You can configure Access Manager Appliance to send audit events to a Sentinel server, a Syslog server, Novell Audit Server (on upgraded systems only), or a Sentinel Log Manager.
In addition to the selectable events, device-generated alerts are automatically sent to the audit server. These Management Communication Channel events have an ID of 002e0605. All Access Manager events begin with 002e.
For information about audit event IDs and field data, see Access Manager Audit Events and Data.
The Access Gateway also supports sending e-mail notification to system administrators. To configure this system in the Administration Console, click Devices > Access Gateways > Edit > Alerts.
NOTE:The eDirectory audit configuration remains unchanged even after you upgrade to the latest version of the Access Manager. To fetch eDirectory audit events, you have to manually unload and re-load the audit modules. Perform this activity each time you start the eDirectory.
To install and enable eDirectory packages, see Installing Novell Audit Packages in the NetIQ eDirectory 8.8 SP8 Administration Guide.
By default, Access Manager Appliance is preconfigured to use syslog. If you install more than one instance of for failover, syslog server is installed with each instance. However, if you already use a third party syslog server, you can configure Access Manager Appliance to use your audit server.
Access Manager Appliance allows you to specify only one audit server. You still have failover if the audit server is not reachable. The failover mechanism changes based on the type of logging:
For File-based: Does not require a failover mechanism.
For Syslog: The events are sent to a local file. The syslog client must be configured for failover. For more information, see the third party syslog server documentation.
If you have a Sentinel server or a Sentinel Log Manager server, you can configure Access Manager Appliance to send the events to them.
This section includes the following topics:
The Secure Logging Server manages the flow of information to and from the auditing system. It receives incoming events and requests, logs information to the data store, monitors designated events, and provides filtering and notification services. It can also be configured to automatically reset critical system attributes according to a specified policy.
To specify the logging server, click Auditing.
Fill in the following fields:
Audit Messages Using: Select any one of the following:
Platform Agent (Discontinued): (Only on an Upgraded Access Manager)
Log File (Not Recommended For Production): (Only on a fresh installation of Access Manager)
The audit events are sent to a local log file. The file locations are:
On Windows:
Identity Server and ESP: "C:\Program Files(x86)\Novell\Syslog\audit_common.log"
Access Gateway: "C:\Program Files\Novell\Syslog\audit_ag.log"
On Linux:
Identity Server and ESP: /var/opt/novell/syslog/audit_common.log
Access Gateway: /var/opt/novell/syslog/audit_ag.log
Syslog: From the list, select a syslog server. The available options are:
Send to Sentinel: The audit event are sent in CSV format.
Send to Third party: The audit events are sent in JSON format.
NOTE:If the Administration Console is configured as a remote Audit server for syslog, then, the audit logs are sent to the following location: /var/log/NAM_Audits.log.
Server Listening Address: Specify the IP address or DNS name of the audit logging server you want to use. By default, the system uses the primary Administration Console IP address. If you want to use a different Secure Logging Server, specify that server here. For example, if you select syslog, specify the syslog server details here.
NOTE:
Access Manager supports auditing through syslog only on TCP.
On Windows, if syslog is selected for auditing, the Server Listening Address field is disabled. To specify the server details, manually install and configure the local syslog client.
Server Public NAT Address: If your auditing server is in the private network, then you have to enter Public NAT IP Address of the auditing server using which devices can reach the auditing server.
To use a Sentinel server or a Sentinel Log Manager, specify the IP address or DNS name of the Sentinel.
For more information about Sentinel, see Sentinel 7.3.
For more information about Sentinel Log Manager, see Sentinel Log Manager 1.0.
Port: Specify the port that the Platform Agents or syslog uses to connect to the Secure Logging Server.
For Platform Agent: The default secure logging server port is 1289.
For Syslog:
For Sentinel server, the default port is 1468.
For third party syslog servers, specify the configured port of that server.
NOTE:If you select Sentinel server for auditing through syslog, then you must use the latest NetIQ Access Manager Collector for Sentinel.
Stop Service on Audit Server Failure: Enable this option to stop the Apache services when the audit server is offline or not reachable and audit events could not be cached.
Under Management Console Audit Events, specify the system-wide events you want to audit:
Select All: Selects all of the audit events.
Health Changes: Generated whenever the health of a server changes.
Server Imports: Generated whenever a server is imported into the Administration Console.
Server Deletes: Generated whenever a server is deleted from the Administration Console.
Configuration Changes: Generated whenever you change a server configuration.
Click OK.
If you did not change the address or port of the Secure Logging Server, this completes the process. It might take up to fifteen minutes for the events you selected to start appearing in the audit files.
NetIQ Access Manager supports syslog for auditing. You can use a Sentinel server or a third party syslog server to send audit events. To configure syslog, see Specifying the Logging Server and Console Events.
On Linux, if you select syslog for auditing, then the syslog server configurations are automatically pushed to Identity Server and Access Gateway.
On Windows, you need to manually install the preferred syslog service and configure it to communicate to the local TCP port 1290. To configure the syslog agent to communicate with the remote syslog server, you need to manually configure the installed syslog agent on each device.
To view the prerequisites, see Upgrading Access Manager Appliance.
NOTE:To use Syslog for auditing, you need to upgrade the base operating system. After the upgrade, install the Syslog RPMs manually. To install the RPMs, execute the following command: zypper in -t pattern NetIQ-Access-Manager.
The following are the limitations of syslog:
On Identity Server and ESP, the events are cached to a local file during a local audit failure. The file locations:
On Windows:
Identity Server and ESP: "C:\Program Files(x86)\Novell\Syslog\audit_common.log"
On Linux:
Identity Server and ESP: /var/opt/novell/syslog/audit_common.log
The log forwarding of cached logs in not supported for Identity Server and ESP events.
The failover mechanism communication does not work in the Access Gateway.
IMPORTANT:
By default, syslog agents do not cache or queue the audit events when the remote syslog audit server is not reachable. You need to manually configure the local syslog agent for caching the events.
By default, syslog agents are configured without SSL communication with the remote audit server. You need to manually configure SSL between local syslog agent and remote syslog audit server.
For more information about syslog configuration, see Syslog Configuration Whitepaper.