6.6 Enabling Auditing

Identity Governance generates Common Event Format (CEF) events that you can forward to an audit server to analyze the events and create reports. These reports allow you to prove that you are in compliance with regulations.

Identity Governance provides auditing for the following components:

  • Identity Governance

  • Identity Reporting

  • OSP

You can enable auditing during the installation of Identity Governance, or you can use the Identity Governance Configuration Update utility to enable auditing any time after you have installed Identity Governance.

6.6.1 Enabling Auditing after the Installation

In prior releases of Identity Governance, you edited the ig-server-logging.xml file to enable auditing for the different components. Now use the Identity Governance Configuration Update utility instead of editing the ig-server-logging.xml file: it lets you change the server details and TLS settings, and enable auditing for the different components if you did not enable auditing during the installation.

WARNING: If you change the server details or TLS settings, or enable auditing for Identity Governance, directly in the ig-server-logging.xml file, the Identity Governance Configuration Update utility might no longer affect these audit settings.

Use the following information to enable auditing for Identity Governance, Identity Reporting, or OSP after installation. The steps for enabling auditing are the same whether you installed Identity Governance and Identity Reporting on the same server or different servers.

To enable auditing after the installation:

  1. Stop the application server. For more information, see Section 2.5, Stopping, Starting, and Restarting Tomcat.

  2. Launch the Identity Governance Configuration Update utility:

    1. Navigate to one of the following directories:

      • Linux: /opt/netiq/idm/apps/configupdate

      • Windows: C:\netiq\idm\apps\configupdate

    2. Launch the Identity Governance Configuration Update utility:

      • Linux: ./configupdate.sh

      • Windows: configupdate.bat

  3. Click the CEF Auditing tab, click Auditing Settings, then select Send audit events. The options you can set are:

    Send audit events

    Select this option to enable auditing for this server.

    Destination host

    Specify the DNS name of the audit server. If the audit server is this server, you can use localhost.

    Destination port

    Specify the port the audit server uses to communicate. The default port is 6514.

    Network protocol

    Select whether the audit server communicates over TCP or UDP.

    Use TLS

    This option only appears if you select TCP. Select this option if you have configured the audit server to communicate over TLS. For more information, see Section 6.4, Using the TLS/SSL Protocol for Secure Connections.

    Intermediate event store directory

    Specify a path to a directory on this server where Identity Governance stores the audit cache files until the information is sent to the audit server.

  4. Click OK to save the changes. The Identity Governance Configuration Update utility closes automatically.

  5. Start the application server. For more information, see Section 2.5, Stopping, Starting, and Restarting Tomcat.

You can see a list of the audit events in AuditEventTable.pdf.

6.6.2 Audit Properties

The Identity Governance installation program creates a properties file, tomcat/conf/ig-server-logging.xml, for the audit settings. It contains default values, on the right side of the colon, for each property that cannot be found during the installation. Identity Governance supports the TCP and TLS protocols. OSP supports the TCP, TLS, and UDP protocols.

Identity Governance and OSP define and use the following properties for audit events:

  • com.netiq.ism.audit.cef.cache-file-dir

  • com.netiq.ism.audit.cef.enabled

  • com.netiq.ism.audit.cef.host

  • com.netiq.ism.audit.cef.port

  • com.netiq.ism.audit.cef.protocol

Identity Governance also defines and uses the following properties for audit events:

  • <cache-file>ig-server</cache-file>

  • com.netiq.iac.product

  • com.netiq.iac.companyName

  • com.netiq.iac.productVersion

When com.netiq.ism.audit.cef.protocol is set to TLS, the following properties indicate which trust stores contain the certificates for connecting to the audit server:

  • com.netiq.idm.osp.ssl-keystore.file

  • com.netiq.idm.osp.ssl-keystore.pwd

  • com.netiq.idm.osp.ssl-keystore.type

In OSP environments, the following properties contain trust store information:

  • com.netiq.idm.osp.oauth-truststore.file

  • com.netiq.idm.osp.oauth-truststore.pwd

  • com.netiq.idm.osp.oauth-truststore.type
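The following consistency check is an added example, not Identity Governance product code, for the properties listed in this section. It assumes the property values have been read into a plain dict (the XML layout of ig-server-logging.xml is not shown here) and that com.netiq.ism.audit.cef.enabled holds "true" or "false"; the host, paths, and keystore type in the sample are constructed placeholders.

```python
"""Consistency check for the CEF audit properties listed in this section.
Added example, not product code: the property names come from this page, but
values are passed as a plain dict because the XML layout of
tomcat/conf/ig-server-logging.xml is not shown here."""

CEF = "com.netiq.ism.audit.cef."
KEYSTORE = "com.netiq.idm.osp.ssl-keystore."
# Protocols each component supports, as stated in 6.6.2.
SUPPORTED = {"ig": {"TCP", "TLS"}, "osp": {"TCP", "TLS", "UDP"}}


def check_audit_props(props, component="ig"):
    """Return a list of problems; an empty list means the settings are consistent."""
    if props.get(CEF + "enabled", "false").lower() != "true":
        return ["auditing disabled: no CEF events will be sent"]
    problems = []
    if not props.get(CEF + "host", "").strip():
        problems.append("enabled but no destination host")
    try:
        if not 1 <= int(props.get(CEF + "port", "6514")) <= 65535:
            raise ValueError
    except ValueError:
        problems.append("destination port is not a valid port number")
    proto = props.get(CEF + "protocol", "").upper()
    if proto not in SUPPORTED[component]:
        problems.append(f"protocol {proto or '(unset)'} not supported by {component}")
    if proto == "TLS":  # TLS is only usable if the trust store properties are complete
        for key in ("file", "pwd", "type"):
            if not props.get(KEYSTORE + key):
                problems.append(f"TLS selected but {KEYSTORE}{key} is missing")
    if not props.get(CEF + "cache-file-dir"):
        problems.append("no intermediate event store directory configured")
    return problems


# Constructed sample (placeholder paths): TLS chosen, keystore password never set.
SAMPLE = {
    CEF + "enabled": "true", CEF + "host": "audit.example.internal",
    CEF + "port": "6514", CEF + "protocol": "TLS",
    CEF + "cache-file-dir": "/path/to/audit-cache",
    KEYSTORE + "file": "/path/to/keystore.jks", KEYSTORE + "type": "JKS",
}

if __name__ == "__main__":
    for problem in check_audit_props(SAMPLE):
        print("WARN:", problem)
```

Run it against the values actually configured on each server before restarting Tomcat; a misconfigured TLS trust store or an unsupported protocol otherwise shows up only as silently missing audit events.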