U4-8634 - Usermanagement - Log Useractions to table instead of log-file

Created by Jeffrey Schoemaker 22 Jun 2016, 13:50:57 Updated by Sebastiaan Janssen 19 Sep 2017, 06:04:06

Relates to: U4-1841

Subtask of: U4-10324

In Umbraco 7.x logging of user logon attempts was added. But they're currently written to the txt logfile in /App_Data/Logs/UmbracoTraceLog.txt.

For example:

2016-06-22 15:17:38,688 [P25496/D3/T71] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username techniek@perplex.nl from IP address 192.168.1.150
2016-06-22 15:17:38,688 [P25496/D3/T71] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: User: techniek@perplex.nl logged in from IP address 192.168.1.150
2016-06-22 15:21:55,654 [P25496/D4/T11] INFO Umbraco.Web.Editors.AuthenticationController - User techniek@perplex.nl from IP address 192.168.1.150 has logged out

By doing this you won't be able to make an overview of all actions that one user performed by simply running "SELECT * FROM UmbracoUserAction WHERE UserId = x", because these actions are scattered over several logfiles. Furthermore these logfiles are deleted after 30 days, and last of all, if you set the loglevel to WARN you won't see them at all.

=== Proposal ===

#1 Log authentication attempts to a database table UmbracoUserAuthenticationLog with the columns 'Username', 'IP', 'Date', 'Result' (0 is unsuccessful, 1 is successful), 'Url'. In this table we can't use UserId yet, because if the logon name isn't a user we wouldn't be able to log.

#2 Log all user actions to a database table UmbracoUserAuditLog with the columns 'UserId', 'Date', 'IP', 'Action', 'Url', 'ByUserId' and 'Comment'. For 'Action' we have the following options:

  • Login
  • Logout
  • ForgotPasswordRequested: When a user fills in their email address in "Forgot password?"
  • ForgotPasswordFinished: When a user clicks on the link in the email and updates their email address.
  • UpdateAccount: When somebody saves a specific user in Umbraco. Ideally the 'Comment' field would store what was saved ('Added permissions to Media section' for example).
  • UpdatePassword
  • Locked
  • Unlocked
  • Created
  • Disabled

With this stuff in place we have a pretty complete overview for auditing reasons and eventually can make a dashboard like http://umbraco.usermanagement.perplex.eu/ (Last tab => Logging)

1 Attachments

Download AuthEventHandler.cs

Comments

Sebastiaan Janssen 30 Apr 2017, 08:36:29

Preliminary PR: https://github.com/umbraco/Umbraco-CMS/pull/1923


Sebastiaan Janssen 30 Apr 2017, 08:43:46

Instead of logging these events to a table, for now we'll raise events that can be handled, even by logging them to a custom table. The benefit of adding events is that you can hook in to them and actually immediately do something, think of (for example): Someone gets locked out because they entered their password wrong more than 5 times. With an event you can now:

  • Send an email to the person who got locked out, explaining why
  • Send an email to an admin alerting them that someone might either be trying to brute force the password or has just forgotten their password
  • Start a background task that runs in 30 minutes to unlock the account automatically again (Umbraco currently has no built-in functionality for that).

In the future (v7.7.0 is the first opportunity for adding a new table to the database) it could be good for us to add a table storing the info from the events, and showing the audit info on each user in the users section. It would of course be super awesome if all of the functionality in the example above (http://umbraco.usermanagement.perplex.eu/) would natively be implemented as well!
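Combining the UmbracoUserAuditLog table proposed in the issue with the events described in this comment, here is an added example (not the attached AuthEventHandler.cs and not Umbraco's own code) of an App_Code handler that writes one row per BackOfficeUserManager event into that custom table and reacts to a lockout. It assumes the 7.7-era static events on BackOfficeUserManager, that their EventArgs can be cast to IdentityAuditEventArgs with AffectedUser, PerformingUser, IpAddress, DateTimeUtc and Comment properties, that the table has already been created, and that LogHelper.Warn stands in for whatever alerting (email, ticket) a site actually uses.

```csharp
using System;
using System.Web;
using Umbraco.Core;
using Umbraco.Core.Logging;
using Umbraco.Core.Security;

// Hypothetical App_Code handler: persists back-office audit events to a custom
// table with the columns from the proposal (UserId, Date, IP, Action, Url, ByUserId, Comment).
public class UserAuditLogHandler : ApplicationEventHandler
{
    // PetaPoco-style positional parameters; the table is assumed to exist already.
    private const string InsertSql =
        "INSERT INTO UmbracoUserAuditLog (UserId, Date, IP, Action, Url, ByUserId, Comment) " +
        "VALUES (@0, @1, @2, @3, @4, @5, @6)";

    protected override void ApplicationStarted(UmbracoApplicationBase umbracoApplication,
                                               ApplicationContext applicationContext)
    {
        BackOfficeUserManager.LoginSuccess += (s, e) => Record("Login", e, applicationContext);
        BackOfficeUserManager.LoginFailed += (s, e) => Record("LoginFailed", e, applicationContext);
        BackOfficeUserManager.LogoutSuccess += (s, e) => Record("Logout", e, applicationContext);
        BackOfficeUserManager.PasswordChanged += (s, e) => Record("UpdatePassword", e, applicationContext);
        BackOfficeUserManager.ForgotPasswordRequested += (s, e) => Record("ForgotPasswordRequested", e, applicationContext);
        BackOfficeUserManager.ForgotPasswordChangedSuccess += (s, e) => Record("ForgotPasswordFinished", e, applicationContext);
        BackOfficeUserManager.AccountUnlocked += (s, e) => Record("Unlocked", e, applicationContext);
        BackOfficeUserManager.AccountLocked += (s, e) =>
        {
            Record("Locked", e, applicationContext);
            // A lockout is the moment to act, not only to log: alert someone while
            // a possible brute-force attempt (or a forgotten password) is still in progress.
            OnLockout((IdentityAuditEventArgs)e);
        };
    }

    private static void Record(string action, EventArgs e, ApplicationContext ctx)
    {
        var args = (IdentityAuditEventArgs)e; // assumption: events are raised with IdentityAuditEventArgs
        var url = HttpContext.Current != null ? HttpContext.Current.Request.RawUrl : null;
        ctx.DatabaseContext.Database.Execute(InsertSql,
            args.AffectedUser, args.DateTimeUtc, args.IpAddress, action, url,
            args.PerformingUser, args.Comment);
    }

    private static void OnLockout(IdentityAuditEventArgs args)
    {
        // Placeholder for the alerting step (email to the user and an admin); mail setup is site-specific.
        LogHelper.Warn<UserAuditLogHandler>(
            "User " + args.AffectedUser + " locked out after repeated failures from IP " + args.IpAddress);
    }
}
```

Because every row carries both the affected and the performing user id, the per-user overview the issue asks for becomes a single query on UmbracoUserAuditLog instead of a search across rotated log files.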


Sebastiaan Janssen 13 Jul 2017, 08:44:20

Attached is the App_Code file I've been testing with.

It's a pretty shallow test but proves that everything works, would be good to think of some creative ways to hook into these events that I haven't imagined yet and see if that works too!


Warren Buckley 13 Jul 2017, 10:43:47

OK I got all the events to fire from your test App_Code file @sebastiaan and this is mostly OK, however using Pete's 2FA package threw up some interesting scenarios for events that were not fired.

  • Login correctly with email & password - Login event fired (but I have not passed 2FA yet, as I may fail 2FA)

  • Login correctly with email & password - Fail 2FA we get failed login events but no LockedEvent fired after the 5 failed 2FA code attempts


Sebastiaan Janssen 15 Sep 2017, 13:15:17

Couldn't repro first issue, but forgot to raise loginsuccess after 2FA login, this is now fixed and also the second issue is fixed. https://github.com/umbraco/Umbraco-CMS/pull/1923/commits/388d660e110a0b2aed9c068075c18a693712722f

Thanks for the review @warren.buckley !


Priority: Minor

Type: Feature (request)

State: Fixed

Assignee:

Difficulty: Easy

Category:

Backwards Compatible: True

Fix Submitted:

Affected versions:

Due in version: 7.6.7

Sprint: Sprint 67

Story Points: 1

Cycle: