Auditing is a requirement in many systems. It provides a means of tracking activities that occur as part of normal operation of the system. It also provides a means of tracking abnormal behaviour. It is also a requirement from a security standpoint. For more information on the security aspects of auditing, see OPC 10000-2. Subclause 6.5 describes what is expected of an OPC UA Server and Client with respect to auditing and it details the audit requirements for each service set. Auditing can be accomplished using one or both of the following methods:

  1. The OPC UA Application that generates the audit event can log the audit entry in a log file or other storage location;
  2. The OPC UA Server that generates the audit event can publish the audit event using the OPC UA event mechanism. This allows an external OPC UA Client to subscribe to and log the audit entries to a log file or other storage location.

Each OPC UA Service request contains a string parameter that is used to carry an audit record id. A Client or any Server operating as a Client, such as an aggregating Server, can create a local audit log entry for a request that it submits. This parameter allows this Client to pass the identifier for this entry with the request. If this Server also maintains an audit log, it should include this id in its audit log entry that it writes. When this log is examined and that entry is found, the examiner will be able to relate it directly to the audit log entry created by the Client. This capability allows for traceability across audit logs within a system.

A Server that maintains an audit log shall provide the audit log entries via Event Messages. The AuditEventType and its sub-types are defined in OPC 10000-3. An audit Event Message also includes the audit record Id. The details of the AuditEventType and its subtypes are defined in OPC 10000-5. A Server that is an aggregating Server that supports auditing shall also subscribe for audit events for all of the Servers that it is aggregating (assuming they provide auditing). The combined stream should be available from the aggregating Server.
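The traceability described above can be checked by joining a Client's local audit log with the audit Events received from a Server on the audit record id. The following is an added example, not code from the specification; the record classes, field names and sample data are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientEntry:
    """Local audit log entry a Client writes before submitting a request."""
    audit_entry_id: str
    service: str

@dataclass(frozen=True)
class ServerEvent:
    """Audit Event Message published by a Server (field names are assumptions)."""
    event_type: str
    audit_entry_id: str  # audit record id carried in the request; may be empty
    succeeded: bool
    message: str

def correlate(client_entries, server_events):
    """Join the two logs on the audit record id and report what does not line up."""
    by_id = defaultdict(list)
    for entry in client_entries:
        by_id[entry.audit_entry_id].append(entry)
    # An id reused by the Client cannot identify a single request.
    ambiguous = sorted(i for i, es in by_id.items() if len(es) > 1)
    matched, server_only, seen = [], [], set()
    for event in server_events:
        entries = by_id.get(event.audit_entry_id, []) if event.audit_entry_id else []
        if len(entries) == 1:
            matched.append((entries[0], event))
            seen.add(event.audit_entry_id)
        elif not entries:
            server_only.append(event)  # no Client-side record for this action
    client_only = [e for e in client_entries
                   if e.audit_entry_id not in seen and e.audit_entry_id not in ambiguous]
    return {"matched": matched, "server_only": server_only,
            "client_only": client_only, "ambiguous_ids": ambiguous}

# Constructed sample data, not taken from a real system.
CLIENT_LOG = [
    ClientEntry("agg-0001", "Write"),
    ClientEntry("agg-0002", "Write"),
    ClientEntry("agg-0003", "ActivateSession"),
]
SERVER_EVENTS = [
    ServerEvent("AuditWriteUpdateEventType", "agg-0001", True, "value written"),
    ServerEvent("AuditActivateSessionEventType", "agg-0003", False,
                "user identity token rejected"),
    ServerEvent("AuditWriteUpdateEventType", "", True, "value written"),
]
```

Entries in `server_only` are actions the Server audited with no matching Client record, and entries in `client_only` are requests the Client logged that never appear in the Server's audit stream; both are worth reviewing.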

This Service Set can be separated into two groups: Services that are called by OPC UA Clients and Services that are invoked by OPC UA Servers. The FindServers and GetEndpoints Services that are called by OPC UA Clients may generate audit entries for failed Service invocations. The RegisterServer Service that is invoked by OPC UA Servers shall generate audit entries for all new registrations and for failed Service invocations. These audit entries shall include the ServerURI, Server names, DiscoveryURIs and isOnline status. Audit entries should not be generated for RegisterServer invocation that does not cause changes to the registered Servers.

All Services in this Service Set for Servers that support auditing may generate audit entries and shall generate audit Events for failed service invocations and for successful invocation of the OpenSecureChannel and CloseSecureChannel Services. The Client generated audit entries should be set up prior to the actual call, allowing the correct audit record Id to be provided. The OpenSecureChannel Service shall generate an audit Event of type AuditOpenSecureChannelEventType or a subtype of it for the requestType ISSUE. Audit Events for the requestType RENEW are only created if the renew fails. The CloseSecureChannel service shall generate an audit Event of type AuditChannelEventType or a subtype of it. Both of these Event types are subtypes of the AuditChannelEventType. See OPC 10000-5 for the detailed assignment of the SourceNode, the SourceName and additional parameters. For the failure cases the Message for Events of this type should include a description of why the service failed. This description should be more detailed than what was returned to the Client. From a security point of view a Client only needs to know that it failed, but from an Auditing point of view the exact details of the failure need to be known.

In the case of Certificate validation errors the CertificateErrorEventId of the AuditOpenSecureChannelEventType should include the auditEventId of the specific AuditCertificateEventType that was generated to report the Certificate error. The AuditCertificateEventType shall also contain the detailed Certificate validation error. The additional parameters should include the details of the request. It is understood that these events may be generated by the underlying Communication Stacks in many cases, but they shall be made available to the Server and the Server shall report them.

All Services in this Service Set for Servers that support auditing may generate audit entries and shall generate audit Events for both successful and failed Service invocations. These Services shall generate an audit Event of type AuditSessionEventType or a subtype of it. In particular, they shall generate the base EventType or the appropriate subtype, depending on the service that was invoked. The CreateSession service shall generate AuditCreateSessionEventType events or sub-types of it. The ActivateSession service shall generate AuditActivateSessionEventType events or subtypes of it. When the ActivateSession Service is called to change the user identity then the Server shall generate AuditActivateSessionEventType events or subtypes of it. The CloseSession service shall generate AuditSessionEventType events or subtypes of it. It shall always be generated if a Session is terminated, for example by Session timeout expiration or Server shutdown. The SourceName for Events of this type shall be “Session/Timeout” for a Session timeout, “Session/CloseSession” for a CloseSession Service call and “Session/Terminated” for all other cases. See OPC 10000-5 for the detailed assignment of the SourceNode, the SourceName and additional parameters. For the failure case the Message for Events of this type should include a description of why the Service failed. The additional parameters should include the details of the request.
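A log reviewer can test collected audit Events against the SecureChannel and Session rules stated above (required EventType or subtype, the RENEW rule, failure descriptions and the Session termination SourceName). The checker below is an added example, not part of the specification; the dict keys, the `end_cause` values and the sample Events are assumptions made for the illustration.

```python
# Supertype links as stated in the text; vendor subtypes would be added here.
PARENT = {
    "AuditOpenSecureChannelEventType": "AuditChannelEventType",
    "AuditCreateSessionEventType": "AuditSessionEventType",
    "AuditActivateSessionEventType": "AuditSessionEventType",
}
REQUIRED = {  # service -> EventType the Server shall generate (or a subtype)
    "OpenSecureChannel": "AuditOpenSecureChannelEventType",
    "CloseSecureChannel": "AuditChannelEventType",
    "CreateSession": "AuditCreateSessionEventType",
    "ActivateSession": "AuditActivateSessionEventType",
}
END_SOURCE = {"timeout": "Session/Timeout", "close_call": "Session/CloseSession"}

def is_a(event_type, required):
    """True if event_type is `required` or one of its subtypes."""
    while event_type is not None:
        if event_type == required:
            return True
        event_type = PARENT.get(event_type)
    return False

def check(ev):
    """Return the rule violations for one audit Event given as a dict."""
    problems = []
    ending = "end_cause" in ev  # the Event reports a terminated Session
    required = "AuditSessionEventType" if ending else REQUIRED.get(ev.get("service"))
    if required and not is_a(ev["type"], required):
        problems.append(f"expected {required} or a subtype")
    if ev.get("request_type") == "RENEW" and ev["ok"]:
        problems.append("RENEW is audited only if the renew fails")
    if not ev["ok"] and not ev.get("message", "").strip():
        problems.append("failure Event lacks a description of why it failed")
    if ending:
        want = END_SOURCE.get(ev["end_cause"], "Session/Terminated")
        if ev.get("source_name") != want:
            problems.append(f"SourceName should be {want}")
    return problems

# Constructed Events; the dict keys are this example's own, not OPC UA field names.
EVENTS = [
    {"service": "OpenSecureChannel", "request_type": "ISSUE", "ok": True,
     "type": "AuditOpenSecureChannelEventType"},
    {"service": "OpenSecureChannel", "request_type": "RENEW", "ok": True,
     "type": "AuditOpenSecureChannelEventType"},
    {"end_cause": "shutdown", "ok": True, "type": "AuditSessionEventType",
     "source_name": "Session/Timeout"},
]
```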

This Service Set shall also generate additional audit events in the cases when Certificate validation errors occur. These audit Events are generated in addition to the AuditSessionEventType Events. See OPC 10000-3 for the definition of AuditCertificateEventType and its subtypes.

For Clients that support auditing, accessing the services in the Session Service Set shall generate audit entries for both successful and failed invocations of the Service. These audit entries should be set up prior to the actual Service invocation, allowing the invocation to contain the correct audit record id.

All Services in this Service Set for Servers that support auditing may generate audit entries and shall generate audit Events for both successful and failed Service invocations. These Services shall generate an audit Event of type AuditNodeManagementEventType or subtypes of it. See OPC 10000-5 for the detailed assignment of the SourceNode, the SourceName and additional parameters. For the failure case, the Message for Events of this type should include a description of why the service failed. The additional parameters should include the details of the request.

For Clients that support auditing, accessing the Services in the NodeManagement Service Set shall generate audit entries for both successful and failed invocations of the Service. All audit entries should be set up prior to the actual Service invocation, allowing the invocation to contain the correct audit record id.

The Write or HistoryUpdate Services in this Service Set for Servers that support auditing may generate audit entries and shall generate audit Events for both successful and failed Service invocations. These Services shall generate an audit Event of type AuditUpdateEventType or subtypes of it. In particular, the Write Service shall generate an audit event of type AuditWriteUpdateEventType or a subtype of it. The HistoryUpdate Service shall generate an audit Event of type AuditHistoryUpdateEventType or a subtype of it. Three subtypes of AuditHistoryUpdateEventType are defined as AuditHistoryEventUpdateEventType, AuditHistoryValueUpdateEventType and AuditHistoryDeleteEventType. The subtype depends on the type of operation being performed, historical event update, historical data value update or a historical delete. See OPC 10000-5 for the detailed assignment of the SourceNode, the SourceName and additional parameters. For the failure case the Message for Events of this type should include a description of why the Service failed. The additional parameters should include the details of the request.

The Read and HistoryRead Services may generate audit entries and audit Events for failed Service invocations. These Services should generate an audit Event of type AuditEventType or a subtype of it. See OPC 10000-5 for the detailed assignment of the SourceNode, SourceName and additional parameters. The Message for Events of this type should include a description of why the Service failed.

For Clients that support auditing, accessing the Write or HistoryUpdate services in the Attribute Service Set shall generate audit entries for both successful and failed invocations of the Service. Invocations of the other Services in this Service Set may generate audit entries. All audit entries should be set up prior to the actual Service invocation, allowing the invocation to contain the correct audit record id.

All Services in this Service Set for Servers that support auditing may generate audit entries and shall generate audit Events for both successful and failed service invocations if the invocation modifies the AddressSpace, writes a value or modifies the state of the system (alarm acknowledge, batch sequencing or other system changes). These method calls shall generate an audit Event of type AuditUpdateMethodEventType or subtypes of it. Methods that do not modify the AddressSpace, write values or modify the state of the system may generate events. See OPC 10000-5 for the detailed assignment of the SourceNode, SourceName and additional parameters.

For Clients that support auditing, accessing the Method Service Set shall generate audit entries for both successful and failed invocations of the Service, if the invocation modifies the AddressSpace, writes a value or modifies the state of the system (alarm acknowledge, batch sequencing or other system changes). Invocations of the other Methods may generate audit entries. All audit entries should be set up prior to the actual Service invocation, allowing the invocation to contain the correct audit record id.

All of the Services in these four Service Sets only provide the Client with information, with the exception of the TransferSubscriptions Service in the Subscription Service Set. In general, these services will not generate audit entries or audit Event Messages. The TransferSubscriptions Service shall generate an audit Event of type AuditSessionEventType or subtypes of it for both successful and failed Service invocations. See OPC 10000-5 for the detailed assignment of the SourceNode, the SourceName and additional parameters. For the failure case, the Message for Events of this type should include a description of why the service failed.

For Clients that support auditing, accessing the TransferSubscriptions Service in the Subscription Service Set shall generate audit entries for both successful and failed invocations of the Service. Invocations of the other Services in this Service Set do not require audit entries. All audit entries should be set up prior to the actual Service invocation, allowing the invocation to contain the correct audit record id.