CEF vs OSP in 4.7

alekz · ‎2018-04-26

Hello!

Short story, I've gotten UA to send logs to Sentinel using Syslog/CEF,
but I can't get it to work with OSP.

How can I get to only use 1 logging solution (i.e. CEF) instead of both
CEF and the Platform Agent?

If I change this parameter to "true" in the setenv.sh file then OSP
sends logs to Sentinel using the Platform Agent:
-Dcom.netiq.idm.osp.audit.enabled=false

BUT in 4.7, there is a CEF cache dir.
In my /opt/netiq/idm/apps/audit directory I have a VQFcef.osp.bin file,
which just grows. It seems to contain OSP events that are *not* being
sent to Sentinel.

In the Identity Applications admin guide there is mention of using the
Platform Agent, very confusing.

https://www.netiq.com/documentation/identity-manager-47/identity_apps_admin/data/b1bvq28p.html

It also tells me to go to Administration -> Logging in UA which seems to
be inaccessible in 4.7.

Anyway, in the ism-configuration.properties I have this configuration
which comes from configupdate.sh but doesn't seem to have any effect
since I have to edit idmuserapp_logging.xml file manually according to
some other docs:
https://www.netiq.com/documentation/identity-manager-47/configure_auditing/data/t443905wpo68.html

com.netiq.ism.audit.cef.enabled = true
com.netiq.ism.audit.cef.host = 192.168.0.7
com.netiq.ism.audit.cef.port = 1468
com.netiq.ism.audit.cef.protocol =tcp
com.netiq.ism.audit.cef.cache-file-dir = /opt/netiq/idm/apps/audit

-alekz

Permalink · ‎2018-04-26

Hi alekz,

Thanks for sharing your observation.

Listed below are the steps to enable OSP events in CEF format

- Launch configupdate.sh utility, and select CEF Auditing tab
- Check the send audit events option and provide the required inputs to send the CEF audit events to sentinel server
- Provide novlua user permissions to the cache directory
- Restart tomcat

This should enable OSP to generate and send audit events to sentinel server in CEF format

Please let me know if more information is required

Thanks & Regards,
SivaSaran.K.R

klasen · ‎2018-04-27

Hi SivaSaran,

On 2018-04-26 12:34, sivasaran wrote:
>
> Hi alekz,
>
> Thanks for sharing your observation.
>
> Listed below are the steps to enable OSP events in CEF format
>
> - Launch configupdate.sh utility, and select CEF Auditing tab
> - Check the send audit events option and provide the required inputs to
> send the CEF audit events to sentinel server
> - Provide novlua user permissions to the cache directory
> - Restart tomcat
>
> This should enable OSP to generate and send audit events to sentinel
> server in CEF format
>
> Please let me know if more information is required

What effect does the com.netiq.idm.osp.audit.enabled parameter have on
CEF logging? Or is it only related to NAudit?

--
Norbert

--
Norbert

Permalink · ‎2018-04-27

Hi alekz,

com.netiq.idm.osp.audit.enabled parameter is for honoring OSP to send naudit events to audit server

Thanks & Regards,
SivaSaran.K.R

klasen · ‎2018-04-27

On 2018-04-27 11:34, sivasaran wrote:
>
> Hi alekz,
>
> com.netiq.idm.osp.audit.enabled parameter is for honoring OSP to send
> naudit events to audit server

So OSP will send events via NAudit and Syslog in parallel if you set
this to true and com.netiq.ism.audit.cef.enabled to true as well?

--
Norbert

--
Norbert

alekz · ‎2018-04-27

On 2018-04-26 12:34, sivasaran wrote:
>
> Hi alekz,
>
> Thanks for sharing your observation.
>
> Listed below are the steps to enable OSP events in CEF format
>
> - Launch configupdate.sh utility, and select CEF Auditing tab
> - Check the send audit events option and provide the required inputs to
> send the CEF audit events to sentinel server
> - Provide novlua user permissions to the cache directory
> - Restart tomcat
>
> This should enable OSP to generate and send audit events to sentinel
> server in CEF format
>
> Please let me know if more information is required
>
> Thanks & Regards,
> SivaSaran.K.R
>
>
Hello SivaSaran.K.R,

Thanks for the reply.

I have configured configupdate.sh.

The issue I have is that the events are going to the cache directory
*only*, to a file called VQFcef.osp.bin
I cannot see them going to Sentinel.

Another issue that might have to do with this is that the Sentinel
collector I have for NetIQ OneSSO 2011.1r1 is old, I don't know if it
supports CEF since it is from 28/10/13.
When I try to add a new event source to it in the Sentinel ESM I can
only choose Audit and File... Not Syslog.

I'm running Sentinel 8.1.1.0_4309

-alekz

klasen · ‎2018-04-27

On 2018-04-27 09:57, alekz wrote:
> Another issue that might have to do with this is that the Sentinel
> collector I have for NetIQ OneSSO 2011.1r1 is old, I don't know if it
> supports CEF since it is from 28/10/13.
> When I try to add a new event source to it in the Sentinel ESM I can
> only choose Audit and File... Not Syslog.

I think as it sends CEF, the general idea is that events will be parsed
by the Universal CEF collector and thus no specialized collector is
needed. (I doubt that will work very well.)

Also SLM4IGAâ€™s license only works with collector plugins that include a
CollectorSupportedDevice with â€œNovellâ€ as Vendor. The Vendor in the
Universal CEF Collector is â€œUniversalâ€ so this will probably fail after
the trial license expires and silently drop all incoming events. (See
See Bug 1070180 - IDM collector will not start because supported devices
vendor does not include Novell. Receiving message â€œstarting script
engine. Collector is not licensed to runâ€. )

--
Norbert

--
Norbert

Identity Applications

Re: CEF vs OSP in 4.7

Re: CEF vs OSP in 4.7

Re: CEF vs OSP in 4.7

Re: CEF vs OSP in 4.7

Re: CEF vs OSP in 4.7

Re: CEF vs OSP in 4.7