8.2 User-Defined Events

Identity Manager enables you to configure your own events to log to NetIQ Sentinel. Events can be logged by using an action in the Policy Builder, or within a style sheet. Any information you have access to when defining policies can be logged.

User-defined events are logged any time logging is enabled and are never filtered by the Metadirectory engine. There are two different ways to generate user-defined events:

8.2.1 Using Policy Builder to Generate Events

  1. In the Policy Builder, define the condition that must be met to generate the event, then select the Generate Event action.

  2. Specify an event ID.

    Event IDs between 1000 and 1999 are allotted for user-defined events. You must specify a value within this range for the event ID when defining your own events. This ID is combined with the Identity Manager application ID of 003.

  3. Select a log level.

    Log levels enable you to group events based on the type of event being logged. The following predefined log levels are available:

    | Log Level | Description |
    |---|---|
    | log-emergency | Events that cause the Metadirectory engine or driver to shut down. |
    | log-alert | Events that require immediate attention. |
    | log-critical | Events that can cause parts of the Metadirectory engine or driver to malfunction. |
    | log-error | Events describing errors that can be handled by the Metadirectory engine or driver. |
    | log-warning | Negative events not representing a problem. |
    | log-notice | Positive or negative events an administrator can use to understand or improve use and operation. |
    | log-info | Positive events of any importance. |
    | log-debug | Events of relevance for support or for engineers to debug the Metadirectory engine or driver. |

  4. Click the Named String Builder icon next to the Enter Strings field to launch the Named String Builder.

    In the Named String Builder, you can specify the string, integer, and binary values to include with the event.

  5. Use the Named String Builder to define the event values.

    The Identity Manager event structure contains a target, a subTarget, three strings (text1, text2, text3), two integers (value1, value3), and a generic field (data). The text fields are limited to 256 bytes, and the data field can contain up to 3 KB of information, unless a larger data field is enabled in your environment.

    The following table provides an explanation of the Identity Manager event structure:

    | Field | Description |
    |---|---|
    | target | This field captures the event target. All eDirectory events store the event’s object in the Target field. |
    | target-type | This field specifies which predefined format the target is represented in. Defined values for this type are as follows: 0: None, 1: Slash Notation, 2: Dot Notation, 3: LDAP Notation. |
    | subTarget | This field captures the subcomponent of the target that was affected by the event. All eDirectory events store the event’s attribute in the SubTarget field. |
    | text1 | The value of this field depends upon the event. It can contain any text string up to 255 characters. |
    | text2 | The value of this field depends upon the event. It can contain any text string up to 255 characters. |
    | text3 | The value of this field depends upon the event. It can contain any text string up to 255 characters. |
    | value1 | The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
    | value3 | The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
    | data | The value of this field depends upon the event. The default size of this field is 3072 characters. You can configure the size of this field in the LogMaxBigData value in logevent.cfg. This value does not set the size of the Data field, but it does set the maximum size that the Platform Agent can log. For more information, see Section 5.0, Installing and Configuring the Platform Agent. The maximum size of the Data field is defined by the database where the data is logged, so the size varies for each database that is used. If the size of the Data field logged by the Platform Agent exceeds the maximum size allowed by the database, the channel driver truncates the data in the Data field. |

    If an event has more data than can be stored in the String and Numeric value fields, it is possible to store up to 3 KB of binary data in the Data field.

  6. Click OK to return to the Policy Builder to construct the remainder of your policy.

For more information and examples of the Generate Event action, see Generate Event in the NetIQ Identity Manager - Using Designer to Create Policies guide.

8.2.2 Using Status Documents to Generate Events

Status documents generated through style sheets using the <xsl:message> element are sent to Sentinel with an event ID that corresponds to the status document level attribute. The level attributes and corresponding event IDs are defined in the following table:

Table 8-2 Status Documents

| Status Level | Status Event ID |
|---|---|
| Success | EV_LOG_STATUS_SUCCESS (1) |
| Retry | EV_LOG_STATUS_RETRY (2) |
| Warning | EV_LOG_STATUS_WARNING (3) |
| Error | EV_LOG_STATUS_ERROR (4) |
| Fatal | EV_LOG_STATUS_FATAL (5) |
| User Defined | EV_LOG_STATUS_OTHER (6) |

The following example generates an event 0x004 and value1=7777, with a level of EV_LOG_STATUS_ERROR:

<xsl:message>
   <status level="error" text1="This would be text1" value1="7777">This data would be in the blob and in text 2, since no value is specified for text2 in the attributes.</status>
</xsl:message>

The following example generates an event 0x004 and value1=7778, with a level of EV_LOG_STATUS_ERROR:

<xsl:message>
   <status level="error" text1="This would be text1" text2="This would be text2" value1="7778">This data would be in the blob only for this case, since a value for text2 is specified in the attributes.</status>
</xsl:message>
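
Added example (not from the NetIQ documentation): a Python check that derives the event fields Sentinel would receive from a status document, using the Table 8-2 mapping and the text2 fallback shown in the two examples above, and flags values over the documented field limits. Treating unlisted levels as EV_LOG_STATUS_OTHER, matching levels case-insensitively, defaulting value1 to 0, and the function and sample names are assumptions.

```python
import xml.etree.ElementTree as ET

# Level attribute -> status event ID, from Table 8-2.
STATUS_EVENT_IDS = {"success": 1, "retry": 2, "warning": 3, "error": 4, "fatal": 5}
EV_LOG_STATUS_OTHER = 6   # assumption: any other level value counts as "User Defined"
TEXT_MAX_BYTES = 256      # documented limit for the text fields
DATA_MAX_BYTES = 3072     # documented default size of the data field


def status_to_event(message_xml):
    """Return (event, problems) for one <xsl:message> that wraps a <status>."""
    root = ET.fromstring(message_xml)
    status = root if root.tag == "status" else root.find("status")
    if status is None:
        raise ValueError("no <status> element found")
    body = "".join(status.itertext()).strip()
    level = status.get("level", "").lower()   # assumption: case-insensitive match
    event = {
        "event_id": STATUS_EVENT_IDS.get(level, EV_LOG_STATUS_OTHER),
        "text1": status.get("text1", ""),
        # Per the page's examples: the body doubles as text2 only when
        # no text2 attribute is present.
        "text2": status.get("text2", body),
        "value1": int(status.get("value1", "0")),   # assumption: default 0
        "data": body,
    }
    problems = []
    for name in ("text1", "text2"):
        if len(event[name].encode("utf-8")) > TEXT_MAX_BYTES:
            problems.append(f"{name} exceeds {TEXT_MAX_BYTES} bytes")
    if len(event["data"].encode("utf-8")) > DATA_MAX_BYTES:
        problems.append(f"data exceeds {DATA_MAX_BYTES} bytes")
    if not -2**31 <= event["value1"] < 2**32:
        problems.append("value1 does not fit in 32 bits")
    return event, problems


# Constructed input: the page's first example, shortened, with the xsl namespace declared.
SAMPLE = (
    '<xsl:message xmlns:xsl="http://www.w3.org/1999/XSL/Transform">'
    '<status level="error" text1="This would be text1" value1="7777">'
    'Body text</status></xsl:message>'
)

if __name__ == "__main__":
    print(status_to_event(SAMPLE))
```

Running the check over style sheets before deployment shows which status messages would put their body text into text2 and which exceed the documented limits.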