orchestrator

2022.10

false

Orchestrator Installation Guide

DELIVERY:

Automation Cloud Automation Cloud Public Sector Automation Suite Standalone

Last updated Oct 3, 2024

UiPath.Orchestrator.dll.config

The UiPath.Orchestrator.dll.config file (C:\Program Files (x86)\UiPath\Orchestrator) defines the parameters, settings, and preferences applied to your Orchestrator deployment.

Important:

Any changes to the parameters in this file are overwritten upon upgrade.
Only administrators should change the values of these parameters.
It is recommended to manually restart the website after making changes to UiPath.Orchestrator.dll.config.
Parameters that are not documented on this page should not be changed or have counterparts in the Settings pages.
All parameters are case sensitive.

App Settings

Advanced Installation Settings

`EncryptionKeyPerTenant.Enabled`

Enables you to use different encryption keys per tenant, based on a Microsoft Azure Key Vault account. The following values can be attributed:

false - Uses a single encryption key on the entire Orchestrator instance. This is the default value.
true - Uses a different encryption key for each tenant, enhancing your tenant security and providing better segregation of sensitive data.

If you enable this feature, you must also fill in the EncryptionKeyPerTenant.KeyProvider parameter, as well as the ones in the SecureAppSettings section.

`EncryptionKeyPerTenant.KeyProvider`

Enables you to indicate which key management application to store the encryption keys generated per tenant from Orchestrator. Set it to AzureKeyVault to use a preconfigured Microsoft Azure Key Vault. We do not provide Azure Key Vault licenses. Please note that you also have to configure the parameters described in the SecureAppSettings section. If EncryptionKeyPerTenant.Enabled is set to false, this parameter is not used.

Changes made to the encryption settings here need to be mirrored in the Identity Server appsettings.Production.json file, according to the following field equivalence:

Orchestrator UiPath.Orchestrator.dll.config	Identity Server appsettings.Production.json
EncryptionKeyPerTenant.Enabled	EncryptionKeyPerTenant
Azure.KeyVault.VaultAddress	AzureKeyVaultAddress
Azure.KeyVault.CertificateThumbprint	AzureKeyVaultCertificateThumbprint
Azure.KeyVault.ClientId	AzureKeyVaultClientId
Azure.KeyVault.DirectoryId	AzureKeyVaultDirectoryId
EncryptionKeyPerTenant.KeyProvider	MultiTenantEncryptionKeyProvider

Queues

Note: To apply changes related to the schedules of internal jobs, follow the steps in Updating Schedules of Internal Jobs.

`inProgressMaxNumberOfMinutes`

The maximum amount of time queue items can have the In Progress status. After this time, the status of the queue items changes to Abandoned. By default, this is set to 1440 minutes (24 hours).

`QueuesStatisticsScheduleCron`

The frequency of updating queue items statistics in the Dashboard and Transactions page, and the Chart window. By default, they are updated every minute.

`UpdateUncompletedItemsJobCron`

The frequency of searching the database for queues that need to be moved to Abandoned. By default, this parameter is set to every hour.

`Queue.MaxSlaInMinutes`

The maximum value the SLA can be set to, expressed in minutes. By default, the value is 129600 minutes (90 days), and it is displayed by default in UiPath.Orchestrator.dll.config, including in update scenarios.

`Queue.MaxSchemaFileSizeInKilobytes`

The maximum file size of the JSON schema against which queue item data and output is validated, in KB. This setting does not appear by default in the UiPath.Orchestrator.dll.config file.

`Queue.SlaReadaheadTimeLimitHours`

The amount of time in which queue item deadlines must fall for the items to be taken into account when making SLA predictions. The default value is 24 hours. This parameter is not displayed by default in UiPath.Orchestrator.dll.config.

`Queue.MaxSpecificDataSizeInKiloBytes`

The maximum size of Specific Data content for new queue items, in kilobytes. For clean Orchestrator installations, this parameter is hidden and has a default value of 1024 (1MB). In upgrade scenarios, this parameter is visible and has a value of 204800 (200MB).

`Queue.ProcessActivationSchedule`

The amount of time between checks for unprocessed queue items. By default, it is set to 30 minutes. To adjust the check interval, specify a value between 0 and 59, restart the IIS, then delete the existing queue trigger and recreate it.

Alerts

Note: To apply changes related to the schedules of internal jobs, follow the steps in Updating schedules of internal job.

`DailyAlertMailJobCron`

Enables you to configure a cron expression that controls when daily email alerts are sent. This only works if email alerts are enabled. The report contains all the Fatal and Error severity alerts generated the previous day. By default, it is sent every day at 7 a.m.

`Alerts.Email.Enabled`

This parameter is only relevant for new tenants, and it is set to false by default. You can set it to true to enable email alerts automatically for the tenant that you are about to create.

Once the tenant is created, however, any changes to this parameter are no longer taken into account. Instead, the setting can be toggled via the Enable Alerts Email check box from the Settings page. Details...

`NotificationDistributerJobCron`

The frequency with which alert notifications are sent to the interface. By default, alerts are sent every 10 seconds.

`PeriodicErrorMailJobCron`

Enables you to configure a cron expression that controls the frequency with which periodic email alerts are sent. This only works if email alerts are enabled. The default value is every 10 minutes, meaning the report contains Fatal and Error severity alerts generated in the past 10 minutes. If no alerts have been generated, no report is sent.

`PasswordComplexity`

Controls the validation rules for password complexity and is expressed using regular expressions. The complexity applies to all passwords (including the host admin one) by default. Still, each tenant can customize their user login password complexity on the Security tab in the Settings page. By default, passwords must contain at least 8 characters and at least one letter and a digit.

`SystemJobs.DetectNotRespondingRobots.MaxAlertCount`

Enables you to limit the number of alerts that are sent when Robots become unresponsive. This parameter can be useful if your Orchestrator instance deals with a very large number of Robots, and most of them become unresponsive often. Please note that it is not displayed in the configuration file by default. For example, if you want to limit the number of alerts you receive for unresponsive Robots to 10, add <add key="SystemJobs.DetectNotRespondingRobots.MaxAlertCount" value="10" /> in the UiPath.Orchestrator.dll.config file, under all the other alerts parameters. If you apply this setting, please note that a warning is raised in the Event Viewer when the total number of alerts is higher than that of the one configured, such as: Alerts not published: total number of unresponsive sessions (21) is bigger than the configured max allowed (10)..

`SystemJobs.LicenseExpirationAlert.DaysBefore`

Enables you to define the time intervals before the license expiry date when you receive email alerts. The default value is 180,90,30,14,7,1, meaning you receive email alerts 6 times: 180, 90, 30, 14, 7, and 1 day before your license expires. You can define fewer values to reduce the email alerts' frequency. For example, this can be done by adding the following key in the UiPath.Orchestrator.dll.config file: <add key="SystemJobs.LicenseExpirationAlert.DaysBefore" value="90,30,14" />.

Deployment

Orchestrator uses a composite repository. Package metadata is saved to the SQL database for faster search and filtering. Packages are saved to the location specified through the Storage.Type and Storage.Location parameters.

Note: The use of copy-paste commands in the packages-dedicated folder is not supported.

`Storage.Type`

Defines the target where packages and execution media are saved. It can be populated with the following targets:

File System - <add key="Storage.Type" value="FileSystem" />.
Azure - <add key="Storage.Type" value="Azure" />.
Amazon - <add key="Storage.Type" value="Amazon" />.
Minio - <add key="Storage.Type" value="Minio" />.

`Storage.Location`

Defines the actual location where packages and execution media are saved.

Important:

The Storage.Location parameter is mandatory when:

upgrading from any pre-2020.10 version of Orchestrator, and
the previous NuGet.Repository.Type was Legacy, and
the previous NuGet.Packages.Path did not use the default value.

Target	Location
FileSystem	Provide an absolute path using the following format: `RootPath=C:\FolderName\AnotherFolderName`. Example: `<add key="Storage.Location" value="RootPath=C:\FolderName\AnotherFolderName" />`. In the provided folder, the following folder structure gets created: `Orchestrator-Host\Libraries` - One folder dedicated to the libraries stored in the host feed. `Orchestrator-[tenantKey]` -One folder for each tenant. The tenant is identified by the tenant key as found in the database. For example `Orchestrator-12ab1234-a567-456b-a12b-ab3456b123ab`. For each tenant folder, three other sub-directories are created: `\ExecutionMedia` `\Packages` `\Libraries` Files are saved in the dedicated folders at the specified location. By default, they are stored at the following path: `C:\Program Files (x86)\UiPath\Orchestrator\Storage`.
Azure	Provide a connection string. Example: `<add key="Storage.Location" value="DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net" />`.
Amazon	Provide a connection string. Example: `<add key="Storage.Location" value="EndpointRegion=eu-west-3;accessKey=AKIAZGUEIGXUJ3BBI4MW;secretKey=W/LOzDbI1qumvcwYs8iUf4pRwW6ltKos/paTLVYM;useHttp=false" />`. To disable public access to newly created Amazon S3 buckets, add `BlockPublicAccess=true` to the connection string. Note that this has no impact on existing buckets. Example: `<add key="Storage.Location" value="EndpointRegion=eu-west-3;accessKey=AKIAZGUEIGXUJ3BBI4MW;secretKey=W/LOzDbI1qumvcwYs8iUf4pRwW6ltKos/paTLVYM;useHttp=false;BlockPublicAccess=true" />`. To use the default Amazon S3 credentials, remove `AccessKey` and `SecretKey` and add `UseDefaultCredentials=true` instead. This allows you to use the machine's IAM role on an Amazon EC2 VM. Example: `<add key="Storage.Location" value="EndpointRegion=eu-west-3;UseDefaultCredentials=true" />`.
Minio	Provide a connection string. Example: `<add key="Storage.Location" value="host=localhost:9001;accessKey=YVKYFJ0ZY246KDKP0634;secretKey=bdBEk2ubhIFsTNPuQ80PjKL+oqZBj67HoSWBFnw1" />`.

Example

<add key=\"Storage.Type\" value=\"Azure\" /> <add key=\"Storage.Location\" value=\"DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net\" /><add key=\"Storage.Type\" value=\"Azure\" /> <add key=\"Storage.Location\" value=\"DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net\" />

The configuration above instructs Orchestrator:

to store the package metadata in the SQL database;
to keep the actual files in the Azure Blob storage at the location indicated by the DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net connection string;
to use the default naming convention for the Azure container name - Orchestrator-tenantKey.
Important:
If you have more than 99 tenants in Orchestrator, you have two options to avoid AWS S3 bucket account limit.
- Store your data in a single external bucket, as instructed in the following section.
- Increase your default AWS S3 bucket account limit to match the number of tenants.
This is required because a separate bucket is created for each tenant.

Storing Orchestrator data in a single external bucket

To use a single bucket with your own external storage provider, add the following parameters to the corresponding connection string:

BucketName - mandatory. Enables Orchestrator to store all tenants in a single bucket. It requires the bucket name as set in your storage provider. For this, your external storage must exist prior to installing Orchestrator.
CanCreateBucket - optional. If set to true, it allows Orchestrator to create the bucket in your external storage on your behalf. The default value is false.

Note: When using this parameter, make sure to grant Orchestrator the proper permissions to create a bucket in your external storage. Otherwise, the installation fails.

ContentPrefix - optional. Specifies the path of your Orchestrator data inside the external storage. For example, orchestrator/data.

Note: These parameters apply to the connection strings of external storage providers, namely Azure, Amazon, or Minio. They do not apply to FileSystem storage.

Example: Using a single bucket with your own external storage provider

<add key="Storage.Location" value="DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net;BucketName=UiPath;ContentPrefix=orchestrator/data" /><add key="Storage.Location" value="DefaultEndpointsProtocol=https;AccountName=usr;AccountKey=...;EndpointSuffix=core.windows.net;BucketName=UiPath;ContentPrefix=orchestrator/data" />

`NuGet.Packages.ApiKey`

The license key of your NuGet account. If the activities and packages are stored in the same NuGet feed, this parameter's value has to be identical to the NuGet.Activities.ApiKey one. The default value is used in the initial seeding of the database. Please note that arbitrary strings are also accepted.

`NuGet.Activities.ApiKey`

The license key of your NuGet account. If the activities and packages are stored in the same NuGet feed, the value of this parameter has to be identical to the NuGet.Packages.ApiKey one. Please note that arbitrary strings are also accepted.

Package synchronization between multiple Orchestrator nodes and the interface can be done either by monitoring the file system or using Redis. This can be configured using the configuration below. The recommended way is through Redis.

`Processes.AllowUpdateWithRunningJobs`

Specifies whether you can delete a process while having running or pending jobs associated with it. Note that this parameter is hidden by default. The following values are available:

true - Processes can be deleted while having associated running or pending jobs.
false - Processes cannot be deleted while having associated running or pending jobs. Trying to delete a process, in this case, displays the following error message: "Modifying this process is not possible at the moment, because there are active jobs associated with it. (#1666)". This is the default value.

For example, if you want to be able to remove your processes while having an associated job running, add <add key="Processes.AllowUpdateWithRunningJobs" value="true" /> in the UiPath.Orchestrator.dll.config file.

`Deployment.Libraries.AllowTenantPublish`

Enables you to specify whether the tenants using the host feed can or cannot upload libraries into the feed. The following values are available:

true - Libraries uploaded at the tenant level are propagated to the host feed. This is the default value.
false - Libraries uploaded at the tenant level are not propagated to the host feed. However, note that users do have access to the existing libraries in the feed.

You can configure this from the user interface as well. The corresponding option, Allow Tenant Users to Upload into the Feed, can be found at the host level, on the Settings page.

Storage Buckets

`Buckets.ContentSecurityPolicy`

Used to indicate domains outside the trusted ones to which Orchestrator can make requests. Multiple values can be entered as a comma-separated list. This parameter overrides the corresponding Orchestrator settings regarding Azure and AWS, so make sure to add Azure and/or AWS as well, if needed. This parameter does not appear by default in the UiPath.Orchestrator.dll.config file.

`Buckets.AvailableProviders`

Used to control which providers can be used in creating storage buckets. The available providers are: Orchestrator, Amazon, Azure, Minio, S3 compatible storage providers, and File System. Multiple values can be entered with a comma separator.

Note: By default, this key is not displayed in the UiPath.Orchestrator.dll.config file, and only the following providers are selected: Orchestrator, Amazon, Azure, Minio and S3Compatible. The default behavior is specific to both clean installations and upgrades. If the key is visible, the available providers are limited to those specified as Buckets.AvailableProviders values.

Example: To use only Orchestrator, Amazon and Azure as storage bucket providers, add the following key:

<add key="Buckets.AvailableProviders" value="Orchestrator,Amazon,Azure" /><add key="Buckets.AvailableProviders" value="Orchestrator,Amazon,Azure" />

`Buckets.FileSystem.Allowlist`

Provides a way to control the use of FileSystem buckets. The setting comes with no value configured by default. This, along with the fact that FileSystem is disabled by default on both new installations and upgrades, means that no FileSystem paths can initially be used. For security reasons, in order to use the FileSystem feature, an Administrator must first enable FileSystem, and then explicitly allow access to a list of folders or network shares by attributing values to Buckets.FileSystem.Allowlist.

Multiple values, separated by the | character, can be entered. Note that the paths must be fully qualified, either rooted with a drive or a UNC path (e.g. c:\, c: est, \\servershare\shared), and each of them represents a prefix allowed to be used for any bucket. A bucket can be created on that particular path or any subpath.

Important: Considering that creating a FileSystem allowlist via the Buckets.FileSystem.Allowlist setting has a series of security implications, you are strongly advised to refer to Using the FileSystem Storage Allowlist Securely before proceeding.

Authorization

`AcceptedRootUrls`

Enables you to add a list of trusted URLs. If no value is attributed to this setting, then no one can access Orchestrator. If you want to add multiple URLs, do it without spaces and separate items through commas (,), such as "https://server1,https://server2".

`Auth.Bearer.Robot.Expire`

The amount of time after which the bearer token of your Robot expires. By default, it is set to 30 minutes.

`Auth.DisabledPermissions`

Enables you to configure permissions to be disabled from the user interface and ignored when using API. Note that this parameter is hidden by default. The permissions need to be added as they are used in API, and they have to be separated by commas. For example, if you want to disable Delete permissions on Libraries and Machines, you need to add the following key: <add key="Auth.DisabledPermissions" value="Machines.Delete,Libraries.Delete" />.

`Auth.AllowChangePassword`

Enables you to configure whether a user can change their password via API. This setting is not displayed by default in the UiPath.Orchestrator.dll.config file. The available values are true (default value) and false.

`Auth.AllowSelfEmailUpdate`

Enables you to configure whether a user can change his email address from the General section, in the Profile page. By default, the parameter is set to true, meaning you can update it. Set the parameter to false to make the field read-only. This setting is not displayed by default in the UiPath.Orchestrator.dll.config file.

`ExternalAuth.AccessTokenAuth.Enabled`

Enables you to configure if you can authenticate to Orchestrator using a bearer access token issued by Auth0. This setting is not displayed by default in the UiPath.Orchestrator.dll.config file. The following values are available:

true - The user can make authenticated requests using an access token issued by Auth0. This is only considered if you set a valid audience for the ExternalAuth.AccessTokenAuth.Audience parameter.
false - The user cannot make authenticated requests using an access token issued by Auth0. This is the default value.

`ExternalAuth.AccessTokenAuth.Audience`

Enables you to control the target audience of the access token. This parameter needs to be set to a valid audience, which is used to check against the Auth0 token audience. For example, if you want to set the audience to https://cloud.uipath.com, you need to add the following key: <add key="ExternalAuth.AccessTokenAuth.Audience" value="https://cloud.uipath.com" />. This setting is not displayed by default in the UiPath.Orchestrator.dll.config file.

`ExternalAuth.ShowPII`

Allow for Orchestrator PII display by adding the following key: <add key="ExternalAuth.ShowPII" value="true" />. The key is not displayed by default in UiPath.Orchestrator.dll.config, and the default behavior does not allow for PII display.

`RestrictBasicAuthentication`

Moved to Identity Server appsettings.json.

`EnableBasicAuthenticationForHostTenant`

Moved to Identity Server appsettings.json.

Load Balancer

These settings should only be modified if you are using a load balancer.

`LoadBalancer.UseRedis`

Use Redis as a database to distribute messages and cache to and from all the machines connected through your load balancer. By default, it is set to false.

`LoadBalancer.Redis.ConnectionString`

Can only be used if LoadBalancer.UseRedis is set to true. A connection string that enables you to set up your Redis server, which contains the URL of the server, the password, and the port used with Redis. All the HAA cluster nodes should be added in the connection string.

It is also possible to enable SSL encrypted connections between the Orchestrator nodes and the Redis service. For more information, please click here. Examples:

with SSL enabled - <add key="LoadBalancer.Redis.ConnectionString" value="10.10.20.184:10000,10.10.24.148:10000,10.10.22.114:10000,password=12345678,ssl=true" />
without SSL enabled - <add key="LoadBalancer.Redis.ConnectionString" value="10.10.20.184:10000,10.10.24.148:10000,10.10.22.114:10000,password=12345678" />

Password Vault

`Plugins.SecureStores`

This setting should be updated to include the plugins of any credential stores you are using. You can choose from the following: CyberArk, CyberArk CCP, Azure Key Vault, Thycotic Secret Server, BeyondTrust, and HashiCorp Vault. The credential store plugins are located in the \Orchestrator\Plugins folder of your installation directory. For example:

Single Store: <add key="Plugins.SecureStores" value="UiPath.Orchestrator.CyberArk.dll"/>
Multiple Stores: <add key="Plugins.SecureStores" value="UiPath.Orchestrator.CyberArk.dll;UiPath.Orchestrator.AzureKeyVault.SecureStore.dll;UiPath.Orchestrator.SecureStore.CyberArkCCP.dll;UiPath.Orchestrator.SecureStore.HashiCorpVault.dll;UiPath.Orchestrator.SecureStore.BeyondTrust.dll;UiPath.Orchestrator.SecureStore.AWSSecretsManager.dll" />

Note: When upgrading an Orchestrator instance with an existing CyberArk integration, this setting is pre-populated with the CyberArk plugin. For all other installations, the setting value is empty by default.

`Plugins.SecureStores.CyberArk.CLIPasswordSDKExePath`

Enables the CyberArk plugin to search for CLIPasswordSDK64.exe in a custom installation path. For example, if D:\CustomFolder\ is the CyberArk installation directory, you need to add the following key: <add key="Plugins.SecureStores.CyberArk.CLIPasswordSDKExePath" value="D:\CustomFolder\CLIPasswordSDK64.exe"/>. The default value of this app setting is C:\Program Files (x86)\CyberArk\ApplicationPasswordSdk\CLIPasswordSDK64.exe.

`Plugins.SecureStores.CyberArk.UsePowerShellCLI`

Enables retrieving credentials from a CyberArk vault when using Path authentication. The key is hidden by default. The default value is false. Add the following key to enable it: <add key="Plugins.SecureStores.CyberArk.UsePowerShellCLI" value="true"/>.

`Plugins.SecureStores.CyberArkCCP.KeyStorageFlags`

Enables choosing where to store and how to import the private key of the client certificate configured for a CyberArk CCP credential store.

The values that can be set for this parameter are described here, with DefaultKeySet being the default option.

Note that EphemeralKeySet does not work on Windows machines. We recommend using MachineKeySet instead.

Azure AD Authentication

The configuration for Azure AD authentication has been moved to Identity Server's External Providers page.

Active Directory Authentication

The configuration for Active Directory authentication is performed post-installation from Orchestrator's Management portal.

For instructions, see Configuring the Active Directory integration page.

Logs

`Logs.RobotLogs.ReadTarget`

Enables you to configure the source from which Orchestrator reads and populates logs (e.g., database or robotelasticbuffer).

`RobotsLogs.Flush.Interval`

This setting allows you to change the flush interval for the SubmitLogs endpoint. Note that it is not displayed by default in UiPath.Orchestrator.dll.config. Unless specified otherwise, its value is 0 seconds. The following example shows how to set a flush interval of 60 seconds, which means that the Robot sends logs to the server every 60 seconds.

<add key="RobotsLogs.Flush.Interval" value="60" /><add key="RobotsLogs.Flush.Interval" value="60" />

Important: If the Robot disconnects before the flush interval completes, the last batch of logs is sent the next time it connects to Orchestrator.

`RobotsLogs.Flush.BatchSize`

This setting's purpose is to adjust the flush size for the SubmitLogs endpoint. By default, it is not displayed in the UiPath.Orchestrator.dll.config. Unless specified otherwise, its value is 100 log message entries, which translates to the Robot sending batches of 100 logs to the server.

<add key="RobotsLogs.Flush.BatchSize" value="100" /><add key="RobotsLogs.Flush.BatchSize" value="100" />

`Logs.RequestAbortedLogBehavior`

Specifies the logging behavior for cancellation exceptions which are thrown upon cancellation of an operation that was executing. These are generated, for example, when you click a button, and before the operation is executed, you click a different one. Note that this parameter is hidden by default. The following values are available:

Ignore - All cancellation exceptions are ignored if the corresponding requests were aborted. This is the default value.
Info - Cancellation exceptions are logged with Info severity level.
None - Cancellation exceptions are logged with Error severity level.

For example, if you don't want any cancellation exceptions to be logged, add <add key="Logs.RequestAbortedLogBehavior" value="Ignore" /> in the config file.

`Logs.Elasticsearch.SharedIndex`

Enables you to log to the same index for all tenants. It must be set to the same value as used for the index parameter in the NLog target. For example, <add key="Logs.Elasticsearch.SharedIndex" value="robotlogs" />. Details here. Note that this parameter is hidden by default.

`Logs.Elasticsearch.EnableFolderIdFilter`

Control the visibility of logs generated prior to 2019.10 that cannot be filtered by the containing folder on the Logs page. The parameter is set to true by default, meaning logs are hidden. Set it to false to display them: <add key="Logs.Elasticsearch.EnableFolderIdFilter" value="false" />

`Logs.Elasticsearch.Username`

The username required for reading logs in Elasticsearch. Note that you need to configure this parameter only if Elasticsearch authentication is enabled, and you do not use an NLog target. When configuring the parameter, make sure its value matches the Elasticsearch server settings. For more details, see X-Pack Authentication.

`Logs.Elasticsearch.Password`

`Logs.Elasticsearch.OAuthEnabled`

Set this parameter to true to enable OAuth2 and use a token-based authentication mechanism for reading robot logs in Elasticsearch, as an alternative to the user and password system. By default, this parameter is set to false.

When enabling OAuth authentication, you still need to provide the username and password as in the default authentication method. This is required because the initial token is generated based on those credentials.

See OAuth2 Authentication for detailed instructions on how to configure OAuth2 authentication for Elasticsearch.

`Logs.Elasticsearch.OAuthExpireInSeconds`

Enables you to set the time (in seconds) before the access token used for reading robot logs in Elasticsearch expires and is refreshed. Its default and recommended value is 1200 seconds (20 minutes), and its maximum value is 3600 seconds (60 minutes). To invalidate a token, you can use the dedicated button available in the Orchestrator UI.

Before changing the token validity, make sure that Logs.Elasticsearch.OAuthEnabled is set to true and that you have properly configured the Elasticsearch server. For more on this, see OAuth2 Authentication.

`Logs.Elasticsearch.DisableProductCheckStatus`

Allows you to select an Elasticsearch version previous to 7.16.3. To do that, it must be set to true.

This parameter is hidden, and its default value is false.

It works in conjunction with the disableProductCheckStatus in the Nlog file, which is also hidden and false by default. It must also be set to true in order to enable the feature.

Webhooks

More webhooks settings are available in Webhooks AppSettings.json.

`Webhooks.VerifyAvailability.Enabled`

Checks if a webhook target is reachable when configuring it in the user interface. By default, it is set to true, meaning the feature is enabled.

Scalability

`Scalability.Heartbeat.PeriodSeconds`

The time interval, expressed in seconds, at which the Robot sends a heartbeat to Orchestrator, letting the latter know its status. By default, it is set to 30 seconds.

`Scalability.Heartbeat.FailureThreshold`

The number of successively failed heartbeats sent by a Robot until it is marked as unresponsive in Orchestrator. By default, it is set to 4, meaning that after 2 minutes of failed heartbeats (4 x 30 seconds = 2 minutes), a Robot is flagged as unresponsive.

`Scalability.SignalR.Enabled`

Specifies if the Robot service should subscribe to Orchestrator's SignalR channels. By default, it is set to true. This parameter is used in the initial seeding of the database. To make changes after installation, use the Settings page, at tenant or host level.

`Scalability.SignalR.Transport`

Specifies the transport protocol used to connect to Orchestrator's SignalR channels. The following values can be attributed (any combination bitwise OR):

WebSocketTransport = 1
ServerSentEventsTransport = 2
LongPollingTransport = 4
Default value: 7 (WebSocketTransport | ServerSentEventsTransport | LongPollingTransport)

This parameter is used in the initial seeding of the database. To make changes after installation, use the Settings page, at tenant or host level.

`Scalability.AzureSignalR.ConnectionString`

Helps you enable Azure SignalR Service, facilitating direct communication between your Robot fleet and the SignalR Service

Orchestrator no longer intermediates it. This option should be used only if you have an Azure-hosted Orchestrator instance. It can be used in conjunction with the Scalability.AzureSignalR.ConnectionCount key. This parameter is enabled in our Cloud offering. It is not displayed by default in the UiPath.Orchestrator.dll.config file.

Please note that, if enabled, Robots with a version lower than 2019.2 rely only on the Heartbeat protocol to communicate to Orchestrator, meaning that any command given from Orchestrator is picked up by a Robot only every 30 seconds. To enable this parameter, populate its value with the connection string to Azure Service. Example:

<add key="Scalability.AzureSignalR.ConnectionString" value="Endpoint=https://test.signalr.net;AccessKey=M1ug+sBu07hyyi12AgyJ52SEd4OgC2Mm6BvllVHCC9c=;Version=1.0;"
                           />

`Scalability.AzureSignalR.ConnectionCount`

Enables you to change the number of connections (per hub) between the server and Azure SignalR Service. The default value is 5. Example: <add key="Scalability.AzureSignalR.ConnectionCount" value="7" />. This setting is not displayed by default and cannot be used without the Scalability.AzureSignalR.ConnectionString key.

`Scalability.SignalR.RequireStickySessions`

Enable sticky sessions. If set to true, all transports are enabled, and Orchestrator assumes sticky sessions are enabled on the load balancer. Enabling sticky sessions in UiPath.Orchestrator.dll.config without enabling them on the load balancer will result in failed SignalR connections.

Analytics

`Telemetry.Enabled`

Enables or disables the usage and performance data collection that UiPath uses to help diagnose problems and improve Orchestrator. For more details about UiPath’s privacy practices, please review the privacy statement. The following values are available:

true - The telemetry feature is enabled. This is the default value.
false - The telemetry feature is disabled.

It is also possible to opt-in or out of the performance and usage data collection when you install or update your Orchestrator instance, as described here.

Media Recording

`MediaRecording.Enabled`

Set it to false to disable the recording feature. By default, it is set to true, meaning the feature is enabled. File storage is configured using the Storage.Type and Storage.Location parameters.

Pagination

`Pagination.Limits.Enabled`

Set to true by default for Cloud Platform and clean installs of on-premise Orchestrator instances. Adds a default $top value for all calls to API endpoints with pagination parameters (e.g. odata/Users).

Triggers

`Triggers.DisableWhenFailedCount`

You can configure a trigger to get disabled automatically after a certain number of failed launches and no successful runs occurring in a specific number of days. In this context, Triggers.DisableWhenFailedCount allows you to adjust the number of failed runs whereas Triggers.DisableWhenFailingSinceDays enables you to change the number of days. By default, the Triggers.DisableWhenFailedCount value is 10, and the Triggers.DisableWhenFailingSinceDays value is 1, which means that the trigger is disabled after 10 unsuccessful attempts to launch if there were no successful runs in the past day.

To stop triggers from being disabled when they fail, you must set Triggers.DisableWhenFailedCount to 0.

A trigger is automatically disabled if it experiences 10 consecutive failed launches and hasn't successfully launched in the past 24 hours.

`Triggers.JobsCountStrategy`

Enables you to choose the job count strategy for jobs launched through triggers. Hidden by default. The following options are available:

PerProcess - A trigger launches the required number of jobs taking into account any pending jobs for the specified process. E.g., two triggers defined for the same process launch 3 and 5 jobs, respectively. If the first trigger launches 3 jobs at a given point in time, when the second trigger is set off, 2 jobs are launched so as to reach the 5 required jobs. Add the following key in the config file to use this strategy: <add key="Triggers.JobsCountStrategy" value="PerProcess" />. This is the default value.
PerTrigger - A trigger launches the required number of jobs taking into account any existing jobs previously launched by that same trigger. E.g., a trigger is defined to launch 9 jobs at a given point in time. If 2 jobs have been successfully completed by the time this trigger is set off again, Orchestrator launches another 2 jobs so as to reach the 9 required jobs. Add the following key in the config file to use this strategy: <add key="Triggers.JobsCountStrategy" value="PerTrigger" />.
NoLimit - The trigger launches the required number of jobs irrespective of any existing, pending jobs. E.g., a trigger is defined to launch 5 jobs at a given point in time. The second time the trigger is set off, another 5 jobs are launched. Add the following key in the config file to use this strategy: <add key="Triggers.JobsCountStrategy" value="NoLimit" />.

`Features.QueueTriggers.PendingJobsStrategy`

Enables you to choose the computation method for the number of additional jobs to be triggered when new items are added to a queue. This is done by subtracting the number of jobs in a certain state from the maximum targeted number of jobs to be created.

The following options are available:

True - This is the default option. It is best suited for cases where you want Orchestrator to assume that all running jobs have already moved queue items out of the status New.

The number is computed as follows:

Maximum additional jobs to be created based on newly available queue items = the maximum number of pending and running jobs allowed simultaneously minus the number of jobs in a Pending state.
False - This option is best suited for cases where you want Orchestrator to assume all running jobs have yet to move queue items out of the status New.

The number is computed as follows:

Maximum additional jobs to be created based on newly available queue items = the maximum number of pending and running jobs allowed simultaneously minus the number of jobs in one of these states: Pending,Resumed,Running,Stopping,Terminating.

Others

`PreventAutoRefresh.Enabled`

Control whether or not the Jobs page under the Monitoring menu auto-refreshes for each newly created job. The <add key="PreventAutoRefresh.Enabled" value="true" /> key can be added to restrict auto-refreshing of the page when jobs are running. The key is not displayed by default, and the default value is false meaning Orchestrator auto-refreshes the page for each new job.

The page is updated when filters are applied or job states change, irrespective of the PreventAutoRefresh.Enabled parameter.

`Features.ClassicFolders.Enabled`

Control if the classic folders model is enabled. The default value is false, meaning classic folders are disabled, and only modern folders are available. This parameter is hidden by default.

`Jobs.TerminatingJobsTimeout`

Configure the time elapsed until Terminating jobs become fit to be marked as Failed. The default value is 1440, meaning jobs can't be marked as Failed unless they have been in a Terminating state for at least one day. This parameter is hidden by default.

`Jobs.TerminatingJobsCleanupCron`

Configure a cron expression that controls the frequency of the background job marking Terminating jobs as Failed. Jobs can't be marked as Failed unless they have been in a Terminating state for at least the duration set in the Jobs.TerminatingJobsTimeout parameter. The default values are 0 0 0/3 1/1 * ? * for Jobs.TerminatingJobsCleanupCron, and 1440 for Jobs.TerminatingJobsTimeout, meaning the background job runs once every three hours and only transitions to Failed the jobs that have been in a Terminating state for at least one day. This parameter is hidden by default.

`PW.StopExploringCron`

Configure a cron expression that controls the frequency of a background job that checks if the users exploring personal workspaces still have the required permissions (View and Edit on Folders) to explore them. The default value is 0 25 * ? * * meaning the background job runs at minute 25 of every hour. If they do not have the required permissions, the explore sessions are terminated. This parameter is hidden by default.

`Features.LongRunning.Enabled`

Configure whether long running workflows are supported in your instance or not. Add the following key to enable it: <add key="Features.LongRunning.Enabled" value="true" />.

`Tasks.ModuleEnabled`

Configure whether the Actions feature is enabled in your instance. Add the following key to enable it: <add key="Tasks.ModuleEnabled" value="true" />. This setting makes the feature available at the instance level. To configure it on a per-tenant basis, follow the steps here. The Features.LongRunning.Enabled parameter needs to be set to true for this setting to take effect.

`Features.SmartCardAuthentication.Enabled`

Configure whether smartcard authentication is enabled in your instance or not. Add the following key to enable it: <add key="Features.SmartCardAuthentication.Enabled" value="true" />.

`OData.BackwardsCompatible.Enabled`

Enables you to control how special characters are parsed in the Orchestrator API. If set to true, special characters in the body of requests and responses are parsed. By default, this parameter is hidden and set to false.

`NotRespondingRobotsJobStartDelay`

Enables you to set a delay, in seconds, of the first check performed on your Robots' status after an upgrade. This parameter is not displayed by default in UiPath.Orchestrator.dll.config.

`Upload.Queues.MaxNumberOfItems`

Enables you to lower the maximum number of items that can be uploaded at once using the bulk upload functionality. The default value is 15000. Please note that this parameter is not displayed by default in UiPath.Orchestrator.dll.config.

`Processes.FilterOutDeleted`

Enables you to optimize how Orchestrator retrieves processes. Optimization is achieved by removing unnecessary verifications for orphaned processes whose associated packages were deleted. This improves the overall performance of your instance, especially if it's a large deployment. The following values are available:

false - Package retrieval is optimized; verifications are not performed for orphaned processes.
true - Package retrieval is not optimized.

Note that this parameter is hidden and set to true by default, meaning process retrieval is not optimized.

`CertificatesStoreLocation`

Specify the certificate for your Orchestrator instance is installed on the local machine certificate store using the following setting: <add key="CertificatesStoreLocation" value="LocalMachine" />. Make sure that AzureKeyVaultCertificateStoreLocation in appsettings.Production.json has the same value.

`ProxyIntegration.Enabled`

Provides a way to control the proxy integration. By default, the parameter is not displayed in UiPath.Orchestrator.dll.config, and its value is set to true, which means that proxy integration is enabled unless otherwise specified. Use <add key="ProxyIntegration.Enabled" value="false"/> to disable proxy integration.

SecureAppSettings

`EncryptionKey`

The encryption key used to secure passwords in credential assets. If you are using an environment with a network load balancer, this key should be the same for all machines.

The following parameters enable you to set up your Azure Key Vault, where you can store your tenant-based encryption keys. Please note that these parameters can be used only if EncryptionKeyPerTenant.Enabled is set to true, and EncryptionKeyPerTenant.KeyProvider set to AzureKeyVault. Additionally, ensure that you provide all key, secret, and certificate permissions to your Orchestrator instance, in the Access policies of your Azure Key Vault. For the full procedure, please see this page.

`Azure.KeyVault.ClientId`

The application ID of your Orchestrator instance. This can be found in Azure in App Registrations and should have the ae11aa1a-1234-1234-a123-a12a12aaa1aa format. This setting is not displayed by default in the UiPath.Orchestrator.dll.config file. Example: <add key="Azure.KeyVault.ClientId" value="ae11aa1a-1234-1234-a123-a12a12aaa1aa" />.

`Azure.KeyVault.CertificateThumbprint`

The thumbprint generated by Azure for the Orchestrator certificate. You can find this value in Azure in App Services > Your instance > SSL Settings > Private Certificates (or Public Certificates). This setting is not displayed by default in the UiPath.Orchestrator.dll.config file. Example: <add key="Azure.KeyVault.CertificateThumbprint" value="1234123412341234123412341234124312341234" />.

`Azure.KeyVault.VaultAddress`

The DNS name of your Azure Key Vault. This can be found in the Overview of your vault, in the DNS Name field, and should have the https://CustomVaultName.vault.azure.net/ format. This setting is not displayed by default in the UiPath.Orchestrator.dll.config file. Example: <add key="Azure.KeyVault.VaultAddress" value="https://CustomVaultName.vault.azure.net/" />.

`Azure.KeyVault.DirectoryId`

Indicate the directory ID of your organization as displayed in the Azure portal. Mandatory if you store per-tenant encryption keys in Azure Key Vault. Example: <add key="Azure.KeyVault.DirectoryId" value="c9d0e174-684e-469e-84ea-d32c863ad534" />.

Identity Server Settings

This section contains settings for configuring S2S access tokens and Robot provisioning access tokens.

Integration

To securely propagate data to Identity Server, Orchestrator needs an access token for token authentication. This token is fetched from Identity Server via client credential flow (S2S). The following keys should be added to UiPath.Orchestrator.dll.config:

`IdentityServer.GroupMembershipCacheExpireHours`

Enables you to specify the amount of time, in hours after which the cache of Identity Server groups added to Orchestrator expires. This parameter is not visible by default, and its default value is 1

`IdentityServer.Integration.Enabled`

Enables/disables the integration of Identity Server to Orchestrator. By default, the value is set to true.

`IdentityServer.Integration.Authority`

Enables you to set the location of the Identity Server. By default, the value is set to https://Orchestrator/Identity, where Orchestrator is the installation address of your Orchestrator.

`IdentityServer.Integration.ClientId`

Enables you to set the application Id (Client Id) used to generate S2S access tokens registered inside Identity Server. The value is generated at install time.

`IdentityServer.Integration.ClientSecret`

Enables you to set the Client Secret for the Orchestrator S2S application to be recognized by Identity Server. The value is generated at install time.

`IdentityServer.Integration.AccessTokenCacheBufferInSeconds`

Enables you to set the time in seconds before the cache buffer of the access token expires. By default, the value is set to 50.

`IdentityServer.Integration.UserOrchestratorApiAudience`

The Identity Server can generate multiple access tokens with different audiences. Orchestrator API requests can be authorized using user access tokens that have this audience. By default, the value is set to OrchestratorApiUserAccess.

<add key="IdentityServer.Integration.Enabled" value="true" />
<add key="IdentityServer.Integration.Authority" value="https://Orchestrator/Identity" />
<add key="IdentityServer.Integration.ClientId" value="orchestratorapiaccess" />
<add key="IdentityServer.Integration.ClientSecret" value="a5d57b1d-5b25-49ba-bff7-33aa57f96a58" />
<add key="IdentityServer.Integration.AccessTokenCacheBufferInSeconds" value="50" />
<add key="IdentityServer.Integration.UserOrchestratorApiAudience" value="OrchestratorApiUserAccess" /><add key="IdentityServer.Integration.Enabled" value="true" />
<add key="IdentityServer.Integration.Authority" value="https://Orchestrator/Identity" />
<add key="IdentityServer.Integration.ClientId" value="orchestratorapiaccess" />
<add key="IdentityServer.Integration.ClientSecret" value="a5d57b1d-5b25-49ba-bff7-33aa57f96a58" />
<add key="IdentityServer.Integration.AccessTokenCacheBufferInSeconds" value="50" />
<add key="IdentityServer.Integration.UserOrchestratorApiAudience" value="OrchestratorApiUserAccess" />

To consume client credential (S2S) access tokens generated by Identity Server, Orchestrator needs the following keys to be added to UiPath.Orchestrator.dll.config:

`IdentityServer.Integration.S2SOrchestratorApiAudience`

Enables you to set the audience that Orchestrator will check when validating an S2S access token. By default, the value is set to OrchestratorApiS2SAccess.

Make sure UiPath.Orchestrator.dll.config also contains the following pre-existent keys with their values set to true:

`MultiTenancy.AllowHostToAccessTenantApi`

When set to true, it allows the host users to access other tenants' specific data. By default, the value is set to true.

`MultiTenancy.TenantResolvers.HttpGlobalIdHeaderEnabled`

When Orchestrator receives an API call authorized using S2S access token, a true setting allows Orchestrator to identify the tenant by reading the tenant global id from the API's request header.

<add key="IdentityServer.Integration.S2SOrchestratorApiAudience" value="OrchestratorApiS2SAccess" />
<add key="MultiTenancy.AllowHostToAccessTenantApi" value="true" />
<add key="MultiTenancy.TenantResolvers.HttpGlobalIdHeaderEnabled" value="true" /><add key="IdentityServer.Integration.S2SOrchestratorApiAudience" value="OrchestratorApiS2SAccess" />
<add key="MultiTenancy.AllowHostToAccessTenantApi" value="true" />
<add key="MultiTenancy.TenantResolvers.HttpGlobalIdHeaderEnabled" value="true" />

Robot Provisioning Access Tokens

Orchestrator acts as a Token Generator for Robots. Robots call the Orchestrator endpoint to generate an access token. The access token is then passed to activities that can call different resources, such as AI Fabric. With the integration of Identity Service with Orchestrator, Identity Server takes over the access tokens' generation.

Update Server Settings

This section contains parameters for configuring the Update Server.

`UpdateServer.CheckUpdates.PollingInterval`

How often the client checks for updates. The default value is 180 minutes.

`UpdateServer.CheckUpdates.DefaultForceInstallAfterMinutes`

After how many minutes, a force update starts if the update has been postponed. The default value is 1440 minutes.

`UpdateServer.CheckUpdates.ScheduledForceInstallAfterMinutes`

After how many minutes, a force update starts if the update has been postponed. This is specific to scheduled updates. The default value is 10 minutes.

`UpdateServer.CheckUpdates.MaxRetries`

How many times a failed update is retried. The default value is 3.

`UpdateServer.UpdateRequest.RetryStepMinutes`

How the retry is performed based on time series.

Example:

First retry: after the configured value in minutes.
Second retry: after two times the configured value in minutes.
Third retry: after four times the configured value in minutes.

Logging Configuration

Robot Logs

This is the corresponding UiPath.Orchestrator.dll.config key: <logger name="Robot.*" writeTo="database,robotElasticBuffer" final="true" />. It is used to configure log messages generated by Robots. The following parameters have to be configured:

writeTo - The location where log messages generated by the Robot are written. The following values are available:
- database - Logs are sent to Orchestrator's SQL database. This is one of the default values.
- robotElasticBuffer - Logs are sent to Elasticsearch. This is the second default value. Please remember this requires additional settings. Details here.
  
  Having logs sent both to the Orchestrator's SQL database and Elasticsearch enables you to have non-repudiation logs. Delete one of the values to stop logging to that location.
final - A flag that indicates what to do when a match between a logged message and the logger name is found. When set to true, it does not look for another match. When set to false, other rules matching the same source are checked. By default, it is set to true.

Monitoring Logs

This is the corresponding UiPath.Orchestrator.dll.config key: <logger name="Monitoring.*" writeTo="monitoring" minlevel="Warn" final="true" />. It is used to configure the error logs displayed on the Monitoring page. Please note if you remove this rule or alter the target, no error logs will display on the Monitoring page.

Business Exception Logs

This is the corresponding UiPath.Orchestrator.dll.config key: <logger name="BusinessException.*" minlevel="Info" writeTo="businessExceptionEventLog" final="true" />. It is used to configure the logs for thrown business exceptions. For example validation issues (e.g Invalid username) or business conflicts (e.g. License expired).

Other Logs

This is the corresponding UiPath.Orchestrator.dll.config key: <logger name="*" minlevel="Info" writeTo="eventLog" />. It is used to configure all other logs besides the ones described above, including those generated by Orchestrator.

Note: If you accumulate more than 2 million Robot logs per week in the SQL database, performance might degrade after a few months without cleaning up older logs. For such a large number of logs, we recommend using Elasticsearch.

Additional Settings

Learn about additional settings.

Elasticsearch

The following NLog target must be populated according to your Elasticsearch configuration:

<target xsi:type="ElasticSearch" name="robotElastic" uri="<elasticSearch_url_1>,<elasticSearch_url_2>, <elasticSearch_url_3>" index="${event-properties:item=indexName}-${date:format=yyyy.MM}" documentType="logEvent" includeAllProperties="true" disablePing="true"  layout="${message}" excludedProperties="agentSessionId,tenantId,organizationUnitId,indexName" /><target xsi:type="ElasticSearch" name="robotElastic" uri="<elasticSearch_url_1>,<elasticSearch_url_2>, <elasticSearch_url_3>" index="${event-properties:item=indexName}-${date:format=yyyy.MM}" documentType="logEvent" includeAllProperties="true" disablePing="true"  layout="${message}" excludedProperties="agentSessionId,tenantId,organizationUnitId,indexName" />

uri - the Elasticsearch URL; note that you have to include the protocol and port, such as http://elastic_server:9200. You can remove the need for a load balancer by populating this parameter with the Elasticseach URL of each node, such as uri="http://elastic-node1:9200,http://elastic-node2:9200,http://elastic-node3:9200".
excludedProperties - data that you do not want to be saved to Elasticsearch.
index - the format of the logging index, which can be either unique per tenant or shared across all tenants. Details below.
requireAuth - set to true to enable authentication when connecting Orchestrator to Elasticsearch.
username - specify the username used to log into Elasticsearch. You need to configure it if requireAuth is set to true and OAuthEnabled is set to false.
password - specify the password used to log into Elasticsearch. You need to configure it if requireAuth is set to true and OAuthEnabled is set to false.
OAuthEnabled - set this parameter to true to enable OAuth2 and use a token-based authentication mechanism for the Nlog target for Elasticsearch. When enabling this for the first time, you need to provide your current username and password to generate the initial token. For this parameter to take effect, you need to ensure that Logs.Elasticsearch.OAuthEnabled is also set to true and that you properly configured the Elasticsearch server. For more on this, see X-Pack Authentication.

Index Configuration

Individual Index - index="${event-properties:item=indexName}-${date:format=yyyy.MM}" A separate index is used for each tenant, meaning that logs specific to one tenant are generated and retrieved based on a unique tenant identifier, in this case, indexName, which defaults to the name of the tenant. This is the default configuration. In this case, logs are generated per month.
Shared Index - index="robotlogs-${date:format=yyyy.MM.dd}" One index is used for all tenants, meaning that all logs use the same index regardless of the tenant. In this case, logs are generated per day. To use a shared index, you are also required to add the following key in UiPath.Orchestrator.dll.config: <add key="Logs.Elasticsearch.SharedIndex" value="robotlogs" />. Make sure to set it to the same value as for the index parameter in the NLog target.

Important: Logs generated using an individual index are kept if you shift to a shared index. However, logs generated using a shared index are lost if you shift to an individual one.

Note: The Elastic robot logs index name pattern in Orchestrator must match the following locations:

The NLog target config section name="robotElastic" index="robot-logs-${date:format=yyyy-MM}" from UiPath.Orchestrator.dll.config.
The LoggingIndex record from the Orchestrator database’s dbo.Settings table. Ensure the record matches the index pattern from the NLog target config (i.e. robot-logs-${date:format=yyyy-MM}).

Logging Events in the Database

To store system event logs in the database rather than Event Viewer, follow these steps:

Create a new database table, for example:
```
CREATE TABLE [dbo].[EventLogs](
    [Id] [bigint] IDENTITY(1,1) NOT NULL,
    [Timestamp] [datetime] NOT NULL,
    [Level] [int] NOT NULL,
    [Message] [nvarchar](max) NULL,
    [Exception] [nvarchar](max) NULL)CREATE TABLE [dbo].[EventLogs](
    [Id] [bigint] IDENTITY(1,1) NOT NULL,
    [Timestamp] [datetime] NOT NULL,
    [Level] [int] NOT NULL,
    [Message] [nvarchar](max) NULL,
    [Exception] [nvarchar](max) NULL)
```
In the above query, we create a table named EventLogs with the following columns:
- Id - to hold an ID number for each log, here starting with 1 and incrementing the value with each log added;
- Timestamp - to hold the time each event was logged;
- Level - to hold the numerical logging level of each event;
- Message - to hold the message of each event, if applicable;
- Exception - to hold the exception logged for each event, if applicable.
  
  Note: You can use any name for your table, and remove any columns from the above query or add others to suit your needs.

In the UiPath.Orchestrator.dll.config file, add a new NLog target:

<target xsi:type="Database" connectionString="${ui-connection-strings:item=Default}" name="eventLogDatabase" keepConnection="true">
        <commandText>
          INSERT INTO dbo.EventLogs (Timestamp, Level, Message, Exception)
          VALUES (@timestamp, @level, @message, @exception)
        </commandText>
        <parameter name="@timestamp" layout="${date:format=yyyy-MM-dd HH\:mm\:ss.fff}" />
        <parameter name="@level" layout="${event-properties:item=levelOrdinal}" />
        <parameter name="@message" layout="${message}" />
        <parameter name="@exception" layout="${onexception:${exception:format=tostring:maxInnerExceptionLevel=5:innerFormat=tostring}}" />
</target><target xsi:type="Database" connectionString="${ui-connection-strings:item=Default}" name="eventLogDatabase" keepConnection="true">
        <commandText>
          INSERT INTO dbo.EventLogs (Timestamp, Level, Message, Exception)
          VALUES (@timestamp, @level, @message, @exception)
        </commandText>
        <parameter name="@timestamp" layout="${date:format=yyyy-MM-dd HH\:mm\:ss.fff}" />
        <parameter name="@level" layout="${event-properties:item=levelOrdinal}" />
        <parameter name="@message" layout="${message}" />
        <parameter name="@exception" layout="${onexception:${exception:format=tostring:maxInnerExceptionLevel=5:innerFormat=tostring}}" />
</target>

Defining a corresponding parameter for the data to be added in each database column, in this example @timestamp, @level, @message, and @exception.

Lastly, associate the newly created target with the NLog logger classification for all Orchestrator messages, from above, by adding:
```
<logger name="*" minlevel="Info" writeTo="eventLog,eventLogDatabase" /><logger name="*" minlevel="Info" writeTo="eventLog,eventLogDatabase" />
```

Enabling NLog Debugging

NLog is an open-source, easily configured, and extensible logging platform for a variety of .NET platforms. With NLog, you can store or pass log data to any number of predefined or custom targets, such as a local file, an event log, email, or database.

Important: Custom NLog targets are not automatically migrated during an upgrade. You need to migrate them to Identity Server and Webhooks services manually. See NLog documentation in Identity Server.

Though there exists some overlap, NLog and Orchestrator have several differentiating logging levels. For NLog, you can select either Trace, Debug, Info, Warn, Error, Fatal, or Off. See Logging Levels for a description of the available levels in Orchestrator.

You can enable debugging in NLog to ensure that it is functioning properly. By default NLog is set to Off, it is enabled by configuring the following section of the UiPath.Orchestrator.dll.config file:

<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" autoReload="true" throwExceptions="false" internalLogLevel="Off" internalLogFile=""><nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" autoReload="true" throwExceptions="false" internalLogLevel="Off" internalLogFile="">

The attributes which must be set are:

internalLogLevel - the desired logging level
internalLogFile - the location of the log file

For example:

<nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" autoReload="true" throwExceptions="false" internalLogLevel="Debug" internalLogFile="C:\logs.txt"><nlog xmlns="http://www.nlog-project.org/schemas/NLog.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" autoReload="true" throwExceptions="false" internalLogLevel="Debug" internalLogFile="C:\logs.txt">