After you install Identity Manager, ensure that all Identity Manager components are configured to generate the CEF events. To configure the components, see the following sections:
IMPORTANT: If Identity Manager loses communication with the Sentinel server, Java Remote Loader, Fanout agent, and DCS events are not logged in the cache file for approximately two minutes. After the connection is restored, any cached events are sent to Sentinel after a delay of two minutes. There is no loss of events when Sentinel is shut down normally.
The CEF configuration settings are stored in simple, text-based files, one for each component. For more information, see Understanding the Properties Files for CEF Auditing.
Before configuring the Identity Manager components, ensure that the Identity Manager collector is configured in the Sentinel server. CEF support is introduced from Identity Manager collector version 2011.1r5 onwards. For information about installing and configuring the Identity Manager collector, see Installing and Configuring the Identity Manager Collector.
NOTE: After modifying the auditlogconfig.properties file, manually restart the Identity Vault.
The Identity Manager engine provides events for auditing.
To select events for auditing in CEF, use iManager.
Log in to iManager.
Browse to and select the driver set object that contains the driver.
Select the driver set object that contains the driver.
Clickand then click .
Click thetab, select the radio button, and then click .
Select theradio button.
Select the events you want to log and click.
By default, the auditlogconfig.properties.template for Identity Manager Engine is located in the following directories:
For the list of Identity Manager engine events, see Engine Events.
By default, the auditlogconfig.properties.template for Remote Loader is located in the following directories:
NOTE: CEF logging in Remote Loader is enabled only if the auditlogconfig.properties file exists.
For the list of Remote Loader events, see Remote Loader Events.
The .NET Remote Loader is applicable for Windows only.
By default, the auditlogconfig.properties.template for .NET Remote Loader is located at the products\IDM\windows\setup\remoteloader.NET directory.
NOTE: Ensure that the Rolling File Appender directory exists for Java Remote Loader. Otherwise, events are not logged.
The auditlogconfig.properties.template for Java Remote Loader is located in the following directories:
Linux: <extracted loc of dirxml_jremote.tar.gz>/doc
dirxml_jremote.tar.gz is located at IDM/packages/java_remoteloader
Windows: <extracted loc of dirxml_jremote.tar.gz>/doc
dirxml_jremote.tar.gz is located at products/IDM/java_remoteloader
To run the Java Remote Loader, specify the following command:
dirxml_jremote -config <Remote Loader configuration file> -auditlogfile /<PATH of the directory where auditlogconfig.properties file is located>/auditlogconfig.properties
For a list of Java Remote Loader events, see Remote Loader Events.
NOTE: Ensure that the Rolling File Appender directory exists for Fanout Agent. Otherwise, events are not logged.
When you run the Fanout agent for the first time, the auditlogconfig.properties.template file is created and located in the following directories:
For the list of events, see Fanout Agent Events.
The configuration settings for the identity applications logging are stored in the idmuserapp_logging.xml file, which is located by default in the following directories:
NOTE: Restart Tomcat manually after configuring the idmuserapp_logging.xml file.
You must manually add the following appender to the idmuserapp_logging.xml file, replacing the placeholder values with the address and TCP port of your Sentinel server:
<appender class="com.netiq.idm.logging.syslog.CEFSyslogAppender" name="CEF">
    <param name="Threshold" value="ALL"/>
    <param name="Facility" value="user"/>
    <param name="SyslogHost" value="<IP address of your Sentinel server>"/>
    <param name="SyslogPort" value="<sentinel TCP port>"/>
    <param name="SyslogProtocol" value="ssl"/>
    <param name="SyslogSslKeystoreFile" value="/opt/netiq/idm/jre/lib/security/cacerts"/>
    <param name="SyslogSslKeystorePassword" value="changeit"/>
    <param name="CacheDir" value="/opt/netiq/idm/apps/tomcat/cache"/>
    <param name="CacheRolloverSize" value="1024"/>
    <param name="ApplicationName" value="RBPM"/>
    <param name="EventPrefix" value="IDM:"/>
</appender>
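A common failure when enabling CEF auditing is leaving the appender half-configured: the angle-bracket placeholders are never replaced (which also makes the file invalid XML, so Tomcat logs nothing), the protocol is downgraded from ssl, or the keystore password is left at the JRE default. The following script is an added example, not part of the Identity Manager documentation or product: it checks a logging XML file for exactly the appender structure shown above (an appender element with the CEFSyslogAppender class and param children) and reports such problems before Tomcat is restarted. The sample XML inside the script is constructed from the fragment above and wrapped in a minimal root element; the real file has a log4j root, and the absolute-path checks assume the Linux layout the fragment uses.

```python
import re
import sys
import xml.etree.ElementTree as ET

CEF_APPENDER_CLASS = "com.netiq.idm.logging.syslog.CEFSyslogAppender"
# Unreplaced template placeholders look like value="<...>", which is not
# well-formed XML, so they are detected with a regex before parsing.
PLACEHOLDER_RE = re.compile(r'value="(<[^"]*>)"')


def check_cef_appender(xml_text):
    """Return a list of findings for the CEF syslog appender in a logging
    XML document. An empty list means every check passed."""
    findings = [f"unreplaced placeholder {ph}" for ph in PLACEHOLDER_RE.findall(xml_text)]
    if findings:
        return findings  # the document will not parse until these are filled in

    root = ET.fromstring(xml_text)
    appenders = [a for a in root.iter("appender") if a.get("class") == CEF_APPENDER_CLASS]
    if not appenders:
        return ["no appender with class " + CEF_APPENDER_CLASS]

    for appender in appenders:
        name = appender.get("name", "?")
        params = {p.get("name"): p.get("value") for p in appender.findall("param")}

        # Events carry identity data, so they should only leave the host over TLS.
        if params.get("SyslogProtocol") != "ssl":
            findings.append(f"{name}: SyslogProtocol is {params.get('SyslogProtocol')!r}, expected 'ssl'")
        port = params.get("SyslogPort", "")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"{name}: SyslogPort {port!r} is not a valid TCP port")
        if not params.get("SyslogHost"):
            findings.append(f"{name}: SyslogHost is empty")
        # 'changeit' is the well-known default password of the JRE cacerts keystore.
        if params.get("SyslogSslKeystorePassword") == "changeit":
            findings.append(f"{name}: SyslogSslKeystorePassword is the JRE default 'changeit'")
        # Cache and keystore locations must be absolute on a Linux deployment.
        for key in ("CacheDir", "SyslogSslKeystoreFile"):
            if not (params.get(key) or "").startswith("/"):
                findings.append(f"{name}: {key} {params.get(key)!r} is not an absolute path")
    return findings


# Constructed sample: the appender fragment from the documentation, wrapped in a
# minimal root element so that it parses stand-alone.
TEMPLATE = """<configuration>
<appender class="com.netiq.idm.logging.syslog.CEFSyslogAppender" name="CEF">
  <param name="Threshold" value="ALL"/>
  <param name="Facility" value="user"/>
  <param name="SyslogHost" value="<IP address of your Sentinel server>"/>
  <param name="SyslogPort" value="<sentinel TCP port>"/>
  <param name="SyslogProtocol" value="ssl"/>
  <param name="SyslogSslKeystoreFile" value="/opt/netiq/idm/jre/lib/security/cacerts"/>
  <param name="SyslogSslKeystorePassword" value="changeit"/>
  <param name="CacheDir" value="/opt/netiq/idm/apps/tomcat/cache"/>
  <param name="CacheRolloverSize" value="1024"/>
  <param name="ApplicationName" value="RBPM"/>
  <param name="EventPrefix" value="IDM:"/>
</appender>
</configuration>
"""

# Constructed: the same fragment after the placeholders have been filled in
# (192.0.2.10 is a documentation address; 1443 is an example port).
CONFIGURED = (TEMPLATE
              .replace("<IP address of your Sentinel server>", "192.0.2.10")
              .replace("<sentinel TCP port>", "1443"))


if __name__ == "__main__":
    # Usage: python check_cef_appender.py /path/to/idmuserapp_logging.xml
    # Without an argument, the constructed samples are checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            docs = {sys.argv[1]: fh.read()}
    else:
        docs = {"template": TEMPLATE, "configured": CONFIGURED}
    for label, text in docs.items():
        result = check_cef_appender(text)
        print(f"{label}: " + ("OK" if not result else "; ".join(result)))
```

The same checks apply to the idmrptdcs_logging.xml file used for DCS auditing, since it carries the same appender element. Run the script against the edited file before restarting Tomcat, and treat any finding as a reason not to restart yet.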
For the list of identity applications events, see User Application Events.
The configuration settings for DCS auditing are stored in the idmrptdcs_logging.xml file. By default, the file is located in the following directories:
NOTE: Once you configure the idmrptdcs_logging.xml file, restart Tomcat manually.
NOTE: Ensure that you set the novlua permission for the Rolling File Appender directory and the cache directory. Otherwise, the Rolling File Appender or the cache directory will not work and no events will be logged. For example, you can change the ownership of the directory using the chown novlua:novlua /<directorypath> command, where <directorypath> is the Rolling File Appender path or the cache file directory path.
For a list of DCS events, see DCS Events.