Configuring Access Manager to send audit events to Sentinel and Analytics Server simultaneously

 

Introduction:

In this example environment, your Sentinel server is configured as an Audit Server for Access Manager, and Sentinel is used for all your enterprise auditing needs. But you also want to use the new Analytics Server for Access Manager-specific visual analytics. The Analytics Server filters and analyzes the events that are generated from the Access Manager components and populates the dashboard with graphs. To achieve this, the Analytics Server has to be configured as the Audit Server in your Access Manager Console.

The Admin Console configuration allows only one IP address to be configured for the Audit Server. This document explains how you can configure Access Manager to send events to both Sentinel and the Analytics Server simultaneously.

Configuration:

After installing the Analytics Server, it is imported as a new device into the Access Manager Admin Console. You have to enable all the events required for the dashboard, and the Analytics Server has to be set as the Audit Server; until you do that, the Analytics Server receives no events and the dashboard stays empty.

The following note is displayed in the Admin Console until you set the Analytics Server as the Audit Server.

Fig-1: Analytics server warning



For more information on events required for each graph refer to the following link:

https://www.netiq.com/documentation/access-manager-43-appliance/admin/data/analytics-graph-events.html

In Access Manager you have already configured Sentinel as your Audit Server, and the Admin Console will not let you add the Analytics Server IP address as a second one: you can set either the Sentinel Server or the Analytics Server as the Audit Server, but not both. To send events to both, you have to modify the rsyslog configuration file that Access Manager uses for audit forwarding.

Open the file /etc/rsyslog.d/nam.conf. If Sentinel is already configured as the Audit Server, the content looks like the following, where 10.10.1.10 is the IP address of your Sentinel Server. Note the last two lines: local0.* @@10.10.1.10:1468;ForwardFormat forwards every local0 message to Sentinel over TCP (the double @@), and the & ~ line that follows discards those messages once the forwarding actions have run.

 

#$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /var/opt/novell/novlwww/syslogserverrootca.pem
$DefaultNetstreamDriverCertFile /var/opt/novell/novlwww/syslogservercert.pem
$DefaultNetstreamDriverKeyFile /var/opt/novell/novlwww/syslogserverkey.pem
$ModLoad imtcp # load TCP listener
#$InputTCPServerStreamDriverMode 1
#$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* @@10.10.1.10:1468;ForwardFormat
& ~



To configure Access Manager to send audit events to both the Sentinel Server and the Analytics Server, add a second forwarding rule for the Analytics Server to this file. Insert the line local0.* @@10.10.2.10:1468;ForwardFormat directly after the existing Sentinel line and before the & ~ line, where 10.10.2.10 is the IP address of the Analytics Server and 1468 is the port. The position matters: & ~ discards every local0 message that reaches it, so a forwarding rule placed after that line never fires.

#$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /var/opt/novell/novlwww/syslogserverrootca.pem
$DefaultNetstreamDriverCertFile /var/opt/novell/novlwww/syslogservercert.pem
$DefaultNetstreamDriverKeyFile /var/opt/novell/novlwww/syslogserverkey.pem
$ModLoad imtcp # load TCP listener
#$InputTCPServerStreamDriverMode 1
#$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* @@10.10.1.10:1468;ForwardFormat
local0.* @@10.10.2.10:1468;ForwardFormat
& ~



Save the changes and restart the local syslog daemon. Before restarting, you can run rsyslogd -N1, which only checks the configuration syntax and reports any error that would otherwise stop rsyslog at startup.

Two points are worth checking in the file above. First, the $DefaultNetstreamDriver gtls line is commented out, so the certificate paths below it are not in use and both forwarding rules send the audit events over plain TCP; if you expected the Sentinel link to be encrypted, verify the driver setting, because the new Analytics Server rule inherits whatever driver is actually in effect. Second, the two rules run with rsyslog's default action settings: if one destination is unreachable, rsyslog suspends that forwarding action and events for that destination are dropped until it resumes, while delivery to the other destination continues. If you need events buffered for a destination that may be down, configure a disk-assisted action queue for that forwarding rule.

This configuration change has to be made on every Access Manager component: the Admin Console, each Identity Server, and each Access Gateway Server. If you later change the audit settings in the Admin Console, check that the extra forwarding line is still present on each component.

The Audit Server configuration note shown in Fig-1 will still be visible in the Admin Console. You can ignore it, because nam.conf now forwards the events to the Analytics Server as well.

Note: If you have configured clustering for the Analytics Server, then add the Virtual IP address instead of the Physical IP address of the Analytics Server.
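The steps above, applied with a small POSIX shell script, as an added example that is not part of the original article or of Access Manager itself. It assumes nam.conf uses the legacy layout shown above (a local0.* forwarding line followed by a & ~ discard line); the 10.10.x.x addresses, the port and the sample nam.conf in the demo at the bottom are constructed placeholders. The script inserts the Analytics Server rule in front of the discard line only if it is not already there, lists the resulting targets, reports whether the gtls driver is actually active, and runs rsyslog's own syntax check (rsyslogd -N1) when rsyslogd is installed.

```shell
#!/bin/sh
# Added example, not from the original article or from Access Manager.
# Edits an rsyslog nam.conf in the legacy layout shown above and provides
# the checks worth running before restarting rsyslog on each component.
# All IP addresses, ports and the demo file below are constructed placeholders.

# add_forward_target FILE IP PORT
# Inserts "local0.* @@IP:PORT;ForwardFormat" directly before the "& ~" line.
# Idempotent: an identical forwarding line already in FILE is not added twice.
add_forward_target() {
    file=$1; ip=$2; port=$3
    line="local0.* @@${ip}:${port};ForwardFormat"
    if grep -Fqx "$line" "$file"; then
        return 0                     # already configured, nothing to do
    fi
    cp "$file" "$file.bak"           # keep a copy of the pre-change file
    # "& ~" discards every local0 message that reaches it, so a forwarding
    # action placed after it never fires; the new rule must go before it.
    awk -v new="$line" '
        !done && $0 ~ /^&[[:space:]]*~[[:space:]]*$/ { print new; done = 1 }
        { print }
        END { if (!done) print new } # no discard line at all: append at end
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# list_forward_targets FILE
# Prints the IP:PORT of every local0 forwarding rule, one per line.
list_forward_targets() {
    sed -n 's/^local0\.\* @@\([^;]*\);ForwardFormat[[:space:]]*$/\1/p' "$1"
}

# tls_enabled FILE
# Succeeds only if "$DefaultNetstreamDriver gtls" is active (not commented).
# In the file shown in the article the line is commented out, so the
# certificate paths are unused and the events travel over plain TCP.
tls_enabled() {
    grep -Eq '^[[:space:]]*\$DefaultNetstreamDriver[[:space:]]+gtls' "$1"
}

# check_syntax FILE
# Runs rsyslog's config-only check (rsyslogd -N1) when rsyslogd is installed.
check_syntax() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not installed here; syntax check skipped" >&2
    fi
}

# Demo on a constructed copy of nam.conf (placeholder content, not a real file).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/nam.conf"
cat > "$demo_conf" <<'EOF'
#$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /var/opt/novell/novlwww/syslogserverrootca.pem
$ModLoad imtcp # load TCP listener
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* @@10.10.1.10:1468;ForwardFormat
& ~
EOF
add_forward_target "$demo_conf" 10.10.2.10 1468   # Analytics Server (placeholder)
add_forward_target "$demo_conf" 10.10.2.10 1468   # second call is a no-op
echo "forwarding targets now:"
list_forward_targets "$demo_conf"
if tls_enabled "$demo_conf"; then
    echo "TLS: gtls driver active"
else
    echo "TLS: gtls driver NOT active, forwarding uses plain TCP"
fi
check_syntax "$demo_conf"
rm -rf "$demo_dir"
```

Run it on each component after copying nam.conf aside, replacing the placeholder address with the real Analytics Server (or its cluster virtual IP), then restart rsyslog once the syntax check passes. The .bak copy that the function writes is what you diff against if the Admin Console later rewrites the file.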

Conclusion:

After the above explained configuration change, Access Manager Events will be sent to both Sentinel and the Analytics Server. You can launch the Analytics dashboard from Admin Console UI and visualize Access Manager specific graphs in the dashboard.

 

Labels:

How To-Best Practice