27.5 Auditing with REST Services

The eDirectory REST server can send audit events in CEF format to the Sentinel server. The REST server sends the audit data using ArcSight SmartConnectors. For more information on how to configure and use SmartConnectors, see ArcSight SmartConnector User Guide.

To enable auditing for REST services, you must configure the auditing-related parameters in the configuration file. For more information, see Planning to Install REST Services for eDirectory.

27.5.1 Understanding REST Events

By default, all REST events are enabled. You can disable any specific event if your organization does not require it. The eDirectory REST server can audit the following events:

Event                               Description
ENABLESERVICESTARTAUDIT             Generates an event when the REST service is started
ENABLESERVICESTOPAUDIT              Generates an event when the REST service is stopped
ENABLELOGSESSIONCREATIONAUDIT       Generates an event when a REST session is created
ENABLELOGSESSIONTERMINATIONAUDIT    Generates an event when a REST session is terminated

NOTE: The logs are located at /var/opt/novell/eDirAPI/log/edirapi_auditlog.log.

Example

The following is an example of a Create Session event:

Oct 10 15:37:17 eDirAPI CEF:0|NetIQ|eDirAPI|1.0|000B0510|SESSION_CREATE|3|dvc=10.71.128.233 dvchost=SLES12SP3-SHREYAS-128233 rt=Oct 10 2019 15:37:17 dtz=IST src=164.99.136.60 spt=59132 suser=cn\=admin,o\=novell duser=cn\=admin,o\=novell cn1Label=CorrelationID cn1=rtpL9xt-tzBR92fEGt9rrczA_1M2vHrGM4Q_8AjEmSU= cs1Label=Client Address cs1=164.99.136.60 cs2Label=Tree Name cs2=SHREYAS_TREE2 sproc=eDirAPI sourceServiceName=edirapi reason=201 outcome=Success
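
A parser for the record shown above, as an added example that is not part of the original documentation or of the product's code; the function names are assumptions. It splits the extension on keys rather than on spaces or "=", because values in this record contain spaces (Client Address), escaped "\=" (the user DNs) and a trailing unescaped "=" (the CorrelationID), and it folds each cnNLabel/csNLabel pair into a named field.

```python
import re

# Create Session record copied from this page, split across literals only.
SAMPLE = (
    r"Oct 10 15:37:17 eDirAPI CEF:0|NetIQ|eDirAPI|1.0|000B0510|SESSION_CREATE|3|"
    r"dvc=10.71.128.233 dvchost=SLES12SP3-SHREYAS-128233 rt=Oct 10 2019 15:37:17 "
    r"dtz=IST src=164.99.136.60 spt=59132 suser=cn\=admin,o\=novell "
    r"duser=cn\=admin,o\=novell cn1Label=CorrelationID "
    r"cn1=rtpL9xt-tzBR92fEGt9rrczA_1M2vHrGM4Q_8AjEmSU= cs1Label=Client Address "
    r"cs1=164.99.136.60 cs2Label=Tree Name cs2=SHREYAS_TREE2 sproc=eDirAPI "
    r"sourceServiceName=edirapi reason=201 outcome=Success"
)
HEADER = ("version", "vendor", "product", "product_version",
          "event_id", "name", "severity")
# A key is a word at the start or after whitespace, directly followed by '='.
# "cn\=admin" and the '=' ending the CorrelationID do not match this pattern.
KEY_RE = re.compile(r"(?<!\S)(\w+)=")

def parse_extension(ext):
    """Split the extension into key/value pairs; each value runs to the next key."""
    matches = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[m.end():end].strip()
        fields[m.group(1)] = re.sub(r"\\([=\\])", r"\1", value)  # undo \= and \\
    return fields

def parse_cef(line):
    """Parse one audit log line into header fields plus an 'extension' dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    # Seven pipe-delimited header fields, then the extension; skip escaped pipes.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER, parts[:7]))
    ext = parse_extension(parts[7])
    # Replace cn1Label/cn1 style pairs with a single field named by the label.
    for key in [k for k in ext if k.endswith("Label")]:
        if key[:-5] in ext:
            ext[ext.pop(key)] = ext.pop(key[:-5])
    event["extension"] = ext
    return event

if __name__ == "__main__":
    e = parse_cef(SAMPLE)
    print(e["name"], e["extension"]["suser"], e["extension"]["outcome"])
```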