Secure Logging Server manages the flow of information with the auditing system. It performs the following actions:
- Receives incoming events and requests.
- Logs information to the data store.
- Monitors designated events.
- Provides filtering and notification services.
- Automatically resets critical system attributes according to a specified policy.
Specifying the logging server details:
1. Click Auditing.
2. Specify the following details:

| Field | Description |
|---|---|
| Audit Messages Using | Select any one of the following options: Log File (Not Recommended For Production): Audit events are sent to a local log file. Syslog: The available options are: NOTE: These options are available in Access Manager 4.5 Service Pack 1 and earlier versions. |
| Stop Services on Audit Server Failure | Select to stop the Apache services when the audit server is offline or not reachable and audit events cannot be cached. |
| Server Listening Address (Access Manager 4.5 Service Pack 1 and earlier) | Specify the IP address or DNS name of the audit logging server you want to use. If you want to use a different Secure Logging Server, specify that server here. For example, specify syslog server details if you select syslog. |
| Auditing Server 1 (Access Manager 4.5 Service Pack 2 and later) | Specify the IP address or DNS name of the audit logging server you want to use. You can send the audit events to a maximum of two audit servers at a time. For example, you can use the Sentinel server as Auditing Server 1 and any third-party server as Auditing Server 2. IMPORTANT: If you have configured Analytics Server cluster, the virtual IP address is auto-populated. |
| Server Listening Address (Access Manager 4.5 Service Pack 2 and later) | Specify the IP address or DNS name of the second audit logging server you want to use. You can send the audit events to a maximum of two audit servers at a time. If your auditing server is in a private network, you can specify the public NAT IP address of the auditing server instead of the IP address or DNS name of the auditing server. Using this address, devices can contact the auditing server. |
| Port | Specify the port that syslog uses to connect to the Secure Logging Server. |
| Format (Access Manager 4.5 Service Pack 2 and later) | You can choose to send the audit events in CSV or JSON format. |
| Server Public NAT Address | If your auditing server is in a private network, specify the public NAT IP address of the auditing server. Using this address, devices can contact the auditing server. To use Sentinel server or Sentinel Log Manager, specify the IP address or DNS name of the Sentinel. |
| Send Audit Events to Interset Behavioral Analytics Server (Access Manager 4.5 Service Pack 3 and later) | This is a read-only field. It indicates whether you have configured sending audit events to Interset for behavioral analytics. For more information, see Section 10.7.4, Configuring Behavioral Analytics. IMPORTANT: If you select Sentinel server for auditing through syslog, you must use the latest Access Manager Collector for Sentinel. |
| Management Console Audit Events | Select the system-wide events that you want to audit. |

3. Click OK.

   It might take up to 15 minutes for the events you selected to start appearing in the audit files.
4. (Conditional) If you want to change the IP Address of Analytics Server, you must change the IP Address of the primary Analytics Server. For information about changing the primary IP address, see Section 3.7.3, Managing Details of a Cluster.

NOTE: The eDirectory audit configuration remains unchanged even after you upgrade to the latest version of Access Manager. To fetch eDirectory audit events, manually unload and reload the audit modules. Perform this activity each time you start eDirectory.

To install and enable eDirectory packages, see Installing Novell Audit Packages in the eDirectory Administration Guide.