19.0 Auditing

NOTE: Platform Agent and Novell Audit are no longer supported. A new Access Manager 4.2 installation no longer installs Platform Agent and Novell Audit for auditing. If you upgrade from an older version of Access Manager to 4.2, Platform Agent is still available. It is recommended to use Syslog for auditing.

Access Manager Appliance supports audit logging and file logging at the component level. It provides compliance assurance logging and maintains audit log entries that can subsequently be included in reports. In addition to selectable events, device-generated alerts are automatically sent to the audit server. You can configure Access Manager Appliance to use a Sentinel server, a third-party syslog server, or Analytics Server.

The audit logs record events that have occurred in the identity and access management system and are primarily intended for auditing and compliance purposes. You can configure the following types of events for logging:

  • Starting, stopping, and configuring a component

  • Success or failure of user authentication

  • Role assignment

  • Allowed or denied access to a protected resource

  • Error events

  • Denial of service attacks

  • Security violations and other events necessary for verifying the correct and expected operation of the identity and access management system

Audit logging does not track the operational processing of the Access Manager Appliance components; that is, the processing and interactions between Access Manager Appliance components required to fulfill a user request. (For this type of logging, see Section 21.3.1, Configuring Logging for Identity Server.) Audit logs record the results of user and administrator requests and other system events. Although the primary purpose of audit logging is auditing and compliance, you can also use the event logs to detect abnormal and error conditions. The event logs can be used as a first-alert mechanism for system support.

Access Manager Appliance has been assigned the server-alert event code 0x002E0605. It is responsible for packaging and forwarding audit log entries to the configured audit server.

For a secure system, you need to configure auditing and syslog to notify the system administrator when certain events occur. The most important audit events to monitor are the following:

  • Configuration changes

  • System shutdowns and startups

  • Server imports and deletes

  • Intruder lockout detection (available only for eDirectory user stores)

  • User account provisioning

Audit events are device-specific. You can select events for the following devices:

  • Administration Console: In Administration Console Dashboard, click Auditing.

  • Identity Server: Click Devices > Identity Servers > Edit > Auditing and Logging.

  • Access Gateway: Click Devices > Access Gateways > Edit > Auditing.

This section discusses the following topics: