5.2 Setting up CEF Configuration

After you install Identity Manager, ensure that every Identity Manager component is configured to generate CEF events. To configure the components, see the following sections:

IMPORTANT: If Identity Manager loses communication with the Sentinel server, events from the Java Remote Loader, Fanout Agent, and DCS are not written to the cache file for approximately two minutes. After the connection is restored, the cached events are sent to Sentinel after a further delay of about two minutes. No events are lost when Sentinel is shut down normally.

The CEF configuration settings are stored in simple, text-based files, one for each component. For more information, see Understanding the Properties Files for CEF Auditing.

Before configuring the Identity Manager components, ensure that the Universal CEF Collector is configured on the Sentinel server and that you are running the latest version of the collector. For information about installing and configuring the Universal CEF Collector, see Installing and Configuring the Sentinel Collectors.

5.2.1 Configuring Identity Manager Engine

The Identity Manager engine provides events for auditing. The configuration settings for the Identity Manager Engine are stored in the auditlogconfig.properties.template file.

Perform the following steps to configure settings for enabling CEF auditing:

  1. Log in to the server where Identity Manager Engine is installed.

  2. Navigate to the directory where the auditlogconfig.properties.template file is present. By default, the file is located in the following directory:

    Linux: /etc/opt/novell/eDirectory/conf/

    Windows: <eDirectory_install_path>\eDirectory\Conf

  3. Rename the auditlogconfig.properties.template file as auditlogconfig.properties.

  4. Edit the auditlogconfig.properties file. Uncomment and update the appenders by removing # before each property. For more information, see Identity Manager Engine, Remote Loader, and .NET Remote Loader in Understanding the auditlogconfig.properties File section.

  5. Restart the Identity Vault.

To select events for auditing in CEF, use iManager.

  1. Log in to iManager.

  2. Select Identity Manager Administration > Identity Manager Overview.

  3. Browse to and select the driver set object that contains the driver.

  4. Click Driver Set and then click Edit Driver Set properties.

  5. Click the Log Level tab, select the Log specific events radio button, and then click .

  6. Select the events you want to log and click OK.

For the list of Identity Manager engine events, see Engine Events.

5.2.2 Configuring Remote Loader

The configuration settings for the Remote Loader are stored in the auditlogconfig.properties.template file.

NOTE: CEF logging in the Remote Loader is enabled only if the auditlogconfig.properties file exists.

Perform the following steps to configure settings for enabling CEF auditing:

  1. Log in to the server where Remote Loader is installed.

  2. Navigate to the directory where the auditlogconfig.properties.template file is present. By default, the file is located in the following directory:

    Linux: /etc/opt/novell/eDirectory/conf/

    Windows: <remote_loader_installed_location>\<processor_type>\

  3. Rename the auditlogconfig.properties.template file as auditlogconfig.properties.

  4. Edit the auditlogconfig.properties file. Uncomment and update the appenders by removing # before each property. For more information, see Identity Manager Engine, Remote Loader, and .NET Remote Loader in Understanding the auditlogconfig.properties File section.

  5. Restart the Tomcat service.

For the list of Remote Loader events, see Remote Loader Events.

5.2.3 Configuring .NET Remote Loader

The configuration settings for the .NET Remote Loader are stored in the auditlogconfig.properties.template file.

NOTE: The .NET Remote Loader is applicable for Windows only.

Perform the following steps to configure settings for enabling CEF auditing:

  1. Log in to the server where .NET Remote Loader is installed.

  2. Navigate to the directory where the auditlogconfig.properties.template file is present. By default, the file is located at:

    products\IDM\windows\setup\remoteloader.NET

  3. Rename the auditlogconfig.properties.template file as auditlogconfig.properties.

  4. Edit the auditlogconfig.properties file. Uncomment and update the appenders by removing # before each property. For more information, see Identity Manager Engine, Remote Loader, and .NET Remote Loader in Understanding the auditlogconfig.properties File section.

  5. Restart the Tomcat service.

5.2.4 Configuring Java Remote Loader

NOTE: For the Java Remote Loader, ensure that the directory of the Rolling File Appender log file (/var/opt/novell/eDirectory/log/cef-events.log) exists. Otherwise the Rolling File Appender does not work and no events are logged.

The configuration settings for the Java Remote Loader are stored in the auditlogconfig.properties.template file.

Perform the following steps to configure settings for enabling CEF auditing:

  1. Log in to the server where Java Remote Loader is installed.

  2. Navigate to the directory where the auditlogconfig.properties.template file is present. By default, the file is located at:

    Linux: <extracted loc of dirxml_jremote.tar.gz>/doc

    dirxml_jremote.tar.gz is located at IDM/packages/java_remoteloader

    Windows: <extracted loc of dirxml_jremote.tar.gz>/doc

    dirxml_jremote.tar.gz is located at products/IDM/java_remoteloader

  3. Rename the auditlogconfig.properties.template file as auditlogconfig.properties.

  4. Edit the auditlogconfig.properties file. Uncomment and update the appenders by removing # before each property. For more information, see Java Remote Loader and Fanout Agent in Understanding the auditlogconfig.properties File section.

  5. To start the Java Remote Loader with CEF auditing, pass the properties file on the command line:

    dirxml_jremote -config <Remote Loader configuration file> -auditlogfile /<PATH of the directory where auditlogconfig.properties file is located>/auditlogconfig.properties

  6. Restart the Tomcat service.

For a list of Java Remote Loader events, see Remote Loader Events.
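Steps 3 and 4 of 5.2.1 through 5.2.4 are the same edit: copy the template to auditlogconfig.properties and uncomment the appender properties. The following Python script is an added example and not part of Identity Manager: it performs that edit idempotently (it never overwrites an existing auditlogconfig.properties, and it uncomments only the keys you name) and then reports which of the requested keys are active, so the file can be reviewed before the Identity Vault, Remote Loader or Tomcat is restarted. The property names in the constructed sample template are placeholders, not the keys in the real template; pass the keys from your own file.

```python
"""Create auditlogconfig.properties from its template, uncomment the
appender properties you name, and verify the result.
Added example, not part of Identity Manager; the keys in SAMPLE_TEMPLATE
are placeholders, not the real template's keys."""
import re
import shutil
import tempfile
from pathlib import Path

TEMPLATE_NAME = "auditlogconfig.properties.template"
TARGET_NAME = "auditlogconfig.properties"
_KEY = r"([A-Za-z0-9_.\-]+)\s*="

# Constructed sample; the real template ships with the product and uses
# its own keys. Host and port values are illustrative.
SAMPLE_TEMPLATE = """\
# Sample auditlogconfig.properties.template (constructed)
#cef.appender.syslog.enabled=true
#cef.appender.syslog.host=sentinel.example.com
#cef.appender.syslog.port=1468
#cef.appender.file.path=/var/opt/novell/eDirectory/log/cef-events.log
"""


def active_keys(path):
    """Keys that are set (not commented out) in a properties file."""
    return [m.group(1)
            for line in Path(path).read_text(encoding="utf-8").splitlines()
            if (m := re.match(r"^\s*" + _KEY, line))]


def missing_keys(path, keys):
    """Keys from ``keys`` that are still commented out or absent."""
    present = set(active_keys(path))
    return [k for k in keys if k not in present]


def enable_properties(conf_dir, keys):
    """Copy the template to auditlogconfig.properties (only if it does not
    exist yet, so a re-run never clobbers edits) and uncomment exactly the
    lines whose key is in ``keys``. Returns the keys that are now active."""
    conf_dir = Path(conf_dir)
    target = conf_dir / TARGET_NAME
    if not target.exists():
        # Copy rather than rename so the template stays as a reference.
        shutil.copyfile(conf_dir / TEMPLATE_NAME, target)
    wanted, out = set(keys), []
    for line in target.read_text(encoding="utf-8").splitlines():
        m = re.match(r"^\s*#\s*" + _KEY, line)
        if m and m.group(1) in wanted:
            line = line.lstrip()[1:].lstrip()  # drop only the leading '#'
        out.append(line)
    target.write_text("\n".join(out) + "\n", encoding="utf-8")
    return active_keys(target)


def demo():
    """Run the procedure against the constructed template in a temp dir."""
    conf_dir = Path(tempfile.mkdtemp())
    (conf_dir / TEMPLATE_NAME).write_text(SAMPLE_TEMPLATE, encoding="utf-8")
    keys = ["cef.appender.syslog.enabled", "cef.appender.syslog.host",
            "cef.appender.syslog.port"]
    active = enable_properties(conf_dir, keys)
    still_off = missing_keys(conf_dir / TARGET_NAME,
                             keys + ["cef.appender.file.path"])
    # CEF logging is only enabled once auditlogconfig.properties exists.
    return active, still_off, (conf_dir / TARGET_NAME).exists()
```

Running demo() uncomments the three syslog keys and reports cef.appender.file.path as still commented out; a second run against the same directory leaves the edited file untouched because the copy step is skipped.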

5.2.5 Configuring Fanout Agent

NOTE: For the Fanout Agent, ensure that the directory of the Rolling File Appender log file (/var/opt/novell/eDirectory/log/cef-events.log) exists. Otherwise the Rolling File Appender does not work and no events are logged.

When you run the Fanout Agent for the first time, the auditlogconfig.properties.template file is created in the following directories:

Linux: /opt/novell/dirxml/fanoutagent/config

Windows: <install-location>\FanoutAgent\config

For the list of events, see Fanout Agent Events.

5.2.6 Configuring Identity Applications

To configure settings for enabling CEF auditing, perform the following steps:

  1. Log in to the Identity Applications server.

  2. Navigate to the directory where idmuserapp_logging.xml and workflow_logging.xml files are located.

    • Linux: /opt/netiq/idm/apps/tomcat/conf

    • Windows: <apps_install_path>\idm\apps\tomcat\conf

    NOTE:

    • The workflow_logging.xml file is applicable for Identity Manager 4.8 version only.

    • By default, Identity Manager saves the logging configuration in idmuserapp_logging.xml file. However, the workflow events are generated only if CEF auditing is enabled in workflow_logging.xml file.

  3. Add the CEF appenders and loggers to the idmuserapp_logging.xml and workflow_logging.xml files. For more information, see Understanding the idmuserapp_logging.xml File and Understanding the workflow_logging.xml File. NetIQ recommends that you retain the default values for the parameters in the appenders and loggers sections.

    NOTE: If you have upgraded to Identity Manager 4.8, you must ensure that all XDAS configuration and Naudit appenders and loggers have been deleted from the idmuserapp_logging.xml file.

  4. (Conditional) Specify an intermediate event store directory in which events are stored and backed up while they cannot be delivered. Make sure that the directory is owned by novlua and has permission 755. To set the ownership and permission, run the following commands:

    chown novlua:novlua <directory_path>

    chmod 755 <directory_path>

    where <directory_path> is path to the intermediate event store directory.

    IMPORTANT: If the intermediate event store directory does not have the required ownership and permissions:

    • you may not be able to access Identity Applications.

    • OSP events are not logged to the intermediate event store directory.

    On Windows, grant Administrator permission on the directory.

  5. Enable CEF auditing through either the Identity Manager Dashboard or the configuration update utility.

    To enable CEF auditing through Identity Manager Dashboard:

    1. Log in to Identity Manager Dashboard as an administrator.

    2. Select Configuration > Logging.

    3. Click Auditing Configuration drop-down menu and select Enable CEF format. Specify the following auditing server details to use CEF format:

      Destination host

      Specifies the hostname or IP address of the auditing server.

      Destination port

      Specifies the port on which the auditing server receives CEF events.

      Network protocol

      Specifies the protocol used to communicate with the auditing server.

      To secure the connection to the auditing server, select TCP and enable the Use TLS option, then provide the Keystore file name and the Keystore password.

      Intermediate event store directory

      Specifies a temporary directory in which events are stored while they cannot be delivered; it serves as a backup for the auditing server.

      On a fresh installation of Identity Applications the directory path is populated by default. You can also provide a directory of your choice; see Step 4 for the required ownership and permissions.

    4. Click Apply.

    To enable CEF auditing through configuration update utility:

    1. Navigate to the /opt/netiq/idm/apps/configupdate directory.

    2. Run the following command: ./configupdate.sh

    3. In the CEF Auditing tab, select the Send audit events check box and specify the auditing server details (Destination host, Destination port, Network protocol, Use TLS with the keystore file name and password, and Intermediate event store directory). The fields have the same meaning as in the Identity Manager Dashboard procedure above.

    4. Click OK.

  6. Restart Tomcat.

For the list of identity applications events, see Identity Applications Events.
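The Dashboard and configupdate fields above amount to a destination host, a port, a protocol, optional TLS and an intermediate event store directory, and Step 4 requires that directory to be owned by novlua with mode 755 (the same requirement is repeated for the DCS cache directory in 5.2.8 and the OSP store in 5.2.9). The following Python script is an added example and not Identity Manager or NetIQ code: it builds a CEF record with the escaping the CEF format requires, sends it as one syslog line over TCP (TLS optional), checks the store directory the way the procedure requires, and falls back to a cache file in that directory when the server cannot be reached, which is the behaviour the IMPORTANT note at the top of this section describes. The product name in the record, the RFC 3164 syslog framing, the cache file name, the PEM CA file for TLS, and the loopback port with nothing listening that demo() uses are all assumptions; confirm the framing your Universal CEF Collector expects.

```python
import os
import pwd
import socket
import ssl
import stat
import tempfile
import time
from pathlib import Path


def cef_escape(value, header=False):
    """Backslashes and line breaks always; '|' in header fields, '=' in extensions."""
    s = str(value).replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")
    return s.replace("|", "\\|") if header else s.replace("=", "\\=")


def cef_record(vendor, product, version, sig_id, name, severity, **ext):
    """'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value ...'"""
    head = [cef_escape(v, header=True)
            for v in (vendor, product, version, sig_id, name, severity)]
    return "CEF:0|" + "|".join(head) + "|" + " ".join(
        f"{k}={cef_escape(v)}" for k, v in ext.items())


def _owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry (common in containers)
        return str(uid)


def check_event_store_dir(path, owner="novlua", mode=0o755):
    """Problems ([] if none): must be a directory owned by ``owner`` with
    exactly ``mode`` and writable by this process."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path} is not a directory")
    if _owner_name(st.st_uid) != owner:
        problems.append(f"owner is {_owner_name(st.st_uid)}, expected {owner}")
    if stat.S_IMODE(st.st_mode) != mode:
        problems.append(f"mode is {stat.S_IMODE(st.st_mode):o}, expected {mode:o}")
    if not os.access(path, os.W_OK):
        problems.append("not writable by this process")
    return problems


class CefForwarder:
    def __init__(self, host, port, cache_dir, use_tls=False, cafile=None, timeout=5.0):
        self.host, self.port, self.timeout = host, port, timeout
        self.use_tls, self.cafile = use_tls, cafile
        self.cache_path = Path(cache_dir) / "cef-events.cache"  # assumed file name

    def _syslog_line(self, record):
        # RFC 3164 framing (assumed); PRI 14 = facility user(1)*8 + severity info(6).
        ts = time.strftime("%b %d %H:%M:%S")
        return f"<14>{ts} {socket.gethostname()} {record}\n".encode()

    def send(self, record):
        """'sent', or 'cached' when the server was unreachable and the line
        went to the intermediate event store instead."""
        data, sock = self._syslog_line(record), None
        try:
            sock = socket.create_connection((self.host, self.port), self.timeout)
            if self.use_tls:
                # Verifies the server certificate (against cafile or the system
                # trust store) and that it matches the configured host name.
                ctx = ssl.create_default_context(cafile=self.cafile)
                sock = ctx.wrap_socket(sock, server_hostname=self.host)
            sock.sendall(data)
            return "sent"
        except OSError:
            # If this write fails as well (bad ownership/mode on the store
            # directory) the event is lost, as the IMPORTANT note above warns.
            with self.cache_path.open("ab") as fh:
                fh.write(data)
            return "cached"
        finally:
            if sock is not None:
                sock.close()


def demo():
    """Constructed run: store directory owned by the current user, and a
    loopback port with nothing listening so the event ends up cached."""
    store = tempfile.mkdtemp()
    os.chmod(store, 0o755)
    me = _owner_name(os.getuid())
    dir_ok = check_event_store_dir(store, owner=me)
    dir_wrong_mode = check_event_store_dir(store, owner=me, mode=0o700)
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]  # free port; nothing listens after close
    probe.close()
    rec = cef_record("Micro Focus", "Identity Manager", "4.8", "1001",
                     "Login|Success", 5, suser="alice", msg="a=b")
    fwd = CefForwarder("127.0.0.1", closed_port, store)
    status = fwd.send(rec)
    cached = fwd.cache_path.read_text(encoding="utf-8").splitlines()
    return dir_ok, dir_wrong_mode, status, cached, rec
```

Run check_event_store_dir against the real store directory as the Tomcat user before enabling auditing; an empty list is the state the Step 4 commands are meant to produce. In production the owner stays novlua and a TLS forwarder is built with use_tls=True and the CA file that signed the auditing server's certificate; a handshake or verification failure is treated like an unreachable server and the event is cached rather than sent in the clear.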

5.2.7 Configuring Identity Reporting

The configuration settings for Identity Reporting auditing are stored in the idmrptcore_logging.xml file.

NOTE: You must use Sentinel 8.2 (or later) and Universal CEF Collector version 2011.1r4 (or later) to log the events.

Perform the following steps to configure settings for enabling CEF auditing:

  1. Log in to the server where you have installed Identity Reporting.

  2. Navigate to the directory where idmrptcore_logging.xml file is present. By default, the file is located in the following directories:

    Linux: /opt/netiq/idm/apps/tomcat/conf

    Windows: C:\netiq\idm\apps\tomcat\conf

  3. Add the following in the idmrptcore_logging.xml file:

    <audit>
        <syslog>
            <enabled>true</enabled>
            <protocol>TCP</protocol>
            <host>IP Address of your auditing server</host>
            <port>Auditing server port</port>
            <cache-dir>name of the cache directory</cache-dir>
            <cache-file>name of the cache file within the cache directory</cache-file>
            <application>Reporting Core</application>
            <vendor>Micro Focus</vendor>
            <version>6.0</version>
        </syslog>
    </audit>

    You must specify the Identity Reporting version number in the <version> element. For example, 6.0.

    For sample idmrptcore_logging.xml file, see Understanding the idmrptcore_logging.xml File.

  4. Restart the Tomcat service.

For the list of Identity Reporting events, see Identity Reporting Events.
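Before restarting Tomcat it is worth checking that the block above was actually filled in, since a copied fragment with the placeholder text still in place parses as valid XML and fails only at run time. The following Python check is an added example and not NetIQ code: it locates <audit><syslog> in idmrptcore_logging.xml, reports elements that are missing, empty or still carry the placeholder wording, and validates the port and version values. That TCP and UDP are the accepted protocols, and the values in the filled-in sample, are assumptions.

```python
"""Validate the <audit><syslog> block of idmrptcore_logging.xml.
Added example, not NetIQ code; the samples below are constructed."""
import re
import xml.etree.ElementTree as ET

REQUIRED = ("enabled", "protocol", "host", "port", "cache-dir",
            "cache-file", "application", "vendor", "version")
# Wording left over from the documentation fragment rather than a real value.
PLACEHOLDER = re.compile(r"auditing server|cache (directory|file)", re.I)

# The fragment as copied from the procedure, placeholders still in place.
SAMPLE_UNFILLED = """
<audit>
  <syslog>
    <enabled>true</enabled>
    <protocol>TCP</protocol>
    <host>IP Address of your auditing server</host>
    <port>Auditing server port</port>
    <cache-dir>name of the cache directory</cache-dir>
    <cache-file>name of the cache file within the cache directory</cache-file>
    <application>Reporting Core</application>
    <vendor>Micro Focus</vendor>
    <version>6.0</version>
  </syslog>
</audit>
"""
# A filled-in block inside a surrounding root element (values assumed).
SAMPLE_FILLED = """
<configuration>
  <audit>
    <syslog>
      <enabled>true</enabled>
      <protocol>TCP</protocol>
      <host>sentinel.example.com</host>
      <port>1468</port>
      <cache-dir>/var/opt/netiq/idm/rptcache</cache-dir>
      <cache-file>cef-events.cache</cache-file>
      <application>Reporting Core</application>
      <vendor>Micro Focus</vendor>
      <version>6.0</version>
    </syslog>
  </audit>
</configuration>
"""


def validate_audit_config(xml_text):
    """Return a list of problems; an empty list means the block is usable."""
    root = ET.fromstring(xml_text.strip())
    audit = root if root.tag == "audit" else root.find(".//audit")
    if audit is None:
        return ["no <audit> element found"]
    syslog = audit.find("syslog")
    if syslog is None:
        return ["<audit> has no <syslog> child"]
    values, problems = {}, []
    for name in REQUIRED:
        el = syslog.find(name)
        text = (el.text or "").strip() if el is not None else ""
        if not text:
            problems.append(f"<{name}> is missing or empty")
        elif PLACEHOLDER.search(text):
            problems.append(f"<{name}> still holds placeholder text: {text!r}")
        values[name] = text
    if values["enabled"].lower() not in ("true", "false"):
        problems.append("<enabled> must be true or false")
    if values["protocol"].upper() not in ("TCP", "UDP"):
        problems.append("<protocol> must be TCP or UDP")
    if not (values["port"].isdigit() and 1 <= int(values["port"]) <= 65535):
        problems.append("<port> must be a number from 1 to 65535")
    if not re.fullmatch(r"\d+(\.\d+)*", values["version"]):
        problems.append("<version> must be the Identity Reporting version, e.g. 6.0")
    return problems
```

Point validate_audit_config at the contents of the real file (for example Path("/opt/netiq/idm/apps/tomcat/conf/idmrptcore_logging.xml").read_text()) and restart Tomcat only when it returns an empty list; the unfilled sample is reported for the host, port, cache-dir and cache-file placeholders, and the non-numeric port.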

5.2.8 Configuring Data Collection Services

The configuration settings for DCS auditing are stored in the idmrptdcs_logging.xml file.

Perform the following steps to configure settings for enabling CEF auditing:

  1. Log in to the server where Data Collection Services is running.

  2. Navigate to the directory where idmrptdcs_logging.xml file is present. By default, the file is located in the following directories:

    Linux: /opt/netiq/idm/apps/tomcat/conf

    Windows: C:\netiq\idm\apps\tomcat\conf

  3. Edit the idmrptdcs_logging.xml file. Uncomment and update the CEF appenders. For more information, see Understanding the idmrptdcs_logging.xml File.

  4. Restart the Tomcat service.

NOTE: You can define the Rolling File Appender directory and the cache directory. Make sure that these directories are owned by novlua; otherwise the Rolling File Appender or the cache directory does not work and no events are logged. For example, change the ownership of a directory with the chown novlua:novlua /<directorypath> command, where <directorypath> is the Rolling File Appender path or the cache file directory path.

For a list of DCS events, see DCS Events.

5.2.9 Configuring One SSO Provider

When OSP and Identity Applications are on the same server, the CEF auditing configuration performed for Identity Applications also applies to OSP (One SSO Provider). If OSP is installed on a standalone server, configure its CEF settings through the configuration update utility. For information on enabling CEF for OSP on Linux and Windows, see the following sections:

Linux

Launch the configupdate.sh from the /opt/netiq/idm/apps/configupdate/ directory of the Identity Applications and define the values for the following CEF auditing parameters for the single sign-on client:

Send audit events

Specifies whether you want to use CEF for auditing events.

Destination host

Specifies the DNS name or the IP address of the auditing server.

Destination port

Specifies the port of the auditing server.

Network protocol

Specifies the network protocol used by the auditing server to receive CEF events.

Use TLS

Applies only when you want to use TCP as your network protocol.

Specifies if the auditing server is configured to use TLS with TCP. Select Use TLS > Show Advanced Options, and provide the Identity Manager Keystore file name and the Identity Manager Keystore password.

Intermediate event store directory

Specifies the location of the cache directory before the CEF events are sent to the auditing server. If you are providing an intermediate event store directory of your choice, you must first ensure that the permission and ownership are set to novlua for that directory. To change the permission of the directory, run the following commands:

chown novlua:novlua <directory_path>

chmod 755 <directory_path>

where <directory_path> is the path to the intermediate event store directory.

Windows

Launch the configupdate.bat from the installation subdirectory for the Identity Applications (C:\NetIQ\idm\apps\UserApplication) and define the values for the following CEF Auditing parameters for the single sign-on client:

Send audit events

Specifies whether you want to use CEF for auditing events in Identity Applications.

Destination host

Specifies the DNS name or the IP address of the auditing server.

Destination port

Specifies the port of the auditing server.

Network Protocol

Specifies the network protocol used by the auditing server to receive CEF events.

Use TLS

Applies only when you want to use TCP as your network protocol.

Specifies if the auditing server is configured to use TLS with TCP.

Intermediate event store directory

Specifies the location of the cache directory before the CEF events are sent to the auditing server.

NOTE: Ensure that the novlua permissions are set for the Intermediate event store directory. Otherwise, you cannot access the IDMDash and IDMProv applications, and none of the OSP events are logged in the Intermediate event store directory. For example, you can change the permission and ownership of the directory using the chown novlua:novlua <directorypath> command, where <directorypath> is the Intermediate event store directory.

5.2.10 Configuring Self Service Password Reset

For information on enabling CEF audit for SSPR, see Auditing for Self Service Password Reset in Self Service Password Reset Administration Guide.