
IDM Generate-Event in Sentinel


I have an IDM environment set up and I configured the Audit PA to send
events to the Sentinel IDM Collector. Sentinel is set up with the IDM
collector via audit to receive the messages. The setup works fine for
all built-in events.

What I am now trying to do is get custom events created with the
Generate-event token in IDM in Sentinel. They show up as an undefined
event and reference the LSC file. I have located the LSC files, but am
not able to modify those files directly. I have tried modifying them in
the cache, in the zip file after importing, and in the zip file before
posting. I tried modifying them in the zip file, then updating the xml
file with the hash values, but still am not having any luck with this.

The next thing I stumbled upon was the 'Custom Execution Mode'. I have
added the custom.js file and a LSC file which is referenced, but am not
sure of exactly what to add in the custom.js file to make the events get
properly recognized by Sentinel. Currently, my custom.js file has the
following for the customInit section:

Collector.prototype.customInit = function() {
    // load additional maps, parameters, etc
    // (this File object is created but never used below)
    var file = new File(instance.CONFIG.collDir + "dirxml_GCA.lsc");
    // extend the built-in LSC map with the custom LSC file, keyed on EventID
    this.MAPS.LSCMap.extend(this.CONFIG.collDir + "dirxml_GCA.lsc",
        "#EventID");
    return true;
}

I have uploaded the file dirxml_GCA.lsc and verified that it exists in
the plugins_repository for the aux_Identity-Manager... zip file.


--
robertivey
------------------------------------------------------------------------
robertivey's Profile: http://forums.novell.com/member.php?userid=27938
View this thread: http://forums.novell.com/showthread.php?t=426647


Re: IDM Generate-Event in Sentinel


Hi robertivey,

This is a great question; as you've seen we've included some general
methods to customize and extend existing Collectors, but to do so you
also need to know a little bit about how the particular Collector you
are extending works. We have plans to add a bit of specific
documentation to the IDM Collector since it's so common to generate
custom IDM events.

What you need to know is that normal nAudit events contain a number of
pre-defined fields such as Date, EventID, Originator, Target, Text1,
Text2, and so forth. These pre-defined buckets define a datatype and a
little teeny bit of semantics to the values contained within them, but
then on top of that the protocol uses the LSC file to add an additional
layer of semantics on top of the basic elements by adding an additional
descriptor to each field in the event per event ID. So for example
you'll see "Text2 Title" as something like "Client IP" which tells you
that the value in Text2 for event ID 00031550 is the client IP of the
system that connected to and logged in to the UserApp (note that LSC
files use an 8-digit hex value for the event IDs; I believe IDM's policy
code uses decimal so you'll have to convert).

In our IDM Collector, what we've done is written a little parser that
knows what to do for any given value in any given nAudit event field.
For this example, we've written a parser that knows to take the value in
Text2 and put it in Sentinel's "InitiatorIP" field, adjusting for
endianness and the like if necessary. If you look through the LSC file
and through 'dirxml.js', you'll see that for every combination of nAudit
field and semantic LSC definition, there's a defined parser. We use the
nAudit field codes defined at the top of the LSC, so you'll see a
function: "String.prototype["T-Client IP"]", as an example.

Now, to extend this structure is quite simple - you need to define the
equivalent of an LSC file for your custom events. To do this, copy some
lines from the existing LSC into a new file and edit them to match your
events:
1) Change the event ID to match your events. Always prefix with '0003'
- the last four digits are the hex version of your event code, so '1000'
becomes '03e8'.
2) Give your event a name
3) Assign semantic labels to your custom event fields; you should have
paid attention to the first layer of semantic meaning in Originator,
Target, etc, but fill in more detail as applicable.

Note that if you can, re-use the same semantic labels that you see
applied to other, similar IDM events.

OK, once that's done, you need to add your new LSC file to the
Collector using the "Add auxiliary file" process detailed on the
Customization page.

Next, you need to load your new LSC file and use it to extend the
existing one. Simple: from the SDK, grab a copy of custom.js and add
lines like you have above (you don't need to create a new File object
though, the single 'extend' line is sufficient).

Finally, edit your Collector and set its Execution Mode to 'custom',
then restart.

Your events should now be parsed!

The only caveat is that if you don't re-use semantic labels from other
IDM events, you'll need to define your own parser for your own
field/label combination, which you can do in custom.js just by copying
one of the parsers in dirxml.js and modifying the function name to
match.


--
DCorlette
------------------------------------------------------------------------
DCorlette's Profile: http://forums.novell.com/member.php?userid=4437
View this thread: http://forums.novell.com/showthread.php?t=426647
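To make the mechanism in the reply above concrete, here is an added stand-alone JavaScript model (not Sentinel's dirxml.js, not the Collector SDK, and not code from either poster) of the two pieces you have to get right: the decimal-to-'0003'-prefixed hex event ID conversion, and the "<nAudit field code>-<LSC label>" parser dispatch. The map layout, the helper names, the sample event and the assumption that 'T' is the field code for the Text1/Text2 buckets are mine; "InitiatorIP" is the Sentinel field named in the reply.

```javascript
// Added illustration of the event-ID conversion and the "field code + LSC label
// -> parser" dispatch described in the reply. Stand-alone model only; the map
// layout, helper names and field code 'T' are assumptions, not the SDK's API.

// IDM policy code uses decimal event codes; LSC files use 8-digit hex IDs with
// the '0003' prefix (so 1000 -> '000303e8').
function lscEventId(decimalCode) {
  if (!Number.isInteger(decimalCode) || decimalCode < 0 || decimalCode > 0xffff) {
    throw new RangeError("event code must fit in 4 hex digits: " + decimalCode);
  }
  return "0003" + decimalCode.toString(16).padStart(4, "0");
}

// Parsers keyed by "<nAudit field code>-<LSC label>", mirroring the
// String.prototype["T-Client IP"] convention quoted in the reply. Each parser
// receives the raw nAudit field value and returns {sentinelField: value}.
String.prototype["T-Client IP"] = function () {
  return { InitiatorIP: this.toString().trim() };
};
String.prototype["T-User DN"] = function () {
  return { InitiatorUserName: this.toString().split(",")[0].replace(/^cn=/i, "") };
};

// Custom LSC entries: event ID -> {name, title per nAudit Text field}.
// Constructed sample, not a real LSC file.
const customLsc = {
  [lscEventId(1000)]: { name: "Password Sync Failed",
                        Text1: "User DN", Text2: "Client IP" },
  [lscEventId(1001)]: { name: "Quota Exceeded",
                        Text1: "User DN", Text2: "Quota Bytes" }   // no parser yet
};

// Parse one nAudit-style event: look up titles by event ID, then dispatch each
// Text field to the parser for its label. Labels without a parser are reported
// so you know which "T-<label>" function custom.js still has to define.
function parseEvent(lsc, event) {
  const def = lsc[event.EventID];
  if (!def) return { unknownEvent: event.EventID };
  const out = { EventName: def.name, missingParsers: [] };
  for (const field of ["Text1", "Text2"]) {
    const label = def[field];
    const parser = String.prototype["T-" + label];
    if (typeof parser !== "function") { out.missingParsers.push("T-" + label); continue; }
    Object.assign(out, parser.call(String(event[field])));
  }
  return out;
}
```

The second constructed event shows the caveat from the reply: a label that reuses no existing semantic label ("Quota Bytes") yields no parsed field until you add a matching parser.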


Re: IDM Generate-Event in Sentinel


Hi there,
I'm about to embark on your guidance above from 2012. Have there been
any changes to this since IDM 4.0.2 and Sentinel 7.0.2? I want to use
the IDM Action "Generate Event" to send to Sentinel.
Thanks,
Kirk


--
kmaule
------------------------------------------------------------------------
kmaule's Profile: https://forums.netiq.com/member.php?userid=306
View this thread: https://forums.netiq.com/showthread.php?t=2400
