13.6 Auditing for Self Service Password Reset

To meet compliance standards, many companies require auditing for password changes, whether the changes came from the users or the help desk. Self Service Password Reset provides an auditing solution that tracks specific events that occur in the system. It also allows you to forward events to a Syslog server for further analysis of the information.

13.6.1 Configuring Auditing

Self Service Password Reset allows you to enable and configure event alerts such as intruder alerts and fatal event alerts.

To configure the logging and auditing options, perform the following steps:

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Auditing > Audit Configuration.

  5. Select the type of events to audit. Use the help for more information.

  6. In the toolbar, click Save changes.

13.6.2 Forwarding Auditing Information

You can forward auditing events to external systems to analyze the information. Self Service Password Reset supports forwarding audit information to Sentinel, ArcSight, and syslog servers.

NOTE: In SSPR 4.5, if you have configured the Sentinel Syslog server to collect the audit events in the CEF format, there might be a parsing error. The parsing error occurs because the CEF audit events are routed to the Universal CEF collector instead of the NetIQ SSPR collector.

If you need to receive the CEF audit events on the Sentinel Syslog server, it is recommended to remove the SSPR collector so that the events are stored and managed in the Universal CEF collector.

Before removing the NetIQ SSPR collector, ensure that the audit configuration is not set to JSON format; otherwise, audit event data can be lost.

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > Auditing > Audit Forwarding.

  5. Use the help to configure the audit service for Self Service Password Reset.

    NOTE: Self Service Password Reset allows specifying multiple syslog servers for fail-over purposes. If you only have one syslog server and it is not available, Self Service Password Reset queues the audit events until the syslog server is available again.

  6. In the toolbar, click Save changes.

13.6.3 Configuring Auditing for User History

Self Service Password Reset allows you to store the user history in different locations. Use the following settings to configure that storage.

  1. Log in to Self Service Password Reset at https://dns-name/sspr as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor.

  4. Click Settings > User History.

  5. Use the help to configure the audit settings for the user history.

  6. Click Save changes.

13.6.4 CEF Audits and Customization

Self Service Password Reset can be configured to send log messages about system events and actions in the CEF format to any Syslog server. The CEF format log message is sent in the format:

<date> <host> CEF:0|<vendor>|<product>|<version>|<event code>|<time stamp>|<message>|<perpetrator ID>|<perpetrator DN>|<source address>|<source host>|<target ID>|<target DN>

Before customizing CEF audits, ensure that Syslog Output Format is set to CEF in Configuration Editor > Settings > Auditing > Audit Forwarding.

  1. Log in to Self Service Password Reset (https://dns-name/sspr) as an administrator.

  2. In the toolbar, click your name.

  3. Click Configuration Editor > Settings > Application > Application.

  4. To customize the fields in the CEF message, use App Property Overrides. It is advisable to contact the SSPR Support team for further assistance.

    For example, specify the following customized log message to include the outcome information along with the default message:

    audit.syslog.cef.extensions=type,cat:eventCode,act:timestamp,rt:narrative,msg:message,reason:perpetratorID,suid:perpetratorDN,suser:sourceAddress,src:sourceHost,srchost:targetID,duid:targetDN,duser:xdasOutcome,outcome

    The following message is generated with the above customized log:

    Jan 23 08:49:19 host1-Latitude-7480 SSPR CEF:0|Micro Focus|SSPR|v b0 r0|AUTHENTICATE|Authentication|2| dvchost=localhost dtz=Zulu cat=USER act=AUTHENTICATE rt=2020-01-23T03:19:19Z msg=admin (cn\=admin,o\=novell) has authenticated reason=type\=AUTHENTICATED, source\=LOGIN_FORM suid=admin suser=cn\=admin,o\=novell src=127.0.0.1 srchost=127.0.0.1 outcome=XDAS_OUT_SUCCESS

  5. Click Save changes.
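
A receiving-side parser for the event shown in step 4, as an added example that is not part of the SSPR documentation or product code. It treats the override value as colon-separated `auditField,cefKey` pairs, which is an assumption inferred from the sample event, and the function names are illustrative.

```python
import re

# Event and override value copied from the page; names below are illustrative.
SAMPLE = (
    r"Jan 23 08:49:19 host1-Latitude-7480 SSPR CEF:0|Micro Focus|SSPR|v b0 r0|"
    r"AUTHENTICATE|Authentication|2| dvchost=localhost dtz=Zulu cat=USER "
    r"act=AUTHENTICATE rt=2020-01-23T03:19:19Z msg=admin (cn\=admin,o\=novell) has "
    r"authenticated reason=type\=AUTHENTICATED, source\=LOGIN_FORM suid=admin "
    r"suser=cn\=admin,o\=novell src=127.0.0.1 srchost=127.0.0.1 outcome=XDAS_OUT_SUCCESS"
)
EXTENSIONS = (
    "type,cat:eventCode,act:timestamp,rt:narrative,msg:message,reason:"
    "perpetratorID,suid:perpetratorDN,suser:sourceAddress,src:sourceHost,srchost:"
    "targetID,duid:targetDN,duser:xdasOutcome,outcome"
)
HEADER = ("cef_version", "vendor", "product", "version", "event_id", "name", "severity")
# A key starts a token and is followed by an unescaped '='; an escaped one stays in the value.
KEY = re.compile(r"(?<!\S)(\w+)=")

def unescape(text):
    """Undo CEF backslash escapes, such as the escaped equals signs in DN values."""
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), text)

def parse_cef(line):
    """Split one syslog line into the seven CEF header fields and its extensions."""
    _, marker, cef = line.partition("CEF:")
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if not marker or len(parts) < 8:
        raise ValueError("not a complete CEF record")
    event = dict(zip(HEADER, map(unescape, parts[:7])))
    body = parts[7].strip()
    keys = list(KEY.finditer(body))
    ends = [k.start() for k in keys[1:]] + [len(body)]
    # Each value runs from its '=' to the start of the next key, so spaces survive.
    event["extensions"] = {
        k.group(1): unescape(body[k.end():end].strip()) for k, end in zip(keys, ends)
    }
    return event

def audit_fields(event, extensions=EXTENSIONS):
    """Rename CEF keys to SSPR audit field names (pair syntax is an assumption)."""
    names = {cef: field for field, cef in (p.split(",") for p in extensions.split(":"))}
    return {names.get(key, key): value for key, value in event["extensions"].items()}

if __name__ == "__main__":
    for name, value in audit_fields(parse_cef(SAMPLE)).items():
        print(f"{name:14} {value}")
```

Splitting the extension part on spaces or on every `=` would break the DN and narrative values; keying on unescaped `=` keeps an escaped `key\=value` fragment inside the field that carries it.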