
How to Write Security Relevant Information of Administration Events in Windows Event Log

StefanSchnell1
Level 7


Hello Blue Prism Team,
For the monitoring of possible unauthorized process changes in productive environments, e.g. changes in the workflow, it is in my case necessary to log a process change event in the Windows event log. In this context, here are a few questions:

  1. Does Blue Prism offer the possibility to log this kind of administrative event?
  2. If yes, which administrative events are standard and written to the log, and how can I activate it?
  3. Generally, can I define my own events for logging as well?
  4. Do you have a how-to guide on how to configure Blue Prism to log individual information and how to redirect it into the Windows event log?

Thanks for your answers.

Best regards
Stefan

1 BEST ANSWER


james.man
Staff
All changes to the workflow are captured in the Audit log table of the database (BPAAuditEvents). Different categories of events are captured in the sCode column of the table, for example a successful login event has the sCode L001 and modifying a process has the sCode P004. You can obtain the list of sCodes from Customer support - see this article here https://portal.blueprism.com/customer-support/support-center#/path/Installation-Platform/Security/Audit/1211701332/Which-Blue-Prism-Actions-and-Events-are-audited.htm.

This audit logging is enabled by default and cannot be turned off. Custom logging cannot be added to the BPAAuditEvents table directly. You can log anything that you want from inside a running process by implementing your own logging solution, but that won't log the actions taken inside the Blue Prism GUI software itself, as those are handled automatically.

There isn't any in-product functionality that would allow you to redirect those logs to the Event Log. What I would recommend would be to, from a database level, regularly select the results of the BPAAuditEvents table, and use some custom scripts to import them to the Event Log. Or you can export the Audit Events from the command line interface using the "getauditlog" flag, for example:
c:\%Blue Prism Installation Folder%> Automatec /getauditlog /from 20181001 /to 20181031 /user username p@ssword

Then you can also write a script to process the text returned from the /getauditlog command and push that data into the Windows Event Viewer.
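
One way to do the "custom script" step suggested in the answer above, as an added example that is not part of the original post and is not Blue Prism code. It forwards already-extracted audit rows to the Windows Event Log and keeps a high-water mark so a scheduled re-run does not write duplicates. Assumptions: Windows PowerShell 5.1; the event source name, state-file path, Windows event IDs and every column name other than sCode are made up for illustration, and the sample rows are constructed.

```powershell
# Requires Windows PowerShell 5.1; registering a new event source needs elevation.
$LogName   = 'Application'
$Source    = 'BluePrismAudit'                                       # hypothetical source name
$StateFile = Join-Path $env:ProgramData 'bp-audit-forwarder.last'   # hypothetical path

# sCodes named in the answer above; the Windows event IDs are constructed for this example.
$CodeMap = @{
    'L001' = @{ Id = 1001; Type = 'Information' }   # successful login
    'P004' = @{ Id = 4004; Type = 'Warning' }       # process modified
}

# Constructed sample standing in for rows selected from the audit table.
# Only sCode comes from the page; the other column names are assumptions.
$rows = @'
EventId,EventDateTime,sCode,Narrative
101,2018-10-02T08:15:00,L001,User 'jdoe' logged in
102,2018-10-02T08:21:43,P004,Process 'Invoice Posting' was modified by 'jdoe'
103,2018-10-02T08:30:10,X999,Some other audited action
'@ | ConvertFrom-Csv

if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName $LogName -Source $Source
}

# High-water mark so a scheduled re-run does not write the same audit row twice.
$last = 0
if (Test-Path $StateFile) { $last = [int64](Get-Content $StateFile -TotalCount 1) }

foreach ($row in $rows | Sort-Object { [int64]$_.EventId }) {
    $id = [int64]$row.EventId
    if ($id -le $last) { continue }

    $map = $CodeMap[$row.sCode]
    if (-not $map) { $map = @{ Id = 9000; Type = 'Information' } }   # unmapped sCode

    $message = "sCode={0}; auditEventId={1}; time={2}; {3}" -f `
        $row.sCode, $id, $row.EventDateTime, $row.Narrative
    Write-EventLog -LogName $LogName -Source $Source -EventId $map.Id `
        -EntryType $map.Type -Message $message

    # Persist progress after each successful write.
    Set-Content -Path $StateFile -Value $id
    $last = $id
}
```

Run it from a scheduled task under an account with read-only access to the audit data; an alert rule on event ID 4004 from this source then covers the process-change case from the question.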

StefanSchnell1
Level 7
@james.man

Thank you very much James for your great explanation.