The Event Auditing Service Settings page allows you to specify the settings for the Event Auditing Service, which captures log events associated with actions performed in various NetIQ tools, such as RBPM, Catalog Administrator, Designer, and the Reporting Module. Within the Reporting Module, the events captured include the import, modification, deletion, or scheduling of a report definition.
Click Auditing under Data Collection in the left navigation menu.
The Reporting Module displays the Event Auditing Service Settings page.
To define the port for the Syslog SSL Connector, specify the port number in the Syslog SSL Connector port field.
To define the port for the audit connector, specify the port number in the Audit Connector port field.
To test the connection to EAS, click Test Connection.
To forward events from Sentinel to EAS, follow the instructions presented under Section 9.6, Configuring Sentinel Link to Use Sentinel as the Sender and EAS as the Receiver.
IMPORTANT: You can forward events from EAS to Sentinel or from Sentinel to EAS. However, NetIQ recommends that you forward events from Sentinel to EAS.
To forward events from EAS to Sentinel:
Specify the network address for the Event Router in the Address field.
Specify the port number for the Event Router in the Port field.
To specify a filter for event forwarding, specify the filter in the Filter field.
The event forwarding filter controls which events are forwarded to Sentinel. The Filter field supports the Apache Lucene query syntax, so you can specify any filter that is a valid Lucene query. For more information on Apache Lucene, see the Apache Lucene Web site.
To start event forwarding, select Enable event forwarding.
Event forwarding is the ability to forward events to a Sentinel server for further processing. In order for the Sentinel server to receive events, a Link Connector must be configured. Refer to the Sentinel documentation for more information about creating a Link Connector.
For more information, see the Sentinel User Guide.
To test the event forwarding configuration, click Test Ports.
To save your changes, click Save.
EAS stores all auditing data in the Identity Information Warehouse. Auditing events are stored in tables within the public schema in the SIEM database.
EAS automatically captures the following log events from the Reporting Module:
| Event ID | Process | NetIQ Identity Audit Event | Severity |
|---|---|---|---|
| 31700 | Authentication token created | Create_Auth_Token | Info |
| 31701 | Authentication token failed | Create_Auth_Token_Failure | Error |
| 31702 | Authentication token revoked | Auth_Token_Revoked | Info |
| 31721 | DCS driver registration added | DCS_Driver_Registration_Add | Info |
| 31722 | DCS driver registration modified | DCS_Driver_Registration_Modify | Info |
| 31723 | DCS driver collection enabled | DCS_Driver_Collection_Enabled | Info |
| 31724 | DCS driver collection disabled | DCS_Driver_Collection_Disabled | Info |
| 31725 | Data source registered | Data_Source_Registered | Info |
| 31726 | Data source modified | Data_Source_Modified | Info |
| 31727 | Data source removed | Data_Source_Removed | Info |
| 31728 | Data collection suspended | Data_Collection_Suspended | Info |
| 31729 | Data collection activated | Data_Collection_Activated | Info |
| 31730 | Data collection started | Data_Collection_Started | Info |
| 31731 | Data collection completed | Data_Collection_Completed | Info |
| 31732 | Data collection failed | Data_Collection_Failed | Error |
| 31733 | Data collection requested Data cleanup requested | Data_Collection_Requested Data_Cleanup_Requested | Info |
| 31771 | Report definition created | Report_Defn_Created | Info |
| 31772 | Report definition modified | Report_Defn_Modified | Info |
| 31773 | Report definition deleted | Report_Defn_Deleted | Info |
| 31774 | Schedule created | Schedule_Created | Info |
| 31775 | Schedule modified | Schedule_Modified | Info |
| 31776 | Schedule deleted | Schedule_Deleted | Info |
| 31777 | Report generated | Report_Generated | Info |
| 31778 | Report delivered | Report_Delivered | Info |
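The event IDs in the table above can drive a simple review of exported audit data. The following is an added example, not NetIQ code: it flags repeated authentication token failures per actor, Info-level events that reduce collection or reporting coverage, and remaining Error events. The record field names (`ts`, `actor`, `event_id`), the choice of coverage-loss events, the thresholds, and the sample data are assumptions and do not reflect the EAS schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Subset of the event table above: ID -> (NetIQ Identity Audit Event, Severity)
EVENTS = {
    31701: ("Create_Auth_Token_Failure", "Error"),
    31724: ("DCS_Driver_Collection_Disabled", "Info"),
    31727: ("Data_Source_Removed", "Info"),
    31728: ("Data_Collection_Suspended", "Info"),
    31732: ("Data_Collection_Failed", "Error"),
    31773: ("Report_Defn_Deleted", "Info"),
}
# Review choice (assumption): Info events that reduce collection or reporting coverage.
COVERAGE_LOSS = {31724, 31727, 31728, 31773}

def triage(records, burst=3, window=timedelta(minutes=5)):
    """Return (timestamp, actor, reason) findings in time order."""
    findings = []
    failures = defaultdict(deque)  # actor -> times of recent 31701 events
    for rec in sorted(records, key=lambda r: r["ts"]):
        eid, ts, actor = rec["event_id"], rec["ts"], rec["actor"]
        if eid not in EVENTS:
            continue  # routine events (token created, report generated, ...)
        name, severity = EVENTS[eid]
        if eid == 31701:
            recent = failures[actor]
            recent.append(ts)
            while ts - recent[0] > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= burst:
                findings.append((ts, actor, f"{burst} x {name} within {window}"))
                recent.clear()  # start counting again after reporting
        elif eid in COVERAGE_LOSS:
            findings.append((ts, actor, f"coverage change: {name}"))
        elif severity == "Error":
            findings.append((ts, actor, f"error: {name}"))
    return findings

def _t(hms):  # timestamp helper for the constructed sample below
    return datetime.fromisoformat(f"2024-01-01T{hms}")

# Constructed sample records; field names are hypothetical, not the EAS schema.
SAMPLE = [{"ts": _t(t), "actor": a, "event_id": e} for t, a, e in [
    ("09:00:00", "admin2", 31701), ("09:00:10", "jdoe", 31701),
    ("09:01:00", "jdoe", 31701), ("09:02:30", "jdoe", 31701),
    ("09:10:00", "admin2", 31724), ("09:15:00", "svc-report", 31732),
    ("09:20:00", "jdoe", 31777), ("09:30:00", "admin2", 31701),
]]
```

Calling `triage(SAMPLE)` returns three findings: the token-failure burst for `jdoe`, the disabled DCS driver collection, and the failed data collection.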