Managing and Maintaining Audit Records

In addition to system logs, Imprivata maintains a complete record of Imprivata activity in the Imprivata audit log.

In a G4 (fourth generation) Imprivata enterprise, the one or two G4 database appliances in the enterprise hold all audit data. Audit records are stored on and served from those database appliances. In a G4 enterprise, there is no longer a concept of an audit appliance. In a G3 (third generation) Imprivata enterprise, at least two G3 appliances served as audit appliances for the enterprise. Audit records were stored on and served from the audit appliances.

Audit records are uploaded from each Imprivata agent at every refresh interval that the agent is online.

The Imprivata audit log can hold millions of records. You can archive and delete audit logs as needed or schedule periodic deletions. Imprivata audit records are used to generate reports. Reports are described below.

NOTE: Imprivata retains audit information related to e-prescribing controlled substances for a minimum of two years per DEA regulations, or for longer depending on your state regulations.

To modify the amount of time for which Imprivata Enterprise Access Management MFA (formerly Confirm ID) audit records are retained, change the Preserve regulated audit records setting in the Record maintenance section of the Settings page.

In the Imprivata Admin Console, go to the gear icon > Settings. The Audit Records section includes:

  • The Manage audit records option, which allows you to view how many audit records you have (excluding regulated records related to the e-prescribing of controlled substances).

  • The Store SSO user names option. When selected, user names for SSO events are recorded in the audit logs.

  • The Record maintenance section, which allows you to archive and/or delete audit records and schedule audit log maintenance. See Maintaining Audit Records.

Audit Record Guidance

Maintaining large numbers of audit records can slow down certain operations. For example, upgrades, enterprise synchronizations, and backing up may be slowed. There are many factors that contribute to your experience, but in general:

  • Less than 5 million records — little or no slowdown
  • From 5-10 million records — possible slowdown
  • 10 million records or more — slowdown likely, consider removing audit records

This guidance assumes two database appliances in a G4 enterprise.

The audit logs contain up to 16 columns, in this order:

  1. Internal ID of the appliance where the record was created
  2. Timestamp
  3. Username*
  4. Domain name*
  5. Type of activity
  6. Authentication method*
  7. Authentication result*
  8. Application name*
  9. Client hostname*
  10. Client IP address*
  11. Client MAC address*
  12. Alternate hostname * ‡
  13. Alternate IP address* ‡
  14. Alternate MAC address* ‡
  15. Notes specific to the authentication method, such as the ID token serial number.
  16. Notes specific to the type of activity, for example (excluding the password) the credentials that were proxied to the application.

    17. NOTE: You can copy this list from the PDF for use in a CSV file. Columns marked * are listed only if relevant. Columns marked ‡ are for VMware Horizon.

To perform an audit records maintenance operation:

  1. In the Imprivata Admin Console, go to the gear icon menu > Settings.
  2. In the Audit Records > Record maintenance section, select whether you want to Archive and Delete, Archive only or Delete only the audit log records.

  3. BEST PRACTICE: Because the audit server has a finite storage capacity, the Best Practice is to delete archived logs. Archive and Delete is the default setting.

  5. If you select Archive and Delete or Archive only, you may need to configure the FTP server, network share server, or SCP server on which to store the archived records. If a file server has not yet been configured, see Configuring a File Server for Storing Audit Records and Reports.

  6. NOTES:

    • File server settings for audit records also apply to reports. Any changes you make to file server settings for audit records are applied to reports, and vice versa. However, the saved location is configured separately for each maintenance job in the Save location field of the Record maintenance section.
    • Imprivata cannot report on deleted data. When setting a period for deletion of logs, take into account the periods you expect to need for reporting purposes.
    • Administrator activity is not stored in the audit logs and cannot be purged.
  7. In the Save location field, enter the relative path of the location on the file server to which you are archiving old records.

    NOTE: For SCP servers, if the Save location path is blank, then the files are saved to the account’s home folder ( such as /home/<user>).

  8. If you want to perform the job immediately, click Perform now. When you are prompted to confirm the number of records to be archived and/or deleted, click OK.
  9. (Optional) — If your enterprise is licensed for MFA (Imprivata Confirm ID), you can choose to preserve regulated audit records for longer than the mandatory minimum period.
  10. (Optional) — If you want to schedule recurring maintenance:
    1. In the Frequency section, select the frequency and time of day when reports automatically run and export: never, daily, weekly, or monthly.
    2. Select an Imprivata site. Audit records for an entire G4 (fourth generation) Imprivata enterprise are logged from a database appliance in the site. Audit log maintenance can consume some bandwidth, so select a site that can handle the traffic. Only sites with database appliances are listed for a G4 enterprise, and only sites within the scope of your administrative role are listed.
    3. Click Perform now. When you are prompted to confirm the number of records to be archived and/or deleted, click OK.

You can run reports on the audit records stored on the server; reports cannot be run on deleted data. If you keep an Imprivata test appliance, then you can restore a backup file to the test appliance and run reports from any date for which you have a backup file.

For example, if you keep audit data for a 90-day period, and if you need to run reports relative to an event one year ago, then you can restore a backup from one year ago and get 90 days worth of data leading up to the date of the backup file.

Audit records can be saved to an FTP server, SCP server, or network file server. Enter the file server information in the File server configuration area of the Audit Records section of the Settings page, shown below configured for an FTP server.

  1. Select FTP from the Protocol drop-down list.
  2. Enter the Server, port number (default is 21), Username, and Password.

NOTE: Use a passive FTP connection.

  1. Select SCP (Secure copy) from the Protocol drop-down list.
  2. Enter the Server, port number (default is 22), Username, and Password.
  3. To use an SCP server, add Imprivata as a trusted host. Copy and paste the SSH public key into the trusted hosts configuration (sometimes known as an authorized keys file of the server. Refer to the SSH documentation for further details).
  1. Select Network share from the Protocol drop-down list.
  2. For Server, enter the IP address or hostname.
  3. Enter the Username, Password, and Domain.

Imprivata database appliances are designated during the configuration of a G4 (fourth generation) enterprise. These appliances store audit data and automatically record data for a number of system activities, plus additional system and user activities that you indicate when you set up event notifications and reports. Imprivata agents also record and save audit data that is uploaded to the appliance at the agent refresh interval. Audit records are replicated to a second database appliance (if deployed) in a G4 enterprise, to ensure reliability and recovery of audit information. Audit data is stored in backups and maintained through upgrades. Imprivata allows you to archive audit records to an FTP server, a network share server, or SCP server and then delete them from the Imprivata servers.

The Effect of Large Amounts of Audit Records

Organizations that use many reports and notifications can generate tens of millions of audit records.

There are several occasions when a high number of audit records can increase server downtime:

  • When you upgrade your enterprise

  • When you restore your enterprise or restore a test appliance from a backup file

  • If you synchronize other appliances in your enterprise from a database appliance for a G4 enterprise

  • When you run a report from the Imprivata Admin Console

In all of the above scenarios, all audit data is transmitted to the receiving appliances; this can take a long time if you have tens of millions of records and limited bandwidth. Therefore, it is a best practice to delete unnecessary audit records. These operations work best if you limit the number of audit records on the appliances to two million or fewer records.

NOTE: Selecting Allow offline authentication in a user policy can mitigate the effects of extended server downtime.

Deleting Large Amounts of Audit Records

To archive and delete unnecessary audit records without burdening your Imprivata servers:

  1. Review your reports to identify how far back you need to keep audit records. If your longest-term report goes back 30 days, then you can safely archive and delete records more than 30 days old.
  2. Audit record maintenance settings are located in the Imprivata Admin Console. Select the gear icon > Settings and see the Audit Records > Record maintenance section. See Maintaining Audit Records.
  3. If the number to be archived and deleted is in the millions, the operation may take a long time. For best results, select a more remote date and delete them in bunches of one million or less over several operations. You can automate this by selecting Daily or Weekly in the Frequency parameters.

  4. Each time you archive and delete audit records in a G4 enterprise, the instruction is replicated to the other database appliance (if deployed) to ensure that both database appliances contain the same audit data.

For a G4 enterprise, you can start the archive and delete operation from any Imprivata appliance in the enterprise, even if you are not logged into a database appliance. The operation takes place on one database appliance first, and then repeats on the second database appliance (if deployed). If both database appliances do not have approximately the same number of audit records within a few hours, contact Imprivata Customer Support.

Best Practices for Maintaining Audit Records

Consult with your compliance team to understand how long audit records should be stored. You should maintain no more than 90 days of audit data on the appliance or fewer than 2 million audit records, whichever is less.

Maintaining the Ability to Report on Archived Data

Since you will be deleting audit records from the appliance, you will need a way to pull in this information should the need arise.

There are two ways to access audit records that are no longer on the appliance:

  • Use a third-party application such as Crystal Reports to import the archived CSV files and then create reports.
  • Make a backup of the database that spans the time period during which the data is needed and restore it to your test environment. It is a best practice to have a test enterprise to perform testing of future releases.