If you have an existing audit server as Sentinel Server and require a graphical view of Access Manager events by using Analytics Dashboard, then you can forward the audit events from Sentinel Server to Analytics Server by using Sentinel link connector.
When Analytics Server is installed and configured, Access Manager displays the following message:
Analytics Server will be functional only when it is set as the Audit Server.
If you want to continue using Sentinel server as the audit server, then you can ignore this message. To view the graphical view of the audit events in Analytics Dashboard you can perform the following steps:
To forward the events you must perform the following:
Configure Analytics Server to receive events.
Log in to Access Manager Administration Console
Click Devices > Analytics Server > Reports
Log in to Analytics Server with the Analytics Server administrator credentials
Click admin > Applications
Click Launch Control Center
Click Event Source Management > Live view
Click on the Table tab, then click the expand symbol (+) next to Sentinel
Right click Sentinel Server, then click Add Event Source Server
Select Sentinel Link from the installed connectors list, then click Next
Configure network settings by specifying Port Number for Event Source Server, then click Next. The default port is 1290
Continue with the default configuration for Security and Auto Configuration
In the General dialog box, select the Run icon
This allows the connector to run on 1290 so that Sentinel Server can connect with Analytics Server.
Click Finish
Click the expand symbol (+) next to Sentinel Server and verify if the status of Sentinel Link Server All:<port number> is On
Configure Sentinel Server to send events to Analytics Server.
Update the latest NetIQ Access Manager Collector in Sentinel Server
Log in to the Sentinel Control Center with administrator rights
Click the Configuration tab to enable Configuration on the menu bar
Click Configuration, then select Integrator Manager
Click the Add Integrator (+) icon to configure Integrator plug-in
Select the Sentinel Link Integrator from the Select Integrator drop-down list
Specify a name for the integrator in the Name field
Click Next
In the Server Configuration dialog box, specify the Host Name as the IP address of Analytics Server
Specify the port number to connect to Analytics Server
The default port is 1290.
Click Next to continue with the default configurations, then click Test configuration to verify the connection is successful.
Click OK > Finish
Add an Action by using Sentinel Action Manager
Navigate to control center > configuration > Action Manager
Click Add
In the Configure Action dialog box, specify the following:
Action Name: any name
Action: Sentinel Link
Name: Integrator
Value: Select the same integrator name that you have specified in Step 2.g.
Click Save
In Sentinel Server, create a routing rule to enable default routing that sends events automatically to Analytics Server
Log in to Sentinel Server
On the main menu, click Routing
Click Edit next to Forward Events To Another Sentinel System
Specify the following:
Criteria: (((sev:[0 TO 5]) NOT st:"I" NOT st:"A" NOT st:"P") AND (evt:"NIDS\: User session was authenticated" OR evt:"NIDS\: Risk based authentication action for user" OR rv40:"002E0606" OR rv40:"002E0525" OR rv40:"002E001F" OR rv40:"002E0029" OR rv40:"002E0514" OR rv40:"002E0102" OR rv40:"002E000C"))
Route to the following services: All
Perform the following actions: Specify the action name that you specified during the configuration of Action Manager in Step 3.
Click Save
Ensure that the routing rule is enabled.