Knowledge Partner
Knowledge Partner
453 views

Auditing IDM events - where is the config stored?

Stupid question, but when you use iManager and enable auditing on the
IDM driver/driverset either through Audit or CEF or XDAS, where is the
config stored?

It persists between iManager sessions, ergo it is stored. BUt I was
looking at the objects in LDAP and cannot quite see where they are being
written.

On the NCP Server object eDir auditing is stored in one of three
multivalued attributes:
NAuditINstrumentation
xdasConfiguration
cefConfiguration (I think, I should look this one up).

They use different formats, but whatever.

I do not see the IDM auditing options I selected written there, nor on
the driver nor driverset objects, in any place obvious that I looked.

Anyone know?
Labels (1)
0 Likes
4 Replies
Knowledge Partner
Knowledge Partner

Re: Auditing IDM events - where is the config stored?

On 6/4/2018 11:18 AM, Geoffrey Carman wrote:
> Stupid question, but when you use iManager and enable auditing on the
> IDM driver/driverset either through Audit or CEF or XDAS, where is the
> config stored?
>
> It persists between iManager sessions, ergo it is stored. BUt I was
> looking at the objects in LDAP and cannot quite see where they are being
> written.
>
> On the NCP Server object eDir auditing is stored in one of three
> multivalued attributes:
> NAuditINstrumentation
> xdasConfiguration
> cefConfiguration (I think, I should look this one up).
>
> They use different formats, but whatever.
>
> I do not see the IDM auditing options I selected written there, nor on
> the driver nor driverset objects, in any place obvious that I looked.
>
> Anyone know?


Well that seems dumb of me. DirXML-LogEvents seems to hold integers, I
guess there is a mapping of values to events?

Is that somewhere?

0 Likes
Knowledge Partner
Knowledge Partner

Re: Auditing IDM events - where is the config stored?

On 6/4/2018 11:22 AM, Geoffrey Carman wrote:
> On 6/4/2018 11:18 AM, Geoffrey Carman wrote:
>> Stupid question, but when you use iManager and enable auditing on the
>> IDM driver/driverset either through Audit or CEF or XDAS, where is the
>> config stored?
>>
>> It persists between iManager sessions, ergo it is stored. BUt I was
>> looking at the objects in LDAP and cannot quite see where they are
>> being written.
>>
>> On the NCP Server object eDir auditing is stored in one of three
>> multivalued attributes:
>> NAuditINstrumentation
>> xdasConfiguration
>> cefConfiguration (I think, I should look this one up).
>>
>> They use different formats, but whatever.
>>
>> I do not see the IDM auditing options I selected written there, nor on
>> the driver nor driverset objects, in any place obvious that I looked.
>>
>> Anyone know?

>
> Well that seems dumb of me. DirXML-LogEvents seems to hold integers, I
> guess there is a mapping of values to events?
>
> Is that somewhere?


Wait, wait, what?

Schema Manager in Designer says this is Read Only? I feel as though I am
missing something simple.


0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Auditing IDM events - where is the config stored?

Hi Geoffrey,

On 2018-06-04 17:24, Geoffrey Carman wrote:
> On 6/4/2018 11:22 AM, Geoffrey Carman wrote:
>> On 6/4/2018 11:18 AM, Geoffrey Carman wrote:
>>> Stupid question, but when you use iManager and enable auditing on the
>>> IDM driver/driverset either through Audit or CEF or XDAS, where is
>>> the config stored?
>>>
>>> It persists between iManager sessions, ergo it is stored. BUt I was
>>> looking at the objects in LDAP and cannot quite see where they are
>>> being written.
>>>
>>> On the NCP Server object eDir auditing is stored in one of three
>>> multivalued attributes:
>>> NAuditINstrumentation
>>> xdasConfiguration
>>> cefConfiguration (I think, I should look this one up).
>>>
>>> They use different formats, but whatever.
>>>
>>> I do not see the IDM auditing options I selected written there, nor
>>> on the driver nor driverset objects, in any place obvious that I looked.
>>>
>>> Anyone know?

>>
>> Well that seems dumb of me. DirXML-LogEvents seems to hold integers, I
>> guess there is a mapping of values to events?


Most of them are documented at
https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/constant-values.html#com.novell.nds.dirxml.util.DxConst.LOG_EV_ADD_ASSOCIATION

There are a few more utility functions in
https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/com/novell/nds/dirxml/util/DxConst.html

>>
>> Is that somewhere?

>
> Wait, wait, what?
>
> Schema Manager in Designer says this is Read Only? I feel as though I am
> missing something simple.


One has to use extended operations to set the attribute:
https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/com/novell/nds/dirxml/ldap/SetLogEventsRequest.html

https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/?com/novell/nds/dirxml/ldap/ClearLogEventsRequest.html


For the logging protocol, I think that DirXML-LogEvents = 69 -> XDAS and
DirXML-LogEvents = 70 -> Naudit/CEF.

In 4.7 there is an additional attribute to choose between NAudit and
CEF: DirXML-LogEventsType: 1 -> NAudit 2 -> CEF

--
Norbert
--
Norbert
0 Likes
Knowledge Partner
Knowledge Partner

Re: Auditing IDM events - where is the config stored?

>> Wait, wait, what?
>>
>> Schema Manager in Designer says this is Read Only? I feel as though I am
>> missing something simple.

>
> One has to use extended operations to set the attribute:
> https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/com/novell/nds/dirxml/ldap/SetLogEventsRequest.html


Which explains why my LDAP tool is not seeing it. But Alekz's Console2
is, since he has a tool to copy Audit settings.

> https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/?com/novell/nds/dirxml/ldap/ClearLogEventsRequest.html
>
>
> For the logging protocol, I think that DirXML-LogEvents = 69 -> XDAS and
> DirXML-LogEvents = 70 -> Naudit/CEF.
>
> In 4.7 there is an additional attribute to choose between NAudit and
> CEF: DirXML-LogEventsType: 1 -> NAudit 2 -> CEF


Thanks for the notes Norbert, I totally had missed out on these
attributes before.



0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.