
Make IDM trace appear in Sentinel


Hi,

We want to have better tracking of what happens to users in IDM, we want
to be able to send trace information from a driver to Sentinel...

For example, when we receive an add event for an object in a certain
driver we want to send that to Sentinel and log it for future use, like
troubleshooting...

I already have some trace lvl 0 messages in my drivers, but it would be
nice if that would appear in Sentinel rather than having to dig through
the driver logs.

How can I achieve this? Maybe it's documented, but I can't find
anything...


--
ccikara
------------------------------------------------------------------------
ccikara's Profile: https://forums.netiq.com/member.php?userid=506
View this thread: https://forums.netiq.com/showthread.php?t=46065


Re: Make IDM trace appear in Sentinel


> We want to have better tracking of what happens to users in IDM, we
> want to be able to send trace information from a driver to
> Sentinel...


I understand better tracking; we'll call it auditing, because that's
what it is. We'll no longer call it tracing because the trace facility
is used for troubleshooting, severely impacts performance negatively,
and implies your system is broken if you NEED to track it full time.
Further, Sentinel isn't a monitoring system, it's an auditing system, so
we'll stick with auditing. 🙂

> For example, when we receive an add event for an object in a certain
> driver we want to send that to Sentinel and log it for future use,
> like troubleshooting...


Are you in trouble, or having a problem, every time an add event goes
through? Regularly? No... you just want to know that IDM did this and
to audit IDM with Sentinel. Again, auditing, not tracing. Just
reiterating my point before telling you the answer to be sure we are on
the same page.

> I already have some trace lvl 0 messages in my drivers, but it would
> be nice if that would appear in Sentinel rather than having to dig
> through the driver logs.


We're getting closer. The trace facility also happens to, depending on
the set trace level, catch audit events as configured under a driver
config object's 'Logging' section (poorly named... should be 'Auditing',
but whatever). Besides being able to send these audits to Sentinel or
Log Manager, they are also automatically written to little attributes on
the driver and channel objects within eDirectory which is probably what
you mean when you write you see them on the driver logs (via iManager I
presume). Those are limited in size, and only have what is configured
to go there, so again sending these audits to Sentinel will be much
nicer for you. Further, while these are also in traces (for
troubleshooting), those are even worse to wade through so Sentinel is
the right place, with the right information, to put things. The answer
is coming, I promise.

> How can I achieve this? Maybe its documented, but i can't find
> anything...


IDM 4.0 SP2 docs: http://www.netiq.com/documentation/idm402
Click on Reporting Guide for Novell/NetIQ Sentinel
Section 8.0 talks about managing events.

Auditing, mislabeled as Logging, can be configured in the User
Application, on driver config objects (probably better than the
DriverSet object), or on the DriverSet object to apply to all
not-otherwise-configured Driver config objects. This guide talks about
setting everything up and even tells you how you can, in policy, create
your own audit events. If you do that you'll also need to configure
Sentinel to know how to handle those if you want to get the most value
from them. Doing this you use Sentinel to audit who does what, when,
and why from IDM, which is really pretty neat.

There is the possibility of more integration between the two products as
well with the Sentinel driver in IDM; this feeds Identity information to
Sentinel specifically so that Sentinel can tie identities (real people)
to multiple usernames/IDs as they come in from disparate systems. For
example, 'ab' in eDirectory, 'ab@novell.com' in a mail system,
'cn=ab,dc=user,dc=data' in an LDAP system, and
'pk=1234,table=user,database=hrsystem' as a unique identity in a
database are all tied to one person, but each system will send events to
Sentinel with that different unique string. With identity integration
completed all events show up as a single user, complete with picture if
available, so that Sentinel is much more powerful in how it analyzes
things or displays them back to you, the administrator. No more "Was it
this username or that username or the other username, who are all Bob?",
but rather you search for things linked to the Identity of Bob.
Reporting... the same. Correlation, I believe also integrated.

On another theoretical note, if you are ever wondering why some objects
synchronize via IDM you may not be using entitlements. Whether using
Role-Based Entitlements (RBE) or enabling workflows around every
entitlement granted, there are ways of ensuring there is more business
process around each user synchronized which can have security benefits
(not every user needs to be provisioned to the financial or HR systems),
licensing benefits (some applications to which you provision may have
user-based (as in, a count of them) licensing which you can avoid by
only putting necessary users there), or other benefits specific to your
company. Workflows can be audited more closely ("Who, exactly, allowed
Bob into the HR system without a background check first?") and in
customized ways, and even Role-Based Entitlements at least make it
possible for you to setup simple rules on which users get which
entitlements, which then let those users through to certain applications.

Good luck.

Re: Make IDM trace appear in Sentinel


Thank you very much!

This has helped me a lot.

Regards,
Craig Cikara


--
ccikara
------------------------------------------------------------------------
ccikara's Profile: https://forums.netiq.com/member.php?userid=506
View this thread: https://forums.netiq.com/showthread.php?t=46065


Re: Make IDM trace appear in Sentinel


I have another question...

I have setup a generate event rule in one of the policies in a driver.

I see in the trace that the rule is "executed"

> 08:56:55 4B433710 Drvrs: UserManagementDriver ST: Action:
> do-generate-event(id="1202",level="log-warning","User
> "+token-attr("CN")+"bla","text2","text3").
> 08:56:55 4B433710 Drvrs: UserManagementDriver ST: text1("User
> "+token-attr("CN")+"bla")
> 08:56:55 4B433710 Drvrs: UserManagementDriver ST: token-text("User ")
> 08:56:55 4B433710 Drvrs: UserManagementDriver ST: token-attr("CN")
> 08:56:55 4B433710 Drvrs: UserManagementDriver ST: Query from policy
> 08:56:55 4B433710 Drvrs: UserManagementDriver ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <input>
> <query class-name="User" dest-dn="\FRGSITIDV\co\fnb\users\3574504"
> dest-entry-id="357658" scope="entry">
> <read-attr attr-name="CN"/>
> </query>
> </input>
> </nds>
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Pumping XDS to
> eDirectory.
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Performing operation
> query for \FRGSITIDV\co\fnb\users\3574504.
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: --JCLNT--
> \FRGSITIDV\co\fnb\services\DriverSet\User Management : Duplicating :
> context = 179241027, tempContext = 179241083
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: --JCLNT--
> \FRGSITIDV\co\fnb\services\DriverSet\User Management : Calling free on
> tempContext = 179241083
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Query from policy
> result
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST:
> <nds dtdversion="4.0" ndsversion="8.x">
> <source>
> <product edition="Advanced" version="4.0.1.0">DirXML</product>
> <contact>Novell, Inc.</contact>
> </source>
> <output>
> <instance class-name="User"
> qualified-src-dn="O=co\OU=fnb\OU=users\CN=3574504"
> src-dn="\FRGSITIDV\co\fnb\users\3574504" src-entry-id="357658">
> <attr attr-name="CN">
> <value naming="true" timestamp="1345219636#64"
> type="string">3574504</value>
> </attr>
> </instance>
> <status level="success"></status>
> </output>
> </nds>
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Token Value:
> "3574504".
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: token-text("bla")
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Arg Value: "User
> 3574504bla".
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: text2("text2")
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: token-text("text2")
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Arg Value: "text2".
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: text3("text3")
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: token-text("text3")
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Arg Value: "text3".
> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Direct command from
> policy


But that is all in the trace that is relevant to the generate event, I
could not find a success status either.

Should I not see that event in the driver's status log? The rule is on
the subscriber, so I should see it in the subscriber status log right?
Even if Sentinel is not setup correctly?

I have set the logging for the driver to "Log errors and warnings" then
"log specific events", either should work from what I see in the
documentation. Looks like user generated events will always show.

Thanks in advance

Regards,
Craig Cikara


--
ccikara
------------------------------------------------------------------------
ccikara's Profile: https://forums.netiq.com/member.php?userid=506
View this thread: https://forums.netiq.com/showthread.php?t=46065
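The first reply says custom audit events can be raised from policy, and the trace in the post above shows one such do-generate-event action being executed. The DirXML-Script rule below is an added example, not code from this thread or from NetIQ, of what that action looks like inside a driver policy (for instance a Subscriber Event Transformation policy). It fires on an add of a User object and raises event id 1202 at level log-warning with a CN-based text1, matching the values visible in the trace; the rule description, the contents of text2 and text3, and the driver name "UserManagementDriver" are assumed placeholders.

```xml
<policy>
  <rule>
    <description>Audit: User object added (custom event for Sentinel)</description>
    <conditions>
      <and>
        <!-- only fire for add events on User objects -->
        <if-operation mode="case" op="equal">add</if-operation>
        <if-class-name mode="case" op="equal">User</if-class-name>
      </and>
    </conditions>
    <actions>
      <!-- id: policy-generated events use a custom id in the 1000-1999 range.
           level: the same value the trace above shows, "log-warning". -->
      <do-generate-event id="1202" level="log-warning">
        <!-- text1: "User <CN> added". token-attr reads the attribute from the
             current operation and otherwise queries eDirectory, which is the
             "Query from policy" seen in the trace above. -->
        <arg-string name="text1">
          <token-text xml:space="preserve">User </token-text>
          <token-attr name="CN"/>
          <token-text xml:space="preserve"> added</token-text>
        </arg-string>
        <!-- text2: source DN of the object the event was raised for -->
        <arg-string name="text2">
          <token-src-dn/>
        </arg-string>
        <!-- text3: assumed placeholder identifying the driver -->
        <arg-string name="text3">
          <token-text xml:space="preserve">UserManagementDriver</token-text>
        </arg-string>
      </do-generate-event>
    </actions>
  </rule>
</policy>
```

Two points from the thread that this rule depends on: the driver's Logging (auditing) setting decides which events are forwarded at all, and a custom id such as 1202 only gets a meaningful name and fields in Sentinel once the IDM collector has been told how to handle it, which is the "Handling Custom Identity Manager Events" section Norbert refers to in the reply below. Checking the raw data tap first, as he suggests, separates "the event never left IDM" from "Sentinel received it but does not know how to parse it".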


Re: Make IDM trace appear in Sentinel

Hi Craig,

are you seeing your custom event in Sentinel's raw data tap?

If you are, make sure you follow the "Handling Custom Identity Manager
Events" section in the IDM Collector documentation.

Norbert

>>> On 06.11.2012 at 08:44, ccikara<ccikara@no-mx.forums.netiq.com> wrote:


> I have another question...
>
> I have setup a generate event rule in one of the policies in a driver.
>
> I see in the trace that the rule is "executed"
>
>> 08:56:55 4B433710 Drvrs: UserManagementDriver ST: Action:
>> do-generate-event(id="1202",level="log-warning","User
>> "+token-attr("CN")+"bla","text2","text3").
>> 08:56:55 4B433710 Drvrs: UserManagementDriver ST: text1("User
>> "+token-attr("CN")+"bla")
>> 08:56:55 4B433710 Drvrs: UserManagementDriver ST: token-text("User ")
>> 08:56:55 4B433710 Drvrs: UserManagementDriver ST: token-attr("CN")
>> 08:56:55 4B433710 Drvrs: UserManagementDriver ST: Query from policy
>> 08:56:55 4B433710 Drvrs: UserManagementDriver ST:
>> <nds dtdversion="4.0" ndsversion="8.x">
>> <source>
>> <product edition="Advanced" version="4.0.1.0">DirXML</product>
>> <contact>Novell, Inc.</contact>
>> </source>
>> <input>
>> <query class-name="User" dest-dn="\FRGSITIDV\co\fnb\users\3574504"
>> dest-entry-id="357658" scope="entry">
>> <read-attr attr-name="CN"/>
>> </query>
>> </input>
>> </nds>
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Pumping XDS to
>> eDirectory.
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Performing operation
>> query for \FRGSITIDV\co\fnb\users\3574504.
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: --JCLNT--
>> \FRGSITIDV\co\fnb\services\DriverSet\User Management : Duplicating :
>> context = 179241027, tempContext = 179241083
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: --JCLNT--
>> \FRGSITIDV\co\fnb\services\DriverSet\User Management : Calling free on
>> tempContext = 179241083
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Query from policy
>> result
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST:
>> <nds dtdversion="4.0" ndsversion="8.x">
>> <source>
>> <product edition="Advanced" version="4.0.1.0">DirXML</product>
>> <contact>Novell, Inc.</contact>
>> </source>
>> <output>
>> <instance class-name="User"
>> qualified-src-dn="O=co\OU=fnb\OU=users\CN=3574504"
>> src-dn="\FRGSITIDV\co\fnb\users\3574504" src-entry-id="357658">
>> <attr attr-name="CN">
>> <value naming="true" timestamp="1345219636#64"
>> type="string">3574504</value>
>> </attr>
>> </instance>
>> <status level="success"></status>
>> </output>
>> </nds>
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Token Value:
>> "3574504".
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: token-text("bla")
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Arg Value: "User
>> 3574504bla".
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: text2("text2")
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: token-text("text2")
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Arg Value: "text2".
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: text3("text3")
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: token-text("text3")
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Arg Value: "text3".
>> 08:56:56 4B433710 Drvrs: UserManagementDriver ST: Direct command from
>> policy

>
> But that is all in the trace that is relevant to the generate event, I
> could not find a success status either.
>
> Should I not see that event in the driver's status log? The rule is on
> the subscriber, so I should see it in the subscriber status log right?
> Even if Sentinel is not setup correctly?
>
> I have set the logging for the driver to "Log errors and warnings" then
> "log specific events", either should work from what I see in the
> documentation. Looks like user generated events will always show.
>
> Thanks in advance
>
> Regards,
> Craig Cikara

