7.2 User-Defined Events

Identity Manager enables you to configure your own events to log to NetIQ Sentinel. Events can be logged by using an action in the Policy Builder, or within a style sheet. Any information you have access to when defining policies can be logged.

User-defined events are logged any time logging is enabled and are never filtered by the Identity Manager engine. You must use the Policy Builder to generate user-defined events.

You can specify any CEF key names in the Identity Manager policies, and the specified key names are reflected in the custom CEF event. For more information about updating the Identity Manager policies, see the NetIQ Identity Manager - Using Designer to Create Policies guide.

If you want to modify the custom CEF events, you can modify the Universal CEF collector to service the events:

  1. Download and extract the latest Universal CEF collector from the Sentinel plug-ins website.

  2. From the extracted folder, modify the following files:

    • NetIQ_IDM_taxonomy.map - To customize the taxonomy for the user-defined events.

    • NetIQ_Identity.Manager.map - To add and map new CEF fields to Sentinel fields.

    • idm.js - To modify the Record.prototype.processCustomEvents(e) function.

For more information, follow the steps mentioned in the Sentinel plug-ins documentation.

You can download the Sentinel plug-ins from the Sentinel download page. For more information about upgrading an existing collector, see Upgrade Procedures.

7.2.1 Using Policy Builder to Generate Events

  1. In the Policy Builder, define the condition that must be met to generate the event, then select the Generate Event action.

  2. Specify an event ID.

    Event IDs between 1000 and 1999 are allotted for user-defined events. You must specify a value within this range for the event ID when defining your own events. However, the event IDs from 1200 to 1203 are reserved for account-related entitlement events and must not be used.

    The IDM event ID is a combination of 30 and the hexadecimal value of the event ID.

    For example, if the ID provided in the Generate Event policy action is 1344, the IDM event ID is "30" followed by the hexadecimal of 1344, that is, "30" + "540" = "30540".

  3. Select a log level.

    Log levels enable you to group events based on the type of event being logged. The following predefined log levels are available:

    | Log Level     | Severity | Description |
    |---------------|----------|-------------|
    | log-emergency | 10       | Events that cause the Identity Manager engine or driver to shut down. |
    | log-alert     | 9        | Events that require immediate attention. |
    | log-critical  | 8        | Events that can cause parts of the Identity Manager engine or driver to malfunction. |
    | log-error     | 7        | Events describing errors that can be handled by the Identity Manager engine or driver. |
    | log-warning   | 4        | Negative events not representing a problem. |
    | log-notice    | 2        | Positive or negative events an administrator can use to understand or improve use and operation. |
    | log-info      | 1        | Positive events of any importance. |
    | log-debug     | 0        | Events of relevance for support or for engineers to debug the Identity Manager engine or driver. |

  4. Click the Named String Builder icon next to the Enter Strings field to launch the Named String Builder.

    In the Named String Builder, you can specify any key and value pair. The output will display these values as the CEF extension fields for the event.

For more information and examples of the Generate Event action, see Generate Event in the NetIQ Identity Manager - Using Designer to Create Policies guide.
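
The event ID and log level rules from steps 2 and 3 can be checked before a policy is deployed, and the IDM event ID can be decoded back to the policy event ID when reviewing logged events. The following is an added example, not code from idm.js or the Sentinel collector; all function names and the sample definitions are hypothetical, and the uppercase hexadecimal output and the reuse check are assumptions of this example.

```javascript
// Added example: all names are hypothetical, not part of idm.js or Sentinel.
const SEVERITY = new Map([
  ['log-emergency', 10], ['log-alert', 9], ['log-critical', 8], ['log-error', 7],
  ['log-warning', 4], ['log-notice', 2], ['log-info', 1], ['log-debug', 0],
]);

// "30" followed by the hexadecimal event ID (uppercase hex is an assumption).
function toIdmEventId(id) {
  return '30' + id.toString(16).toUpperCase();
}

// Recover the policy event ID from an IDM event ID seen in a logged event.
function fromIdmEventId(idmId) {
  const m = /^30([0-9a-f]+)$/i.exec(String(idmId));
  return m ? parseInt(m[1], 16) : null;
}

// Check planned Generate Event definitions against the rules on this page.
function auditPolicyEvents(defs) {
  const seen = new Map();
  return defs.map((d) => {
    const problems = [];
    const inRange = Number.isInteger(d.id) && d.id >= 1000 && d.id <= 1999;
    const reserved = inRange && d.id >= 1200 && d.id <= 1203;
    if (!inRange) problems.push('event ID outside 1000-1999');
    if (reserved) problems.push('event ID reserved for entitlement events');
    // Reuse check is this example's own choice; the page does not require it.
    if (seen.has(d.id)) problems.push('event ID already used by ' + seen.get(d.id));
    else seen.set(d.id, d.name);
    if (!SEVERITY.has(d.level)) problems.push('unknown log level');
    return {
      name: d.name,
      idmEventId: inRange && !reserved ? toIdmEventId(d.id) : null,
      severity: SEVERITY.has(d.level) ? SEVERITY.get(d.level) : null,
      problems,
    };
  });
}

// Constructed sample definitions (not from the product documentation).
const SAMPLE = [
  { name: 'password-sync-failed', id: 1344, level: 'log-error' },
  { name: 'entitlement-clash', id: 1201, level: 'log-notice' },
  { name: 'duplicate-id', id: 1344, level: 'log-info' },
  { name: 'bad-level', id: 2000, level: 'log-verbose' },
];
console.log(auditPolicyEvents(SAMPLE));
```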