Comprehensive logging and monitoring are essential for detecting security incidents, troubleshooting issues, and maintaining compliance. This guide covers how to configure and use SPE logging for security purposes.
Overview
SPE provides logging capabilities that record:
Script execution
User authentication and authorization
Session elevation events
Delegated access usage
Web service calls
Errors and exceptions
Security Best Practice: Enable comprehensive logging in all non-development environments to create an audit trail.
SPE Log Files
Default Log Location
SPE logs are written to:
$SitecoreLogFolder\SPE.log.{date}.txt
Typically resolves to:
Log Levels
SPE supports standard log4net levels:
Level
Description
Use Case
DEBUG
Detailed diagnostic information
Development and troubleshooting
INFO
Informational messages
Production (recommended)
WARN
Warning messages
Production (recommended)
ERROR
Error messages
Always enabled
FATAL
Critical errors
Always enabled
Configuring Log Level
Edit your log4net configuration (typically in App_Config\Sitecore.config or a patch file):
Recommended Settings:
Environment
Log Level
Rationale
Development
DEBUG
Maximum detail for troubleshooting
QA/Staging
INFO
Balance detail and volume
Production
INFO or WARN
Important events without excessive detail
What Gets Logged
Script Execution
Format:
Session Elevation
Format:
Delegated Access
Format:
Includes:
Script ID
Context user (actual logged-in user)
Impersonated user (elevated account)
This is critical for audit trails showing privilege escalation.
Web Service Calls
Format:
Logged Events:
Remoting connections
File uploads/downloads
RESTful API calls
Authorization failures
Authentication Events
Format:
Logged Events:
Successful authentication
Failed authentication
Authorization denials
Errors and Exceptions
Format:
Includes:
Exception details
Stack traces
User context
Operation being performed
Monitoring Strategies
Real-Time Monitoring
Using PowerShell to Tail Logs
Monitor for Specific Events
Log Analysis
Find Failed Authentication Attempts
Track Delegated Access Usage
Find Unauthorized Access Attempts
Analyze Web Service Usage
Scheduled Log Review
Create a scheduled task to analyze logs daily:
IIS Log Integration
IIS Logs for Web Services
IIS logs provide additional context for web service access:
Location:
Useful IIS Log Fields
Field
Description
Security Value
c-ip
Client IP address
Identify source of requests
cs-username
Authenticated username
Track who accessed services
cs-uri-stem
Requested URI
Identify which services were called
sc-status
HTTP status code
Find authorization failures (401, 403)
cs-User-Agent
User agent string
Identify automation vs browsers
Analyzing IIS Logs for SPE
Find SPE web service requests:
Find failed authentication (401) to SPE services:
Alerting
Simple Email Alerts
Create alerts for critical security events:
Run this script via Task Scheduler every 5 minutes.
Integration with SIEM
For enterprise environments, integrate SPE logs with your Security Information and Event Management (SIEM) system.
Common SIEM Solutions:
Splunk
ELK Stack (Elasticsearch, Logstash, Kibana)
Azure Sentinel
ArcSight
Log Retention
Regulatory Requirements
Different compliance frameworks have different retention requirements:
Framework
Typical Requirement
PCI-DSS
1 year (3 months online)
HIPAA
6 years
SOC 2
1+ years
GDPR
Varies by data type
Note: The requirements may have changed since the publishing of this document. Please confirm with your organization and legal team as to the requirements you must meet.
Configuration
The configuration of log retention will be dependent on your solution.
Archival Strategy
The archival strategy implementation will be dependent on your solution.
Security Metrics
Key Performance Indicators (KPIs)
Track these metrics for security monitoring:
Metric
Description
Threshold
Failed Auth Rate
Failed authentications per hour
Alert if > 10
Elevation Denials
Session elevation denials
Alert if > 5
Delegated Access
Delegated access usage
Monitor trends
Web Service 401/403
Unauthorized web service calls
Alert if > 20
File Upload Attempts
File upload failures
Monitor for patterns
Script Errors
Script execution errors
Monitor trends
Best Practices
Security Recommendations
✅ Do:
Enable INFO level logging in production
Monitor logs daily for suspicious activity
Set up alerts for critical security events
Retain logs per compliance requirements
Archive old logs securely
Integrate with SIEM if available
Document your monitoring procedures
Review delegated access usage regularly
Track failed authentication patterns
Monitor web service usage for anomalies
❌ Don't:
Disable logging in production
Ignore failed authentication attempts
Delete logs prematurely
Log sensitive data (passwords, tokens)
Rely solely on manual log review
Forget to monitor IIS logs too
Ignore ERROR and WARN messages
Let log files consume all disk space
Monitoring Frequency
Activity
Frequency
Method
Real-time Alerts
Continuous
Automated scripts/SIEM
Daily Review
Daily
Automated summary email
Weekly Analysis
Weekly
Manual review of trends
Monthly Audit
Monthly
Comprehensive security review
Quarterly Report
Quarterly
Executive summary
Troubleshooting
Logs not being written
Possible causes:
log4net configuration incorrect
File permissions prevent writing
Disk space full
SPE logger disabled
Solution: Check log4net config, verify permissions, ensure disk space.
Too much log data
Cause: DEBUG level in production or high activity.
Solution: Change to INFO or WARN level, implement log rotation.
Can't find specific events
Cause: Log rotation moved old logs or logs were deleted.
INFO Arbitrary script execution in ISE by user: 'sitecore\Admin'
WARN Session state elevated for 'ISE' by user: sitecore\Admin
INFO [Gutter] Executing script {CFE81AF6-2468-4E62-8BF2-588B7CC60F80} for Context User sitecore\test as sitecore\Admin.
INFO A request to the remoting service was made from IP 10.0.0.27
INFO A request to the mediaUpload service was made from IP 10.0.0.27
WARN A request to the mediaUpload service could not be completed because the provided credentials are invalid.
INFO [Runner] Executing script {BD07C7D1-700D-450C-B79B-8526C6643BF3} for Context User sitecore\test2 as sitecore\Admin.
# TODO
# Tail the SPE log file
# Note that the SPE Console doesn't exit when using -Wait
Get-Content -Path "$($SitecoreLogFolder)\SPE.log.20251201.txt" -Tail 10
$logPath = "$SitecoreLogFolder\SPE.log.20251201.txt"
$failedAuth = Get-Content $logPath |
Where-Object { $_ -match "credentials are invalid" } |
ForEach-Object {
if ($_ -match "(\d{2}:\d{2}:\d{2}).*WARN\s*(\S+)") {
[PSCustomObject]@{
Timestamp = $matches[1]
User = $matches[2]
LogLine = $_
}
}
}
$failedAuth
# Timestamp User LogLine
# --------- ---- -------
# 11:20:23 A 1508 11:20:23 WARN A request to the mediaUpload service could not be completed because the provided credentials are invalid.
$logPath = "$SitecoreLogFolder\SPE.log.20251201.txt"
$unauthorized = Get-Content $logPath |
Where-Object { $_ -match "credentials are invalid" }
$unauthorized | ForEach-Object {
Write-Host $_ -ForegroundColor Red -BackgroundColor White
}
# 1508 11:20:23 WARN A request to the mediaUpload service could not be completed because the provided credentials are invalid.
$logPath = "$SitecoreLogFolder\SPE.log.20251201.txt"
$webServiceCalls = Get-Content $logPath |
Where-Object { $_ -match "remoting" }
# Group by IP address
$webServiceCalls | ForEach-Object {
if ($_ -match "IP\s*(?<ip>[\d\.]+)") {
[PSCustomObject]@{
IP = $matches['ip']
LogLine = $_
}
}
} | Group-Object IP |
Select-Object Name, Count |
Sort-Object Count -Descending
# Name Count
# ---- -----
# 10.0.0.27 105
