3.2 Logging to a Novell Audit or Sentinel Server

To log to a Novell Audit or Sentinel server:

  1. Add the Identity Manager application schema to the Novell Audit server as a log application

    Section 3.2.1, Adding the Identity Manager Application Schema to your Novell Audit Server as a Log Application

  2. Configure the Novell Audit platform agent on your application server

    The Platform Agent is required on any client that reports events to Novell Audit or Sentinel. You configure the platform agent through the logevent configuration file. This file provides the configuration information that the platform agent needs to communicate with the Novell Audit server. The default location for this file, on the application server, is:

    • Linux: /etc/logevent.conf

    • Windows: / <WindowsDir> /logevent.cfg (Usually c:\windows)

    Specify the following four properties:

    Loghost: The IP address or DNS name of your Novell Audit or Sentinel server. For example:

    LogHost=xxx.xxx.xxx.xxx
    

    LogJavaClassPath: The location of the lcache jar file NauditPA.jar. For example:

    LogJavaClassPath=/opt/novell/idm/NAuditPA.jar
    

    LogCacheDir: Specifies where lcache stores cache files. For example:

    LogCacheDir=/opt/novell/idm/naudit/cache
    

    LogCachePort: Specifies on which port lcache listens for connections. The default is 288, but in a Linux server, set the port number greater than 1000. For example:

    LogCachePort=1233
    

    BigData Specifies the maximum number of bytes that the client will allow. Larger amounts of logging data will be truncated. The default value is 3072 bytes, but you should change this to at least 8192 bytes to handle a typical form that has approximately 15 fields on a half page.

    LogMaxBigData=8192
    

    IMPORTANT:If your data is very large, you may want to increase this value. If you are logging events that include digital signatures, it is critical that the value of LogMaxBigData be large enough to handle the data being logged.

    Specify any other settings needed for your environment.

    NOTE:You must restart the Platform Agent any time you change the configuration.

    For more information about the structure of the logevent configuration file, see the section on configuring platform agents in the section on the logging system in the Novell Audit Administration Guide.

  3. Enable Novell Audit logging. For more information, see Section 3.2.2, Enabling Audit Logging.

3.2.1 Adding the Identity Manager Application Schema to your Novell Audit Server as a Log Application

To configure Audit to use the Identity Manager User Application as a log application:

  1. Locate the following file:

    dirxml.lsc
    

    This file is located in the Identity Manager User Application installation directory after the install, for example /opt/novell/idm.

  2. Use a Web browser to access an iManager with the Novell Audit plug-in installed, and log in as an administrator.

  3. Go to Roles and Tasks > Auditing and Logging and select Logging Server Options.

  4. Browse to the Logging Services container in your tree and select the appropriate Audit Secure Logging Server. Then click OK.

  5. Go to the Log Applications tab, select the appropriate Container Name, and click the New Log Application link.

  6. When the New Log Application dialog box displays, specify the following:

    For this setting

    Do this

    Log Application Name

    Type any name that is meaningful for your environment

    Import LSC File

    Use the Browse button to select the dirxml.lsc file

    Click OK. The Log Applications tab displays the added application name.

  7. Click OK to complete your Novell Audit server configuration.

  8. Make sure the status on the Log Application is set to ON. (The circle under the status should be green. If it is red, click it to switch it to ON.)

  9. Restart the Novell Audit server to activate the new log application settings.

3.2.2 Enabling Audit Logging

To enable Novell Audit logging in your Identity Manager User Application:

  1. Log in to the User Application as the User Application Administrator.

  2. Select the Administration tab.

  3. Select the Logging link.

  4. Select the Also send logging messages to NovellAudit check box (near the bottom of the page).

  5. To save the changes for any subsequent application server restarts, make sure Persist the logging changes is selected.

  6. Click Submit.

3.2.3 Events That Are Logged

The Identity Manager User Application logs a set of events automatically from workflow, search, detail, and password requests. By default, the Identity Manager User Application automatically logs the following events to all active logging channels:

Table 3-1 Logged Events

Event ID

Process

Event

Severity

31400

Detail portlet

Delete_Entity

Info

31401

Update_Entity

Info

31410

Change Password portlet

Change_Password_Failure

Error

31411

Change_Password_Success

Info

31420

Forgot Password portlet

Forgot_Password_Change_Failure

Error

31421

Forgot_Password_Change_Success

Info

31430

Search portlet

Search_Request

Info

31431

 

Search_Saved

Info

31440

Create portlet

Create_Entity

Info

31470

Digital Signature

Digital_Signature_Verification_Request

Info

31471

 

Digital_Signature_Verification_Failure

Error

31472

 

Digital_Signature_Verification_Success

Info

31520

Workflow

Workflow_Error

Error

31521

Workflow_Started

Info

31522

Workflow_Forwarded

Info

31523

Workflow_Reassigned

Info

31524

Workflow_Approved

Info

31525

Workflow_Refused

Info

31526

Workflow_Ended

Info

31527

Workflow_Claimed

Info

31528

Workflow_Unclaimed

Info

31529

Workflow_Denied

Info

31534

Workflow_Escalated

Info

31535

Workflow_Reminder_Sent

Info

31536

Digital_Signature

Info

31537

Workflow_ResetPriority

Info

3152A

Workflow_Completed

Info

3152B

Workflow_Timedout

Info

3152C

User_Message

Info

31533

Workflow_Retracted

Info

3152D

Provisioning

Provision_Error

Error

3152E

Provision_Submitted

Info

3152F

Provision_Success

Info

31530

Provision_Failure

Error

31531

Provision_Granted

Info

31532

Provision_Revoked

Info

31450

Security Context

Create_Proxy_Definition_Success

Info

31451

Create_Proxy_Definition_Failure

Error

31452

Update_Proxy_Definition_Success

Info

31453

Update_Proxy_Definition_Failure

Error

31454

Delete_Proxy_Definition_Success

Info

31455

Delete_Proxy_Definition_Failure

Error

31456

Create_Delegatee_Definition_Success

Info

31457

Create_Delegatee_Definition_Failure

Error

31458

Update_Delegatee_Definition_Success

Info

31459

Update_Delegatee_Definition_Failure

Error

3145A

Delete_Delegatee_Definition_Success

Info

3145B

Delete_Delegatee_Definition_Failure

Error

3145C

Create_Availability_Success

Info

3145D

Create_Availability_Failure

Error

3145E

Delete_Availability_Success

Info

3145F

Delete_Availability_Failure

Error

3.2.4 Log Reports

If you log events to the Novell Audit database channel, you can run reports on the data. There are several ways to generate reports against data logged to a Novell Audit database:

  • Use the Novell Audit Report application to run your own reports or to run the predefined reports described in Predefined Log Reports.

  • Write queries against the logged data by using iManager to select Auditing and Logging > Queries.

  • Write your own SQL queries against the logged data.

  • Produce Identity Manager reports in Sentinel (see Sentinel Reports.

The default Novell Audit table is called NAUDITLOG.

Predefined Log Reports

The following predefined log reports are created in Crystal Reports ( .rpt) format for filtering data logged to the Novell Audit database:

Report Name

Description

Administrative Action

Shows all administrative actions initiated from the Identity Manager User Application portal. This report includes the administrator who initiated the action.

It excludes any administrative changes made using iManager or the Designer for Identity Manager.

Historical Approval Flow

Shows all approval flow activities for a specified time frame.

Resource Provisioning

Shows all provisioning activities, sorted by resource.

User Audit Trail

Shows all activity relating to a user. Activities include both provisioning and self-service activities.

Specific User Provisioning

Shows all provisioning activities for a specific user.

User Provisioning

Shows all provisioning activities, sorted by user.

The following graphic shows an example of the Specific User Audit Trail report:

Figure 3-1 Sample Audit Trail Report

Illustration

The report files are in the following locations:

Platform

Location

Windows

/nt/dirxml/reports

You can use these reports as templates for creating custom reports in the Crystal Reports Designer or you can run the reports using Audit Report ( lreport.exe), a Windows program supplied with Novell Audit. The predefined reports query data from the default Novell Audit log database named naudit and a database table named nauditlog. If your Novell Audit log database has a different name, use the Set Datasource Location menu item in Crystal Reports Designer to replace the naudit database name with the one in your environment.

For more information, see the section on working with reports in the Novell Audit documentation.

Sentinel Reports

If you have configured the platform agent to send events to Sentinel, you can produce the following reports about Identity Manager events in Sentinel:

  • IDM_Administrative_Action_Report.rpt

  • IDM_Historical_Approval_Flow_Report.rpt

  • IDM_Password-Management.rpt

  • IDM_Provisioning_Report_by_Top_10_DHNs.rpt

  • IDM_Provisioning_Report_by_Top_10_DIPs.rpt

  • IDM_Resource_Provisioning_Report.rpt

  • IDM_Specific_User_Audit_Trail_Report.rpt

  • IDM_Specific_User_Provisioning_Report.rpt

  • IDM_Sync-vs-Reset.rpt

  • IDM_User_Provisioning_Report.rpt

  • IDM_Workflow_Stats_by_Top_10_DHNs.rpt

  • IDM_Workflow_Stats_by_Top_10_DIPs.rpt

For more information about Sentinel reports, see the Sentinel User’s Guide. The following is a sample Sentinel report on Password Management:

Figure 3-2 Sample Sentinel Report