Auditing IDM events - where is the config stored? - Micro Focus Community

geoffc · ‎2018-06-04

Stupid question, but when you use iManager and enable auditing on the
IDM driver/driverset either through Audit or CEF or XDAS, where is the
config stored?

It persists between iManager sessions, ergo it is stored. BUt I was
looking at the objects in LDAP and cannot quite see where they are being
written.

On the NCP Server object eDir auditing is stored in one of three
multivalued attributes:
NAuditINstrumentation
xdasConfiguration
cefConfiguration (I think, I should look this one up).

They use different formats, but whatever.

I do not see the IDM auditing options I selected written there, nor on
the driver nor driverset objects, in any place obvious that I looked.

Anyone know?

geoffc · ‎2018-06-04

On 6/4/2018 11:18 AM, Geoffrey Carman wrote:
> Stupid question, but when you use iManager and enable auditing on the
> IDM driver/driverset either through Audit or CEF or XDAS, where is the
> config stored?
>
> It persists between iManager sessions, ergo it is stored. BUt I was
> looking at the objects in LDAP and cannot quite see where they are being
> written.
>
> On the NCP Server object eDir auditing is stored in one of three
> multivalued attributes:
> NAuditINstrumentation
> xdasConfiguration
> cefConfiguration (I think, I should look this one up).
>
> They use different formats, but whatever.
>
> I do not see the IDM auditing options I selected written there, nor on
> the driver nor driverset objects, in any place obvious that I looked.
>
> Anyone know?

Well that seems dumb of me. DirXML-LogEvents seems to hold integers, I
guess there is a mapping of values to events?

Is that somewhere?

geoffc · ‎2018-06-04

On 6/4/2018 11:22 AM, Geoffrey Carman wrote:
> On 6/4/2018 11:18 AM, Geoffrey Carman wrote:
>> Stupid question, but when you use iManager and enable auditing on the
>> IDM driver/driverset either through Audit or CEF or XDAS, where is the
>> config stored?
>>
>> It persists between iManager sessions, ergo it is stored. BUt I was
>> looking at the objects in LDAP and cannot quite see where they are
>> being written.
>>
>> On the NCP Server object eDir auditing is stored in one of three
>> multivalued attributes:
>> NAuditINstrumentation
>> xdasConfiguration
>> cefConfiguration (I think, I should look this one up).
>>
>> They use different formats, but whatever.
>>
>> I do not see the IDM auditing options I selected written there, nor on
>> the driver nor driverset objects, in any place obvious that I looked.
>>
>> Anyone know?
>
> Well that seems dumb of me. DirXML-LogEvents seems to hold integers, I
> guess there is a mapping of values to events?
>
> Is that somewhere?

Wait, wait, what?

Schema Manager in Designer says this is Read Only? I feel as though I am
missing something simple.

klasen · ‎2018-06-05

Hi Geoffrey,

On 2018-06-04 17:24, Geoffrey Carman wrote:
> On 6/4/2018 11:22 AM, Geoffrey Carman wrote:
>> On 6/4/2018 11:18 AM, Geoffrey Carman wrote:
>>> Stupid question, but when you use iManager and enable auditing on the
>>> IDM driver/driverset either through Audit or CEF or XDAS, where is
>>> the config stored?
>>>
>>> It persists between iManager sessions, ergo it is stored. BUt I was
>>> looking at the objects in LDAP and cannot quite see where they are
>>> being written.
>>>
>>> On the NCP Server object eDir auditing is stored in one of three
>>> multivalued attributes:
>>> NAuditINstrumentation
>>> xdasConfiguration
>>> cefConfiguration (I think, I should look this one up).
>>>
>>> They use different formats, but whatever.
>>>
>>> I do not see the IDM auditing options I selected written there, nor
>>> on the driver nor driverset objects, in any place obvious that I looked.
>>>
>>> Anyone know?
>>
>> Well that seems dumb of me. DirXML-LogEvents seems to hold integers, I
>> guess there is a mapping of values to events?

Most of them are documented at
https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/constant-values.html#com.novell.nds.dirxml.util.DxConst.LOG_EV_ADD_ASSOCIATION

There are a few more utility functions in
https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/com/novell/nds/dirxml/util/DxConst.html

>>
>> Is that somewhere?
>
> Wait, wait, what?
>
> Schema Manager in Designer says this is Read Only? I feel as though I am
> missing something simple.

One has to use extended operations to set the attribute:
https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/com/novell/nds/dirxml/ldap/SetLogEventsRequest.html

https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/?com/novell/nds/dirxml/ldap/ClearLogEventsRequest.html

For the logging protocol, I think that DirXML-LogEvents = 69 -> XDAS and
DirXML-LogEvents = 70 -> Naudit/CEF.

In 4.7 there is an additional attribute to choose between NAudit and
CEF: DirXML-LogEventsType: 1 -> NAudit 2 -> CEF

--
Norbert

--
Norbert

geoffc · ‎2018-06-05

>> Wait, wait, what?
>>
>> Schema Manager in Designer says this is Read Only? I feel as though I am
>> missing something simple.
>
> One has to use extended operations to set the attribute:
> https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/com/novell/nds/dirxml/ldap/SetLogEventsRequest.html

Which explains why my LDAP tool is not seeing it. But Alekz's Console2
is, since he has a tool to copy Audit settings.

> https://www.netiq.com/documentation/identity-manager-developer/dtd-documentation/javadocs/?com/novell/nds/dirxml/ldap/ClearLogEventsRequest.html
>
>
> For the logging protocol, I think that DirXML-LogEvents = 69 -> XDAS and
> DirXML-LogEvents = 70 -> Naudit/CEF.
>
> In 4.7 there is an additional attribute to choose between NAudit and
> CEF: DirXML-LogEventsType: 1 -> NAudit 2 -> CEF

Thanks for the notes Norbert, I totally had missed out on these
attributes before.

Auditing IDM events - where is the config stored?

Engine-Drivers