6.2 Setting up CEF Configuration

After you install Identity Manager, ensure that all Identity Manager components are configured to generate the CEF events. To configure the components, see the following sections:

IMPORTANT: If Identity Manager loses communication with the Sentinel server, Java Remote Loader, Fanout agent, and DCS events are not logged in the cache file for approximately two minutes. After the connection is restored, any cached events are sent to Sentinel after a delay of two minutes. There is no loss of events when Sentinel is shut down normally.

The CEF configuration settings are stored in simple, text-based files, one for each component. For more information, see Understanding the Properties Files for CEF Auditing.

Before configuring the Identity Manager components, ensure that the Identity Manager collector is configured in the Sentinel server. CEF support is introduced from Identity Manager collector version 2011.1r5 onwards. For information about installing and configuring the Identity Manager collector, see Installing and Configuring the Identity Manager Collector.

6.2.1 Configuring Identity Manager Engine

NOTE: After modifying the auditlogconfig.properties file, manually restart the Identity Vault.

The Identity Manager engine provides events for auditing.

To select events for auditing in CEF, use iManager.

  1. Log in to iManager.

  2. Select Identity Manager Administration > Identity Manager Overview.

  3. Browse to and select the driver set object that contains the driver.

  4. Select the driver set object that contains the driver.

  5. Click Driver Set and then click Edit Driver Set properties.

  6. Click the Log Level tab, select the Log specific events radio button, and then click .

  7. Select the CEF radio button.

  8. Select the events you want to log and click OK.

By default, the auditlogconfig.properties.template for Identity Manager Engine is located in the following directories:

Linux: /etc/opt/novell/eDirectory/conf/

Windows: C:\netiq\eDirectory

For the list of Identity Manager engine events, see Engine Events.

6.2.2 Configuring Remote Loader

By default, the auditlogconfig.properties.template for Remote Loader is located in the following directories:

Linux: /etc/opt/novell/eDirectory/conf/

Windows: \products\IDM\windows\setup\remoteloader\<processor_type>\

NOTE: CEF logging in Remote Loader is enabled only if the auditlogconfig.properties file exists.

For the list of Remote Loader events, see Remote Loader Events.

6.2.3 Configuring .NET Remote Loader

The .NET Remote Loader is applicable for Windows only.

By default, the auditlogconfig.properties.template for .NET Remote Loader is located at the products\IDM\windows\setup\remoteloader.NET directory.

6.2.4 Configuring Java Remote Loader

NOTE: Ensure that the Rolling File Appender directory exists for Java Remote Loader. Otherwise, events are not logged.

The auditlogconfig.properties.template for Java Remote Loader is located in the following directories:

Linux: <extracted loc of dirxml_jremote.tar.gz>/doc

dirxml_jremote.tar.gz is located at IDM/packages/java_remoteloader

Windows: <extracted loc of dirxml_jremote.tar.gz>/doc

dirxml_jremote.tar.gz is located at products/IDM/java_remoteloader

To run the Java Remote Loader, specify the following command:

dirxml_jremote -config <Remote Loader configuration file> -auditlogfile /<PATH of the directory where auditlogconfig.properties file is located>/auditlogconfig.properties

For a list of Java Remote Loader events, see Remote Loader Events.

6.2.5 Configuring Fanout Agent

NOTE: Ensure that the Rolling File Appender directory exists for Fanout Agent. Otherwise, events are not logged.

When you run the Fanout agent for the first time, the auditlogconfig.properties.template file is created and located in the following directories:

Linux: /opt/novell/dirxml/fanoutagent/config

Windows: <install-location>\FanoutAgent\config

For the list of events, see Fanout Agent Events.

6.2.6 Configuring Identity Applications

The configuration settings for the identity applications logging are stored in the idmuserapp_logging.xml file, which is located by default in the following directories:

Linux: /opt/netiq/idm/apps/tomcat/conf

Windows: C:\netiq\idm\apps\tomcat\conf

NOTE: Restart Tomcat manually after configuring the idmuserapp_logging.xml file.

You must manually add the following appender to the idmuserapp_logging.xml file, replacing the bracketed placeholders with your Sentinel server address and port:

    <appender class="com.netiq.idm.logging.syslog.CEFSyslogAppender" name="CEF">
        <param name="Threshold" value="ALL"/>
        <param name="Facility" value="user"/>
        <param name="SyslogHost" value="<IP address of your Sentinel server>"/>
        <param name="SyslogPort" value="<sentinel TCP port>"/>
        <param name="SyslogProtocol" value="ssl"/>
        <param name="SyslogSslKeystoreFile" value="/opt/netiq/idm/jre/lib/security/cacerts"/>
        <param name="SyslogSslKeystorePassword" value="changeit"/>
        <param name="CacheDir" value="/opt/netiq/idm/apps/tomcat/cache"/>
        <param name="CacheRolloverSize" value="1024"/>
        <param name="ApplicationName" value="RBPM"/>
        <param name="EventPrefix" value="IDM:"/>
    </appender>
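As an added check, not from the Identity Manager documentation or product: a small Python script that validates the CEF appender before Tomcat is restarted, reporting unreplaced template placeholders, a SyslogProtocol other than ssl, the default keystore password, and configured paths that do not exist on the host. The sample XML is constructed from the appender block above; the function name and the check_paths switch are this example's own.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment): the appender from the
# documentation inside a minimal log4j root, placeholders still unreplaced.
SAMPLE_TEMPLATE = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender class="com.netiq.idm.logging.syslog.CEFSyslogAppender" name="CEF">
    <param name="Threshold" value="ALL"/>
    <param name="Facility" value="user"/>
    <param name="SyslogHost" value="<IP address of your Sentinel server>"/>
    <param name="SyslogPort" value="<sentinel TCP port>"/>
    <param name="SyslogProtocol" value="ssl"/>
    <param name="SyslogSslKeystoreFile" value="/opt/netiq/idm/jre/lib/security/cacerts"/>
    <param name="SyslogSslKeystorePassword" value="changeit"/>
    <param name="CacheDir" value="/opt/netiq/idm/apps/tomcat/cache"/>
    <param name="CacheRolloverSize" value="1024"/>
    <param name="ApplicationName" value="RBPM"/>
    <param name="EventPrefix" value="IDM:"/>
  </appender>
</log4j:configuration>
"""

# A leftover "<...>" placeholder is not well-formed XML inside an attribute,
# so Tomcat would reject the file; catch it before parsing.
PLACEHOLDER = re.compile(r'value="<[^"]*>"')
REQUIRED = ("SyslogHost", "SyslogPort", "SyslogProtocol", "CacheDir")

def check_cef_appender(xml_text, check_paths=True):
    """Return a list of findings; an empty list means the appender looks ready."""
    findings = [f"unreplaced placeholder: {m.group(0)}"
                for m in PLACEHOLDER.finditer(xml_text)]
    if findings:
        return findings
    root = ET.fromstring(xml_text)
    appender = root.find(".//appender[@name='CEF']")
    if appender is None:
        return ['no <appender name="CEF"> element found']
    params = {p.get("name"): p.get("value") for p in appender.findall("param")}
    findings += [f"missing param: {n}" for n in REQUIRED if n not in params]
    if params.get("SyslogProtocol", "").lower() != "ssl":
        findings.append("SyslogProtocol is not ssl: events would reach Sentinel unencrypted")
    if params.get("SyslogSslKeystorePassword") == "changeit":
        findings.append("SyslogSslKeystorePassword is the JRE default 'changeit'")
    if check_paths:  # only meaningful on the identity applications host
        for key in ("SyslogSslKeystoreFile", "CacheDir"):
            path = params.get(key)
            if path and not os.path.exists(path):
                findings.append(f"{key} does not exist on this host: {path}")
    return findings
```

Run it with check_paths=True on the Tomcat host after editing the file; any finding is worth resolving before the restart.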

For the list of identity applications events, see User Application Events.

6.2.7 Configuring Data Collection Services

The configuration settings for DCS auditing are stored in the idmrptdcs_logging.xml file. By default, the file is located in the following directories:

Linux: /opt/netiq/idm/apps/tomcat/conf

Windows: C:\netiq\idm\apps\tomcat\conf

NOTE: Once you configure the idmrptdcs_logging.xml file, restart Tomcat manually.

NOTE: Ensure that you set the novlua permission for the Rolling File Appender directory and the cache directory. Otherwise, the Rolling File Appender or the cache directory will not work and no events will be logged. For example, you can change the ownership of a directory using the chown novlua:novlua /<directorypath> command, where <directorypath> is the Rolling File Appender path or the cache file directory path.

For a list of DCS events, see DCS Events.

6.2.8 Configuring One SSO Provider

The configuration settings for OSP (One SSO Provider) must be performed through the configuration update utility. For more information on enabling CEF for OSP on Linux and Windows, see the following links: