User Access Logging Overview

 

Applies To: Windows Server 2012 R2, Windows Server 2012

This technical overview describes User Access Logging (UAL), a feature in Windows Server 2012 that aggregates client usage data by role and products on a local server.

Did you mean…

Feature description

User Access Logging (UAL) in Windows Server 2012 is a feature to help server administrators quantify requests from client computers for roles and services on a local server.

UAL is installed and enabled by default in Windows Server 2012, and collects data in nearly real-time. No administrator configuration is required, although UAL can be disabled or enabled. For more information, see Manage User Access Logging.T he User Access Logging service aggregates client usage data by roles and products into local database files. IT administrators can later use Windows Management Instrumentation (WMI) or Windows PowerShell cmdlets to retrieve quantities and instances by server role (or software product), by user, by device, by the local server, and by date.

Practical applications

UAL aggregates unique client device and user request events that are logged on a computer running Windows Server 2012 into a local database. These records are then made available (through a query by a server administrator) to retrieve quantities and instances by server role, by user, by device, by the local server, and by date. In addition, UAL has been extended to enable non-Microsoft software developers to instrument their UAL events to be aggregated by Windows Server 2012.

This information can be useful to server administrators at all levels. UAL can assist server administrators in performing the following tasks:

  • Quantify client user requests for local physical or virtual servers.

  • Quantify client user requests for installed software products on a local physical or virtual server.

  • Retrieve data on a local server running Hyper-V to identify periods of high and low demand on a Hyper-V virtual computer.

  • Retrieve UAL data from multiple remote servers.

In addition, software developers can instrument UAL events that can then be aggregated by Windows Server 2012 and retrieved by using WMI and Windows PowerShell interfaces.

The following server roles and services can be supported by UAL:

  • Active Directory Certificate Services (AD CS)

  • Active Directory Rights Management Services (AD RMS)

  • BranchCache

  • Domain Name System (DNS)

    Note

    UAL collects DNS data every 24 hours, and there is a separate UAL cmdlet for this scenario.

  • Dynamic Host Configuration Protocol (DHCP)

  • Fax Server

  • File Services

  • File Transfer Protocol (FTP) Server

  • Hyper-V

    Note

    UAL collects Hyper-V data every 24 hours, and there is a separate UAL cmdlet for this scenario.

  • Web Server (IIS)

    Warning

    To use UAL with IIS, you must use iisual.exe. For more information, see Analyzing Client Usage Data with IIS User Access Logging.

  • Microsoft Message Queue (MSMQ) Services

  • Network Policy and Access Services

  • Print and Document Services

  • Routing and Remote Access Service (RRAS)

  • Windows Deployment Services (WDS)

  • Windows Server Update Services (WSUS)

Important

UAL is not recommended for use on servers that are connected directly to the Internet, such as web servers on an Internet-accessible address space, or in scenarios where extremely high performance is the primary function of the server (such as in HPC workload environments). UAL is primarily intended for small, medium, and enterprise intranet scenarios where high volume is expected, but not as high as many deployments of Windows Server 2012 that serve Internet-facing traffic volume on a regular basis.

Important functionality

The following table describes key functions of UAL and their potential value.

Functionality

Value

Collect and aggregate client request event data in near real-time.

Up to three years of data can be saved.

Important

Administrators need to enforce compliance of the data collected and data retention periods with the organization’s privacy policy and local regulations.

Query UAL by using WMI or Windows PowerShell interfaces to retrieve client request data on a local or remote server.

UAL enables a single view of ongoing usage data. Server and enterprise administrators can retrieve this data and coordinate with business administrators to optimize use of their volume software licenses.

Enabled by default.

Server administrators do not need to configure or otherwise set up this feature for all core functionality to be available and working.

Data logged with UAL

The following user-related data is logged with UAL.

Data

Description

UserName

The user name on the client that accompanies the UAL entries from installed roles and products, if applicable.

ActivityCount

The number of times a particular user accessed a role or service.

FirstSeen

The date and time when a user first accesses a role or service.

LastSeen

The date and time when a user last accessed a role or service.

ProductName

The name of the software parent product, such as Windows, that is providing UAL data.

RoleGUID

The UAL assigned or registered GUID that represents the server role or installed product.

RoleName

The name of the role, component, or subproduct that is providing UAL data. This is also associated with a ProductName and a RoleGUID.

TenantIdentifier

A unique GUID for a tenant client of an installed role or product that accompanies the UAL data, if applicable.

The following device-related data is logged with UAL.

Data

Description

IPAddress

The IP address of a client device that is used to access a role or service.

ActivityCount

The number of times a particular device accessed the role or service.

FirstSeen

The date and time when an IP address was first used to access a role or service.

LastSeen

The date and time when an IP address was last used to access a role or service.

ProductName

The name of the software parent product, such as Windows, that is providing UAL data.

RoleGUID

The UAL-assigned or registered GUID that represents the server role or installed product.

RoleName

The name of the role, component, or subproduct that is providing UAL data. This is also associated with a ProductName and a RoleGUID.

TenantIdentifier

A unique GUID for a tenant client of an installed role or product that accompanies the UAL data, if applicable.

Software requirements

UAL can be used on any computer running Windows Server 2012.

See also

User Access Logging on MSDN.

Manage User Access Logging