I.2 CEF Events

The CEF events are classified into the following categories:

I.2.1 Security Events

This set of events is applicable for auditing security operations of eDirectory. A security operation may be granting or revoking access, a login, a password modification, or a query. These events also help to detect intruder attempts on the eDirectory system.

Examples of Security Events:

This section includes the examples for the following Security Events:

NOTE: The examples provided in the following sections are for reference only.

Connection

Click Connection to generate an event when a communication channel is created between system components, as shown in the following example:

Oct 31 17:00:22 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B035E|CONNECTION|0|dvc=164.99.179.194 dvchost=SLES12SP2-194 rt=Oct 31 2017 17:00:22 dtz=IST sourceServiceName=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.164 spt=23017 duser=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in cn1Label=Connection ID cn1=246358976 cn2Label=Created(1)/Terminated(0) cn2=1 cs1Label=Client Address cs1=164.99.179.164:23017 cs2Label=Module cs2=LDAP Server cs3Label=Tree Name cs3=TEST-CEF-AGN cs4Label=Correlation ID cs4=eDirectory#4294967295# flexString2Label=SubEvent flexString2=DSE_CONNECTION cat=Security reason=0 outcome=Success

Login

Click Login to generate an event when a new session is created, for example, when a user logs in to the eDirectory system.

Oct 31 17:00:22 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B035C|LOGIN|1|dvc=164.99.179.194 dvchost=SLES12SP2-194 rt=Oct 31 2017 17:00:22 dtz=IST sourceServiceName=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in sproc=eDirectory#NMAS src=164.99.179.164 spt=59737 suser=CN\=admin,OU\=novell,OU\=co,O\=in duser=CN\=admin,OU\=novell,OU\=co,O\=in cs1Label=Client Address cs1=164.99.179.164:59737 cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TEST-CEF-AGN cs4Label=Correlation ID cs4=nmas#262183# cs6Label=Server Name cs6=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in flexString1Label=Login Method flexString1=0 flexString2Label=SubEvent flexString2=DSE_NMAS_LOG_FINISH_LOGIN_STATUS flexNumber2Label=Grouping flexNumber2=386 cat=Security reason=0 outcome=Success 

Logout

Click Logout to generate an event when an existing session is terminated, for example, when a user logs out of the eDirectory system.

Jan 09 18:34:15 eDirectory CEF:0|NetIQ|eDirectory|9.1|CEF0B0303|LOGOUT|1|dvc=164.99.179.194 dvchost=SLES12SP2-194 rt=Nov 03 2017 13:10:32 dtz=IST sourceServiceName=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.44.5 spt=53738 suser=[Public] duser=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in cs1Label=Client Address cs1=164.99.44.5 cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TEST-CEF-NOV3 cs4Label=Correlation ID cs4=eDirectory#17# cs6Label=Object DN cs6=CN\=admin,OU\=novell,OU\=co,O\=in flexString2Label=SubEvent flexString2=DSE_LOGOUT flexNumber2Label=Grouping flexNumber2=127 cat=Security reason=0 outcome=Success

Add Member

Click Add Member to generate an event when a new user is added to the group, as shown in the following example:

Jan 09 18:34:15 eDirectory CEF:0|eDirectory|eDirectory|9.1|CEF0B0336|ADD_MEMBER|1|dvc=164.99.179.156 dvchost=SLES12-SP3-156.labs.blr.novell.com rt=Jan 09 2018 18:34:15 dtz=IST sourceServiceName=CN\=SLES12-SP3-156,OU\=lnx-server,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.158 spt=54936 suser=CN\=admin,OU\=novell,OU\=co,O\=in duser=CN\=grp1,OU\=lnx-users,OU\=novell,OU\=co,O\=in cs2Label=Class Name cs2=Group cs3Label=Tree Name cs3=NEW-TREE-9th cs4Label=Correlation ID cs4=eDirectory#14#bc560efc-53d4-4ad9-85b4-fc0e56bcd453 cs6Label=Member DN cs6=CN\=lynx-user,OU\=lnx-users,OU\=novell,OU\=co,O\=in flexString2Label=SubEvent flexString2=DSE_ADD_VALUE flexNumber2Label=Grouping flexNumber2=3676 cat=Security reason=0 outcome=Success

Delete Member

Click Delete Member to generate an event when a user is removed from the group, as shown in the following example:

Jan 09 18:35:06 eDirectory CEF:0|eDirectory|eDirectory|9.1|CEF0B0337|DELETE_MEMBER|1|dvc=164.99.179.156 dvchost=SLES12-SP3-156.labs.blr.novell.com rt=Jan 09 2018 18:35:06 dtz=IST sourceServiceName=CN\=SLES12-SP3-156,OU\=lnx-server,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.158 spt=54936 suser=CN\=admin,OU\=novell,OU\=co,O\=in duser=CN\=grp1,OU\=lnx-users,OU\=novell,OU\=co,O\=in cs2Label=Class Name cs2=Group cs3Label=Tree Name cs3=NEW-TREE-9th cs4Label=Correlation ID cs4=eDirectory#14#9136617f-4412-48da-bf33-7f6136911244 cs6Label=Member DN cs6=CN\=lynx-user,OU\=lnx-users,OU\=novell,OU\=co,O\=in flexString2Label=SubEvent flexString2=DSE_DELETE_VALUE flexNumber2Label=Grouping flexNumber2=3687 cat=Security reason=0 outcome=Success

Intruder Detected

Click Intruder Detected to generate an event when an intruder is detected, as shown in the following example:

Jan 09 18:35:06 eDirectory CEF:0|NetIQ|eDirectory|9.1|CEF0B0357|INTRUDER_DETECTED|5|dvc=164.99.179.194 dvchost=SLES12SP2-194 rt=Oct 17 2017 19:50:20 dtz=IST sourceServiceName=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.194 spt=0 suser=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in duser=CN\=raghu,OU\=lens,OU\=QA,OU\=HD,OU\=DSLR,OU\=SLR,OU\=digital,OU\=camera,O\=sony,L\=tokyo,dc\=co,C\=jp cs1Label=Intruder Address cs1=TCP: 164.99.179.164:33584 cs2Label=Reset Time cs2=10/17/17 19:52:20 cs3Label=Tree Name cs3=TEST-CEF222 cs4Label=Correlation ID cs4=eDirectory#0#349e5670-0b80-4c99-b7f0-70569e34800b cs6Label=Class cs6=User flexString2Label=SubEvent flexString2=DSE_ADD_VALUE flexNumber2Label=Grouping flexNumber2=102 cat=Security reason=0 outcome=Success

Account Unlock

Click Account Unlock to generate an event when a locked account is unlocked, as shown in the following example:

Jan 09 19:10:32 eDirectory CEF:0|eDirectory|eDirectory|9.1|CEF0B035F|ACCOUNT_UNLOCK|2|dvc=164.99.179.156 dvchost=SLES12-SP3-156.labs.blr.novell.com rt=Jan 09 2018 19:10:32 dtz=IST sourceServiceName=CN\=SLES12-SP3-156,OU\=lnx-server,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.156 spt=0 suser=CN\=SLES12-SP3-156,OU\=lnx-server,OU\=server,OU\=co,O\=in duser=CN\=rr,OU\=lnx-users,OU\=novell,OU\=co,O\=in cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=NEW-TREE-9th cs4Label=Correlation ID cs4=eDirectory#0#ad3a0226-764e-488c-b90a-26023aad4e76 flexString2Label=SubEvent flexString2=DSE_DELETE_VALUE flexNumber2Label=Grouping flexNumber2=122 cat=Security reason=0 outcome=Success

Login Disabled

Click Login Disabled to generate an event when a user account is disabled, as shown in the following example:

Jan 09 18:18:48 eDirectory CEF:0|eDirectory|eDirectory|9.1|CEF0B0356|LOGIN_DISABLED|2|dvc=164.99.179.156 dvchost=SLES12-SP3-156.labs.blr.novell.com rt=Jan 09 2018 18:18:48 dtz=IST sourceServiceName=CN\=SLES12-SP3-156,OU\=lnx-server,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.158 spt=54936 suser=CN\=admin,OU\=novell,OU\=co,O\=in duser=CN\=lynx-user1,OU\=lnx-users,OU\=novell,OU\=co,O\=in cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=NEW-TREE-9th cs4Label=Correlation ID cs4=eDirectory#14#f04b6deb-df9b-4f4b-a8e8-eb6d4bf09bdf flexString2Label=SubEvent flexString2=DSE_ADD_VALUE flexNumber2Label=Grouping flexNumber2=100 cat=Security reason=0 outcome=Success

Login Enabled

Click Login Enabled to generate an event when a disabled user account is enabled, as shown in the following example:

Jan 09 18:18:56 eDirectory CEF:0|eDirectory|eDirectory|9.1|CEF0B0355|LOGIN_ENABLED|2|dvc=164.99.179.156 dvchost=SLES12-SP3-156.labs.blr.novell.com rt=Jan 09 2018 18:18:56 dtz=IST sourceServiceName=CN\=SLES12-SP3-156,OU\=lnx-server,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.158 spt=54936 suser=CN\=admin,OU\=novell,OU\=co,O\=in duser=CN\=lynx-user1,OU\=lnx-users,OU\=novell,OU\=co,O\=in cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=NEW-TREE-9th cs4Label=Correlation ID cs4=eDirectory#14#f99f0883-251e-424e-a724-83089ff91e25 flexString2Label=SubEvent flexString2=DSE_DELETE_VALUE flexNumber2Label=Grouping flexNumber2=107 cat=Security reason=0 outcome=Success

ACL Changed

Click ACL Changed to generate an event when an ACL is changed on an object, as shown in the following example:

Jan 09 18:04:56 eDirectory CEF:0|eDirectory|eDirectory|9.1|CEF0B0354|ACL_CHANGED|3|dvc=164.99.179.156 dvchost=SLES12-SP3-156.labs.blr.novell.com rt=Jan 09 2018 18:04:56 dtz=IST sourceServiceName=CN\=SLES12-SP3-156,OU\=lnx-server,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.158 spt=52120 suser=CN\=admin,OU\=novell,OU\=co,O\=in duser=CN\=lynx-user,OU\=lnx-users,OU\=novell,OU\=co,O\=in cn1Label=ACL Added cn1=1 cs1Label=Value cs1=Entry ID: .CN\=lynx-user.OU\=lnx-users.OU\=novell.OU\=co.O\=in.T\=NEW-TREE-9th., Attribute ID: [All Attributes Rights], Privileges: Attribute Read cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=NEW-TREE-9th cs4Label=Correlation ID cs4=eDirectory#18#c4f344f7-db17-4366-8a19-f744f3c417db cs6Label=Trustee cs6=CN\=lynx-user,OU\=lnx-users,OU\=novell,OU\=co,O\=in flexString2Label=SubEvent flexString2=DSE_ADD_VALUE flexNumber2Label=Grouping flexNumber2=83 cat=Security reason=0 outcome=Success

Change Security Equals

Click Change Security Equals to generate an event when Security Equals is changed on an object, as shown in the following example:

Jan 09 18:29:38 eDirectory CEF:0|eDirectory|eDirectory|9.1|CEF0B0341|CHANGE_SECURITY_EQUALS|3|dvc=164.99.179.156 dvchost=SLES12-SP3-156.labs.blr.novell.com rt=Jan 09 2018 18:29:38 dtz=IST sourceServiceName=CN\=SLES12-SP3-156,OU\=lnx-server,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.156 spt=0 suser=CN\=SLES12-SP3-156,OU\=lnx-server,OU\=server,OU\=co,O\=in duser=CN\=raghu,OU\=lnx-users,OU\=novell,OU\=co,O\=in cn1Label=Add/Remove cn1=1 cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=NEW-TREE-9th cs4Label=Correlation ID cs4=eDirectory#0#6d1355d0-0401-4858-8475-d055136d0104 cs6Label=Equivalent DN cs6=CN\=grp,OU\=novell,OU\=co,O\=in flexString2Label=SubEvent flexString2=DSE_ADD_VALUE flexNumber2Label=Grouping flexNumber2=3639 cat=Security reason=0 outcome=Success

Verify Password

Click Verify Password to generate an event when an account password is verified.

Audit Config

Click Audit Config to generate an event when any modification is made to the parameters that control the audit service, as shown in the following example:

Jan 09 18:27:12 eDirectory CEF:0|eDirectory|eDirectory|9.1|CEF0B0006|AUDIT_CONFIG|2|dvc=164.99.179.156 dvchost=SLES12-SP3-156.labs.blr.novell.com rt=Jan 09 2018 18:27:12 dtz=IST sourceServiceName=CN\=SLES12-SP3-156,OU\=lnx-server,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.160 spt=54980 suser=CN\=srv-160,OU\=server,OU\=co,O\=in duser=CN\=SLES12-SP3-156,OU\=lnx-server,OU\=server,OU\=co,O\=in cs1Label=Attribute Value cs1=cefEvents\=ACL_CHANGED $$QUERY_CREDENTIALS cs2Label=Class Name cs2=NCP Server cs3Label=Tree Name cs3=NEW-TREE-9th cs4Label=Correlation ID cs4=eDirectory#16#8dcd3ede-baf8-4e71-9f1e-de3ecd8df8ba cs6Label=Attribute Name cs6=cefConfiguration flexString2Label=SubEvent flexString2=DSE_ADD_VALUE flexNumber2Label=Grouping flexNumber2=3631 cat=Security reason=0 outcome=Success

Change Password

Click Change Password to generate an event when an account password is changed, as shown in the following example:

Oct 31 17:06:11 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0290064|CHANGE_PASSWORD|1|dvc=164.99.179.194 dvchost=SLES12SP2-194 rt=Oct 31 2017 17:06:11 dtz=IST sourceServiceName=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in sproc=eDirectory#NMAS src=164.99.179.194 spt=0 suser=CN\=admin,OU\=novell,OU\=co,O\=in duser=raghu,novell,co,in cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TEST-CEF-AGN cs4Label=Correlation ID cs4=nmas#0# cs6Label=Server Name cs6=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in flexString2Label=SubEvent flexString2=DSE_NMAS_LOG_SET_LOGIN_SECRET flexNumber2Label=Grouping flexNumber2=405 cat=Security reason=0 outcome=Success

Change Login Config

Click Change Login Config to generate an event when an account login configuration is changed, as shown in the following example:

Nov 02 10:21:00 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0290061|CHANGE_LOGIN_CONFIG|1|dvc=164.99.179.194 dvchost=SLES12SP2-194 rt=Nov 02 2017 10:21:00 dtz=IST sourceServiceName=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in sproc=eDirectory#NMAS src=164.99.179.194 spt=0 suser=CN\=admin,OU\=novell,OU\=co,O\=in duser=raghu,novell,co,in cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TEST-CEF-AGN cs4Label=Correlation ID cs4=nmas#0# cs6Label=Server Name cs6=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in flexString2Label=SubEvent flexString2=DSE_NMAS_LOG_SET_LOGIN_CONFIG flexNumber2Label=Grouping flexNumber2=2034 cat=Security reason=0 outcome=Success

Query Credentials

Click Query Credentials to generate an event whenever a request for the credential information of a particular account is made, as shown in the following example:

Nov 02 10:21:00 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0290062|QUERY_CREDENTIALS|1|dvc=164.99.179.194 dvchost=SLES12SP2-194 rt=Nov 02 2017 10:21:00 dtz=IST sourceServiceName=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in sproc=eDirectory#NMAS src=164.99.179.194 spt=0 suser=CN\=admin,OU\=novell,OU\=co,O\=in duser=raghu,novell,co,in cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TEST-CEF-AGN cs4Label=Correlation ID cs4=nmas#0# cs6Label=Server Name cs6=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in flexString2Label=SubEvent flexString2=DSE_NMAS_LOG_GET_LOGIN_CONFIG flexNumber2Label=Grouping flexNumber2=2035 cat=Security reason=0 outcome=Success

Impersonate

Click Impersonate to generate an event whenever an impersonation of an account takes place, as shown in the following example:

Nov 02 10:29:38 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B0231|IMPERSONATE|1|dvc=164.99.179.194 dvchost=SLES12SP2-194 rt=Nov 02 2017 10:29:38 dtz=IST sourceServiceName=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.194 spt=56451 suser=CN\=admin,OU\=novell,OU\=co,O\=in duser=CN\=raghu,OU\=novell,OU\=co,O\=in cs3Label=Tree Name cs3=TEST-CEF-AGN cs4Label=Correlation ID cs4=eDirectory#10# cs6=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in flexString2Label=SubEvent flexString2=DSE_IMPERSONATE flexNumber2Label=Grouping flexNumber2=2048 cat=Security reason=0 outcome=Success 

Authenticate

Click Authenticate to generate an event when a user authenticates a session, as shown in the following example:

Nov 02 10:32:39 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B035D|AUTHENTICATE|1|dvc=164.99.179.194 dvchost=SLES12SP2-194 rt=Nov 02 2017 10:32:39 dtz=IST sourceServiceName=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in sproc=eDirectory#DS src=164.99.179.194 spt=0 suser=CN\=impuser,OU\=novell,OU\=co,O\=in duser=CN\=impuser,OU\=novell,OU\=co,O\=in cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TEST-CEF-AGN cs4Label=Correlation ID cs4=eDirectory#12# cs6Label=Server Name cs6=CN\=SLES12SP2-194,OU\=server,OU\=co,O\=in flexString2Label=SubEvent flexString2=DSE_AUTHENTICATE flexNumber2Label=Grouping flexNumber2=2058 cat=Security reason=0 outcome=Success
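The following parser is an added example, not code from NetIQ or from the original page. It splits events in the format shown above into header and extension fields, handling the escaped `\=` inside DNs and values that contain spaces, and it renames cs1 to cs6 and cn1 to cn2 using their companion Label keys. The function names and the WATCHED list are assumptions made for this illustration.

```python
import re

# Three reference events from this page, abridged: some fields dropped, values unchanged.
SAMPLES = [
    r"Jan 09 18:35:06 eDirectory CEF:0|NetIQ|eDirectory|9.1|CEF0B0357|INTRUDER_DETECTED|5|"
    r"dvc=164.99.179.194 dvchost=SLES12SP2-194 rt=Oct 17 2017 19:50:20 dtz=IST "
    r"duser=CN\=raghu,OU\=lens,OU\=QA,OU\=HD,OU\=DSLR,OU\=SLR,OU\=digital,OU\=camera,"
    r"O\=sony,L\=tokyo,dc\=co,C\=jp cs1Label=Intruder Address "
    r"cs1=TCP: 164.99.179.164:33584 cs2Label=Reset Time cs2=10/17/17 19:52:20 "
    r"cat=Security reason=0 outcome=Success",
    r"Jan 09 18:27:12 eDirectory CEF:0|eDirectory|eDirectory|9.1|CEF0B0006|AUDIT_CONFIG|2|"
    r"dvc=164.99.179.156 rt=Jan 09 2018 18:27:12 dtz=IST src=164.99.179.160 spt=54980 "
    r"suser=CN\=srv-160,OU\=server,OU\=co,O\=in cs1Label=Attribute Value "
    r"cs1=cefEvents\=ACL_CHANGED $$QUERY_CREDENTIALS cs6Label=Attribute Name "
    r"cs6=cefConfiguration cat=Security reason=0 outcome=Success",
    r"Oct 24 02:36:27 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B0230|DSA_READ|0|"
    r"dvc=164.99.179.60 dtz=Pacific Daylight Time cs2Label=Class Name cs2=NCP Server "
    r"cat=Objects reason=0 outcome=Success",
]

HEADER_NAMES = ("version", "vendor", "product", "product_version",
                "event_id", "name", "severity")
# A key starts the extension or follows whitespace and is directly followed by '='.
# An escaped '\=' inside a value never matches, because '\' is not a word character.
KEY_START = re.compile(r"(?:^|(?<=\s))(\w+)=")

def _unescape(value):
    # Undo CEF escaping: \= \\ \| become the literal character, \n and \r line breaks.
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Return the header fields plus a 'fields' dict of labelled extension values."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    event = {k: _unescape(v) for k, v in zip(HEADER_NAMES, parts)}
    ext = parts[7] if len(parts) > 7 else ""
    keys = list(KEY_START.finditer(ext))
    raw = {}
    for i, m in enumerate(keys):
        # A value runs up to the next key, so "dtz=Pacific Daylight Time" stays whole.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw[m.group(1)] = _unescape(ext[m.end():end].strip())
    # cs1Label=Intruder Address + cs1=... becomes fields["Intruder Address"]; a key
    # without a label (cs6 in the IMPERSONATE example) keeps its raw name.
    event["fields"] = {raw.get(k + "Label", k): v
                       for k, v in raw.items() if not k.endswith("Label")}
    return event

# Assumption: a watch list picked for this example, not a vendor recommendation.
WATCHED = {"INTRUDER_DETECTED", "AUDIT_CONFIG", "ACL_CHANGED", "CHANGE_SECURITY_EQUALS"}

def triage(lines):
    """Return (name, severity, actor DN, target DN) for each watched event."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if ev["name"] in WATCHED:
            f = ev["fields"]
            hits.append((ev["name"], int(ev["severity"]), f.get("suser"), f.get("duser")))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLES):
        print(hit)
```

Because the meaning of cs1 to cs6 changes per event type (cs1 is Intruder Address in one event and Attribute Value in another), rules written against the label are more reliable than rules written against the raw key.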

I.2.2 Objects Events

This set of events is applicable for auditing object-related operations of eDirectory. An object operation may be creating, deleting, renaming, moving, or querying objects.

Examples of Objects Events:

This section includes the examples for the following Objects Events:

NOTE: The examples provided in the following sections are for reference only.

Create Object

Click Create Object to generate an event when a new object is created in the eDirectory tree, as shown in the following example:

Oct 23 23:57:19 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B0001|CREATE_OBJECT|0|dvc=164.99.179.60 dvchost=WIN-37D8M9SKD2U rt=Oct 23 2017 23:57:19 dtz=Pacific Daylight Time sourceServiceName=CN\=WIN-37D8M9SKD2U-NDS,O\=novell sproc=eDirectory#DS src=164.99.179.58 spt=52362 suser=CN\=Admin,O\=novell duser=CN\=user001,O\=novell cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TREE910W cs4Label=Correlation ID cs4=eDirectory#17#dc0fee11-5cd9-47d4-b981-cdb8ecd47e07 flexString2Label=SubEvent flexString2=DSE_CREATE_ENTRY flexNumber2Label=Grouping flexNumber2=677768 cat=Objects reason=0 outcome=Success 

Delete Object

Click Delete Object to generate an event when an object is removed from the eDirectory tree, as shown in the following example:

Oct 24 00:02:35 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B0309|DELETE_OBJECT|0|dvc=164.99.179.60 dvchost=WIN-37D8M9SKD2U rt=Oct 24 2017 00:02:35 dtz=Pacific Daylight Time sourceServiceName=CN\=WIN-37D8M9SKD2U-NDS,O\=novell sproc=eDirectory#DS src=164.99.179.58 spt=52362 suser=CN\=Admin,O\=novell duser=CN\=user001,O\=novell cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TREE910W cs4Label=Correlation ID cs4=eDirectory#17#2b97f69d-2984-4f96-a83c-0b6c828bc462 flexString2Label=SubEvent flexString2=DSE_REMOVE_ENTRY flexNumber2Label=Grouping flexNumber2=677993 cat=Objects reason=0 outcome=Success

Rename Object

Click Rename Object to generate an event when an object is renamed, as shown in the following example:

Oct 24 02:06:23 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B0003|RENAME_OBJECT|0|dvc=164.99.179.60 dvchost=WIN-37D8M9SKD2U rt=Oct 24 2017 02:06:23 dtz=Pacific Daylight Time sourceServiceName=CN\=WIN-37D8M9SKD2U-NDS,O\=novell sproc=eDirectory#DS src=164.99.179.58 spt=55434 suser=CN\=Admin,O\=novell duser=CN\=u1,O\=novell cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TREE910W cs4Label=Correlation ID cs4=eDirectory#17#28250918-af9c-4098-b56a-5757e456102a cs6Label=New Object DN cs6=CN\=u1changed,O\=novell flexString2Label=SubEvent flexString2=DSE_RENAME_ENTRY flexNumber2Label=Grouping flexNumber2=683314 cat=Objects reason=0 outcome=Success 

Move Object

Click Move Object to generate an event when an object is moved, as shown in the following example:

Oct 24 02:18:57 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B0004|MOVE_OBJECT|0|dvc=164.99.179.60 dvchost=WIN-37D8M9SKD2U rt=Oct 24 2017 02:18:57 dtz=Pacific Daylight Time sourceServiceName=CN\=WIN-37D8M9SKD2U-NDS,O\=novell sproc=eDirectory#DS src=164.99.179.58 spt=55434 suser=CN\=Admin,O\=novell duser=CN\=u1changed,O\=novell cs2Label=Class Name cs2=User cs3Label=Tree Name cs3=TREE910W cs4Label=Correlation ID cs4=eDirectory#17#28789395-394f-49d5-bb4e-b95410b0f9b5 cs6Label=New DN cs6=CN\=u1changed,OU\=org,O\=novell flexString2Label=SubEvent flexString2=DSE_MOVE_SOURCE_ENTRY flexNumber2Label=Grouping flexNumber2=683861 cat=Objects reason=0 outcome=Success

DSA Read

Click DSA Read to generate an event when an object is read, as shown in the following example:

Oct 24 02:36:27 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B0230|DSA_READ|0|dvc=164.99.179.60 dvchost=WIN-37D8M9SKD2U rt=Oct 24 2017 02:36:27 dtz=Pacific Daylight Time sourceServiceName=CN\=WIN-37D8M9SKD2U-NDS,O\=novell sproc=eDirectory#DS src=164.99.179.60 spt=20928 suser=CN\=WIN-37D8M9SKD2U-NDS,O\=novell duser=CN\=WIN-37D8M9SKD2U-NDS,O\=novell cs2Label=Class Name cs2=NCP Server cs3Label=Tree Name cs3=TREE910W cs4Label=Correlation ID cs4=eDirectory#1# flexString2Label=SubEvent flexString2=DSE_DSA_READ cat=Objects reason=0 outcome=Success

Search

Click Search to generate an event when a request for a search operation is made, as shown in the following example:

Oct 24 02:36:29 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B033C|SEARCH|0|dvc=164.99.179.60 dvchost=WIN-37D8M9SKD2U rt=Oct 24 2017 02:36:29 dtz=Pacific Daylight Time sourceServiceName=CN\=WIN-37D8M9SKD2U-NDS,O\=novell sproc=eDirectory#DS src=164.99.179.60 spt=21184 suser=CN\=WIN-37D8M9SKD2U-NDS,O\=novell duser=CN\=Security cn1Label=Scope cn1=2 cn2Label=Nodes To Search cn2=100 cs2Label=Class Name cs2=SAS:Security cs3Label=Tree Name cs3=TREE910W cs4Label=Correlation ID cs4=eDirectory#2# flexString2Label=SubEvent flexString2=DSE_SEARCH flexNumber2Label=Grouping flexNumber2=684639 cat=Objects reason=0 outcome=Success

I.2.3 Attribute Events

This set of events is applicable for auditing attribute-related operations of eDirectory. An attribute operation may be creating, deleting, renaming, moving, or searching attributes.

Examples of Attribute Events:

This section includes the examples for the following Attribute Events:

NOTE: The examples provided in the following sections are for reference only.

Read Attribute

Click Read Attribute to generate an event when an attribute is read on an object, as shown in the following example:

Oct 26 11:38:35 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B0323|READ_ATTRIBUTE|0|dvc=164.99.179.60 dvchost=WIN-37D8M9SKD2U rt=Oct 25 2017 23:08:35 dtz=India Standard Time sourceServiceName=CN\=WIN-37D8M9SKD2U-NDS,O\=novell sproc=eDirectory#DS src=164.99.179.60 spt=18369 suser=CN\=WIN-37D8M9SKD2U-NDS,O\=novell duser=CN\=WIN-37D8M9SKD2U-NDS,O\=novell cs2Label=Class Name cs2=NCP Server cs3Label=Tree Name cs3=TREE910W cs4Label=Correlation ID cs4=eDirectory#1# cs6Label=Attribute Name cs6=cefConfiguration flexString2Label=SubEvent flexString2=DSE_READ_ATTR cat=Attributes reason=0 outcome=Success

Delete Attribute

Click Delete Attribute to generate an event when an attribute is removed from an object, as shown in the following example:

Oct 24 22:54:36 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B0009|DELETE_ATTRIBUTE|0|dvc=164.99.179.60 dvchost=WIN-37D8M9SKD2U rt=Oct 24 2017 22:54:36 dtz=Pacific Daylight Time sourceServiceName=CN\=WIN-37D8M9SKD2U-NDS,O\=novell sproc=eDirectory#DS src=164.99.179.60 spt=21184 suser=CN\=WIN-37D8M9SKD2U-NDS,O\=novell duser=CN\=WIN-37D8M9SKD2U-NDS,O\=novell cs2Label=Class Name cs2=NCP Server cs3Label=Tree Name cs3=TREE910W cs4Label=Correlation ID cs4=eDirectory#2#a9ea8944-6a78-4a69-9c11-727635aa79e8 cs6Label=Attribute Name cs6=Network Address flexString2Label=SubEvent flexString2=DSE_DELETE_ATTRIBUTE flexNumber2Label=Grouping flexNumber2=736694 cat=Attributes reason=0 outcome=Success

Add Value

Click Add Value to generate an event when a value is added to an attribute, as shown in the following example:

Oct 24 02:38:12 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B0006|ADD_VALUE|0|dvc=164.99.179.60 dvchost=WIN-37D8M9SKD2U rt=Oct 24 2017 02:38:12 dtz=Pacific Daylight Time sourceServiceName=CN\=WIN-37D8M9SKD2U-NDS,O\=novell sproc=eDirectory#DS src=164.99.179.60 spt=0 suser=CN\=WIN-37D8M9SKD2U-NDS,O\=novell duser=.[Pseudo Server] cs1Label=Attribute Value cs1=720575940530274304 cs3Label=Tree Name cs3=TREE910W cs4Label=Correlation ID cs4=eDirectory#0#f9787bd7-0541-47ca-9391-5a4bada90f02 cs6Label=Attribute Name cs6=treeReferral flexString2Label=SubEvent flexString2=DSE_ADD_VALUE flexNumber2Label=Grouping flexNumber2=684713 cat=Attributes reason=0 outcome=Success 

Delete Value

Click Delete Value to generate an event when a value is removed from an attribute, as shown in the following example:

Oct 24 02:38:12 NetIQ CEF:0|NetIQ|eDirectory|9.1|CEF0B0007|DELETE_VALUE|0|dvc=164.99.179.60 dvchost=WIN-37D8M9SKD2U rt=Oct 24 2017 02:38:12 dtz=Pacific Daylight Time sourceServiceName=CN\=WIN-37D8M9SKD2U-NDS,O\=novell sproc=eDirectory#DS src=164.99.179.60 spt=0 suser=CN\=WIN-37D8M9SKD2U-NDS,O\=novell duser=.[Pseudo Server] cs1Label=Attribute Value cs1=720575940530274304 cs3Label=Tree Name cs3=TREE910W cs4Label=Correlation ID cs4=eDirectory#0#1c411e7f-9657-474e-8e8e-80fc92921f96 cs6Label=Attribute Name cs6=localReferral flexString2Label=SubEvent flexString2=DSE_DELETE_VALUE flexNumber2Label=Grouping flexNumber2=684714 cat=Attributes reason=0 outcome=Success

Compare Attribute Value

Click Compare Attribute Value to generate an event when an attribute value is compared, as shown in the following example: