1.1 Identity Manager Auditing Architecture

This section explains how different components work together to provide a uniform auditing infrastructure in Identity Manager.

Identity Manager provides event forwarding capabilities to Security Event Log Management solutions such as Sentinel and ArcSight. Sentinel is the preferred audit event destination for Identity Manager. The following diagram illustrates how Identity Manager is configured with Sentinel Event Source Management (ESM).

Figure 1-1 Auditing through CEF

  1. An Identity Manager event occurs and is sent to the logging services.

  2. (Conditional) If the logging services cannot connect to the Sentinel Server, the events are stored in cache until the connection is reestablished.

  3. The logging services send the events to the Sentinel Server, which stores the events in the audit queue.

  4. The events in the audit queue are sent to the Syslog Connector.

  5. The Syslog Connector sends the events to the Universal CEF Collector, which parses the information and then stores the parsed events in the data store.

  6. (Optional) The stored events can be used for reports.