Logging Failures to Write Audit Messages
To comply with certain regulatory or security frameworks, you may need to track whenever an audit event that should have happened fails. This improvement can assist ThingWorx Customers in complying with the U.S. Department of Defense Cyber Maturity Model Certification (CMMC) requirement AU.3.046: Alert in the event of an audit logging process failure. The following section explains how to use some of the tools provided in ThingWorx to implement this capability, which is disabled by default.
 |
This feature is available only for users logged in as Administrator of the related ThingWorx Platform.
|
Implementing the Logging of Audit Message Failures
When configured to do so, the Audit Subsystem can trigger an alert for any issue that should be, but fails to be recorded as an Audit entry. Here are the ThingWorx tools needed to implement this feature, listed in the order in which you should use them:
|
Tool
|
Usage
|
For More Information
|
|---|---|---|
|
Audit Subsystem Configuration page
|
Use the Configuration page of the Audit Subsystem to enable the subsystem, specify the implementation to use, and enable the logging of failures to write audit messages.
The descriptions of the rest of these tools assume that you have enabled the Audit Subsystem and logging of failed audit messages.
|
• For information about the implementations of the Audit Subsystem, refer to Enabling the Audit Subsystem
• To configure the Audit Subsystem, refer to Configuration of Audit Subsystem
|
|
AuditFailure Thing and property
|
This system entity is created when the ThingWorx Platform starts. This Thing has a property, AuditFailureData of base type infotable, that will contain information about the failure to write an audit entry.
|
• For an explanation of infotables, refer to Infotables
|
|
Services of the AuditFailure Thing
|
You need to run the EnableThing() service and then the RestartThing() service on the AuditFailure Thing for this feature to work.
|
• For information about services for Things, refer to Thing Services
|
|
Thing Subscriptions
|
For each Thing on which the Audit Subsystem writes audit entries, you need to create a subscription that has a DataChange event on the AuditFailureData property of the AuditFailure Thing. You can write the subscription code such that event information such as eventData is used to meet your organizations' requirements.
|
• For an explanation of Data Change, refer to
• For information about events, refer to Thing Events
• For information about subscriptions, refer to Thing Subscriptions
|
|
Scheduler
|
To avoid performance issues due to many failures to write audit entries, configure a scheduler in ThingWorx Composer to archive and prune the AuditFailureData property.
|
• For information about schedulers, refer to Schedulers
|
|
Notifications
|
Use this feature of ThingWorx Composer to configure notifications about audit entry failure events, via email or SMS
|
• For information about notifications, refer to Notifications
• For information about configuring notifications, refer to Adding Notifications
|
 |
The AuditFailure Thing is disabled after every update or upgrade of the ThingWorx Platform. You must run the EnableThing() service and then the RestartThing() service on the AuditFailure Thing for this feature to work.
|