15.0 Auditing

Access Manager supports audit logging and file logging at the component level. Access Manager includes a licensed version of Novell Audit to provide compliance assurance logging and to maintain audit log entries that can be subsequently included in reports. In addition to selectable events, device-generated alerts are automatically sent to the audit server. Access Manager comes preconfigured to use the Novell Audit server. You can configure Access Manager to use an already existing Novell Audit server, a Sentinel server, or a Sentinel Log Manager server.

The audit logs record events that have occurred in the identity and access management system and are primarily intended for auditing and compliance purposes. You can configure the following types of events for logging:

  • Starting, stopping, and configuring a component

  • Success or failure of user authentication

  • Role assignment

  • Allowed or denied access to a protected resource

  • Error events

  • Denial of service attacks

  • Security violations and other events necessary for verifying the correct and expected operation of the identity and access management system.

Audit logging does not track the operational processing of the Access Manager components, that is, the processing and interactions between Access Manager components that are required to fulfill a user request. (For this type of logging, see Section 17.3.1, Configuring Logging for Identity Server.) Audit logs record the results of user and administrator requests and other system events. Although the primary purpose of audit logging is auditing and compliance, you can also use the event logs to detect abnormal and error conditions, so they can serve as a first-alert mechanism for system support. You can configure the audit log entries to generate alerts by leveraging the Novell Audit Notification feature, which can send e-mail, syslog, and SNMP notifications.

Access Manager has been assigned the Novell Audit server-alert event code 0x002E0605. Novell Audit Platform Agent is responsible for packaging and forwarding audit log entries to the configured audit server. If the audit server is not available, Platform Agent caches log entries until the server is operational and can accept audit log data.

For a secure system, you need to set up either auditing or syslogging to notify the system administrator when certain events occur. The most important audit events to monitor are the following:

  • Configuration changes

  • System shutdowns and startups

  • Server imports and deletes

  • Intruder lockout detection (available only for eDirectory user stores)

  • User account provisioning
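As an added illustration (not part of the Access Manager documentation or product) of using syslog notifications as a first-alert mechanism, the following Python script scans a few constructed audit lines and raises an alert for each of the event categories listed above, plus repeated authentication failures. The key=value line layout and the event names (CONFIG_CHANGE, INTRUDER_LOCKOUT, and so on) are assumptions for the example; the real Platform Agent and syslog formats are not shown on this page.

```python
import re
from collections import Counter

# Constructed sample lines in an ASSUMED syslog-style key=value layout.
SAMPLE_LOG = """\
2024-05-01T10:00:01 nam-admin NAM: event=CONFIG_CHANGE admin=admin1 object=IdentityServer
2024-05-01T10:00:05 nam-idp NAM: event=AUTH_SUCCESS user=alice
2024-05-01T10:01:10 nam-idp NAM: event=AUTH_FAILURE user=bob
2024-05-01T10:01:12 nam-idp NAM: event=AUTH_FAILURE user=bob
2024-05-01T10:01:15 nam-idp NAM: event=INTRUDER_LOCKOUT user=bob store=eDirectory
2024-05-01T10:02:00 nam-ag NAM: event=SERVER_SHUTDOWN device=AccessGateway
2024-05-01T10:03:00 nam-admin NAM: event=SERVER_IMPORT device=AccessGateway
2024-05-01T10:04:00 nam-admin NAM: event=USER_PROVISIONED user=carol
2024-05-01T10:05:00 nam-ag NAM: event=ACCESS_ALLOWED user=alice resource=/app
"""

# Assumed event names mapped to the categories the text says to monitor.
ALERT_EVENTS = {
    "CONFIG_CHANGE": "configuration change",
    "SERVER_SHUTDOWN": "system shutdown/startup",
    "SERVER_STARTUP": "system shutdown/startup",
    "SERVER_IMPORT": "server import/delete",
    "SERVER_DELETE": "server import/delete",
    "INTRUDER_LOCKOUT": "intruder lockout",
    "USER_PROVISIONED": "user account provisioning",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) NAM: (?P<kv>.*)$")


def parse_line(line):
    """Parse one assumed-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return {"ts": m.group("ts"), "host": m.group("host"), **fields}


def alerts_for(log_text, failure_threshold=2):
    """Return a list of (timestamp, category, event) tuples worth notifying on."""
    alerts, failures = [], Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # unparseable line: skip rather than crash the monitor
        category = ALERT_EVENTS.get(ev.get("event"))
        if category:
            alerts.append((ev["ts"], category, ev))
        if ev.get("event") == "AUTH_FAILURE":
            failures[ev.get("user")] += 1
            if failures[ev.get("user")] == failure_threshold:
                alerts.append((ev["ts"], "repeated auth failure", ev))
    return alerts


if __name__ == "__main__":
    for ts, category, ev in alerts_for(SAMPLE_LOG):
        print(f"{ts} ALERT {category}: {ev}")
```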

Audit events are device-specific. You can select events for the following devices:

  • Administration Console: In the Administration Console, click Auditing > Novell Auditing.

  • Identity Server: In the Administration Console, click Devices > Identity Servers > Edit > Logging.

  • Access Gateway: In the Administration Console, click Devices > Access Gateways > Edit > Novell Audit.

This section discusses the following topics: