31.17 Access Manager Audit Events and Data

This section contains all the audit events logged by Access Manager. Each event has EventID, Description, Originator Title, Target Title, Subtarget Title, Text1 Title, Text2 Title, Text3 Title, Value1 Title, Value1 Type, Group Title, Data Length, and Data Type values stored. Each field contains a single-character token (such as B, U, Y, and so on) that represents a data field of the audit event, with each letter representing a different data field. The mapping of the character tokens to data fields is found in the nids_en.lsc file.

Audit events are device-specific. You can select events for the following devices:

  • Administration Console: In Administration Console Dashboard, click Auditing.

  • Identity Server: Click Devices > Identity Servers > Edit > Auditing and Logging.

  • Access Gateway: Click Devices > Access Gateways > Edit > Auditing.

JavaScript Object Notation (JSON) Event Format

Sample JSON Format

This event is generated when you select the Risk-Based Authentication Succeeded option under Audit Logging on the Logging page of an Identity Server configuration.

The following is a sample JSON event for a risk-based authentication:

{
"appName" : "Novell Access Manager",
"Component" : "nidp",
"timeStamp" : "Fri, 31 Jul 2015 17:30:57 +0530",
"eventId" : "002E0025",
"Description": "NIDS: Risk based additional authentication executed successfully for user",
"Originator": "9772686A5705BA6C",
"Target": "cn=admin,o=novell",
"SubTarget": "3883A05A302BA3BDC7899AF05810B08B",
"stringValue1": "35",
"stringValue2": "medium",
"stringValue3": "null",
"numericValue1": "0",
"numericValue2": "0",
"numericValue3": "0",
"Data": "MTY0Ljk5LjEzNy41Mg==",
"Message": "[Fri, 31 Jul 2015 17:30:57 +0530] [Novell Access Manager\nidp]: AMDEVICEID#9772686A5705BA6C: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: Risk based authentication successful for user: [cn=admin,o=novell]. RiskScore: [35] RiskLevel: [Medium] Additional authentication class: [$SF] Client IP Address: [164.99.137.52]"
}

NOTE: The IP address in the Data field is encoded in the base64 format.

The following table lists the event fields with their corresponding descriptions:

| Field | Description |
|---|---|
| appName | Specifies the name of the product. |
| Component | Specifies the name of the Access Manager component. For example, “nidp” identifies that the audit is triggered by Identity Server. |
| timeStamp | Specifies the time when the event occurred. |
| eventId | Specifies the event ID. For example, 002E0025. To view all the events and their corresponding event IDs, see the sections below. |
| Description | Describes the event. |
| Originator | Specifies the ID of the device that generated this event. For example, 9772686A5705BA6C is the device with ID “idp-9772686A5705BA6C”. |
| Target | Specifies the target on which this action is executed. In the above example, the action is risk-based authentication, hence the target is the user ID for which the risk was assessed. |
| SubTarget | Specifies additional details about the target. |
| stringValue1 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
| stringValue2 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
| stringValue3 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
| numericValue1 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
| numericValue2 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
| numericValue3 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
| Data | Specifies event-specific data. |
| Message | Specifies a friendly detailed message related to the event. |
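The following Python code is an added example, not part of the original page and not the product's own code. It normalizes the sample risk-based authentication event for log analysis: it decodes the Base64 Data field into the client IP address and checks that the Originator, risk score, and IP address agree with the values in the Message text. The function names, the shortened sample, and the reading of stringValue1 and stringValue2 as risk score and risk level for this event are assumptions taken from the sample event above.

```python
import base64
import ipaddress
import json
import re

# Constructed sample: the risk-based authentication event above, shortened.
SAMPLE = r'''{
"eventId": "002E0025",
"Originator": "9772686A5705BA6C",
"Target": "cn=admin,o=novell",
"stringValue1": "35",
"stringValue2": "medium",
"Data": "MTY0Ljk5LjEzNy41Mg==",
"Message": "AMDEVICEID#9772686A5705BA6C: Risk based authentication successful for user: [cn=admin,o=novell]. RiskScore: [35] RiskLevel: [Medium] Client IP Address: [164.99.137.52]"
}'''

# Values repeated in the free-text Message (layout assumed from the sample).
MSG_FIELDS = re.compile(
    r"AMDEVICEID#(?P<device>[0-9A-F]+):.*?RiskScore: \[(?P<score>\d+)\]"
    r".*?Client IP Address: \[(?P<ip>[^\]]+)\]", re.S)

def decode_data_ip(data_b64):
    """Decode the Base64 Data field; return None unless it is a valid IP."""
    try:
        text = base64.b64decode(data_b64, validate=True).decode("ascii")
        return str(ipaddress.ip_address(text))
    except ValueError:  # bad Base64, non-ASCII bytes, or not an IP address
        return None

def normalize(raw_json):
    """Return (flat record, list of consistency problems) for one event."""
    ev = json.loads(raw_json)
    rec = {"event_id": ev["eventId"], "user": ev["Target"],
           "device": ev["Originator"], "risk_score": int(ev["stringValue1"]),
           "risk_level": ev["stringValue2"].lower(),
           "client_ip": decode_data_ip(ev.get("Data", ""))}
    problems = []
    if rec["client_ip"] is None:
        problems.append("Data is not a Base64-encoded IP address")
    m = MSG_FIELDS.search(ev.get("Message", ""))
    if not m:
        problems.append("Message lacks the expected fields")
    else:
        for name, seen, want in (("Originator", m["device"], rec["device"]),
                                 ("stringValue1", int(m["score"]), rec["risk_score"]),
                                 ("Data", m["ip"], rec["client_ip"])):
            if seen != want:
                problems.append(f"{name} disagrees with Message")
    return rec, problems
```

A non-empty problem list means the structured fields and the Message text of the same event disagree, so the event should be reviewed rather than trusted as parsed.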

NOTE: The Syslog agents use the RFC 3164 message format. For more information, see the RFC 3164 documentation.

This section discusses the following audit events: