Local Auditing
Understanding Local Audit Records and Reports
By design, Secret Server locally audits all actions taken within Secret Server. Secret Server’s auditing capacity is not configurable. See Auditable Events for details on Secret Server items that are audited and corresponding user permissions required for accessing audit records.
Various User Permissions are tailored for specific kinds of audits, listed below. To adjust user permissions, go to Admin | Roles and create a new role or click an existing role to edit the permissions on it. You can assign roles to individual users by going to Admin | Users and assigning roles.
- Add Secret Custom Audit: Allows a user to make a custom audit entry when accessing a Secret using the web services API.
- User Audit Expire Secrets: Allows a user to view the User Audit report, which shows all secrets that have been accessed by a particular user in a specified date range. Also allows the user to force expiration on all these secrets, which would make Secret Server automatically change the password.
- View Configuration Unlimited Admin: Formerly “View Unlimited Admin Configuration,” allows a user to view the Unlimited Admin Mode configuration. Also allows a user to view the Unlimited Admin Mode audit log.
- View Secret Audit: Allows a user to view Secret Audit.
- View User Audit Report: Allows a user to view, but not edit, the User Audit Report.
Accessing Local Reports
To view a list of out of the box reports, navigate to the Reports tab from an Administrator account.
For customized reports and report creation, see the options available at the bottom right corner of the Reports page. The View Audit button on the bottom left corner shows a local audit of every report that has been viewed.
Administrator actions also have audit trails inside Secret Server; these are generally found behind a View Audit button on any landing page under the Admin tab. For example, at the bottom of Admin | Configuration you can view the audit for every edit that has occurred on the Configuration page.
For User Audits, navigate to Reports | User Audit tab, then select a user and time period to view the audit of all actions taken by that user in Secret Server.
Configuring Local Windows Event Log Auditing
Outside of Secret Server, you can also send audit logs as EVT records to your Windows Server’s Windows Event Log locally.
Note that Windows Event Log output is tied to the syslog implementation; because of this, disabling syslog also disables Windows Event Log output. If Syslog/CEF Logging is not yet enabled within Secret Server, go to Admin | Configuration, edit the General tab, check Enable Syslog/CEF Logging, and then check Write Syslogs As Windows Events. Syslog/CEF Logging configuration is also detailed in section 13.3, Configuring Auditing for TLS Connections.
The following steps walk you through how to grant required permissions to the Application Pool outside of Secret Server to successfully write audits to the Windows Event Log:
Granting Application Pool Access to Windows Event Log
When the database becomes inaccessible, Secret Server will try to log errors to the Windows Event Log. By default, however, Network Service and standard service accounts will not have permissions to the Event Log. Permissions must be manually added to the Application Pool for specific Event Log registry keys.
Required Registry Permissions
The following permissions are required for the Identity configured on the Secret Server Application Pool in IIS (Network Service, IIS APPPOOL\SecretServer, etc.).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
Applies to "This key and subkeys".
- Read
  - Query Value
  - Enumerate Subkeys
  - Notify
  - Read Control
- Set Value
- Create Subkey

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
Applies to "This key and subkeys".
- Read
  - Query Value
  - Enumerate Subkeys
  - Notify
  - Read Control
How to Apply Windows Event Log Permissions
1. Determine the account that is running Secret Server. To do this, log in to Secret Server and go to Admin | Diagnostics. Click the button to Show Background Processes and look for any of the "Thread Identity" labels. These contain the identity Secret Server runs as (often NT AUTHORITY\NETWORK SERVICE or IIS APPPOOL\SecretServer).
2. Open the Registry Editor on the machine running Secret Server (Start | Run | regedit, depending on OS).
3. On the left, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog.
4. Right-click the EventLog folder in the Registry Editor and select Permissions, then click the Advanced button.
5. On the Permissions tab, click Add.
6. Click Select a principal.
7. Enter the name of your app pool’s account (see step 1; for example, “IIS APPPOOL\SecretServer”) in the box under Enter the object name to select (examples). Click Check Names. Once “SecretServer” (or the name of your Secret Server app pool) is listed in the box and underlined, click OK.
8. Under Basic permissions:, check Read.
9. Click Show advanced permissions, then check Set Value and Create Subkey under Advanced permissions:.
10. Click OK on the remaining dialogs and Apply the permissions. You should be back on the main Registry Editor window.
11. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security, right-click and select Permissions...
12. Click Add..., find the account running Secret Server (as in step 7), then click OK.
13. Check Read in the Allow column, then click OK to apply the permission.
14. In Secret Server, navigate to Admin | Configuration | General tab to verify that the Application Setting Write Syslogs as Windows Events is set to Yes.
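The same registry permissions applied from PowerShell instead of Registry Editor, as an added example that is not part of the original documentation or the product. It assumes the application pool identity is IIS APPPOOL\SecretServer (confirm the actual identity under Admin | Diagnostics as in step 1 and pass it as -AppPoolIdentity if it differs) and an elevated session on the Secret Server host; Grant-RegistryRights is a helper name chosen for this example.

```powershell
# Added example (not product code): grant the Secret Server app pool identity
# the registry rights listed above on the EventLog keys, then show the result.
# Assumptions: identity IIS APPPOOL\SecretServer, elevated PowerShell session.
param(
    [string]$AppPoolIdentity = 'IIS APPPOOL\SecretServer'
)

$eventLogKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog'
$securityKey = "$eventLogKey\Security"

function Grant-RegistryRights {
    param(
        [string]$Path,
        [string]$Identity,
        [System.Security.AccessControl.RegistryRights]$Rights
    )
    $acl = Get-Acl -Path $Path
    # ContainerInherit makes the entry apply to "This key and subkeys",
    # matching what the Registry Editor steps configure.
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# EventLog key: Read plus Set Value and Create Subkey. ReadKey is the
# composite of Query Value, Enumerate Subkeys, Notify and Read Control,
# i.e. exactly the four advanced rights listed under Read above.
$eventLogRights = [System.Security.AccessControl.RegistryRights]::ReadKey -bor
                  [System.Security.AccessControl.RegistryRights]::SetValue -bor
                  [System.Security.AccessControl.RegistryRights]::CreateSubKey
Grant-RegistryRights -Path $eventLogKey -Identity $AppPoolIdentity -Rights $eventLogRights

# EventLog\Security key: Read only. Do not grant write rights here; the app
# pool only needs to read this key, not alter the Security log configuration.
Grant-RegistryRights -Path $securityKey -Identity $AppPoolIdentity `
    -Rights ([System.Security.AccessControl.RegistryRights]::ReadKey)

# Verify: list the access entries now present for the identity on both keys
# so the change can be reviewed before enabling Write Syslogs as Windows Events.
foreach ($key in @($eventLogKey, $securityKey)) {
    (Get-Acl -Path $key).Access |
        Where-Object { $_.IdentityReference.Value -eq $AppPoolIdentity } |
        Select-Object @{ n = 'Key'; e = { $key } }, RegistryRights, InheritanceFlags, AccessControlType
}
```

Run it once per Secret Server node; the final loop prints the resulting entries, which is the quickest way to confirm that only the intended rights were added and that nothing wider than Read landed on the Security key.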
Accessing Windows Event Logs
After setting up Windows Event Logs to consume Secret Server logs you can access logs for local auditing and troubleshooting purposes through the Windows Event Log Event Viewer on Secret Server’s local server.
To find the Windows Event Log, open the Windows Event Viewer from the local server and navigate to Windows Logs | Application. Event Logs for Secret Server will be listed as [SecretServer] under the Source column:
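Pulling the same entries from the command line, as an added example that is not part of the original documentation or the product. It assumes the provider name matches the [SecretServer] value shown in the Source column and that Get-WinEvent can reach the Secret Server host (locally by default, or via -ComputerName with the required remote event log access).

```powershell
# Added example (not product code): list recent Secret Server entries from the
# Application log and summarise them by level, for local auditing or for
# checking that Windows Event Log output is actually being written.
# Assumptions: provider name 'SecretServer', default window of 24 hours.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

$filter = @{
    LogName      = 'Application'
    ProviderName = 'SecretServer'
    StartTime    = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    # No entries usually means the output path is not configured rather than
    # that nothing happened: re-check Enable Syslog/CEF Logging, Write Syslogs
    # as Windows Events, and the app pool's EventLog registry rights.
    Write-Warning "No SecretServer events in the last $Hours hours on $ComputerName."
    return
}

# Count by level first (Information/Warning/Error) to spot error bursts quickly.
$events | Group-Object LevelDisplayName | Select-Object Name, Count

# Then show the newest entries with the message flattened onto one line;
# the CEF-formatted audit text is carried in the Message property.
$events |
    Select-Object -First 10 TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { $_.Message -replace "`r?`n", ' ' } } |
    Format-Table -Wrap
```

Widen -Hours or add an EndTime key to the filter hashtable when reconstructing a specific window; Get-WinEvent filters on the server side, so this stays fast even on a busy Application log.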