Detailed instructions for use are in the User's Guide.
[. . . ] novdocx (en) 11 July 2008
AUTHORIZED DOCUMENTATION
Integration Guide For Novell Audit
Novell®
3. 6
July 23, 2008
Identity Manager
www. novell. com
Identity Manager 3. 6 Integration Guide for Novell Audit
novdocx (en) 11 July 2008
Legal Notices
Novell, Inc. , makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, Novell, Inc. , makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. , reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes. [. . . ] You can configure the size of this field in the LogMaxBigData value in logevent. cfg. This value does not set the size of the Data field, but it does set the maximum size that the Platform Agent can log. For more information, see Chapter 3, "Installing and Configuring the Platform Agent, " on page 13. The maximum size of the Data field is defined by the database where the data is logged, so the size varies for each database that is used. If the size of the Data field logged by the Platform Agent exceeds the maximum size allowed by the database, the channel driver truncates the data in the Data field. If an event has more data than can be stored in the String and Numeric value fields, it is possible to store up to 3 KB of binary data in the Data field.
6 Click OK to return to the Policy Builder to construct the remainder of your policy. For more information and examples of the Generate Event action, see "Generate Event" in the Policies in Designer 3. 0 guide.
4. 2. 2 Using Status Documents to Generate Events
Status documents generated through style sheets using the <xsl:message> element are sent to Novell Audit with an event ID that corresponds to the status document level attribute. The level attributes and corresponding event IDs are defined in the following table:
Table 4-2 Status Documents
Status Level
Status Event ID
Success Retry Warning Error Fatal User Defined
EV_LOG_STATUS_SUCCESS (1) EV_LOG_STATUS_RETRY (2) EV_LOG_STATUS_WARNING (3) EV_LOG_STATUS_ERROR (4) EV_LOG_STATUS_FATAL (5) EV_LOG_STATUS_OTHER (6)
The following example generates an event 0x004 and value1=7777, with a level of EV_LOG_STATUS_ERROR:
<xsl:message> <status level="error" text1="This would be text1" value="7777">This data would be in the blob and in text 2, since no value is specified for text2 in the attributes. </status> </xsl:message>
24
Identity Manager 3. 6 Integration Guide for Novell Audit
novdocx (en) 11 July 2008
The following example generates a Novell Audit event 0x004 and value1=7778, with a level of EV_LOG_STATUS_ERROR:
<xsl:message> <status level="error" text1="This would be text1" text2="This would be text2" value1="7778">This data would be in the blob only for this case, since a value for text2 is specified in the attributes. </status> </xsl:message>
4. 3 eDirectory Objects that Store Identity Manager Event Data
The Identity Manager events you want to log are stored in the DirXML-LogEvent attribute on the driver set or the driver. The attribute is a multi-value integer with each value identifying an event ID to be logged. You do not need to modify these attributes directly, because these objects are automatically configured based on your selections in iManager. Before logging an event, the engine checks the current event type against the contents of the DirXML-LogEvent attribute to determine whether the event should be logged. The DirXML-DriverTraceLevel attribute of a driver has the highest precedence when determining log settings. If a driver does not contain a DirXML-DriverTraceLevel attribute, the engine uses the log settings from the parent driver set.
Managing Identity Manager Events
25
novdocx (en) 11 July 2008
26
Identity Manager 3. 6 Integration Guide for Novell Audit
novdocx (en) 11 July 2008
5
Using Status Logs
In addition to the functionality provided by Novell® Audit, Identity Manager logs a specified number of events on the driver set and the driver. After the log reaches the set size, the oldest half of the log is permanently removed to clear room for more recent events. Therefore, any events you want to track over time should be logged to Novell Audit. The following sections contain information on the Identity Manager logs: Section 5. 1, "Setting the Log Level and Maximum Log Size, " on page 27 Section 5. 2, "Viewing Status Logs, " on page 29
5
5. 1 Setting the Log Level and Maximum Log Size
Status logs can be configured to hold between 50 and 500 events. This setting can be configured for the driver set to be inherited by all drivers in the driver set, or configured for each driver in the driver set. The maximum log size operates independently of the events you have selected to log, so you can configure the events you want to log for the driver set, then specify a different log size for each driver in the set. This section reviews how to set the maximum log size on the driver set or an individual driver: Section 5. 1. 1, "Setting the Log Level and Log Size for the Driver Set, " on page 27 Section 5. 1. 2, "Setting the Log Level and Log Size for the Driver, " on page 28
5. 1. 1 Setting the Log Level and Log Size for the Driver Set
1 In iManager, select Identity Manager > Identity Manager Overview. 4 Select Driver Set > Edit Driver Set properties.
5 Select Log Level.
Using Status Logs
27
novdocx (en) 11 July 2008
6 Specify the maximum log size in the Maximum number of entries in the log field:
7 After you have specified the maximum number, click OK.
5. 1. 2 Setting the Log Level and Log Size for the Driver
1 In iManager select Identity Manager > Identity Manager Overview. 4 Click the upper right corner of the driver icon, then select Edit properties.
5 Select Log Level. 6 Deselect Use log settings from the driver set option, if it is selected. [. . . ] For more information, see Section 5. 1, "Setting the Log Level and Maximum Log Size, " on page 27.
A. 3 Job Events
The following link lists the Job events that can be audited through Novell Audit or Novell SentinelTM: Identity Manager Job Events (. . /samples/idm_combo_events. xls)
A. 4 Remote Loader Events
The following link lists the Remote Loader events that can be audited through Novell Audit or Novell Sentinel: Identity Manager Remote Loader Events (. . /samples/idm_combo_events. xls) IMPORTANT: To log these events, you must select the Log Specific Events log level and select the events you want to log. For more information, see Section 5. 1, "Setting the Log Level and Maximum Log Size, " on page 27.
A. 5 Object Events
The following link lists the object events that can be audited through Novell Audit or Novell Sentinel: Identity Manager Detail Events (. . /samples/idm_combo_events. xls)
40
Identity Manager 3. 6 Integration Guide for Novell Audit
novdocx (en) 11 July 2008
A. 6 Password Events
The following link lists the change password events that can be audited through Novell Audit or Novell Sentinel: Identity Manager Password Events (. . /samples/idm_combo_events. xls)
A. 7 Search List Events
The following link lists search list events that can be audited through Novell Audit or Novell Sentinel: Identity Manager Search List Events (. . /samples/idm_combo_events. xls)
A. 8 Engine Events
The following link lists the engine events that can be audited through Novell Audit or Novell Sentinel: Identity Manager Engine Events (. . /samples/idm_engine_events. xls)
A. 9 Server Events
The following link lists the server events that can be audited through Novell Audit or Novell Sentinel: Identity Manager Server Events (. . /samples/idm_server_events. xls)
A. 10 Security Events
The following link lists security events that can be audited through Novell Audit or Novell Sentinel: Identity Manager Security Events (. . /samples/idm_security_events. xls)
A. 11 Workflow Events
The following link lists User Application events that can be audited through Novell Audit or Novell Sentinel: Identity Manager Work Flow Events (. . /samples/idm_workflow_events. xls)
A. 12 Driver Start and Stop Events
Identity Manager can generate an event whenever a driver starts or stops. The following table contains details about these events:
Identity Manager Events
41
novdocx (en) 11 July 2008
Table A-2 Driver Start and Stop Events
Event
Log Level
Information
EV_LOG_DRIVER_START
LOG_INFO
To log driver starts, select the Log Specific Events log level and specify this event. For more information, see Section 5. 1, "Setting the Log Level and Maximum Log Size, " on page 27 To log driver stops, select the Log Errors and Warnings log level, or select the Log Specific Events log level and specify this event. [. . . ]