• Object ID: 00000018WIA30B73450GYZ
  • Topic ID: id_2021766 Version: 4.0
  • Date: Feb 22, 2021 1:46:14 AM

Enterprise Audit Trail (EAT) audit logging

EAT allows for remote logging of system events.

About this task

Remote logging of system events uses the syslog protocol: messages are formatted per RFC 3164 (BSD) or RFC 5424 (IETF) and carried over UDP, TCP (RFC 6587, syslog over TCP) or TLS. The following sources direct log messages to syslog, and the rsyslog service forwards them to the collector:
  • User login, logout, and patient data transfer (EA3/EAT)
  • Linux Auditing System (auditd)
  • Linux operating system messages
  • Antivirus start and end status
  • Others (as configured)
Note: This procedure does not cover configuring the remote (collector) system.

Background

About this task

DICOM Part 15 (PS3.15, Audit Trail Message Transmission Profile) states that [RFC 5426] (syslog over UDP) provides the mechanisms for rapid transport of audit messages, and that it is the standardized successor to the informative standard [RFC 3164], which is widely used in a variety of settings.

  • RFC 3164 – BSD syslog protocol. This was the original protocol supported in EAT; it is obsoleted by RFC 5424. It has been used for the transmission of event notification messages across networks for many years.
  • Although this protocol was originally developed on the University of California Berkeley Software Distribution (BSD) TCP/IP implementations, its value to operations and management led to it being ported to many other operating systems and embedded in many networked devices.
  • RFC 5424 – the newer Syslog Protocol, which obsoletes RFC 3164 (BSD). EAT refers to it as IETF syslog (or just IETF).
  • EAT supports both the BSD and IETF formats: BSD is still accepted by many collectors, and IETF syslog was new or unavailable on some systems when EAT was introduced.

From the EAT perspective the audit message itself is the same in both cases: an XML message as defined by the DICOM audit schema.

Only during transmission is a syslog header prepended, according to the protocol selected (BSD or IETF syslog). If the header is invalid, the collector rejects the message.

Examples

About this task

The only difference between the two requests is the syslog header that precedes the XML body. In both samples <85> is the syslog PRI field: facility 10 (security/authorization) × 8 + severity 5 (notice) = 85.

BSD based Syslog transport request:

<85>Apr 08 11:23:58 INBLREVRASWP515 GE:
 <?xml version="1.0" encoding="UTF-8"?>
<AuditMessage><EventIdentification EventActionCode="E" EventDateTime="2021-04-08T05:53:58" EventOutcomeIndicator="0">
<EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert" />
<EventTypeCode csd-code="110131" codeSystemName="DCM" originalText="Software Configuration"/>
</EventIdentification><ActiveParticipant UserID="EAT Configuration" UserIsRequestor="true">
</ActiveParticipant>
<AuditSourceIdentification AuditSourceID="">
<AuditSourceTypeCode csd-code="2" codeSystemName="DCM" originalText="Data acquisition device" />
</AuditSourceIdentification>
<ParticipantObjectIdentification ParticipantObjectID="10.177.200.54" ParticipantObjectTypeCode="2" ParticipantObjectTypeCodeRole="13">
<ParticipantObjectIDTypeCode csd-code="12" codeSystemName="RFC-3881" originalText=""/>
<ParticipantObjectName/>
<ParticipantObjectDetail type="Alert Description" value="U2VuZGluZyB0ZXN0IG1lc3NhZ2U=" />
</ParticipantObjectIdentification>
</AuditMessage>

IETF Syslog transport request:

<85>1 2021-04-08T11:25:04.469Z INBLREVRASWP515 GE - DICOM+RFC3881 - 
<?xml version="1.0" encoding="UTF-8"?>
<AuditMessage>
<EventIdentification EventActionCode="E" EventDateTime="2021-04-08T05:55:04" EventOutcomeIndicator="0">
<EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert" />
<EventTypeCode csd-code="110131" codeSystemName="DCM" originalText="Software Configuration"/>
</EventIdentification>
<ActiveParticipant UserID="EAT Configuration" UserIsRequestor="true">
</ActiveParticipant>
<AuditSourceIdentification AuditSourceID="">
<AuditSourceTypeCode csd-code="2" codeSystemName="DCM" originalText="Data acquisition device" />
</AuditSourceIdentification>
<ParticipantObjectIdentification ParticipantObjectID="10.177.200.54" ParticipantObjectTypeCode="2" ParticipantObjectTypeCodeRole="13">
<ParticipantObjectIDTypeCode csd-code="12" codeSystemName="RFC-3881" originalText=""/>
<ParticipantObjectName/>
<ParticipantObjectDetail type="Alert Description" value="U2VuZGluZyB0ZXN0IG1lc3NhZ2U=" />
</ParticipantObjectIdentification>
</AuditMessage>
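As an added example, not code from this page or from GE, the following Python builds both headers shown above around the same XML body, then applies the kind of collector-side check that rejects a malformed header, and extracts the fields a SIEM rule would key on from the DICOM body (the base64 ParticipantObjectDetail value in the samples decodes to readable alert text). The hostname, tag, MSGID and timestamp are taken from the samples; the regular expressions are this example's own strict reading of RFC 3164 and RFC 5424, not the collector's parser. Note that RFC 3164 pads a single-digit day with a space ("Apr  8") whereas the sample shows "Apr 08"; the parser below accepts both.

```python
"""Added example (not GE code): build the RFC 3164 (BSD) and RFC 5424 (IETF)
syslog headers EAT prepends to a DICOM audit message, and a strict
collector-side check that rejects a malformed header."""
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

PRI = 10 * 8 + 5  # facility 10 (security/authorization), severity 5 (notice) -> <85>

# Constructed copy of the page's sample audit message (line breaks removed).
AUDIT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<AuditMessage><EventIdentification EventActionCode="E" '
    'EventDateTime="2021-04-08T05:53:58" EventOutcomeIndicator="0">'
    '<EventID csd-code="110113" codeSystemName="DCM" originalText="Security Alert"/>'
    '<EventTypeCode csd-code="110131" codeSystemName="DCM" originalText="Software Configuration"/>'
    '</EventIdentification>'
    '<ActiveParticipant UserID="EAT Configuration" UserIsRequestor="true"/>'
    '<ParticipantObjectIdentification ParticipantObjectID="10.177.200.54" '
    'ParticipantObjectTypeCode="2" ParticipantObjectTypeCodeRole="13">'
    '<ParticipantObjectDetail type="Alert Description" value="U2VuZGluZyB0ZXN0IG1lc3NhZ2U="/>'
    '</ParticipantObjectIdentification></AuditMessage>'
)
SAMPLE_TIME = datetime(2021, 4, 8, 11, 23, 58, 469000, tzinfo=timezone.utc)


def bsd_message(xml, hostname, tag, when):
    """RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG.
    RFC 3164 pads a single-digit day with a space ("Apr  8"), not a zero."""
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{PRI}>{ts} {hostname} {tag}: {xml}"


def ietf_message(xml, hostname, app, msgid, when):
    """RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    PROCID and STRUCTURED-DATA are absent, so they carry the NILVALUE '-'."""
    utc = when.astimezone(timezone.utc)  # naive input is treated as local time
    ts = f"{utc:%Y-%m-%dT%H:%M:%S}.{utc.microsecond // 1000:03d}Z"
    return f"<{PRI}>1 {ts} {hostname} {app} - {msgid} - {xml}"


# Strict header grammars: exactly one space between fields, PRI of 1-3 digits.
IETF_RE = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$", re.S)
BSD_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+):\s*(.*)$", re.S)


def parse_syslog(line):
    """Collector-side check: return header fields plus body, or raise
    ValueError for anything a strict receiver would reject."""
    m = IETF_RE.match(line)
    if m:
        fields = dict(version=1, timestamp=m.group(2), hostname=m.group(3),
                      app=m.group(4), procid=m.group(5), msgid=m.group(6),
                      sd=m.group(7), msg=m.group(8) or "")
    else:
        m = BSD_RE.match(line)
        if not m:
            raise ValueError("malformed syslog header")
        fields = dict(version=0, timestamp=m.group(2), hostname=m.group(3),
                      app=m.group(4), msg=m.group(5))
    pri = int(m.group(1))
    if pri > 191:  # RFC 5424: PRI is facility*8+severity, facility <= 23
        raise ValueError(f"PRI {pri} out of range")
    fields.update(pri=pri, facility=pri // 8, severity=pri % 8)
    return fields


def rejects(line):
    """True if the collector check above would drop this line."""
    try:
        parse_syslog(line)
        return False
    except ValueError:
        return True


def audit_summary(xml):
    """Pull the fields a detection rule keys on from the DICOM body; the
    ParticipantObjectDetail value is base64 per the DICOM audit schema."""
    root = ET.fromstring(xml.encode("utf-8"))
    ev = root.find("EventIdentification")
    eid = ev.find("EventID")
    detail = root.find("ParticipantObjectIdentification/ParticipantObjectDetail")
    return {
        "event_code": eid.get("csd-code"),
        "event_text": eid.get("originalText"),
        "outcome": ev.get("EventOutcomeIndicator"),
        "detail": (base64.b64decode(detail.get("value")).decode("utf-8")
                   if detail is not None else None),
    }


if __name__ == "__main__":
    for line in (bsd_message(AUDIT_XML, "INBLREVRASWP515", "GE", SAMPLE_TIME),
                 ietf_message(AUDIT_XML, "INBLREVRASWP515", "GE", "DICOM+RFC3881", SAMPLE_TIME)):
        hdr = parse_syslog(line)
        print(hdr["version"], hdr["facility"], hdr["severity"], audit_summary(hdr["msg"]))
```

Both message builders produce the same XML body; only the header differs, which is the point of the samples. A real collector is often more lenient than `parse_syslog` (for instance accepting "Apr 08"), but a sender that emits the strict form works against both strict and lenient receivers.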

The MR system supports TCP, UDP and TLS (TLS only on software revision 29 and later) for communication with the enterprise servers, and the following combinations are valid protocol selections:

  • TCP-BSD, TCP-IETF
  • UDP-BSD, UDP-IETF
  • TLS-BSD, TLS-IETF (only available on software versions 29 and later)

For example, UDP-IETF means the messages are sent to the enterprise server as UDP datagrams in the IETF syslog format. UDP and plain TCP carry the audit message in clear text, with no authentication of the collector and (for UDP) no delivery guarantee; where the software revision allows it, TLS is the selection that protects the audit trail in transit.

Note: Selecting TLS requires that the third-party trust certificate from the facility EAT collector server has been imported into the MR system and configured for the EAT application using the Certificate Management interface; see Importing third-party certificates - public keys.
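Added example, not GE's or rsyslog's code, of the transport side of these selections: a check of the combinations listed above, RFC 6587 octet-counting framing for TCP and TLS with a receiver routine that reassembles a partially read stream, a TLS context that trusts only the certificate imported from the collector, and a sender that uses them. Host names, ports, the timeout and the PEM path are assumptions; nothing here reproduces the MR system's configuration interface.

```python
"""Added example (not GE code): transport selection, RFC 6587 framing and
TLS trust for forwarding syslog-wrapped DICOM audit messages to a collector."""
import socket
import ssl

TRANSPORTS = {"UDP", "TCP", "TLS"}
FORMATS = {"BSD", "IETF"}


def check_selection(transport, fmt, sw_version):
    """Validate a '<transport>-<format>' pair as listed on the page;
    TLS needs software revision 29 or later."""
    if transport not in TRANSPORTS or fmt not in FORMATS:
        raise ValueError(f"unsupported selection {transport}-{fmt}")
    if transport == "TLS" and sw_version < 29:
        raise ValueError("TLS requires software revision 29 or later")
    return f"{transport}-{fmt}"


def frame_octet_counted(msg: bytes) -> bytes:
    """RFC 6587 section 3.4.1 octet counting: MSG-LEN SP SYSLOG-MSG.
    Used for TCP and TLS so an XML body containing newlines is never
    split or merged by the receiver (newline framing would break on it)."""
    return b"%d %s" % (len(msg), msg)


def unframe_octet_counted(buf: bytes):
    """Split a received byte stream into complete messages.  Returns
    (messages, leftover) so a partial read can be resumed; raises on a
    stream that is not octet-counted, which a strict collector treats as
    a reason to drop the connection rather than guess at the framing."""
    msgs = []
    while buf:
        sp = buf.find(b" ")
        head = buf[:sp] if sp >= 0 else buf
        if not head.isdigit():
            raise ValueError("stream is not RFC 6587 octet-counted")
        if sp < 0:
            break  # length prefix not complete yet
        end = sp + 1 + int(head)
        if len(buf) < end:
            break  # message body not complete yet
        msgs.append(buf[sp + 1:end])
        buf = buf[end:]
    return msgs, buf


def tls_context(collector_trust_pem: str) -> ssl.SSLContext:
    """Trust only the certificate imported from the facility collector
    (assumed PEM path), require TLS 1.2+, and verify the collector's name."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=collector_trust_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_audit(msg: bytes, transport, host, port, collector_trust_pem=None):
    """Deliver one syslog message (header already prepended) over the chosen
    transport.  host/port/pem path are the caller's assumptions."""
    if transport == "UDP":
        # One datagram per message, no framing and no delivery guarantee; a
        # large XML body may exceed what the collector accepts in a single
        # datagram (RFC 5426), so prefer TCP/TLS for full audit messages.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(msg, (host, port))
        return
    framed = frame_octet_counted(msg)
    with socket.create_connection((host, port), timeout=10) as raw:
        if transport == "TLS":
            ctx = tls_context(collector_trust_pem)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(framed)
        else:
            raw.sendall(framed)


if __name__ == "__main__":
    sample = b"<85>1 2021-04-08T11:25:04.469Z INBLREVRASWP515 GE - DICOM+RFC3881 - <AuditMessage/>"
    print(check_selection("TLS", "IETF", 29), frame_octet_counted(sample)[:12])
    # send_audit(sample, "TLS", "collector.example.org", 6514, "/path/to/collector-trust.pem")
```

`tls_context` deliberately does not fall back to the system trust store: the note above ties TLS to the certificate imported through Certificate Management, and pinning the context to that file means a collector presenting any other certificate, even one from a public CA, is refused.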

DICOM part 15 references: