

Knowledge Partner
2018-04-26
09:31
CEF vs OSP in 4.7
Hello!
Short story, I've gotten UA to send logs to Sentinel using Syslog/CEF,
but I can't get it to work with OSP.
How can I get to only use 1 logging solution (i.e. CEF) instead of both
CEF and the Platform Agent?
If I change this parameter to "true" in the setenv.sh file then OSP
sends logs to Sentinel using the Platform Agent:
-Dcom.netiq.idm.osp.audit.enabled=false
BUT in 4.7, there is a CEF cache dir.
In my /opt/netiq/idm/apps/audit directory I have a VQFcef.osp.bin file,
which just grows. It seems to contain OSP events that are *not* being
sent to Sentinel.
In the Identity Applications admin guide there is mention of using the
Platform Agent, very confusing.
https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin/data/b1bvq28p.html
It also tells me to go to Administration -> Logging in UA which seems to
be inaccessible in 4.7.
Anyway, in the ism-configuration.properties I have this configuration
which comes from configupdate.sh but doesn't seem to have any effect
since I have to edit idmuserapp_logging.xml file manually according to
some other docs:
https://www.netiq.com/documentation/identity-manager-47/configure_auditing/data/t443905wpo68.html
com.netiq.ism.audit.cef.enabled = true
com.netiq.ism.audit.cef.host = 192.168.0.7
com.netiq.ism.audit.cef.port = 1468
com.netiq.ism.audit.cef.protocol =tcp
com.netiq.ism.audit.cef.cache-file-dir = /opt/netiq/idm/apps/audit
-alekz
6 Replies
Reddy Siva Saran

Micro Focus Expert
2018-04-26
11:27
Hi alekz,
Thanks for sharing your observation.
Listed below are the steps to enable OSP events in CEF format
- Launch configupdate.sh utility, and select CEF Auditing tab
- Check the send audit events option and provide the required inputs to send the CEF audit events to sentinel server
- Provide novlua user permissions to the cache directory
- Restart tomcat
This should enable OSP to generate and send audit events to sentinel server in CEF format
Please let me know if more information is required
Thanks & Regards,
SivaSaran.K.R
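Added example, not part of the thread or of NetIQ's tooling: a Python check for the points raised so far. It reads the com.netiq.ism.audit.cef.* keys from ism-configuration.properties, tests that the cache directory is writable, and opens a TCP connection to the configured host and port. The function names and the file path argument are assumptions; run it as the novlua account so the write test reflects that user. Treating a non-empty VQFcef.osp.bin as unsent events rests only on the observation in the first post.

```python
import os
import socket
import sys

PREFIX = "com.netiq.ism.audit.cef."  # key prefix shown in the thread

def read_cef_props(path):
    """Return the CEF audit keys (prefix stripped) from a Java-style properties file."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line[0] in "#!" or "=" not in line:
                continue  # blank line, comment, or not key=value
            key, value = (part.strip() for part in line.split("=", 1))
            if key.startswith(PREFIX):
                props[key[len(PREFIX):]] = value  # tolerates "protocol =tcp"
    return props

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port opens within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_cef(path, cache_name="VQFcef.osp.bin"):
    """Return a list of findings; an empty list means every check passed."""
    p, findings = read_cef_props(path), []
    if p.get("enabled", "").lower() != "true":
        findings.append("cef.enabled is not true")
    cache_dir = p.get("cache-file-dir", "")
    cache = os.path.join(cache_dir, cache_name)
    if not os.path.isdir(cache_dir):
        findings.append(f"cache dir missing: {cache_dir!r}")
    elif not os.access(cache_dir, os.W_OK | os.X_OK):
        findings.append(f"cache dir not writable by current user: {cache_dir}")
    elif os.path.isfile(cache) and os.path.getsize(cache) > 0:
        # Assumption from the thread: a non-empty cache file means unsent events.
        findings.append(f"{cache} holds {os.path.getsize(cache)} bytes of cached events")
    host, port, proto = p.get("host", ""), p.get("port", ""), p.get("protocol", "")
    if proto.lower() != "tcp":
        findings.append(f"protocol is {proto!r}; the connect test only covers tcp")
    elif not port.isdigit() or not tcp_reachable(host, int(port)):
        findings.append(f"cannot open tcp connection to {host}:{port}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_cef(sys.argv[1])) or "all checks passed")
```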
klasen

Micro Focus Expert
2018-04-27
07:51
Hi SivaSaran,
On 2018-04-26 12:34, sivasaran wrote:
>
> Hi alekz,
>
> Thanks for sharing your observation.
>
> Listed below are the steps to enable OSP events in CEF format
>
> - Launch configupdate.sh utility, and select CEF Auditing tab
> - Check the send audit events option and provide the required inputs to
> send the CEF audit events to sentinel server
> - Provide novlua user permissions to the cache directory
> - Restart tomcat
>
> This should enable OSP to generate and send audit events to sentinel
> server in CEF format
>
> Please let me know if more information is required
What effect does the com.netiq.idm.osp.audit.enabled parameter have on
CEF logging? Or is it only related to NAudit?
--
Norbert
Reddy Siva Saran

Micro Focus Expert
2018-04-27
10:28
Hi alekz,
com.netiq.idm.osp.audit.enabled parameter is for honoring OSP to send naudit events to audit server
Thanks & Regards,
SivaSaran.K.R
klasen

Micro Focus Expert
2018-04-27
10:44
On 2018-04-27 11:34, sivasaran wrote:
>
> Hi alekz,
>
> com.netiq.idm.osp.audit.enabled parameter is for honoring OSP to send
> naudit events to audit server
So OSP will send events via NAudit and Syslog in parallel if you set
this to true and com.netiq.ism.audit.cef.enabled to true as well?
--
Norbert


Knowledge Partner
2018-04-27
08:57
On 2018-04-26 12:34, sivasaran wrote:
>
> Hi alekz,
>
> Thanks for sharing your observation.
>
> Listed below are the steps to enable OSP events in CEF format
>
> - Launch configupdate.sh utility, and select CEF Auditing tab
> - Check the send audit events option and provide the required inputs to
> send the CEF audit events to sentinel server
> - Provide novlua user permissions to the cache directory
> - Restart tomcat
>
> This should enable OSP to generate and send audit events to sentinel
> server in CEF format
>
> Please let me know if more information is required
>
> Thanks & Regards,
> SivaSaran.K.R
>
>
Hello SivaSaran.K.R,
Thanks for the reply.
I have configured configupdate.sh.
The issue I have is that the events are going to the cache directory
*only*, to a file called VQFcef.osp.bin
I cannot see them going to Sentinel.
Another issue that might have to do with this is that the Sentinel
collector I have for NetIQ OneSSO 2011.1r1 is old, I don't know if it
supports CEF since it is from 28/10/13.
When I try to add a new event source to it in the Sentinel ESM I can
only choose Audit and File... Not Syslog.
I'm running Sentinel 8.1.1.0_4309
-alekz
klasen

Micro Focus Expert
2018-04-27
10:49
On 2018-04-27 09:57, alekz wrote:
> Another issue that might have to do with this is that the Sentinel
> collector I have for NetIQ OneSSO 2011.1r1 is old, I don't know if it
> supports CEF since it is from 28/10/13.
> When I try to add a new event source to it in the Sentinel ESM I can
> only choose Audit and File... Not Syslog.
I think as it sends CEF, the general idea is that events will be parsed
by the Universal CEF collector and thus no specialized collector is
needed. (I doubt that will work very well.)
Also SLM4IGA’s license only works with collector plugins that include a
CollectorSupportedDevice with “Novell” as Vendor. The Vendor in the
Universal CEF Collector is “Universal” so this will probably fail after
the trial license expires and silently drop all incoming events. (See
Bug 1070180 - IDM collector will not start because supported devices
vendor does not include Novell. Receiving message “starting script
engine. Collector is not licensed to run”.)
--
Norbert