NOTE: Platform Agent and Novell Audit are no longer supported. A new Access Manager 4.2 installation no longer installs Platform Agent and Novell Audit for auditing. If you upgrade from an older version of Access Manager to 4.2, Platform Agent is still available. It is recommended to use Syslog for auditing.
Access Manager supports audit logging and file logging at the component level. Access Manager provides compliance assurance logging and maintains audit log entries that can subsequently be included in reports. In addition to selectable events, device-generated alerts are automatically sent to the audit server. You can configure Access Manager to use a Sentinel server, a Sentinel Log Manager server, or a third-party syslog server.
The audit logs record events that have occurred in the identity and access management system and are primarily intended for auditing and compliance purposes. You can configure the following types of events for logging:
Starting, stopping, and configuring a component
Success or failure of user authentication
Role assignment
Allowed or denied access to a protected resource
Error events
Denial of service attacks
Security violations and other events necessary for verifying the correct and expected operation of the identity and access management system
Audit logging does not track the operational processing of the Access Manager components; that is, the processing and interactions between Access Manager components required to fulfill a user request. (For this type of logging, see Configuring Logging for Identity Server.) Audit logs record the results of user and administrator requests and other system events. Although the primary purpose of audit logging is auditing and compliance, you can also use the event logs to detect abnormal and error conditions. The event logs can be used as a first alert mechanism for system support.
Access Manager has been assigned the server-alert event code 0x002E0605. It is responsible for packaging and forwarding audit log entries to the configured audit server.
For a secure system, you need to configure auditing and syslog to notify the system administrator when certain events occur. The most important audit events to monitor are the following:
Configuration changes
System shutdowns and startups
Server imports and deletes
Intruder lockout detection (available only for eDirectory user stores)
User account provisioning
Audit events are device-specific. You can select events for the following devices:
Administration Console: In the Administration Console, click Auditing.
Identity Server: In the Administration Console, click Devices > Identity Servers > Edit > Logging.
Access Gateway: In the Administration Console, click Devices > Access Gateways > Edit > Auditing.