1.1 Identity Manager Auditing Architecture

The following diagrams illustrate how different components work together to provide a uniform auditing infrastructure in Identity Manager. Sentinel is the preferred audit event destination for Identity Manager. To forward Identity Manager events to Sentinel, configure Sentinel Link using Sentinel Event Source Management (ESM).

Figure 1-1 Auditing through CEF

  1. An Identity Manager event occurs and is sent to the logging services.

  2. (Conditional) If the logging services cannot connect to the Sentinel Server, the events are stored in the cache until the connection is reestablished.

  3. The logging services send the events to the Sentinel Server, which stores the events in the audit queue.

  4. The events in the audit queue are sent to the Syslog Connector.

  5. The Syslog Connector sends the events to the Identity Manager Collector, which parses the information and then stores the parsed events in the data store.

  6. (Optional) The stored events can be used for reports.
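Step 5 has the Collector parse each event it receives from the Syslog Connector. The following Python example is added here for illustration and is not NetIQ's Collector code; it parses one CEF-over-syslog line, including the CEF escaping rules for `|`, `=`, and line breaks. The sample event, its vendor string, host name, and event ID are constructed.

```python
import re

# The seven pipe-delimited CEF header fields, in order (after the "CEF:" prefix).
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version", "signature_id", "name", "severity")
KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # start of an extension key

def split_header(cef):
    """Split on unescaped '|' into 7 header fields plus the raw extension."""
    parts, buf, i = [], [], 0
    while i < len(cef) and len(parts) < 7:
        ch = cef[i]
        if ch == "\\" and cef[i + 1:i + 2] in ("|", "\\"):
            buf.append(cef[i + 1])  # escaped pipe or backslash stays in the field
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    return parts, cef[i:]

def unescape(value):
    """Undo extension escaping: \\= and \\\\ are literal, \\n and \\r are line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext):
    """A value runs until the next ' key=' token; '=' inside a value is escaped."""
    matches = list(KEY.finditer(ext))
    bounds = [m.start() for m in matches[1:]] + [len(ext)]
    return {m.group(1): unescape(ext[m.end():end]) for m, end in zip(matches, bounds)}

def parse_cef(line):
    """Parse one syslog line carrying a CEF event; the syslog prefix is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts, ext = split_header(line[start + 4:].rstrip("\r\n"))
    event = dict(zip(HEADER_FIELDS, parts))
    event["extension"] = parse_extension(ext)
    return event

# Constructed sample, not a real Identity Manager event or event ID.
SAMPLE = (r"<134>Jan 12 10:15:02 idm-host CEF:0|ExampleVendor|Identity Manager|1.0|"
          r"EVT-0001|Password \| policy change|5|"
          r"suser=cn\=admin,ou\=sa,o\=system msg=Policy updated\nby admin src=192.0.2.10")
```

Distinguished names in audit events contain `=`, so a parser that splits the extension on every `=` or space would corrupt the `suser` field shown in the sample.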

Figure 1-2 Auditing through Platform Agent

For a thorough discussion of the Sentinel architecture, see “Appendix A Sentinel Architecture” in the NetIQ Sentinel User’s Guide.