20.0 Auditing

Access Manager supports audit logging and file logging at the component level. Audit logging provides compliance assurance and maintains audit log entries that can subsequently be included in reports. In addition to the events you select, device-generated alerts are automatically sent to the audit server. You can configure Access Manager to send audit events to a Sentinel server, a third-party syslog server, or Analytics Server.

Types of events: The audit logs record events that have occurred in the identity and access management system and are primarily intended for auditing and compliance purposes. You can configure the following types of events for logging:

  • Starting, stopping, and configuring a component

  • Success or failure of user authentication

  • Role assignment

  • Allowed or denied access to a protected resource

  • Error events

  • Denial of service attacks

  • Security violations and other events necessary for verifying the correct and expected operation of the identity and access management system

Audit logging does not track the operational processing of the Access Manager components, that is, the processing and interactions between components required to fulfill a user request. For that type of logging, see Section 22.3.1, Configuring Logging for Identity Server.

What information is recorded: Audit logs contain the results of user and administrator requests and other system events. Although the primary purpose of audit logging is auditing and compliance, you can also use the event logs to detect abnormal and error conditions, and as a first-alert mechanism for system support.

Event code: Access Manager has been assigned the server-alert event code 0x002E0605. It is responsible for packaging and forwarding audit log entries to the configured audit server.

Important events: For a secure system, configure auditing and syslog notification so that the system administrator is alerted when certain events occur. The most important audit events to monitor are:

  • Configuration changes

  • System shutdowns and startups

  • Server imports and deletes

  • Intruder lockout detection (available only for eDirectory user stores)

  • User account provisioning
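The following is an added example, not part of the Access Manager documentation or product: a small Python analyzer that consumes audit events after they have been forwarded to a third-party syslog server, raises an alert for each of the important events listed above, and treats a burst of authentication failures for one user as a first alert in the sense of the preceding section. The syslog line layout (ISO timestamp, host, tag, key="value" pairs), the field names, and the event names (SERVER_STARTUP, CONFIG_CHANGE, INTRUDER_LOCKOUT, USER_AUTH_FAILURE, and so on) are assumptions chosen for the example; map them to the event identifiers your deployment actually emits. The sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ASSUMED line layout (not Access Manager's documented format): an ISO
# timestamp, the sending host, a syslog tag, then key="value" pairs.
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<tag>[^:\s]+): (?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Hypothetical event names for the events the documentation says to monitor.
CRITICAL_EVENTS = {
    "CONFIG_CHANGE": "configuration change",
    "SERVER_STARTUP": "server startup",
    "SERVER_SHUTDOWN": "server shutdown",
    "SERVER_IMPORT": "server import",
    "SERVER_DELETE": "server delete",
    "INTRUDER_LOCKOUT": "intruder lockout (eDirectory user store)",
    "USER_PROVISIONED": "user account provisioning",
}
AUTH_FAILURE_EVENT = "USER_AUTH_FAILURE"  # hypothetical event name

# Constructed sample input: one startup, five failures for bob inside two
# minutes, a configuration change, a lockout, a denied access, and one
# line that is not an audit event at all.
SAMPLE_LOG = """\
2024-05-01T10:00:00 idp1 nam-audit: event="SERVER_STARTUP" component="IdentityServer"
2024-05-01T10:00:05 idp1 nam-audit: event="USER_AUTH_SUCCESS" user="alice" src="203.0.113.5"
2024-05-01T10:01:00 idp1 nam-audit: event="USER_AUTH_FAILURE" user="bob" src="198.51.100.7"
2024-05-01T10:01:20 idp1 nam-audit: event="USER_AUTH_FAILURE" user="bob" src="198.51.100.7"
2024-05-01T10:01:40 idp1 nam-audit: event="USER_AUTH_FAILURE" user="bob" src="198.51.100.7"
2024-05-01T10:02:00 idp1 nam-audit: event="USER_AUTH_FAILURE" user="bob" src="198.51.100.7"
2024-05-01T10:02:20 idp1 nam-audit: event="USER_AUTH_FAILURE" user="bob" src="198.51.100.7"
2024-05-01T10:03:00 ac1 nam-audit: event="CONFIG_CHANGE" admin="admin" object="Access Gateway Cluster"
2024-05-01T10:04:00 idp1 nam-audit: event="INTRUDER_LOCKOUT" user="bob" store="eDirectory"
2024-05-01T10:05:00 ag1 nam-audit: event="ACCESS_DENIED" user="carol" resource="/payroll"
garbage line that is not an audit event
"""


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    return {"ts": ts, "host": m.group("host"), **fields}


def analyze(lines, fail_threshold=5, window=timedelta(minutes=5)):
    """Run the detections over an iterable of syslog lines; return alerts in order."""
    alerts = []
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            # A line the parser cannot read is itself worth a look: it may be a
            # format change on the sender or a gap in the audit trail.
            alerts.append({"kind": "UNPARSED", "ts": None, "host": None, "detail": raw})
            continue
        name = ev.get("event")
        if name in CRITICAL_EVENTS:
            alerts.append({"kind": name, "ts": ev["ts"], "host": ev["host"],
                           "detail": CRITICAL_EVENTS[name]})
        elif name == AUTH_FAILURE_EVENT:
            user = ev.get("user", "<unknown>")
            recent = failures[user]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:  # slide the window
                recent.popleft()
            if len(recent) >= fail_threshold:
                alerts.append({"kind": "AUTH_FAILURE_BURST", "ts": ev["ts"], "host": ev["host"],
                               "detail": f"{len(recent)} failures for {user} within {window}"})
                recent.clear()  # one alert per burst, not one per extra failure
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert["kind"], alert["ts"], alert["host"], alert["detail"])
```

Run as a script it prints five alerts for the sample: the startup, the failure burst for bob (raised on the fifth failure), the configuration change, the intruder lockout, and the unparsable line. The denied access is deliberately not alerted on, since denied requests are routine; a real deployment would tune the threshold and window to its own failure rate and feed the alerts to whatever notifies the administrator.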

Audit events are device-specific. You can select events for the following devices:

  • Administration Console: In Administration Console Dashboard, click Auditing.

  • Identity Server: Click Devices > Identity Servers > Edit > Auditing and Logging.

  • Access Gateway: Click Devices > Access Gateways > Edit > Auditing.

This section discusses the following topics: