
CEF vs OSP in 4.7

Hello!

Short story, I've gotten UA to send logs to Sentinel using Syslog/CEF,
but I can't get it to work with OSP.

How can I get to only use 1 logging solution (i.e. CEF) instead of both
CEF and the Platform Agent?

If I change this parameter to "true" in the setenv.sh file then OSP
sends logs to Sentinel using the Platform Agent:
-Dcom.netiq.idm.osp.audit.enabled=false

BUT in 4.7, there is a CEF cache dir.
In my /opt/netiq/idm/apps/audit directory I have a VQFcef.osp.bin file,
which just grows. It seems to contain OSP events that are *not* being
sent to Sentinel.

In the Identity Applications admin guide there is mention of using the
Platform Agent, very confusing.

https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin/data/b1bvq28p.html

It also tells me to go to Administration -> Logging in UA which seems to
be inaccessible in 4.7.

Anyway, in the ism-configuration.properties I have this configuration
which comes from configupdate.sh but doesn't seem to have any effect
since I have to edit idmuserapp_logging.xml file manually according to
some other docs:
https://www.netiq.com/documentation/identity-manager-47/configure_auditing/data/t443905wpo68.html

com.netiq.ism.audit.cef.enabled = true
com.netiq.ism.audit.cef.host = 192.168.0.7
com.netiq.ism.audit.cef.port = 1468
com.netiq.ism.audit.cef.protocol =tcp
com.netiq.ism.audit.cef.cache-file-dir = /opt/netiq/idm/apps/audit

-alekz



Re: CEF vs OSP in 4.7

Hi alekz,

Thanks for sharing your observation.

Listed below are the steps to enable OSP events in CEF format:

- Launch configupdate.sh utility, and select CEF Auditing tab
- Check the send audit events option and provide the required inputs to send the CEF audit events to sentinel server
- Provide novlua user permissions to the cache directory
- Restart tomcat

This should enable OSP to generate and send audit events to the Sentinel server in CEF format.

Please let me know if more information is required.

Thanks & Regards,
SivaSaran.K.R
Micro Focus Expert
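The checks below are an added example, not part of this thread and not NetIQ's own tooling: a POSIX shell script that reads the five com.netiq.ism.audit.cef.* keys alekz pasted from ism-configuration.properties, validates them, confirms the cache directory is owned by the novlua user SivaSaran refers to, and can probe the Sentinel TCP listener. The accepted protocol values (tcp/udp), the nc fallback and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): trace a growing VQFcef.osp.bin back to
# a bad host/port, a protocol mismatch, or a cache dir novlua cannot write to.

# Read one key from a Java-style properties file, tolerating the uneven
# spacing around '=' seen in the thread ("protocol =tcp").
prop_get() {   # prop_get FILE KEY -> value with surrounding whitespace removed
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Validate the CEF keys; prints one line per finding, returns 0 only when
# everything needed to reach the Sentinel CEF listener is present.
check_cef_props() {   # check_cef_props FILE
    f=$1; rc=0
    enabled=$(prop_get "$f" com.netiq.ism.audit.cef.enabled)
    host=$(prop_get "$f" com.netiq.ism.audit.cef.host)
    port=$(prop_get "$f" com.netiq.ism.audit.cef.port)
    proto=$(prop_get "$f" com.netiq.ism.audit.cef.protocol)
    cachedir=$(prop_get "$f" com.netiq.ism.audit.cef.cache-file-dir)
    [ "$enabled" = true ] || { echo "cef.enabled is '$enabled', not true"; rc=1; }
    [ -n "$host" ] || { echo "cef.host is empty"; rc=1; }
    case $port in ''|*[!0-9]*) echo "cef.port '$port' is not numeric"; rc=1;; esac
    case $proto in tcp|udp) ;; *) echo "cef.protocol '$proto' not tcp/udp (assumed set)"; rc=1;; esac
    [ -n "$cachedir" ] || { echo "cef.cache-file-dir is empty"; rc=1; }
    return $rc
}

# The cache dir must exist and be owned by the Tomcat user (novlua); a cache
# file that keeps growing means events are queued locally, not delivered.
check_cache_dir() {   # check_cache_dir DIR [USER]
    dir=$1; user=${2:-novlua}
    [ -d "$dir" ] || { echo "cache dir $dir missing"; return 1; }
    owner=$(ls -ld "$dir" | awk '{print $3}')
    [ "$owner" = "$user" ] || echo "warning: $dir owned by $owner, not $user"
    for c in "$dir"/*cef*.bin; do [ -f "$c" ] && ls -l "$c"; done
    return 0
}

# Confirm the Sentinel CEF listener accepts a TCP connection (nc if present,
# else bash's /dev/tcp). UDP gives no handshake to test, so it is skipped.
check_cef_listener() {   # check_cef_listener HOST PORT PROTO
    [ "$3" = tcp ] || { echo "skip: $3 has no connection handshake"; return 0; }
    if command -v nc >/dev/null 2>&1; then nc -z -w 3 "$1" "$2"
    else bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; fi
}
```

Run it against the live file with `check_cef_props /opt/netiq/idm/apps/tomcat/conf/ism-configuration.properties` and then `check_cache_dir /opt/netiq/idm/apps/audit`; the properties path is an assumption and may differ on your install.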

Re: CEF vs OSP in 4.7

Hi SivaSaran,

On 2018-04-26 12:34, sivasaran wrote:
>
> Hi alekz,
>
> Thanks for sharing your observation.
>
> Listed below are the steps to enable OSP events in CEF format
>
> - Launch configupdate.sh utility, and select CEF Auditing tab
> - Check the send audit events option and provide the required inputs to
> send the CEF audit events to sentinel server
> - Provide novlua user permissions to the cache directory
> - Restart tomcat
>
> This should enable OSP to generate and send audit events to sentinel
> server in CEF format
>
> Please let me know if more information is required


What effect does the com.netiq.idm.osp.audit.enabled parameter have on
CEF logging? Or is it only related to NAudit?


--
Norbert

Re: CEF vs OSP in 4.7

Hi alekz,

The com.netiq.idm.osp.audit.enabled parameter is for allowing OSP to send NAudit events to the audit server.

Thanks & Regards,
SivaSaran.K.R
Micro Focus Expert

Re: CEF vs OSP in 4.7

On 2018-04-27 11:34, sivasaran wrote:
>
> Hi alekz,
>
> com.netiq.idm.osp.audit.enabled parameter is for honoring OSP to send
> naudit events to audit server


So OSP will send events via NAudit and Syslog in parallel if you set
this to true and com.netiq.ism.audit.cef.enabled to true as well?


--
Norbert
Knowledge Partner

Re: CEF vs OSP in 4.7

On 2018-04-26 12:34, sivasaran wrote:
>
> Hi alekz,
>
> Thanks for sharing your observation.
>
> Listed below are the steps to enable OSP events in CEF format
>
> - Launch configupdate.sh utility, and select CEF Auditing tab
> - Check the send audit events option and provide the required inputs to
> send the CEF audit events to sentinel server
> - Provide novlua user permissions to the cache directory
> - Restart tomcat
>
> This should enable OSP to generate and send audit events to sentinel
> server in CEF format
>
> Please let me know if more information is required
>
> Thanks & Regards,
> SivaSaran.K.R
>
>

Hello SivaSaran.K.R,

Thanks for the reply.

I have configured configupdate.sh.

The issue I have is that the events are going to the cache directory
*only*, to a file called VQFcef.osp.bin.
I cannot see them going to Sentinel.

Another issue that might have to do with this is that the Sentinel
collector I have for NetIQ OneSSO 2011.1r1 is old; I don't know if it
supports CEF since it is from 28/10/13.
When I try to add a new event source to it in the Sentinel ESM I can
only choose Audit and File... not Syslog.

I'm running Sentinel 8.1.1.0_4309.

-alekz

Micro Focus Expert

Re: CEF vs OSP in 4.7

On 2018-04-27 09:57, alekz wrote:
> Another issue that might have to do with this is that the Sentinel
> collector I have for NetIQ OneSSO 2011.1r1 is old, I don't know if it
> supports CEF since it is from 28/10/13.
> When I try to add a new event source to it in the Sentinel ESM I can
> only choose Audit and File... Not Syslog.


I think as it sends CEF, the general idea is that events will be parsed
by the Universal CEF collector and thus no specialized collector is
needed. (I doubt that will work very well.)

Also SLM4IGA’s license only works with collector plugins that include a
CollectorSupportedDevice with “Novell” as Vendor. The Vendor in the
Universal CEF Collector is “Universal” so this will probably fail after
the trial license expires and silently drop all incoming events. (See
Bug 1070180 - IDM collector will not start because supported devices
vendor does not include Novell. Receiving message "starting script
engine. Collector is not licensed to run".)

--
Norbert