3.2 Logging to a Novell Audit or Sentinel Server

To log to a Novell Audit or Sentinel server:

  1. Add the Identity Manager application schema to the Novell Audit server as a log application

    This step applies to Novell Audit only. For more information, see Section 3.2.1, Adding the Identity Manager Application Schema to your Novell Audit Server as a Log Application

  2. Configure the Novell Audit platform agent on your application server

    The Platform Agent is required on any client that reports events to Novell Audit or Sentinel. You configure the platform agent through the logevent configuration file. This file provides the configuration information that the platform agent needs to communicate with the Novell Audit server. The default location for this file, on the application server, is:

    • Linux: /etc/logevent.conf

    • Windows: /<WindowsDir>/logevent.cfg (Usually c:\windows)

    Specify the following four properties:

    LogHost: The IP address or DNS name of your Novell Audit or Sentinel server. For example:

    LogHost=xxx.xxx.xxx.xxx

    LogJavaClassPath: The location of the lcache jar file NAuditPA.jar. For example:

    LogJavaClassPath=/opt/novell/idm/NAuditPA.jar

    LogCacheDir: Specifies where lcache stores cache files. For example:

    LogCacheDir=/opt/novell/idm/naudit/cache

    LogCachePort: Specifies on which port lcache listens for connections. The default is 288, but on a Linux server, set the port number greater than 1000. For example:

    LogCachePort=1233

    LogMaxBigData: Specifies the maximum number of bytes that the client will allow. Larger amounts of logging data will be truncated. The default value is 3072 bytes, but you should change this to at least 8192 bytes to handle a typical form that has approximately 15 fields on a half page. For example:

    LogMaxBigData=8192

    IMPORTANT: If your data is very large, you may want to increase this value. If you are logging events that include digital signatures, it is critical that the value of LogMaxBigData be large enough to handle the data being logged.

    Specify any other settings needed for your environment.

    NOTE: You must restart the Platform Agent any time you change the configuration.

    For more information about the structure of the logevent configuration file, see the section on configuring platform agents, under the logging system, in the Novell Audit Administration Guide.

  3. Enable Novell Audit or Sentinel logging.

    This step applies to both Novell Audit and Sentinel. For more information, see Section 3.2.2, Enabling Audit or Sentinel Logging.
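The following script is an added example, not part of the Identity Manager documentation or product. It parses a logevent.conf in the key=value form shown in step 2 and flags the settings the guide says cause trouble: a missing or placeholder LogHost, a LogCachePort that is not greater than 1000 on Linux, and a LogMaxBigData below 8192, which silently truncates large audit events (including any that carry digital signatures). The thresholds come from the guide; the parsing rules (lines starting with `#` are comments, keys are matched case-insensitively) and the sample files are assumptions constructed for the demonstration.

```python
"""Check a Novell Audit Platform Agent logevent configuration against the
settings recommended in the Identity Manager guide.

Added example, not product code. Thresholds are the guide's; the comment
syntax and case-insensitive keys are assumptions about the file format.
"""

# Thresholds taken from the guide's guidance.
MIN_BIG_DATA = 8192          # guide: raise LogMaxBigData to at least 8192 bytes
LINUX_MIN_CACHE_PORT = 1001  # guide: on Linux, LogCachePort must be greater than 1000


def parse_logevent(text):
    """Return a dict mapping lower-cased keys to stripped string values."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        if "=" not in line:                     # ignore lines that are not key=value
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def check_logevent(text, platform="linux"):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_logevent(text)
    findings = []

    host = s.get("loghost", "")
    if not host:
        findings.append("LogHost is missing: the Platform Agent has no Audit/Sentinel server to send events to")
    elif "xxx" in host.lower():
        findings.append("LogHost still contains the xxx.xxx.xxx.xxx placeholder from the documentation")

    if not s.get("logjavaclasspath", "").lower().endswith("nauditpa.jar"):
        findings.append("LogJavaClassPath does not point at NAuditPA.jar")

    if not s.get("logcachedir"):
        findings.append("LogCacheDir is missing: lcache has nowhere to spool events while the server is unreachable")

    port = s.get("logcacheport")
    if port is None:
        findings.append("LogCachePort is missing (the default is 288)")
    elif not port.isdigit():
        findings.append(f"LogCachePort is not numeric: {port!r}")
    elif platform == "linux" and int(port) < LINUX_MIN_CACHE_PORT:
        findings.append(f"LogCachePort {port} is not greater than 1000; the guide requires that on Linux")

    big = s.get("logmaxbigdata")
    if big is None:
        findings.append("LogMaxBigData is not set; the 3072-byte default truncates typical form events")
    elif not big.isdigit():
        findings.append(f"LogMaxBigData is not numeric: {big!r}")
    elif int(big) < MIN_BIG_DATA:
        findings.append(f"LogMaxBigData {big} is below {MIN_BIG_DATA}; large events (including digital signatures) would be truncated")

    return findings


# Constructed sample files for the demonstration; the addresses and paths are made up.
WEAK_CONF = """\
# constructed example of a problematic logevent.conf
LogHost=192.0.2.10
LogJavaClassPath=/opt/novell/idm/NAuditPA.jar
LogCacheDir=/opt/novell/idm/naudit/cache
LogCachePort=288
"""

GOOD_CONF = """\
# constructed example following the guide's recommendations
LogHost=192.0.2.10
LogJavaClassPath=/opt/novell/idm/NAuditPA.jar
LogCacheDir=/opt/novell/idm/naudit/cache
LogCachePort=1233
LogMaxBigData=8192
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("good", GOOD_CONF)):
        problems = check_logevent(conf)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against a copy of /etc/logevent.conf (or logevent.cfg on Windows, passing platform="windows" so the Linux port rule is skipped) before restarting the Platform Agent; the weak sample above is flagged for the default port 288 and for leaving LogMaxBigData at its 3072-byte default, while the good sample passes cleanly.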

3.2.1 Adding the Identity Manager Application Schema to your Novell Audit Server as a Log Application

If you are using Novell Audit (not Sentinel), you need to add the schema to your Novell Audit Server as a log application. This section applies to Novell Audit only.

To configure Audit to use the Identity Manager User Application as a log application:

  1. Locate the following file:

    dirxml.lsc

    This file is located in the Identity Manager User Application installation directory after the install, for example /opt/novell/idm.

  2. Use a Web browser to access an iManager with the Novell Audit plug-in installed, and log in as an administrator.

  3. Go to Roles and Tasks > Auditing and Logging and select Logging Server Options.

  4. Browse to the Logging Services container in your tree and select the appropriate Audit Secure Logging Server. Then click OK.

  5. Go to the Log Applications tab, select the appropriate Container Name, and click the New Log Application link.

  6. When the New Log Application dialog box displays, specify the following:

    Log Application Name: Type any name that is meaningful for your environment.

    Import LSC File: Use the Browse button to select the dirxml.lsc file.

    Click OK. The Log Applications tab displays the added application name.

  7. Click OK to complete your Novell Audit server configuration.

  8. Make sure the status on the Log Application is set to ON. (The circle under the status should be green. If it is red, click it to switch it to ON.)

  9. Restart the Novell Audit server to activate the new log application settings.

3.2.2 Enabling Audit or Sentinel Logging

To enable Novell Audit or Sentinel logging in your Identity Manager User Application:

  1. Log in to the User Application as the User Application Administrator.

  2. Select the Administration tab.

  3. Select the Logging link.

  4. Select the Also send logging messages to Novell Audit check box (near the bottom of the page).

  5. To save the changes for any subsequent application server restarts, make sure Persist the logging changes is selected.

  6. Click Submit.

NOTE: To enable logging for Role events, the Role Service driver Generate audit events property must be selected. For more information on this property, see Section 2.10.1, Role Service Driver Configuration.

3.2.3 Log Reports

If you log events to the Novell Audit database channel, you can run reports on the data. There are several ways to generate reports against data logged to a Novell Audit database:

  • Use the Novell Audit Report application to run your own reports or to run the predefined reports described in Predefined Log Reports for Novell Audit.

  • Write queries against the logged data by using iManager to select Auditing and Logging > Queries (Novell Audit only).

  • Write your own SQL queries against the logged data.

  • Produce Identity Manager reports in Sentinel (see Sentinel Reports).

The default Novell Audit table is called NAUDITLOG.

Predefined Log Reports for Novell Audit

The following predefined log reports are created in Crystal Reports (.rpt) format for filtering data logged to the Novell Audit database:

Administrative Action: Shows all administrative actions initiated from the Identity Manager User Application portal. This report includes the administrator who initiated the action. It excludes any administrative changes made using iManager or the Designer for Identity Manager.

Historical Approval Flow: Shows all approval flow activities for a specified time frame.

Resource Provisioning: Shows all provisioning activities, sorted by resource.

User Audit Trail: Shows all activity relating to a user. Activities include both provisioning and self-service activities.

Specific User Provisioning: Shows all provisioning activities for a specific user.

User Provisioning: Shows all provisioning activities, sorted by user.

The following graphic shows an example of the Specific User Audit Trail report:

Figure 3-1 Sample Audit Trail Report

The report files are in the following location:

Windows: /nt/dirxml/reports

You can use these reports as templates for creating custom reports in the Crystal Reports Designer or you can run the reports using Audit Report (lreport.exe), a Windows program supplied with Novell Audit. The predefined reports query data from the default Novell Audit log database named naudit and a database table named nauditlog. If your Novell Audit log database has a different name, use the Set Datasource Location menu item in Crystal Reports Designer to replace the naudit database name with the one in your environment.

For more information, see the section on working with reports in the Novell Audit documentation.

Sentinel Reports

If you have configured the platform agent to send events to Sentinel, you can produce the following reports about Identity Manager events in Sentinel:

  • Account_Access_Assignments_[Oracle/SQL].rpt

  • Collector_Pack_Audit_Trail_[Oracle/SQL].rpt

  • Object_Provisioning_[Oracle/SQL].rpt

  • Periodic_Password_Change_Violations_[Oracle/SQL].rpt

  • Self_Password_Changes_[Oracle/SQL].rpt

  • User_Account_Provisioning_[Oracle/SQL].rpt

  • Account_Trust_Assignments_[Oracle/SQL].rpt

  • Collector_Pack_Status_Dashboard_[Oracle/SQL].rpt

  • Password_Management_[Oracle/SQL].rpt

  • Periodic_Password_Change_Violations_Test_[Oracle/SQL].rpt

  • Top_10_Dashboard_[Oracle/SQL].rpt

  • User_Status_Management_[Oracle/SQL].rpt

  • Administrative_Activity_[Oracle/SQL].rpt

  • Configuration_Changes_[Oracle/SQL].rpt

  • Password_Resets_[Oracle/SQL].rpt

  • Resource_Request_Errors_[Oracle/SQL].rpt

  • Top_10_Object_Access_Dashboard_[Oracle/SQL].rpt

  • Workflow_Proxy_Delegation_Management_[Oracle/SQL].rpt

  • Authentication_by_Server_[Oracle/SQL].rpt

  • Event_Count_Trend_[Oracle/SQL].rpt

  • Per_Object_Modification_[Oracle/SQL].rpt

  • Resource_Requests_Rejected_[Oracle/SQL].rpt

  • Trust_Access_Assignments_[Oracle/SQL].rpt

  • Authentication_by_User_[Oracle/SQL].rpt

  • Inactive_Users_[Oracle/SQL].rpt

  • Per_Trust_Modification_[Oracle/SQL].rpt

  • Resource_Requests_by_Process_[Oracle/SQL].rpt

  • Trust_Management_[Oracle/SQL].rpt

  • Collector_Management_[Oracle/SQL].rpt

  • Inactive_Users_Test_[Oracle/SQL].rpt

  • Per_User_Modification_[Oracle/SQL].rpt

  • Resource_Requests_by_User_[Oracle/SQL].rpt

  • Trust_Provisioning_[Oracle/SQL].rpt

You can access the full set of reports by downloading the Novell Identity Manager collector pack.