Start a new topic

Sending Royal Document activity logs from RoyalTS/X to Royal Server

Hi Stefan,

I was looking for a way to get some (security) audit logging for actions done around Royal Server and got some good hints from Michael on this part :)

There is one point that may be interesting on the RoyalTS/X side and we think that it would be a good idea to create this feature request to see what other users' can contribute as ideas too !

Currently, Royal Server already logs interactions from a RoyalTS/X client allowing us to get details of actions like documents opening and established connections, and also interaction with the configuration tool, but from the Royal Server point of view only.

It would be interesting to add the ability to get tracks of some actions done on objects in a Royal Server's hosted document, this time from the client point of view.

I know that RoyalTS already offer logging capabilities (I definitely need to read the Serilog documentation on how to implement Elasticsearch/Splunk/Syslog forwarding...), but sending this directly to the related Royal Server to limit logs tampering and get a centralized source of knowledge around Royal Server stuff would be great.

For example, these types of actions can be targeted:

  • A user modified some values of an object (with when possible the old & new values for text fields, unless it is protected of course)
  • An object is deleted from the document (with at least the local username/object name/type/description involved)
  • A user reveal or copy to clipboard a protected field (password or protected custom property) in case lockdown-mode is not possible to prevent that (eg. some admin pages can't be auto-filled or the data is used in a RDP/SSH session after initial login)
  • A user unlocked a locked-down document (this way we would be able to found out if the lockdown-password has been leaked and, in this case knowing if fields were revealed may help find out if credentials/passwords or protected fields were recovered/exfiltrated)

It could probably also concern objects from other documents (aka not from the document store) configured to use a Royal Server Gateway, but I have doubts about the relevence for such objects as there may be no reliable way to know if they are stored in a "sensitive" shared document for a team or a purely personal document... (you can create a personal document and set it to shared mode and/or save it to a network share if you want...) and this would not have any sense to log those interactions.

As you already said in another post, users are still able to use other clients or gateways to connect to resources which would circumvent logging (unless proper audit logs on the remote host), but it would help some CISO teams get fewer unsupervised gray areas and being more confident.

I hope that makes sense, as always, feel free to ask for more details on some points ;-)

This post is obviously open to constructive and peaceful exchange with other users ;-)

Best Regards,

Login or Signup to post a comment