Anonymous_User Absent Member.

Events related "Add Value" from platform agent audit


I want to audit "Login Disabled", "Create Object" and "Intruder
Detected" on eDirectory.

I configured auditing through iManager:

Meta:
  Login Disabled
  Intruder Detected
Objects:
  Change Password
  Create (User and NrfRole)
  Delete (User and NrfRole)
LDAP:
  LDAP Password Modify


If I don't set "Add Value" in Attributes, the audit doesn't send those
events. But if I set it, the audit sends many "Add Value" events for each
event ("Login Disabled", "Create Object" or "Intruder Detected").

Is there any way to audit those events without the "Add Value"
events?


--
shinojosa
------------------------------------------------------------------------
shinojosa's Profile: https://forums.netiq.com/member.php?userid=539
View this thread: https://forums.netiq.com/showthread.php?t=46446

Anonymous_User Absent Member.

Re: Events related "Add Value" from platform agent audit


Component versions are:

eDirectory for Linux x86_64 v8.8 SP6
Audit Platform Agent 2.0.2
EAS 4.0.1
Sentinel Collector for eDirectory 6.1r9 (the latest version)


For example, if in the iManager audit configuration I set "Add Value" in
"Attributes", I received the events:

Add Value - Locked By Intruder
Add Value - pwdAccountLockedTime
Add Value - Login Intruder Reset Time
Add Value - Login Intruder Address
Add Value - pwdFailureTime
Intruder Detected

But I want only "Intruder Detected".


--
shinojosa

Anonymous_User Absent Member.

Re: Events related "Add Value" from platform agent audit

The eDirectory collector documentation covers this requirement. The
reason for it is that when eDirectory creates an object the create event
itself happens before the Object Class attribute is added, so the actual
create doesn't even have an object class right away. That is added
immediately, but as an 'Add Value' event. As a result, historically you
needed to get a ton of Add Value events in order to get object creations
audited properly.

The Add Value configuration lets you configure the class as well as
attributes to audit, so I believe you should be able to limit which
attributes come through the 'Add Value' events. Add in 'Object Class' to
see if that does what you're after.

Good luck.
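The behaviour described in the last reply, as an added example (not code from the thread or from any NetIQ product): a filter placed after the collector that uses the "Add Value - Object Class" event only to label the preceding "Create Object" event, then discards every "Add Value" event. The event dictionaries, field names and DNs are constructed assumptions, not the Platform Agent's or the Sentinel collector's real schema.

```python
# Constructed sample stream, in arrival order. Field names are assumptions.
SAMPLE = [
    {"event": "Create Object", "object": "cn=jdoe,ou=users,o=acme"},
    {"event": "Add Value", "object": "cn=jdoe,ou=users,o=acme",
     "attribute": "Object Class", "value": "Top"},
    {"event": "Add Value", "object": "cn=jdoe,ou=users,o=acme",
     "attribute": "Object Class", "value": "User"},
    {"event": "Add Value", "object": "cn=jdoe,ou=users,o=acme",
     "attribute": "Surname", "value": "Doe"},
    {"event": "Create Object", "object": "cn=prn1,ou=devices,o=acme"},
    {"event": "Add Value", "object": "cn=prn1,ou=devices,o=acme",
     "attribute": "Object Class", "value": "Printer"},
    {"event": "Add Value", "object": "cn=jdoe,ou=users,o=acme",
     "attribute": "Locked By Intruder", "value": "TRUE"},
    {"event": "Add Value", "object": "cn=jdoe,ou=users,o=acme",
     "attribute": "pwdFailureTime", "value": "20120101000000Z"},
    {"event": "Intruder Detected", "object": "cn=jdoe,ou=users,o=acme"},
]

PASS_THROUGH = {"Intruder Detected", "Login Disabled"}
WANTED_CLASSES = {"user", "nrfrole"}   # classes selected in the question


def reduce_events(events):
    """Keep pass-through events and creates of wanted classes; drop Add Value."""
    pending = {}   # object DN -> Create Object event still waiting for its class
    out = []
    for ev in events:
        name, dn = ev["event"], ev["object"].lower()
        if name == "Create Object":
            # The create event arrives before the class is known, so hold it.
            pending[dn] = ev
        elif name == "Add Value":
            # Object Class is multi-valued: emit the create on the first
            # value that matches a wanted class, ignore the other values.
            if (ev.get("attribute") == "Object Class" and dn in pending
                    and ev["value"].lower() in WANTED_CLASSES):
                out.append({**pending.pop(dn), "class": ev["value"]})
            # The Add Value event itself is never forwarded.
        elif name in PASS_THROUGH:
            out.append(ev)
    return out


if __name__ == "__main__":
    for ev in reduce_events(SAMPLE):
        print(ev)
```

Creates of other classes (the printer here) stay in `pending` and are never emitted; a long-running filter would need to expire those entries.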