7.5 Enabling Auditing

You can enable auditing during the installation of Identity Governance, or you can enable it at any time after installation. If you enabled auditing during the installation, you can also increase the level of audit information gathered by editing the ig-server-logging.xml file.

Identity Governance provides auditing for the following components:

  • Identity Governance

  • Identity Reporting

  • OSP

Identity Governance allows you to audit the different services it provides by enabling auditing for each specific service. Identity Governance uses REST calls for auditing. Use the following information to enable auditing for the different components.

7.5.1 Enabling Auditing for Identity Governance

Use the following information to enable auditing for Identity Governance. The steps for enabling auditing are the same whether you installed Identity Governance and Identity Reporting on the same server or different servers.

  1. If you enabled auditing during the install, proceed to Step 5.

    or

    If you want to enable auditing after the installation, proceed to Step 2.

  2. Create an audit directory to store the audit information.

    • Linux: /opt/netiq/idm/apps/audit

    • Windows: C:\netiq\idm\apps\audit

  3. (Optional) Create the Identity Governance log file if it does not exist.

    • Linux: /opt/netiq/idm/apps/audit/ig-server

    • Windows: C:\netiq\idm\apps\audit\ig-server

  4. (Linux only) Assign ownership to the audit directory.

    chown -R novlua.users /opt/netiq/idm/apps/audit

    NOTE: novlua.users is the same owner and group as the tomcat directory. It allows the Tomcat service to modify files within the audit logs directory.

  5. Modify the Identity Governance logging file to enter the syslog server information.

    1. Open the logging file in a text editor.

      • Linux: /opt/netiq/idm/apps/tomcat/conf/ig-server-logging.xml

      • Windows: C:\netiq\idm\apps\tomcat\conf\ig-server-logging.xml

    2. Make the following changes specific for your syslog server:

      <enabled>true</enabled>
      <protocol>TCP|TLS</protocol>
      <host>123.456.78.90</host>
      <port>6514</port>
      <cache-dir>/opt/netiq/idm/apps/audit</cache-dir>
      <cache-file>ig-server</cache-file>
      <application>Identity Governance</application>
      <vendor>Micro Focus</vendor>
      <version>3.0</version>

      NOTE: To disable auditing, ensure that the <enabled> line is set to false. For example:

      <enabled>false</enabled>

  6. Modify the Identity Governance logging file ig-server-logging.xml to enable auditing for each specific service.

    • Linux: /opt/netiq/idm/apps/tomcat/conf/ig-server-logging.xml

    • Windows: C:\netiq\idm\apps\tomcat\conf\ig-server-logging.xml

    1. In a text editor, change the level of each Identity Governance service you want to audit from OFF to INFO. Instead of INFO, you can set the value to DEBUG, TRACE, or ALL.

      There are currently 46 available services listed in the ig-server-logging.xml file that you can enable for the auditing service.

    2. (Optional) You can also filter the Audit Logger for REST services by HTTP method, by adding the method to the end of the logger name. This enables more fine-grained auditing, for example of updates only (PUT and POST methods) or of deletes only (DELETE method).

      For example, change OFF to INFO for each service and method for which you want the Audit Logger to gather additional information:

      <logger name="audit.com.netiq.iac.server.rest.CollectionService.GET" additivity="false" level="INFO"/>
      <logger name="audit.com.netiq.iac.server.rest.CollectionService.PUT" additivity="false" level="INFO"/>
      <logger name="audit.com.netiq.iac.server.rest.CollectionService.POST" additivity="false" level="OFF"/>
      <logger name="audit.com.netiq.iac.server.rest.CollectionService.DELETE" additivity="false" level="OFF"/>

  7. (Conditional) If you are using TLS, add the certificate (public key) for the syslog server (at the provided port) to the Identity Governance and Identity Reporting trusted certificates files.

  8. Restart Tomcat. For more information, see Stopping, Starting, and Restarting Tomcat.

You can see a list of the audit events in AuditEventTable.pdf.

7.5.2 Enabling Auditing for Identity Reporting

Use the following information to enable auditing for Identity Reporting. The steps for enabling auditing are the same whether you installed Identity Reporting and Identity Governance on the same server or different servers.

  1. (Conditional) If you enabled auditing during the install, proceed to Step 3.

  2. (Conditional) If you want to enable auditing after the installation, complete the following steps.

    1. Create an audit directory to store the audit information.

      • Linux: /opt/netiq/idm/apps/audit

      • Windows: C:\netiq\idm\apps\audit

    2. Create the Identity Reporting log file.

      • Linux: ../tomcat/conf/idmrptcore_logging.xml

      • Windows: C:\netiq\idm\apps\tomcat\conf\idmrptcore_logging.xml

    3. (Linux only) Assign ownership to the audit directory.

      chown -R novlua.users /opt/netiq/idm/apps/audit

      NOTE: novlua.users is the same owner and group as the tomcat directory. It allows the Tomcat service to modify files within the audit logs directory.

  3. Modify the Identity Reporting logging file to enter the syslog server information.

    1. Open the logging file in a text editor.

      • Linux: /opt/netiq/idm/apps/tomcat/conf/idmrptcore_logging.xml

      • Windows: C:\netiq\idm\apps\tomcat\conf\idmrptcore_logging.xml

    2. Make the following changes specific for your syslog server:

      <enabled>true</enabled>
      <protocol>TCP|TLS</protocol>
      <host>123.456.78.90</host>
      <port>6514</port>
      <cache-dir>/opt/netiq/idm/apps/audit</cache-dir>
      <cache-file>idm-rpt</cache-file>
      <application>Reporting Core</application>
      <vendor>Micro Focus</vendor>
      <version>6.0</version>

      NOTE: To disable auditing, ensure that the <enabled> line is set to false. For example:

      <enabled>false</enabled>

  4. (Conditional) If you are using TLS, add the certificate (public key) for the syslog server (at the provided port) to the Identity Governance and Identity Reporting trusted certificates files. For example:

    • Linux: jre/lib/security/cacerts

    • Windows: c:\netiq\jre\cacerts

  5. Restart Tomcat. For more information, see Stopping, Starting, and Restarting Tomcat.
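After editing ig-server-logging.xml (Section 7.5.1) or idmrptcore_logging.xml (Section 7.5.2), it is worth checking that the result actually records something and sends it securely. The checker below is an added example, not code from the product or its documentation: the enclosing <syslog> and <loggers> element names are assumptions, and the sample XML is constructed from the fragments shown in this section. It reports a disabled <enabled> flag, a non-TLS <protocol>, a missing <cache-dir>, and lists which audit.* services (and HTTP methods) are above OFF.

```python
"""Checker for the syslog block and audit.* loggers in an IG-style logging file.
Added example; <syslog>/<loggers> wrapper names are assumptions, sample is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the fragments in Sections 7.5.1 and 7.5.2.
SAMPLE_XML = """<configuration>
  <syslog>
    <enabled>true</enabled>
    <protocol>TCP</protocol>
    <host>123.456.78.90</host>
    <port>6514</port>
    <cache-dir>/opt/netiq/idm/apps/audit</cache-dir>
    <cache-file>ig-server</cache-file>
  </syslog>
  <loggers>
    <logger name="audit.com.netiq.iac.server.rest.CollectionService.GET" additivity="false" level="INFO"/>
    <logger name="audit.com.netiq.iac.server.rest.CollectionService.PUT" additivity="false" level="INFO"/>
    <logger name="audit.com.netiq.iac.server.rest.CollectionService.POST" additivity="false" level="OFF"/>
    <logger name="audit.com.netiq.iac.server.rest.CollectionService.DELETE" additivity="false" level="OFF"/>
    <logger name="audit.com.netiq.iac.server.rest.RoleService" additivity="false" level="OFF"/>
  </loggers>
</configuration>"""

HTTP_METHODS = {"GET", "PUT", "POST", "DELETE"}
ENABLED_LEVELS = {"INFO", "DEBUG", "TRACE", "ALL"}   # levels the page says turn auditing on

def audit_status(xml_text):
    """Return (findings, audited): findings is a list of configuration problems,
    audited maps each audit.* service to the HTTP methods it records ('*' = all)."""
    root = ET.fromstring(xml_text)
    findings = []
    syslog = root.find("syslog")
    if syslog is None or (syslog.findtext("enabled") or "").strip() != "true":
        findings.append("auditing disabled: <enabled> is not true")
    else:
        if (syslog.findtext("protocol") or "").strip().upper() != "TLS":
            findings.append("audit events leave the host unencrypted: <protocol> is not TLS")
        if not (syslog.findtext("cache-dir") or "").strip():
            findings.append("no <cache-dir>: events cannot be cached while the syslog server is down")
    audited = {}
    for logger in root.iter("logger"):
        name = logger.get("name", "")
        if not name.startswith("audit.") or logger.get("level", "OFF").upper() not in ENABLED_LEVELS:
            continue
        service, _, suffix = name[len("audit."):].rpartition(".")
        if suffix in HTTP_METHODS:          # method-filtered logger, e.g. ...CollectionService.PUT
            audited.setdefault(service, set()).add(suffix)
        else:                               # plain service logger covers every method
            audited.setdefault(name[len("audit."):], set()).add("*")
    if not audited:
        findings.append("no audit.* logger is above OFF: nothing will be recorded")
    return findings, audited
```

Run it against the real file with `audit_status(open(path).read())` once you have confirmed the wrapper element names your installation uses.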

7.5.3 Enabling Auditing for OSP after the Installation

The steps to enable auditing for OSP are different from enabling auditing for the other components.

You can see a list of the audit events in OSP CEF Events.pdf.

Use the following information to enable auditing for OSP.

  1. Create the audit directory.

    • Linux: /opt/netiq/idm/apps/audit

    • Windows: C:\netiq\idm\apps\audit

  2. Create the OSP log file.

    • Linux: /opt/netiq/idm/apps/audit/osp.log

    • Windows: C:\netiq\idm\apps\audit\osp.log

  3. (Linux only) Set the ownership on the audit directory.

    /bin/chown -R novlua.idvadmin /opt/netiq/idm/apps/audit
    /bin/chmod -R g+s /opt/netiq/idm/apps/audit

    NOTE: novlua is the same owner as the tomcat directory. It allows the Tomcat service to modify files within the audit logs directory.

  4. Use the Identity Governance Configuration Update utility to set properties for your environment in OSP.

    1. Execute the Identity Governance Configuration Update utility.

      • Linux: The utility is configupdate.sh.

        /opt/netiq/idm/apps/osp/bin/configupdate.sh edition=none

      • Windows: The utility is configupdate.bat.

        C:\netiq\idm\apps\osp\bin\configupdate.bat edition=none

      NOTE: Adding edition=none on the command line avoids having to modify this value in the configupdate.sh.properties or configupdate.bat.properties file. It also avoids certain unnecessary fields for which the Configuration Update utility would otherwise require values before it can save.

    2. Access the CEF Auditing tab.

    3. Select the Send audit events option.

    4. Specify the values for your environment:

      • Destination host: Specify localhost

      • Destination port: Specify the port. The default value is 6514.

      • Network protocol: Select TCP or UDP.

      • Use TLS: Select this option to secure communication over TCP. By default, this option is not selected.

      • Intermediate event store directory: Specify the audit directory you created in Step 1. The default directory is:

        • Linux: /opt/netiq/idm/apps/audit

        • Windows: C:\netiq\idm\apps\audit

    5. Restart Tomcat. For more information, see Stopping, Starting, and Restarting Tomcat.