Common Event Format (CEF) enables you to use a common event log format so that auditing data can easily be collected and aggregated for further analysis. It is an open log management standard for auditing events across all Identity Manager components. CEF uses the Syslog message format as a transport mechanism. For more information, see the NetIQ Identity Manager - Configuring Auditing in Identity Manager guide.
Identity Manager 4.7.2 uses the Universal CEF collector to support auditing with Sentinel. This allows you to process audit events from different CEF-enabled applications with minimal customization and maintenance.
NOTE:
You must use Sentinel 8.2 or later, and also upgrade Universal CEF collector to version 2011.1r2 or later to log the events.
Identity Manager Collector supports only NSure Audit in Sentinel audit server.
The following Identity Manager components support auditing with CEF:
- Identity Vault
- Identity Manager Engine
- Remote Loader
- .NET and Java Remote Loader
- Fanout Agent
- Identity Applications
- Data Collection Services (DCS)
- Identity Reporting
- One SSO Provider (OSP)
- Self Service Password Reset (SSPR)
Identity Manager supports sending audit information to servers such as Sentinel and ArcSight.
This page lists all the events available with Universal CEF collector in Identity Manager 4.7.2.
Table 1 Identity Manager Engine Events
Event ID | Event Name | Trigger |
---|---|---|
30001 | Status Success | Many different events can cause the status success event to occur. It usually signifies that an operation was successfully completed. |
30002 | Status Retry | Many different events can cause the status retry event to occur. It signifies an operation was not completed and the operation must be tried again later. |
30003 | Status Warning | Many different events can cause the status warning event to occur. It usually signifies that an operation was completed with minor problems. |
30004 | Status Error | Many different events can cause the status error event to occur. It usually signifies that an operation was not completed successfully. |
30005 | Status Fatal | Many different events can cause the status fatal event to occur. It usually signifies that an operation was not completed successfully and the engine or driver could not continue. |
30006 | Status Other | Any status document processed with a level other than the five previously defined creates a status other event. These events can only be generated within a style sheet or rule. |
30007 | Search | Occurs when a query document is sent to the Identity Manager engine or driver. |
30008 | Add Entry | Occurs when an object is added. |
30009 | Delete Entry | Occurs when an object is deleted. |
3000A | Modify Entry | Occurs when an object is modified. |
3000B | Rename Entry | Occurs when an object is renamed. |
3000C | Move Entry | Occurs when an object is moved. |
3000D | Add Association | Occurs when an association is added. It can happen on add or a match. |
3000E | Remove Association | When an object is deleted, there is no remove association event. The remove association occurs when a User object is deleted in the disparate application, and the delete is then converted into modify that removes the association. |
3000F | Query Schema | Occurs when a query schema operation is sent to the Identity Manager engine or driver. |
30010 | Check Driver Password | Occurs when a request is issued to check the driver password. |
30010 | Check User Password Status | Manual function that is initiated via iManager to check the status of the user’s password. |
30011 | Check Object Password | Occurs when a request is issued to check an object's password, other than the driver. |
30012 | Change Password | Occurs when a request is issued to change the driver's password. |
30013 | Sync | Occurs when a sync event is requested. |
30014 | Input XML Document | Generated whenever an input document is created by the engine or driver. |
30015 | Input Transformation Document | Generated after the input transformation policies are processed, allowing the user to view the transformed document. |
30016 | Output Transformation Document | Generated after the output transformation policies are processed, allowing the user to view the transformed document. |
30017 | Event Transformation Document | Generated after the event transformation policies are processed, allowing the user to view the transformed document. |
30018 | Placement Rule Transformation Document | Generated after the Placement rule policies are processed, allowing the user to view the transformed document. |
30019 | Create Rule Transformation Document | Generated after the Create rule policies are processed, allowing the user to view the transformed document. |
3001A | Input Mapping Rule Transformation Document | Generated after the Schema Mapping rules are processed which convert the document to the eDirectory schema. |
3001B | Output Mapping Rule Transformation Document | Generated after the Schema Mapping rules are processed which convert the document to the applications schema. |
3001C | Matching Rule Transformation Document | Generated after the Matching rule policies are processed, allowing the user to view the transformed document. |
3001D | Command Transformation Document | Generated after the command transformation policies are processed, allowing the user to view the transformed document. |
3001E | Publisher Filter Transformation Document | Generated after processing the notify filter on the Publisher channel, allowing the user to view the transformed document. |
3001F | User Agent Request | Occurs when a User Agent XDS command document is sent to the Driver on the Subscriber channel. |
30020 | Resync Driver | Occurs when a resync request is issued. |
30021 | Migrate | Occurs when a migrate request is issued. |
30022 | Driver Start | Occurs when a driver is started. |
30023 | Driver Stop | Occurs when a driver is stopped. |
30024 | Password Sync | Generated when setting the distribution or simple password on an object. |
30025 | Password Reset | Generated when resetting the connected application password after a failed password sync operation. |
30026 | DirXML Error | Generated whenever the engine throws an internal error. |
30027 | DirXML Warning | Generated whenever the engine throws an internal warning. |
30028 | Custom Operation | Occurs when an unknown operation appears in an input document. An example of known operations would be add, delete, or modify. |
30029 | Clear Attribute | Occurs when a modify operation contains a remove-all-value element. |
3002A | Add Value - Modify Entry | Occurs when a value is added during the modification of an object. |
3002B | Remove Value | Occurs when a modify operation contains a remove-value element. |
3002C | Merge Entries | Occurs when two objects are being merged. |
3002D | Get Named Password | Generated on a Get Named Password operation. |
3002E | Reset Attributes | Occurs when a Reset document is issued on the Publisher or Subscriber channels. |
3002F | Add Value - Add Entry | Occurs when a value is added during the creation of an object. |
30030 | Set SSO Credential | Occurs when a driver policy executes the do-set-sso-credential action. |
30031 | Clear SSO Credential | Occurs when a driver policy executes the do-clear-sso-credential action. |
30032 | Set SSO Passphrase | Occurs when a driver policy executes the do-clear-sso-credential action. |
303E4 | Job Result Aborted | Occurs when a running job is aborted. |
303E5 | Job Result Error | Occurs when there is an error in the job results. |
303E6 | Job Result Warning | Occurs when there is a warning message in the job result. |
303E7 | Job Result Success | Occurs when a job is successfully completed. |
307D0 | Config:Log Events | Occurs when the Logging configuration is modified in Engine |
307D1 | Config:Driver Cache Limit | Occurs when the cache limit of a Driver is updated |
307D2 | Config:Driver Set | Occurs when Driver Set configuration is updated |
307D3 | Config:Driver Start Option | Occurs when a Driver's startup type is modified |
307D4 | Driver Resync | Occurs when the driver is resynchronized. |
307D5 | Migrate Application | Occurs when a migrate operation is done from the connected system to the Identity Manager Engine. |
307D6 | Shim Password Set | Occurs when the Application password of a Driver is modified |
307D7 | Keyed Password Set | Occurs when a Named Password is created or updated in IDM |
307D8 | Remote Loader Password Set | Occurs when the password is set for Remote Loader. |
307D9 | Regenerate Key Pair | Occurs when regenerating the key pair for the Identity Manager server |
307DA | Get Server Certificate | Occurs when a certificate is generated from the server. |
307DB | Cache Utility | Occurs when the Driver Cache is emptied |
307DC | Check Object Password | Occurs when a request is issued to check the driver object password |
307DD | Initialize Driver Object | Occurs when a driver object is initialized. |
307DE | Notify Job Update | Occurs when a Job in IDM has finished execution |
307DF | Open Driver Action | Occurs when an action is performed on the driver, such as Driver Start or Stop |
307E0 | Queue Driver Event | Occurs when driver events or operations are queued. |
307E1 | Start Job | Occurs when a job is started. |
307E2 | Abort Job | Occurs when a job is aborted. |
Table 2 Remote Loader Events
| Event ID | Event Name | Trigger |
|---|---|---|
| 30BB8 | Remote Loader Start | Occurs when the Remote Loader starts. |
| 30BB9 | Remote Loader Stop | Occurs when the Remote Loader stops. |
| 30BBA | Remote Loader Connection Established | Occurs when the engine establishes a TCP connection with the Remote Loader. |
| 30BBB | Remote Loader Connection Dropped | Occurs when the engine-to-Remote Loader connection is lost. |
| 30026 | Command Port is already in use | Occurs when you try to start the remote loader when it is already running. |
| | Invalid Response to challenge during command authentication | Occurs when you specify an incorrect password. |
Table 3 Fanout Agent Events
Event ID | Event Name | Trigger |
---|---|---|
30FA0 | Fanout Agent Start | Occurs when the Fanout Agent starts. |
30FA1 | Fanout Agent Stop | Occurs when the Fanout Agent stops. |
30FA2 | Service Start, Instance Service | Occurs when the driver is started. |
30FA3 | Service Stop, Instance Service | Occurs when the driver is stopped. |
30026 | DirXML Error | Generated whenever the Fanout agent throws an internal error. |
Table 4 User Application Events
Event ID | Event Name | Trigger |
---|---|---|
31400 | Delete Entity | Occurs when an entity is deleted |
31401 | Update Entity | Occurs when an entity is updated |
31550 | Login Success | Occurs when the login succeeds |
31551 | Login Failure | Occurs when the login fails |
31440 | Create Entity | Occurs when an entity is created |
31450 | Create Proxy Definition Success | Occurs when the creation of an entity definition succeeds |
31451 | Create Proxy Definition Failure | Occurs when the creation of a proxy definition fails |
31452 | Update Proxy Definition Success | Occurs when an update to the proxy definition fails |
31453 | Update Proxy Definition Failure | Occurs when an update to the proxy definition fails |
31454 | Delete Proxy Definition Success | Occurs when the proxy definition is deleted successfully |
31456 | Create Delegatee Definition Success | Occurs when the creation of a delegatee definition succeeds |
31457 | Create Delegatee Definition Failure | Occurs when the creation of a delegatee definition fails |
31458 | Update Delegatee Definition Success | Occurs when an update to the delegatee definition succeeds |
31459 | Update Delegatee Definition Failure | Occurs when an update to the delegatee definition fails |
3145A | Delete Delegatee Definition Success | Occurs when the delegatee definition is deleted successfully |
31520 | Workflow Error | Occurs when there is a workflow error |
31521 | Workflow Started | Occurs when the workflow starts |
31522 | Workflow Forwarded | Occurs when the workflow is forwarded |
31523 | Workflow Reassigned | Occurs when the workflow is reassigned |
31524 | Workflow Approved | Occurs when the workflow is approved |
31525 | Workflow Refused | Occurs when the workflow is refused |
31526 | Workflow Ended | Occurs when the workflow ends |
31527 | Workflow Claimed | Occurs when the workflow is claimed |
31528 | Workflow Unclaimed | Occurs when the workflow is not claimed |
31529 | Workflow Denied | Occurs when the workflow is denied |
3152A | Workflow Completed | Occurs when the workflow is completed |
3152B | Workflow Timedout | Occurs when the workflow timed out |
3152C | User Message | This is a user ad hoc log message |
3152D | Provision Error | Occurs when there is an error in the provisioning step |
3152E | Provision Submitted | Occurs during the provisioning step on submission of entitlements |
3152F | Provision Success | Occurs during the provisioning step on successful completion of the step |
31530 | Provision Failure | Occurs during the provisioning step upon failure of the step |
31531 | Provision Granted | Occurs during the provisioning step on granting of an entitlement |
31532 | Provision Revoked | Occurs during the provisioning step on the revoking of an entitlement |
31533 | Workflow Retracted | Occurs when the workflow is retracted |
31534 | Workflow Escalated | Occurs when the workflow is escalated |
31535 | Workflow Reminder Sent | Occurs when reminders are sent to addressees of a workflow task |
31537 | Workflow ResetPriority | Occurs when the priority of a workflow task is reset. |
31538 | Role Approved | Occurs when a role is approved |
31539 | Role Denied | Occurs when a role is denied |
3153A | SOD Exception Approved | Occurs when an SOD exception is approved |
3153B | SOD Exception Denied | Occurs when an SOD exception is denied |
3153C | Start Correlated Workflow | Occurs when a correlated workflow is started |
3153D | Role Request Submitted | Occurs when a role request is submitted |
3153E | Resource Approved | Occurs when a resource is approved |
3153F | Resource Denied | Occurs when a resource is denied |
31540 | Provision Already Exists | Occurs when a request for prd with workflow contains provisioning |
31541 | Resource Request Submitted | Occurs when a request for a resource is submitted |
31542 | Resource Provisioning Workflow Succeeded | Occurs when a resource provisioning workflow is successful |
31543 | Resource Provisioning Workflow Failed | Occurs when a resource provisioning workflow fails |
31544 | Workflow Returned | Occurs when the role is returned to User task |
31600 | Role Provisioning | Occurs when a role is provisioned |
31610 | Role Request | Occurs when a role is requested |
31612 | Role Request Workflow | Occurs when a role with an approver is requested |
31613 | SOD Exception Auto Approval | Occurs when the SOD exception is auto approved |
31614 | Retract Role Request | Occurs when the role request is retracted |
31620 | Entitlement Grant | Occurs when the entitlement is granted |
31621 | Entitlement Grant Failure | Occurs when the entitlement grant fails |
31622 | Entitlement Revoke | Occurs when the entitlement is revoked |
31623 | Entitlement Revoke Failure | Occurs when the entitlement revoke fails |
31624 | Entitlement Invalid Reference | Occurs when the DirXML-EntitlementRef xml is not valid |
31630 | Create Role | Occurs when a role is created |
31631 | Create Role Failure | Occurs when creating a role fails |
31632 | Delete Role | Occurs when a role is deleted |
31634 | Modify Role | Occurs when a role is modified |
31635 | Modify Role Failure | Occurs when modifying a role fails |
31640 | Create SOD | Occurs when SOD is created |
31641 | Create SOD Failure | Occurs when creating SOD fails |
31642 | Delete SOD | Occurs when SOD is deleted |
31644 | Modify SOD | Occurs when SOD is modified |
31645 | Modify SOD Failure | Occurs when modifying SOD fails |
31660 | Resource Request | Occurs when a resource is requested |
31662 | Resource Request Workflow | Occurs when a resource is requested as a normal user |
31663 | Retract Resource Request | Occurs when a resource request is retracted |
31665 | Resource Provisioning | Occurs when a resource is provisioned |
31666 | Resource Provisioning Failure | Occurs when resource provisioning fails |
31667 | Resource Provisioning Workflow | Occurs when a resource provisioning workflow is requested |
31670 | Create Resource | Occurs when a resource is created |
31671 | Create Resource Failure | Occurs when resource creation fails |
31672 | Delete Resource | Occurs when a resource is deleted |
31674 | Modify Resource | Occurs when a resource is modified |
31675 | Modify Resource Failure | Occurs when modifying a resource fails |
31676 | Create Resource Association | Occurs when creating resource association |
31677 | Create Resource Association Failure | Occurs when creating resource association fails |
31678 | Delete Resource Association | Occurs when deleting a resource association |
31680 | Create Domain Administrator | Occurs when creating a domain administrator |
31681 | Create Domain Administrator Failure | Occurs when creating a domain administrator fails |
31682 | Delete Domain Administrator | Occurs when deleting a domain administrator |
31683 | Delete Domain Administrator Failure | Occurs when deleting a domain administrator fails |
31684 | Create Delegated Administrator | Occurs when creating a delegated administrator |
31685 | Create Delegated Administrator Failure | Occurs when creating a delegated administrator fails |
31686 | Delete Delegated Administrator | Occurs when deleting a delegated administrator |
31687 | Delete Delegated Administrator Failure | Occurs when deleting a delegated administrator fails |
31688 | Create Team | Occurs when creating a team |
31689 | Create Team Failure | Occurs when creating a team fails |
31690 | Delete Team | Occurs when deleting a team |
31691 | Delete Team Failure | Occurs when deleting a team fails |
31692 | Modify Team | Occurs when a team is modified |
31693 | Modify Team Failure | Occurs when modifying a team fails |
Table 5 Reporting Data Collection Services (DCS) Events
Event ID | Event Name | Trigger |
---|---|---|
31721 | DCS Driver Registration Add | Occurs when the DCS driver is added |
31722 | DCS Driver Registration Modify | Occurs when the DCS driver is modified |
31723 | DCS Driver Collection enabled | Occurs when the data collection is enabled |
31724 | DCS Driver Collection disabled | Occurs when the data collection is disabled |
31725 | Data Source Registered | Occurs when a new data source is added |
31726 | Data Source Modified | Occurs when a data source is modified |
31727 | Data Source Removed | Occurs when a data source is removed |
31728 | Data Collection Suspended | Occurs when the data collection is suspended |
31729 | Data Collection Activated | Occurs when the data collection is activated |
31730 | Data Collection Started | Occurs when the data collection is started |
31731 | Data Collection Completed | Occurs when the data collection is completed |
31732 | Data Collection Failed | Occurs when the data collection fails |
31733 | Data Collection Requested | Occurs when the data collection is requested |
All events logged through Sentinel have a standardized set of fields. This allows Sentinel to log events to a structured database and query events across all logging applications.
Identity Manager events provide information in the following field structure:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
The Extension field consists of a set of custom fields for applicable events. The following custom fields are commonly used for all Identity Manager events:
- cs5 - Correlation ID for applicable events.
- cn2 - Group ID for applicable events.
- cs6 - Describes the type of data.

Where cs = custom string and cn = custom number.
The following is a sample Login Success CEF event:
CEF:0|NetIQ|Identity Manager|4.7.2.0|31550|Login Success|1|dvc=164.99.90.132 msg=cn\\=uaadmin,ou\\=sa,o\\=data successfully logged in from 164.99.198.173: Login success. cs5Label=correlationid reason=Login success rt=1544695369843 cs5=UserApp#RoleRequest#20181213-2 suser=cn\\=uaadmin,ou\\=sa,o\\=data src=164.99.198.173 dvchost=SLES12SP2-NIJITHA-90132 cat=DirXML\\\\Login\\\\Login_Success duser=LDAPRealm\\\\cn\\=uaadmin,ou\\=sa,o\\=data dtz=Asia\/Kolkata
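
As an added example (not NetIQ's code), the following Python parser splits an event into the field structure shown above, pairs custom fields with their labels (for example cs5 with cs5Label), and counts Login Failure (31551) events per `src`. The sample events are constructed and assume standard CEF escaping (`\=`, `\\`, `\|`); the Login Failure extension fields and the `threshold` value are assumptions.

```python
import re
from collections import Counter

HEADER = ("version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
# An extension key is a run of word characters at the start or after whitespace.
# An escaped "\=" inside a value has a backslash before "=", so it never matches.
KEY = re.compile(r"(?:^|\s)(\w+)=")

def unescape(value):
    # CEF escapes: \\ -> \, \= -> =, \| -> |, \n -> newline
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def split_header(payload):
    """Split off the 7 pipe-delimited header fields, honouring backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(payload) and len(parts) < len(HEADER):
        if payload[i] == "\\" and i + 1 < len(payload):
            buf.append(payload[i:i + 2])   # keep the escape pair for unescape()
            i += 2
        elif payload[i] == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(payload[i])
            i += 1
    return parts, payload[i:]

def parse_cef(line):
    start = line.find("CEF:")              # tolerate a syslog prefix before the payload
    if start < 0:
        raise ValueError("not a CEF event")
    parts, raw = split_header(line[start + 4:])
    if len(parts) != len(HEADER):
        raise ValueError("truncated CEF header")
    event = {k: unescape(v) for k, v in zip(HEADER, parts)}
    keys = list(KEY.finditer(raw))
    ext = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(raw)
        ext[m.group(1)] = unescape(raw[m.end():end].strip())
    event["ext"] = ext
    # Pair csN/cnN values with their csNLabel/cnNLabel names, e.g. cs5 -> correlationid.
    event["custom"] = {ext[k + "Label"]: v for k, v in ext.items() if k + "Label" in ext}
    return event

def failed_logins_by_source(lines, threshold=3):
    """Return {src: count} for sources with at least `threshold` Login Failure (31551) events."""
    hits = Counter(ev["ext"].get("src", "unknown")
                   for ev in map(parse_cef, lines) if ev["signature_id"] == "31551")
    return {src: n for src, n in hits.items() if n >= threshold}

# Constructed sample events (documentation IP ranges), using single-level CEF escaping.
SAMPLE = (r"CEF:0|NetIQ|Identity Manager|4.7.2.0|31550|Login Success|1|dvc=192.0.2.10 "
          r"msg=cn\=uaadmin,ou\=sa,o\=data successfully logged in from 198.51.100.7: Login success. "
          r"cs5Label=correlationid rt=1544695369843 cs5=UserApp#RoleRequest#20181213-2 "
          r"suser=cn\=uaadmin,ou\=sa,o\=data src=198.51.100.7 cat=DirXML\\Login\\Login_Success")
FAILURE = (r"CEF:0|NetIQ|Identity Manager|4.7.2.0|31551|Login Failure|1|dvc=192.0.2.10 "
           r"suser=cn\=jdoe,ou\=users,o\=data src={src} cat=DirXML\\Login\\Login_Failure")
SAMPLE_EVENTS = ([SAMPLE] + [FAILURE.format(src="203.0.113.50")] * 3
                 + [FAILURE.format(src="198.51.100.7")])

if __name__ == "__main__":
    print(parse_cef(SAMPLE)["custom"])
    print(failed_logins_by_source(SAMPLE_EVENTS))
```
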
The following table describes the variable custom fields used for all Identity Manager events:
Table 6 Variable Custom Fields used in CEF events
Event ID Range | cs1 | cs2 | cs3 | cs4 | cn1 |
---|---|---|---|---|---|
30001 to 30006 | NA | Type | NA | NA | NA |
30007 | Scope | Association | NA | NA | NA |
30008 to 3000A, 3000D, 3000E, 30012, 30021, 30025, 3002C, 3002F | Attribute Name | Association | NA | NA | NA |
3000B to 3000C, 30011 | NA | Association | NA | NA | NA |
30013 | Attribute Name | Type | NA | NA | NA |
30021, 30024, 30026, 30027 | Attribute Name | NA | NA | NA | NA |
30029 to 3002B | NA | Association | NA | NA | NA |
31450 to 3145F | Detail | NA | NA | NA | NA |
31521, 31523, 31524, 31525, 31527 to 31529, 31533 to 31535, 31544 | Secondary User | NA | NA | NA | NA |
3152C | Author | NA | NA | NA | NA |
3153C | Target Process Name | NA | NA | NA | NA |
31610, 31612, 31613, 31614, 31660, 31661, 31662, 31663, 31664, 31667 | Request Category | Workflow Process ID | Request Status Description | Original Request Status | NA |
31600, 31601, 31665, 31666 | Provisioning Category | NA | Request Status Description | Original Request Status | NA |
31611 and 31615 | Request Category | NA | Request Status Description | Original Request Status | NA |
31688 to 31693 | Team DN | NA | NA | NA | NA |
31680 to 31687 | NA | NA | NA | NA | Administration Level |
31676 to 3167B | Resource Association DN | NA | NA | NA | NA |
31620 to 31621 | Granting Agent ID | Entitlement Parameter | NA | NA | NA |
31622 and 31623 | Revoking Agent | Entitlement Parameter | NA | NA | NA |
31624 | Processing Agent ID | Entitlement Parameter | NA | NA | NA |
31721, 31722, 31725 to 31750 | Collector UUID | Component Version | NA | NA | NA |
31723 and 31724 | NA | Component Version | NA | NA | NA |
30FA0 to 30FA3 | NA | Component Version | NA | NA | NA |
The dtz field displays the current system timezone. For example, dtz = Asia/Kolkata.
This field is displayed only for Remote Loader, Identity Applications, Fanout Agent, DCS, and Reporting. It is not applicable to events related to Identity Manager Engine (dxevent - 303E4 to 307E2 in Table 1), Native Remote Loader, and .NET Remote Loader.