Novell IDENTITY MANAGER 3.6.1, Reporting Manual

Page 1: ...ll www novell com novdocx en 17 September 2009 AUTHORIZED DOCUMENTATION Identity Manager 3 6 1 Reporting Guide for Novell Sentinel Identity Manager 3 6 1 January 07 2010 Reporting Guide for Novell Sentinel ...

Page 2: ...xport or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuclear missile or chemical biological weaponry end uses See the Novell International Trade Services Web page http www novell com info exports for more information on exporting Novell software Novell...

Page 3: ...ell Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the property of their respective owners ...

Page 4: ...4 Identity Manager 3 6 1 Reporting Guide for Novell Sentinel novdocx en 17 September 2009 ...

Page 5: ... 21 6 Securing the Logging System 25 7 Managing Identity Manager Events 27 7 1 Selecting Events to Log 27 7 1 1 Selecting Events for the User Application 27 7 1 2 Selecting Events for the Driver Set 29 7 1 3 Selecting Events for a Specific Driver 30 7 1 4 Identity Manager Log Levels 31 7 2 User Defined Events 32 7 2 1 Using Policy Builder to Generate Events 32 7 2 2 Using Status Documents to Gener...

Page 6: ... Event Structure 43 A 2 Error and Warning Events 43 A 3 Job Events 44 A 4 Remote Loader Events 44 A 5 Object Events 45 A 6 Password Events 45 A 7 Search List Events 46 A 8 Engine Events 46 A 9 Server Events 49 A 10 Security Events 50 A 11 Workflow Events 51 A 12 Driver Start and Stop Events 52 A 13 Log Schema Files 52 A 13 1 How LSC Files Are Used 53 ...

Page 7: ...y Manager Events on page 43 Audience This guide is intended for network administrators Feedback We want to hear your comments and suggestions about this manual and the other documentation included with this product Please use the User Comments feature at the bottom of each page of the online documentation or go to www novell com documentation feedback html and enter your comments there Documentati...

Page 8: ...2009 When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms the pathname is presented with a backslash Users of platforms that require a forward slash such as Linux or UNIX should use forward slashes as required by your software ...

Page 9: ...c documenting and reporting of security systems and access events across the enterprise built in incident management and remediation and the ability to demonstrate and monitor compliance with internal policies and government regulations The following diagram illustrates the Identity Manager logging and reporting architecture when integrated with Sentinel Figure 1 1 Identity Manager and Sentinel In...

Page 10: ...vents in the audit queue 4 The events in the audit queue are sent to the Novell Audit Connector 5 The Novell Audit Connector sends the events to the Identity Manager Collector which parses the information and then stores the parsed events in the data store 6 The stored events are displayed through Crystal Reports For a thorough discussion of the Sentinel architecture see Appendix A Sentinel Archit...

Page 11: ... Audit Connector on page 17 Install and configure the Platform Agent The Platform Agent logevent is the client piece of the Novell auditing architecture It is automatically installed if either the Novell Identity Manager Metadirectory Server or Novell Identity Manager Connected System option is selected during the Identity Manager install It is also installed during the installation of the User Ap...

Page 12: ...12 Identity Manager 3 6 1 Reporting Guide for Novell Sentinel novdocx en 17 September 2009 ...

Page 13: ...anager Collector is then displayed as a collector to select during configuration To install the Identity Manager Collector 1 Download the Identity Manager Collector Novell_Identity Manager_6 1r3 clz zip from the Sentinel 6 1 Connectors Web site http support novell com products sentinel secure sentinel61 html to the server where the Sentinel Control Center is running The Identity Manager Collector ...

Page 14: ... Mode release Sets the execution mode for the collector Three options are available release Use this mode for normal operation custom Use this mode if the Identity Manager Collector is customized debug Use this mode for troubleshooting issues It generates debug trace files Resolve IP and Hostname no Defines whether the Collector will attempt to translate any received IP information into hostnames ...

Page 15: ...Filter Optional Specify a filter on the raw data passing through the connector Trust Event Source Time Optional Select this option if you trust the Event Source server s time 8 Click Finish The next step is to proceed to Chapter 4 Installing and Configuring the Novell Audit Connector on page 17 ...

Page 16: ...16 Identity Manager 3 6 1 Reporting Guide for Novell Sentinel novdocx en 17 September 2009 ...

Page 17: ...ol Center 3 Select Event Source Management Live View then select Tools Import plugin 4 Select Import Collector Script or Connector plugin package file zip option then click Next 5 Browse to and select the audit_connector zip file then click Next 6 Follow the remaining prompts then click Finish 7 Continue with Section 4 2 Configuring the Novell Audit Connector on page 17 you must configure the Nove...

Page 18: ... new messages This is the default behavior because the Platform Agent performs caching when a connection is dropped Drop messages The Event Source Server drops the oldest message in order to accept the new message These dropped messages are lost and cannot be recovered 10 Select whether the Event Source Server disconnects an SSL connection with the Platform Agent if the connection is idle and does...

Page 19: ...y the connector in the specified time period Limit Data Rate Optional Set a maximum limit on the rate of data the connector sends to Sentinel If the data rate limit is reached Sentinel throttles back on the source in order to limit the flow of data Set Filter Optional Specify a filter on the raw data passing through the connector Save Raw Data to a File Optional Save the raw data passing through t...

Page 20: ...20 Identity Manager 3 6 1 Reporting Guide for Novell Sentinel novdocx en 17 September 2009 ...

Page 21: ...stall For more information on the Identity Manager installation see the Identity Manager 3 6 1 Installation Guide IMPORTANT The Platform Agent must be installed on every server running Identity Manager if you want to log Identity Manager events 5 2 Configuring the Platform Agent Text File After you install Identity Manager you can configure the Platform Agent The Platform Agent s configuration set...

Page 22: ...cing or system redundancy separate the IP address of each server with commas in the LogHost entry For example LogHost 192 168 0 1 192 168 0 3 192 168 0 4 The Platform Agent connects to the servers in the order specified If the first logging server goes down the Platform Agent tries to connect to the second logging server and so on LogCacheDir path The directory where the Platform Agent stores the ...

Page 23: ...ntinel does not currently verify event signatures Set to Never to never sign or chain events Set to Always to always log events with a digital signature and to sequentially chain events LogMaxBigData bytes The maximum size of the event data field The default value is 3072 bytes Set this value to the maximum number of bytes the client allows Data that exceeds the maximum is truncated or not sent if...

Page 24: ...24 Identity Manager 3 6 1 Reporting Guide for Novell Sentinel novdocx en 17 September 2009 ...

Page 25: ...er Instrumentation utilize embedded certificates generated by an internal Certificate Authority CA These SSL certificates ensure that communications between the Identity Manager instrumentation and the Sentinel server are secure The next step is to define which events to log Proceed to Chapter 7 Managing Identity Manager Events on page 27 ...

Page 26: ...26 Identity Manager 3 6 1 Reporting Guide for Novell Sentinel novdocx en 17 September 2009 ...

Page 27: ...efined Events on page 32 Section 7 3 eDirectory Objects that Store Identity Manager Event Data on page 35 7 1 Selecting Events to Log The Identity Manager Instrumentation allows you to select events to be logged for the User Application driver set or a specific driver NOTE Drivers can inherit logging configuration from the driver set Selecting Events for the Driver Set on page 29 Selecting Events ...

Page 28: ... Fatal Writes Fatal level messages to the log Error Writes Fatal and Error level messages to the log Warn Writes Fatal Error and Warn level messages to the log Info Writes Fatal Error Warn and Info level messages to the log Debug Writes Fatal Error Warn Info and debugging information to the log Trace Writes Fatal Error Warn Info debugging and tracing information to the log ...

Page 29: ...cumentation idmrbpm361 index html 7 To save the changes for any subsequent application server restarts select Persist the logging changes 8 Click Submit The User Application logging configuration is saved in installdir jboss server IDMProv conf idmuserapp_logging xml 7 1 2 Selecting Events for the Driver Set 1 In iManager select Identity Manager Identity Manager Overview 2 Browse to and select the...

Page 30: ...ttings are logged by default 7 1 3 Selecting Events for a Specific Driver 1 In iManager select Identity Manager Identity Manager Overview 2 Browse to and select the driver set object that contains the driver 3 Select the driver set from the list of driver sets 4 Click the upper right corner of the driver icon then select Edit properties 5 Select the Log Level tab ...

Page 31: ...ult 7 1 4 Identity Manager Log Levels The following table provides an explanation of the Identity Manager Instrumentation log levels Table 7 1 Identity Manager Log Levels Option Description Log errors This is the default log level The Identity Manager Instrumentation logs user defined events and all events with an error status You receive only events with a decimal ID of 196646 and an error messag...

Page 32: ... the event ID when defining your own events This ID is combined with the Identity Manager application ID of 0003 3 Select a log level Log levels enable you to group events based on the type of event being logged The following predefined log levels are available Log specific events This option allows you to select the Identity Manager events you want to log Click to select the specific events you w...

Page 33: ...ger data field is enabled in your environment The following table provides an explanation of the Identity Manager event structure Log Level Description log emergency Events that cause the Metadirectory engine or driver to shut down log alert Events that require immediate attention log critical Events that can cause parts of the Metadirectory engine or driver to malfunction log error Events describ...

Page 34: ...255 characters text3 The value of this field depends upon the event It can contain any text string up to 255 characters value The value of this field depends upon the event It can contain any numeric value up to 32 bits value3 The value of this field depends upon the event It can contain any numeric value up to 32 bits data The value of this field depends upon the event The default size of this fi...

Page 35: ...level error text1 This would be text1 text2 This would be text2 value1 7778 This data would be in the blob only for this case since a value for text2 is specified in the attributes status xsl message 7 3 eDirectory Objects that Store Identity Manager Event Data The Identity Manager events you want to log are stored in the DirXML LogEvent attribute on the Driver Set object or Driver object The attr...

Page 36: ...set The DirXML DriverTraceLevel attribute of a Driver object has the highest precedence when determining log settings If a Driver object does not contain a DirXML DriverTraceLevel attribute the engine uses the log settings from the parent driver set The next step is to generate reports Proceed to Chapter 9 Querying and Reporting on page 41 ...

Page 37: ...d to hold between 50 and 500 events This setting can be configured for the driver set to be inherited by all drivers in the driver set or configured for each driver in the driver set The maximum log size operates independently of the events you have selected to log so you can configure the events you want to log for the driver set then specify a different log size for each driver in the set This s...

Page 38: ... Level and Log Size for the Driver 1 In iManager select Identity Manager Identity Manager Overview 2 Browse to and select the driver set 3 Click the driver set to access the driver set overview page 4 Click the upper right corner of the driver icon then select Edit properties 5 Select Log Level 6 Deselect Use log settings from the driver set option if it is selected 7 Specify the maximum log size ...

Page 39: ...y drivers in the driver set All engine messages are logged There are two ways to access the driver set status log Viewing the Log from the Driver Set Overview Page on page 39 Viewing the Log from the Driver Overview Page on page 39 Viewing the Log from the Driver Set Overview Page 1 In iManager select Identity Manager Identity Manager Overview 2 Browse to and select the driver set 3 Click the driv...

Page 40: ...d Subscriber channels report channel specific messages generated by the driver such as an operation veto for an unassociated object To access the Publisher channel and the Subscriber channel logs 1 In iManager select Identity Manager Identity Manager Overview 2 Browse to and select the driver set 3 Click the driver set to access the driver set overview page 4 Click the desired driver object 5 Clic...

Page 41: ...ity Manager The term reports refers specifically to Crystal Decisions report template files rpt Crystal Decisions reports graphically summarize specific sets of log data in pie charts bar charts and so forth These reports are included with the current version of the Identity Manager Collector which can be downloaded from Sentinel 6 1 Connectors Web site http support novell com products sentinel se...

Page 42: ...rd status and implementation of audit trails Collector Controls Contains reports about event trends and Collector management Account Management Controls Contains reports about user account provisioning user account management account access management and user password management Trust Management Controls Contains reports about trust provisioning trust management and trust access management Object...

Page 43: ... A 1 Event Structure All events logged through Sentinel have a standardized set of fields This allows SentinelTM to log events to a structured database and query events across all logging applications Identity Manager events provide information in the following field structure EventID Description Originator Title Target Title Subtarget Title Text1 Title Text2 Title Text3 Title Value1 Title Value1 ...

Page 44: ...lect the Log Specific Events option and select this event For more information see Section 7 1 Selecting Events to Log on page 27 DirXML_Warning LOG_WARNING All Identity Manager warnings log this event The actual warning code encountered is stored in the event To log errors select the Log Errors or Log Errors and Warnings log level on the driver set or the individual driver You can also select the...

Page 45: ...age 52 for information on understanding the logged events A 6 Password Events The following table provides the list of change password events that can be audited through Novell Sentinel Event ID Description Trigger 30BB8 Remote Loader Start Occurs when the Remote Loader starts 30BB9 Remote Loader Stop Occurs when the Remote Loader stops 30BBA Remote Loader Connection Established Occurs when the en...

Page 46: ...d_Change_Failure Occurs when the Forgot Password change fails 31421 Forgot_Password_Change_Success Occurs when the Forgot Password change is successful Event ID Description Trigger 31430 Search_Request Occurs when a user performs a search request 31431 Search_Saved Occurs when the user selects My Saved Searches Event ID Description Trigger 30001 Status Success Many different events can cause the s...

Page 47: ...ate application and the delete is then converted into a modify that removes the association 3000F Query Schema Occurs when a query schema operation is sent to the IDM engine or driver 30010 Check Password Manual function that is initiated via iManager 30011 Check Object Password Occurs when a request is issued to check an object s password other than the driver 30012 Change Password Occurs when a ...

Page 48: ...equest Occurs when a User Agent XDS command document is sent to the Driver on the Subscriber channel 30020 Resync Driver Occurs when a resync request is issued 30021 Migrate Occurs when a migrate request is issued 30022 Driver Start Occurs when a driver is started 30023 Driver Stop Occurs when a driver is stopped 30024 Password Sync Generated when setting the distribution or simple password on an ...

Page 49: ...river Set object 307D1 Config Driver Cache Limit Occurs when the Driver Cache Limit attribute is changed on a Driver object 307D2 Config Driver Set Occurs when the Driver Set Server association is changed 307D3 Config Driver Start Option Occurs when the Driver Start Option is changed for a Driver object 307D4 Driver Resync Occurs when a resynchronization is issued for the driver 307D5 Migrate Appl...

Page 50: ...rectly to a driver 307E0 Queue Driver Event Occurs when the IDM engine receives a client request to submit a command document to a driver s event queue 307E1 Start Job Occurs when a job starts 307E2 Abort Job Occurs when a job aborts Event ID Description Trigger 31450 Create_Proxy_Definition_Success Occurs on successful creation of a proxy definition 31451 Create_Proxy_Definition_Failure Occurs on...

Page 51: ...n Trigger 31520 Workflow_Error Occurs when there is a workflow error 31521 Workflow_Started Occurs when the workflow starts 31522 Workflow_Forwarded Occurs when the workflow is forwarded 31523 Workflow_Reassigned Occurs when the workflow is reassigned 31524 Workflow_Approved Occurs when the workflow is approved 31525 Workflow_Refused Occurs when the workflow is refused 31526 Workflow_Ended Occurs ...

Page 52: ...n the revoking of an entitlement 31533 Workflow_Retracted Occurs when the workflow is retracted 31534 Workflow_Escalated Occurs when the workflow is escalated 31535 Workflow_Reminder_Se nt Occurs when reminders are sent to addressees of a workflow task 31536 Digital_Signature Occurs whenever a digital signature is passed to the workflow engine 31470 Digital_Signature_Verifi cation_Request Occurs w...

Page 53: ...t Notifications For example if you want to receive a notification when Remote Loader stops you must first look up the Event ID for the Remote Loader Stop event in the dirxml log schema You can then configure a Notification Filter that selects events with an Event ID of 00030BB9 For more information on Log Schema files refer to Log Schema Files http www novell com documentation novellaudit20 novell...

Page 54: ...54 Identity Manager 3 6 1 Reporting Guide for Novell Sentinel novdocx en 17 September 2009 ...