9.4 Defining the Auditing Configuration

The Event Auditing Service Settings page allows you to specify the settings for the Event Auditing Service, which captures log events associated with actions performed in various Novell tools, such as RBPM, RMA, Designer, and the Identity Reporting Module. Within the reporting module, the events captured include the import, modification, deletion, or scheduling of a report definition.

  1. Click Auditing under Data Collection in the left navigation menu.

    The reporting module displays the Event Auditing Service Settings page.

  2. To define the port for the Syslog SSL Connector, specify the port number in the Syslog SSL Connector port field.

  3. To define the port for the UDP connector, specify the port number in the UDP port field.

  4. To define the port for the audit connector, specify the port number in the Audit Connector port field.

  5. To test the connection to EAS, click Test Connection.

  6. To forward events from Sentinel to EAS, follow the instructions presented under Section 9.5, Configuring Sentinel Link to Use Sentinel as the Sender and EAS as the Receiver.

    IMPORTANT: You can forward events from EAS to Sentinel or Sentinel to EAS. However, Novell recommends that you forward events from Sentinel to EAS.

  7. To forward events from EAS to Sentinel:

    1. Specify the network address for the Event Router in the Address field.

    2. Specify the port number for the Event Router in the Port field.

    3. To specify a filter for event forwarding, specify the filter in the Filter field.

      The event forwarding filter controls which events are forwarded to Sentinel. The Filter field supports the Apache Lucene query syntax, so you can specify any filter that is valid in that syntax. For more information on Apache Lucene, see the Apache Lucene Web site.

    4. To start event forwarding, select the Enable event forwarding checkbox.

      Event forwarding sends events to a Sentinel server for further processing. For the Sentinel server to receive events, a Link Connector must be configured. Refer to the Sentinel documentation for more information about creating a Link Connector.

      For more information, see the Sentinel User Guide.

    5. To test the event forwarding configuration, click Test Ports.

  8. To save your changes, click Save.

EAS stores all auditing data in the Identity Information Warehouse. Auditing events are stored in tables within the public schema in the SIEM database.