16.3 Configuring Audit Events Collection

Identity Intelligence uses the SmartConnector for Syslog NG Daemon to collect audit events from Identity Manager. Identity Manager sends audit events to the SmartConnector, which then sends these audit events to the th-cef Kafka topic in Transformation Hub. The SmartConnector collects audit events that are in Common Event Format (CEF). Therefore, you must configure the Identity Manager Engine and Identity Applications to log audit events in CEF.

16.3.1 Prerequisites

  • To configure audit events collection, you must install and configure the SmartConnector for Syslog NG Daemon. For more information, see Configuring the SmartConnector.

    You must configure Identity Applications and the Identity Manager Engine to send audit events to the SmartConnector. Therefore, if you have already configured Identity Applications and the Identity Manager Engine to send audit events to other destinations, such as Sentinel Log Management for IGA, you must add two destinations in the SmartConnector:

    • Transformation Hub: for SmartConnector to send audit events to the th-cef Kafka topic in Transformation Hub.

    • CEF Syslog: for SmartConnector to send audit events to the existing destination configured in Identity Applications and Identity Manager Engine.

    For more information, see Installing and Configuring the SmartConnector.

  • To configure audit events collection using SSL:

  • Ensure that ingestion of backdated data into the database is enabled. For more information, see Tuning Ingestion of Backdated Events.

16.3.2 Obtaining the SmartConnector Certificate

The SmartConnector and some of the Identity Manager components utilize embedded certificates generated by an internal Certificate Authority (CA). These SSL certificates ensure that communication between the Identity Manager components and the SmartConnector is secure.

Obtaining the Certificate from Browser

You can obtain the SmartConnector certificate from a Web browser. This section provides information about obtaining the SmartConnector certificate in Google Chrome.

  1. Specify the following URL in the browser:

    https://<smartconnector_node_hostname>:<port>

  2. Click the icon to the left of the URL, then click Certificate.

  3. Click Certification Path and select the CA certificate.

  4. For the selected certificate, click Details, then click Copy to File...

  5. Click Next.

  6. Select Base-64 encoded X.509 (.CER) and click Next.

  7. Specify a file name (for example, smartconn.cer) and click Next.

  8. Click Finish.

Obtaining the Certificate from Command-Line

  1. Log in to the machine where you have installed SmartConnector.

  2. Execute the following command to obtain the certificate:

    echo | openssl s_client -connect <smartconnector ip>:<port> 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > smartconn.cer

16.3.3 Configuring Identity Applications

The configuration settings for Identity Applications logging are stored on the Identity Manager server in the idmuserapp_logging.xml and workflow_logging.xml files, located in the following path. You must update these files to include the SmartConnector details.

Linux: /opt/netiq/idm/apps/tomcat/conf

Windows: C:\netiq\idm\apps\tomcat\conf

  1. (Conditional) To configure audit events collection using SSL, perform the following:

    1. Navigate to /opt/netiq/common/jre/bin

    2. Copy the SmartConnector certificate to the Identity Manager machine and add it to the keystore file using the following command:

      ./keytool -import -file <smartconnector_certificate> -keystore <keystore_file> -storepass <keystore_password>

    3. Change the ownership of the keystore file to novlua:

      chown novlua:novlua <keystore_file>

  2. Navigate to the following location:

    Linux: /opt/netiq/idm/apps/tomcat/conf

    Windows: C:\netiq\idm\apps\tomcat\conf

  3. To log audit events in CEF, edit the idmuserapp_logging.xml file as follows:

    Remove the "<!-- remove this line to turn on CEF auditing" and "remove this line to turn on CEF auditing -->" lines (the comment markers around the CEF appender-ref) from the following <logger> sections, so that the <appender-ref ref="CEF"/> element becomes active:

    <logger name="com.novell" level="INFO" additivity="true">
        <!-- remove this line to turn on Novell Audit
        <appender-ref ref="NAUDIT"/>
        remove this line to turn on Novell Audit -->
        <!-- remove this line to turn on CEF auditing
        <appender-ref ref="CEF"/>
        remove this line to turn on CEF auditing -->
    </logger>
    <logger name="com.sssw" level="INFO" additivity="true">
        <!-- remove this line to turn on Novell Audit
        <appender-ref ref="NAUDIT"/>
        remove this line to turn on Novell Audit -->
        <!-- remove this line to turn on CEF auditing
        <appender-ref ref="CEF"/>
        remove this line to turn on CEF auditing -->
    </logger>
    <logger name="com.netiq" level="INFO" additivity="true">
        <!-- remove this line to turn on Novell Audit
        <appender-ref ref="NAUDIT"/>
        remove this line to turn on Novell Audit -->
        <!-- remove this line to turn on CEF auditing
        <appender-ref ref="CEF"/>
        remove this line to turn on CEF auditing -->
    </logger>
  4. Save and close the file.

  5. To log workflow events in CEF, edit the workflow_logging.xml file as follows:

    Remove the "<!-- remove this line to turn on CEF Audit" and "remove this line to turn on CEF Audit -->" lines (the comment markers around the WFCEF appender-ref) from the following <logger> sections, so that the <appender-ref ref="WFCEF"/> element becomes active:

    <logger name="workflow.log" level="INFO" additivity="true">
        <!-- remove this line to turn on CEF Audit
        <appender-ref ref="WFCEF"/>
        remove this line to turn on CEF Audit -->
    </logger>
    <logger name="com.novell" level="INFO" additivity="true">
        <!-- remove this line to turn on CEF Audit
        <appender-ref ref="WFCEF"/>
        remove this line to turn on CEF Audit -->
    </logger>
    <logger name="com.netiq" level="INFO" additivity="true">
        <!-- remove this line to turn on CEF Audit
        <appender-ref ref="WFCEF"/>
        remove this line to turn on CEF Audit -->
    </logger>
    <logger name="com.sssw" level="INFO" additivity="true">
        <!-- remove this line to turn on CEF Audit
        <appender-ref ref="WFCEF"/>
        remove this line to turn on CEF Audit -->
    </logger>
    <logger name="com.microfocus" level="INFO" additivity="true">
        <!-- remove this line to turn on CEF Audit
        <appender-ref ref="WFCEF"/>
        remove this line to turn on CEF Audit -->
    </logger>
  6. Save and close the file.

  7. Specify the SmartConnector details:

    1. Log in to Identity Manager Dashboard.

    2. Navigate to Configuration > Logging > Auditing Configuration.

    3. Select Enable CEF format to log the events in CEF.

    4. In the Destination host, specify the host name of the SmartConnector server.

    5. In the Destination port, specify the port number of the SmartConnector server.

    6. Select the network protocol from the drop-down list.

    7. (Conditional) Enable Use TLS for SSL communication.

      If you enabled SSL, specify the file path and password of the keystore file.

    8. In the Intermediate event store directory, specify the cache file path to store the events until the connection is established.

      Ensure that the cache file path you specify (for example, /opt/netiq/idm/apps/tomcat/cache) exists and that the novlua user owns that folder.

    9. Click Apply.

  8. Restart the Tomcat service for Identity Manager:

    systemctl restart netiq-tomcat.service
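The comment-marker removal in steps 3 and 5 can be scripted and then verified before Tomcat is restarted. The following Python is an added example, not part of Identity Manager or this guide; it assumes the marker text exactly as shown above and uses a constructed copy of one <logger> section as its input:

```python
import re
import xml.etree.ElementTree as ET

# Matches both marker spellings used on this page: "CEF auditing" in
# idmuserapp_logging.xml and "CEF Audit" in workflow_logging.xml.
# The "Novell Audit" markers contain no "CEF" and are left untouched.
_OPEN = re.compile(r"^\s*<!--\s*remove this line to turn on CEF audit\w*\s*$", re.I)
_CLOSE = re.compile(r"^\s*remove this line to turn on CEF audit\w*\s*-->\s*$", re.I)


def enable_cef_appenders(xml_text: str) -> str:
    """Drop only the CEF comment-marker lines; every other line is kept as-is."""
    return "".join(ln for ln in xml_text.splitlines(keepends=True)
                   if not (_OPEN.match(ln) or _CLOSE.match(ln)))


def active_appenders(xml_text: str) -> dict:
    """Map each <logger name> to its live (un-commented) appender refs.

    Parsing the fragment also fails loudly if an edit left it malformed.
    """
    root = ET.fromstring(f"<configuration>{xml_text}</configuration>")
    return {lg.get("name"): [a.get("ref") for a in lg.findall("appender-ref")]
            for lg in root.iter("logger")}


# Constructed sample: the com.novell section of idmuserapp_logging.xml as shown above.
SAMPLE = """<logger name="com.novell" level="INFO" additivity="true">
    <!-- remove this line to turn on Novell Audit
    <appender-ref ref="NAUDIT"/>
    remove this line to turn on Novell Audit -->
    <!-- remove this line to turn on CEF auditing
    <appender-ref ref="CEF"/>
    remove this line to turn on CEF auditing -->
</logger>
"""

if __name__ == "__main__":
    print(active_appenders(SAMPLE))                         # {'com.novell': []}
    print(active_appenders(enable_cef_appenders(SAMPLE)))   # {'com.novell': ['CEF']}
```

Run enable_cef_appenders over the full file contents and feed the result to active_appenders: each of the listed loggers should now report CEF (or WFCEF) while NAUDIT stays commented out.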

For more information, see Configuring Identity Applications and Understanding the idmuserapp_logging.xml File sections in the Identity Manager Administrator’s Guide to Configure Auditing.

16.3.4 Configuring the Identity Manager Engine

Before you configure the Identity Manager Engine to log audit events in CEF, you must add the SmartConnector details in the auditlogconfig.properties file so that the Identity Manager Engine can send CEF events to the specified SmartConnector.

To add the SmartConnector details in the auditlogconfig.properties file:

  1. Log in to the Identity Manager server as the root user.

  2. Change to the following directory:

    cd /etc/opt/novell/eDirectory/conf

  3. Open the auditlogconfig.properties file.

  4. Update the file as indicated in the following source snippet:

    # Set the level of the root logger to DEBUG and attach appenders.
    log4j.rootLogger=debug, S, R
    
    # Defines appender S to be a SyslogAppender.
    log4j.appender.S=org.apache.log4j.net.SyslogAppender
    
    # Defines location of Syslog server.
    log4j.appender.S.Host=<ip address or hostname of the SmartConnector>
    log4j.appender.S.Port=<Port of the SmartConnector>
    
    # Specify protocol to be used (UDP/TCP/SSL)
    log4j.appender.S.Protocol=<Protocol of the SmartConnector>
    
    # Specify SSL certificate file for SSL connection.
    # File path should be given with double backslash.
    log4j.appender.S.SSLCertFile=<Certificate of the SmartConnector>
    
    # Minimum log-level allowed in syslog.
    log4j.appender.S.Threshold=INFO
    
    # Defines the type of facility.
    log4j.appender.S.Facility=USER
    
    # Defines Caching for SyslogAppender.
    # Inputs should be yes/no
    log4j.appender.S.CacheEnabled=yes
    
    # Cache location directory
    # Directory should be available for creating cache files
    log4j.appender.S.CacheDir=<cache files directory>
    
    # Cache File Size
    # Cache File size should be in the range of 50MB to 4000 MB
    log4j.appender.S.CacheMaxFileSize=500MB
    
    # Layout definition for appender Syslog S.
    log4j.appender.S.layout=org.apache.log4j.PatternLayout
    log4j.appender.S.layout.ConversionPattern=%c: %m%n
    
    # Defines appender R to be a Rolling File Appender.
    log4j.appender.R=org.apache.log4j.RollingFileAppender
    
    # Log file for appender R.
    log4j.appender.R.File=<directory of log file appender>
    
    # Max size of log file for appender R.
    log4j.appender.R.MaxFileSize=100MB
    
    # Set the maximum number of backup files to keep for appender R.
    # Max can be 13. If set to zero, then there will be no backup files.
    log4j.appender.R.MaxBackupIndex=10
    
    # Layout definition for appender Rolling log file R.
    log4j.appender.R.layout=org.apache.log4j.PatternLayout
    log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c %m%n
  5. Configure the Identity Manager Engine to log events in CEF.

    IMPORTANT: While configuring the Identity Manager Engine, when you select Log specific events, all the necessary events are sent to the SmartConnector by default. However, ensure that you select at least one event in Step 8. For information about the audit events that Identity Intelligence uses, see Audit Events Used by Identity Intelligence.

  6. Stop the Identity Manager Engine using the following command:

    ndsmanage stopall

  7. Start the Identity Manager Engine using the following command:

    ndsmanage startall

  8. Configure the collection of entity change events.
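The snippet in step 4 states several constraints (protocol values, the 50MB to 4000MB cache size range, at most 13 backup files, a certificate file for SSL) that are easy to get wrong before the engine restart. The following Python is an added example, not part of Identity Manager or this guide; the host, port and file paths in the sample are invented:

```python
import re

SIZE_RE = re.compile(r"^(\d+)\s*MB$", re.I)


def parse_properties(text: str) -> dict:
    """Minimal key=value reader; '#' comment lines and blanks are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_syslog_appender(props: dict) -> list:
    """Return the problems found; an empty list means the file is consistent."""
    s, issues = "log4j.appender.S.", []
    # A leftover <placeholder> means the template line was never filled in.
    for key, value in props.items():
        if re.search(r"<[^>]+>", value):
            issues.append(f"{key} still holds the template placeholder {value}")
    proto = props.get(s + "Protocol", "").upper()
    if proto not in ("UDP", "TCP", "SSL"):
        issues.append(f"{s}Protocol must be UDP, TCP or SSL")
    # SSL transport needs the SmartConnector certificate obtained in 16.3.2.
    if proto == "SSL" and not props.get(s + "SSLCertFile"):
        issues.append(f"{s}SSLCertFile is required when Protocol=SSL")
    m = SIZE_RE.match(props.get(s + "CacheMaxFileSize", ""))
    if not m or not 50 <= int(m.group(1)) <= 4000:
        issues.append(f"{s}CacheMaxFileSize must be between 50MB and 4000MB")
    backups = props.get("log4j.appender.R.MaxBackupIndex", "")
    if not backups.isdigit() or int(backups) > 13:
        issues.append("log4j.appender.R.MaxBackupIndex must be 0..13")
    return issues


# Constructed sample (host, port and paths are invented): the template filled in
# for an SSL connection, with the cache size deliberately out of range.
SAMPLE = """\
log4j.appender.S.Host=smartconnector.example.internal
log4j.appender.S.Port=8443
log4j.appender.S.Protocol=SSL
log4j.appender.S.SSLCertFile=/opt/netiq/certs/smartconn.cer
log4j.appender.S.CacheEnabled=yes
log4j.appender.S.CacheMaxFileSize=5000MB
log4j.appender.R.MaxBackupIndex=10
"""
```

Read the real auditlogconfig.properties into parse_properties and print the list returned by check_syslog_appender; it should be empty before you run ndsmanage startall.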

16.3.5 Audit Events Used by Identity Intelligence

The following table lists the events that Identity Intelligence uses from Identity Manager:

Event ID  Description                Trigger
--------  -------------------------  ----------------------------------------------------------------
31520     Workflow Error             Occurs when there is a workflow error
31521     Workflow Started           Occurs when the workflow starts
31522     Workflow Forwarded         Occurs when the workflow is forwarded
31523     Workflow Reassigned        Occurs when the workflow is reassigned
31524     Workflow Approved          Occurs when the workflow is approved
31525     Workflow Refused           Occurs when the workflow is refused
31526     Workflow Ended             Occurs when the workflow ends
31527     Workflow Claimed           Occurs when the workflow is claimed
31528     Workflow Unclaimed         Occurs when the workflow is not claimed
31529     Workflow Denied            Occurs when the workflow is denied
31533     Workflow Retracted         Occurs when the workflow is retracted
31534     Workflow Escalated         Occurs when the workflow is escalated
31535     Workflow Reminder Sent     Occurs when reminders are sent to addressees of a workflow task
31610     Role Request               Occurs when a role is requested
31611     Role Request Failure       Occurs when the request for a role fails
31614     Retract Role Request       Occurs when the role request is retracted
3152B     Workflow Timedout          Occurs when the workflow timed out
31663     Retract Resource Request   Occurs when the resource request is canceled
31660     Resource Request           Occurs when a resource is requested
3152C     User Message               This is a user ad hoc log message
31662     Resource Request Workflow  Occurs when a resource with an approval process is initiated
31612     Role Request Workflow      Occurs when the approval workflow is initiated for a role request