Identity Manager enables you to configure your own events to log to NetIQ Sentinel. Events can be logged by using an action in the Policy Builder, or within a style sheet. Any information you have access to when defining policies can be logged.
User-defined events are logged any time logging is enabled and are never filtered by the Metadirectory engine. There are two different ways to generate user-defined events:
In the Policy Builder, define the condition that must be met to generate the event, then select the Generate Event action.
Specify an event ID.
Event IDs between 1000 and 1999 are allotted for user-defined events. You must specify a value within this range for the event ID when defining your own events. This ID is combined with the Identity Manager application ID of 003.
Select a log level.
Log levels enable you to group events based on the type of event being logged. The following predefined log levels are available:
| Log Level | Description |
|---|---|
| log-emergency | Events that cause the Metadirectory engine or driver to shut down. |
| log-alert | Events that require immediate attention. |
| log-critical | Events that can cause parts of the Metadirectory engine or driver to malfunction. |
| log-error | Events describing errors that can be handled by the Metadirectory engine or driver. |
| log-warning | Negative events not representing a problem. |
| log-notice | Positive or negative events an administrator can use to understand or improve use and operation. |
| log-info | Positive events of any importance. |
| log-debug | Events of relevance for support or for engineers to debug the Metadirectory engine or driver. |
Click the icon next to the Enter Strings field to launch the Named String Builder.
In the Named String Builder, you can specify the string, integer, and binary values to include with the event.
Use the Named String Builder to define the event values.
The Identity Manager event structure contains a target, a subTarget, three strings (text1, text2, text3), two integers (value1, value3), and a generic field (data). The text fields are limited to 256 bytes, and the data field can contain up to 3 KB of information, unless a larger data field is enabled in your environment.
The following table provides an explanation of the Identity Manager event structure:
| Field | Description |
|---|---|
| target | This field captures the event target. All eDirectory events store the event's object in the Target field. |
| target-type | This field specifies which predefined format the target is represented in. Defined values for this type are as follows: |
| subTarget | This field captures the subcomponent of the target that was affected by the event. All eDirectory events store the event's attribute in the SubTarget field. |
| text1 | The value of this field depends upon the event. It can contain any text string up to 255 characters. |
| text2 | The value of this field depends upon the event. It can contain any text string up to 255 characters. |
| text3 | The value of this field depends upon the event. It can contain any text string up to 255 characters. |
| value1 | The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
| value3 | The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
| data | The value of this field depends upon the event. The default size of this field is 3072 characters. You can configure the size of this field with the LogMaxBigData value in logevent.cfg. This value does not set the size of the Data field, but it does set the maximum size that the Platform Agent can log. For more information, see Section 5.0, Installing and Configuring the Platform Agent. The maximum size of the Data field is defined by the database where the data is logged, so the size varies for each database that is used. If the size of the Data field logged by the Platform Agent exceeds the maximum size allowed by the database, the channel driver truncates the data in the Data field. If an event has more data than can be stored in the String and Numeric value fields, it is possible to store up to 3 KB of binary data in the Data field. |
Click OK to return to the Policy Builder to construct the remainder of your policy.
For more information and examples of the Generate Event action, see Generate Event in the NetIQ Identity Manager - Using Designer to Create Policies guide.
Status documents generated through style sheets using the <xsl:message> element are sent to Sentinel with an event ID that corresponds to the status document level attribute. The level attributes and corresponding event IDs are defined in the following table:
Table 8-2 Status Documents

| Status Level | Status Event ID |
|---|---|
| Success | EV_LOG_STATUS_SUCCESS (1) |
| Retry | EV_LOG_STATUS_RETRY (2) |
| Warning | EV_LOG_STATUS_WARNING (3) |
| Error | EV_LOG_STATUS_ERROR (4) |
| Fatal | EV_LOG_STATUS_FATAL (5) |
| User Defined | EV_LOG_STATUS_OTHER (6) |
The following example generates an event 0x004 and value1=7777, with a level of EV_LOG_STATUS_ERROR:

```xml
<xsl:message>
  <status level="error" text1="This would be text1" value1="7777">This data would be in the blob and in text 2, since no value is specified for text2 in the attributes.</status>
</xsl:message>
```

The following example generates an event 0x004 and value1=7778, with a level of EV_LOG_STATUS_ERROR:

```xml
<xsl:message>
  <status level="error" text1="This would be text1" text2="This would be text2" value1="7778">This data would be in the blob only for this case, since a value for text2 is specified in the attributes.</status>
</xsl:message>
```
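The following added example (not code from the product or this guide) models how a status document like the two above lands in the event structure described earlier: the level-to-event-ID mapping of Table 8-2, the text2 fallback to the element content shown in the examples, the 255-character text limit, the 3072-character default data size and the 32-bit integer fields. The `IdmEvent` dataclass, `status_event` function and field names are assumptions for illustration; a `truncated` list records which fields were clipped, which is what a reviewer checking a policy's log output would want to see.

```python
# Added example (not product code): map a status document onto the event structure on this page.
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

# Status level -> event ID (Table 8-2); any other level is "User Defined" (6).
STATUS_EVENT_IDS = {"success": 1, "retry": 2, "warning": 3, "error": 4, "fatal": 5}
EV_LOG_STATUS_OTHER = 6
TEXT_MAX = 255            # text1..text3: "up to 255 characters"
DATA_MAX_DEFAULT = 3072   # default data field size (LogMaxBigData in logevent.cfg)

@dataclass
class IdmEvent:               # assumed name; mirrors the fields in the table above
    event_id: int
    text1: str = ""
    text2: str = ""
    text3: str = ""
    value1: int = 0
    value3: int = 0
    data: str = ""
    truncated: list = field(default_factory=list)  # names of fields that were clipped

def _clip(name, value, limit, truncated):
    if len(value) > limit:
        truncated.append(name)
        return value[:limit]
    return value

def _int32(name, raw):
    value = int(raw or 0)
    if not -2**31 <= value < 2**31:  # "any numeric value up to 32 bits"
        raise ValueError(f"{name}={value} does not fit in 32 bits")
    return value

def status_event(xsl_message: str, data_max: int = DATA_MAX_DEFAULT) -> IdmEvent:
    """Parse '<xsl:message><status .../></xsl:message>' into an IdmEvent."""
    # Bind the xsl prefix so the fragment parses stand-alone, then locate <status>.
    root = ET.fromstring(f'<r xmlns:xsl="http://www.w3.org/1999/XSL/Transform">{xsl_message}</r>')
    status = root.find(".//status")
    if status is None:
        raise ValueError("no <status> element in message")
    ev = IdmEvent(STATUS_EVENT_IDS.get(status.get("level", ""), EV_LOG_STATUS_OTHER))
    body = status.text or ""
    ev.data = _clip("data", body, data_max, ev.truncated)  # element content goes to the blob
    for name in ("text1", "text2", "text3"):
        # Per the examples above: text2 falls back to the element content when no attribute is set.
        raw = status.get(name, body if name == "text2" else "")
        setattr(ev, name, _clip(name, raw, TEXT_MAX, ev.truncated))
    ev.value1 = _int32("value1", status.get("value1"))
    ev.value3 = _int32("value3", status.get("value3"))
    return ev
```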