from the beginning of the day.

As you say form a security point of view it would also be useful given that the application is cloud based rather than on premise.

Cheers

Martyn

[Martyn Houghton]

@Gerry @cchana

I seem to have a vague memory that there were some mention of some auditing of login's in a subsequent release of the platform but do not seem to be able to locate it in any of the release notes, so not sure if there was some changes on this front or if I just misunderstood something. Was there any changes on this front?

Cheers

Martyn 

 

[Gerry]

Hi Martyn,

Sorry for the delay on this one.  We tend to roll this suff out incrementally, and this is no exception.  You will find there is now a table called h_sys_security_log which has been quietly logging security events for a couple of months now. Further work needs to be done to expose this and make it useful, and to document it but the basics of it are there and in place.  I will have a look and see what happens next but if you want to pull a report out from that table then the information is there for you. Let me know if you think there is anything missing/amiss here. 

Gerry

[Gerry]

Hi Martyn,

I expect you will be asking what the following mean, I thought I would pre-empt the question

h_type
        0 = Logon
        1 = Logoff
        2 = UserApiSessionCreate
        3 = SessionTimeout
        4 = SessionKill  

h_source
        0 = GuestLocal
        1 = GuestSaml
        2 = UserLocal
        3 = UserSaml
        4 = System
        5 = BasicLocal
        6 = BasicSaml
 

Gerry

[Gerry]

Martyn,

Please not that the security log only currently includes logon events from the UserLocal source. The next server update will start to include all sources except System and all types except USerApiSessionCreate

Gerry

[Martyn Houghton]

@Gerry

Thanks for the detailed response as that will allow me to report from these tables in the interim.

Cheers

Martyn

[Gerry]

Hi Martyn,

No problem. I believe we are meeting on Monday, look forward to catching up

Gerry