From eDirectory version 888Patch9 and 902 we can monitor successful and failed login events through XDAS auditing with the help of the latest eDirectory Collector (2011.1r7) and NMAS Collector (2011.1r4). Modify the Directory System to report the LOGIN and AUTHENTICATE events separately. Add two new DS events DSE_LOGIN_EX (mapped to Create Session XDAS event) and DSE_AUTHENTICATE (mapped to Authentication Session XDAS event) which are used for Login and Authentication. These new events are only used by XDAS.
Also XDAS instrumentation provides reasons for login failures like "Login Failed" for the wrong password, “Account Expired” for Account disabled, and “Account Locked” for account locked due to intruder detection.
Steps to monitor successful and failed login events:
Install and configure 888Patch9/902 eDirectory server.
Install and configure Sentinel server with the latest eDirectory and NMAS collector.
Enable the XDAS auditing for eDirectory and NMAS component. Check the links below for more detail:
Unfortunately the approach of using XDAS as auditing interface does not work properly at all. Reason of it is based on decision of XDAS developers, who decided that XDAS will always send all events as INFO via log4j. In addition to this XDAS will log all events as Severity 7 (informational) so that there is a need to do the sorting/filtering of the events up to the collector and pay for events/second no one is interested in. I am curious if owner of this idea will pay expenses caused by this stupid decision (I expect monthly payments in reference to number of events/second no one is interested in). The described behavior does not conform to published documentation.