Novell IDENTITY MANAGER 3.6.1 Reporting Manual

For Novell Sentinel

AUTHORIZED DOCUMENTATION
Reporting Guide for Novell Sentinel®
Novell® Identity Manager 3.6.1
January 07, 2010
www.novell.com
Identity Manager 3.6.1 Reporting Guide for Novell Sentinel

Summary of Contents for Novell IDENTITY MANAGER 3.6.1

  • Page 2 Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Configuring the Novell Audit Connector
  • Page 6 How LSC Files Are Used, page 53
  • Page 7: About This Guide

    For the current Sentinel documentation, see the Sentinel Documentation Web site (http://www.novell.com/documentation/sentinel61/index.html).
    Documentation Conventions
    In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, etc.) denotes a Novell trademark.
  • Page 8 When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
  • Page 9: Overview

    1.1 Sentinel Integrated Architecture
    Sentinel is a security information management and compliance monitoring solution that monitors, responds to, and reports on security and compliance events. Sentinel easily integrates with Novell Identity Manager so you get automated, real-time security management and compliance monitoring across all systems and networks.
  • Page 10
    4. The events in the audit queue are sent to the Novell Audit Connector.
    5. The Novell Audit Connector sends the events to the Identity Manager Collector, which parses the information and then stores the parsed events in the data store.
  • Page 11: Configuring Novell Sentinel With Identity Manager

    Novell Sentinel Installation Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/sentinel_61_installation_guide.pdf).
    Install and configure the Novell Sentinel Identity Manager Collector. For more information, see Chapter 3, “Installing and Configuring the Identity Manager Collector,” on page
    Install and configure the Novell Audit Connector. For more information, see Chapter 4, “Installing and Configuring the Novell Audit Connector,”...
  • Page 13: Installing And Configuring The Identity Manager Collector

    The Identity Manager Collector parses and normalizes the raw data passed to it by the Novell® Audit Connector and converts the data into a Sentinel event. The Sentinel event can be visualized in the Active View, processed by the correlation engine, queried in a report, and added to an incident response workflow.
  • Page 14 Limit Data Rate: (Optional) Select this option to set a maximum limit on the rate of data the connector sends to Sentinel. If the data rate limit is reached, Sentinel throttles back on the source in order to limit the flow of data.
  • Page 15 Trust Event Source Time: (Optional) Select this option if you trust the Event Source server’s time. 8 Click Finish. The next step is to proceed to Chapter 4, “Installing and Configuring the Novell Audit Connector,” on page
  • Page 17: Installing And Configuring The Novell Audit Connector

    Identity Manager is instrumented to send all events to the Platform Agent for logging purposes. The Novell Audit Connector allows Sentinel to connect to Identity Manager via the Platform Agent. For more detailed information about the Novell Audit Connector, see the...
  • Page 18 8 Select whether you want to use the built-in server key pair or import server key pair, then click Next. The Novell Audit connector comes with a built-in certificate. You can use it or overwrite it with your own certificate.
  • Page 19 Save Raw Data to a File: (Optional) Save the raw data passing through this connector to a file for further analysis. Proceed to Chapter 5, “Installing and Configuring the Platform Agent,” on page
  • Page 21: Installing And Configuring The Platform Agent

    5.1 Installing the Platform Agent
    The Platform Agent is automatically installed if either the Novell Identity Manager Metadirectory Server or Novell Identity Manager Connected System option is selected during the Identity Manager install. For more information on the Identity Manager installation, see the Identity Manager 3.6.1...
  • Page 22 The following table provides an explanation of each setting in the logevent file. The Platform Agent is used by Sentinel and Novell Audit. The documentation for the Platform Agent is in the Novell Audit 2.0 Administration Guide (http://www.novell.com/documentation/novellaudit20/). IMPORTANT: You must restart the Platform Agent any time you make a change to the configuration.
  • Page 23 LogSigned=Never|Always The signature setting for Platform Agent events. IMPORTANT: Sentinel can receive and map Audit signatures to a Novell Sentinel event field; however, Novell Sentinel does not currently verify event signatures. Set to to never sign or chain events.
  • Page 25: Securing The Logging System

    The Novell® Sentinel server and Identity Manager Instrumentation utilize embedded certificates generated by an internal Certificate Authority (CA). These SSL certificates ensure that communications between the Identity Manager instrumentation and the Sentinel server are secure.
  • Page 27: Managing Identity Manager Events

    The event information sent to Novell® Sentinel is managed through product-specific instrumentations, or plug-ins. The Identity Manager Instrumentation allows you to configure which events are logged to your data store. You can select predefined log levels, or you can individually select the events you want to log.
  • Page 28 Writes Fatal, Error, Warn, and Info level messages to the log. Debug: Writes Fatal, Error, Warn, Info, and debugging information to the log. Trace: Writes Fatal, Error, Warn, Info, debugging, and tracing information to the log.
  • Page 29: Selecting Events For The Driver Set

    5 Select the Also send logging messages to Novell Audit check box to send the events to the Platform Agent. 6 (Optional) Select Also send logging messages to Open XDAS, if you want to send the messages to Open XDAS.
  • Page 30: Selecting Events For A Specific Driver

    2 Browse to and select the driver set object that contains the driver. 3 Select the driver set from the list of driver sets. 4 Click the upper right corner of the driver icon, then select Edit properties. 5 Select the Log Level tab.
  • Page 31: Identity Manager Log Levels

    6 (Optional) By default, the Driver object is configured to inherit log settings from the Driver Set object. To select logged events for this driver only, deselect Use log settings from the Driver Set. 7 Select a log level for the current driver. For an explanation of each log level, see “Identity Manager Log Levels”...
  • Page 32: User-Defined Events

    7.2 User-Defined Events
    Identity Manager enables you to configure your own events to log to Novell Sentinel. Events can be logged by using an action in the Policy Builder, or within a style sheet. Any information you have access to when defining policies can be logged.
  • Page 33
    Log Level | Description
    log-emergency | Events that cause the Metadirectory engine or driver to shut down.
    log-alert | Events that require immediate attention.
    log-critical | Events that can cause parts of the Metadirectory engine or driver to malfunction.
    log-error | Events describing errors that can be handled by the Metadirectory engine or driver.
  • Page 34 6 Click OK to return to the Policy Builder to construct the remainder of your policy. For more information and examples of the Generate Event action, see “Generate Event” in the Policies in Designer 3.5 guide.
  • Page 35: eDirectory Objects That Store Identity Manager Event Data

    7.2.2 Using Status Documents to Generate Events
    Status documents generated through style sheets using the <xsl:message> element are sent to Sentinel with an event ID that corresponds to the status document level attribute. The level attributes and corresponding event IDs are defined in the following table:
    Table 7-2 Status Documents
    Status Level...
  • Page 36 Driver object has the highest precedence when determining log settings. If a Driver object does not contain a DirXML-DriverTraceLevel attribute, the engine uses the log settings from the parent driver set. The next step is to generate reports. Proceed to Chapter 9, “Querying and Reporting,” on page
  • Page 37: Using Status Logs

    In addition to the functionality provided by Sentinel, Identity Manager logs a specified number of events on the driver set and the driver. These status logs provide a view of recent Identity Manager activity. After the log reaches the set size, the oldest half of the log is permanently removed to clear room for more recent events.
  • Page 38: Setting The Log Level And Log Size For The Driver

    5 Select Log Level. 6 Deselect Use log settings from the driver set option, if it is selected. 7 Specify the maximum log size in the Maximum number of entries in the log field:
  • Page 39: Viewing Status Logs

    8 After you have specified the maximum number, click OK.
    8.2 Viewing Status Logs
    The status logs are short-term logs for the driver set, the Publisher channel, and the Subscriber channel. They are accessed through different locations in iManager.
    Section 8.2.1, “Accessing the Driver Set Status Log,” on page 39
    Section 8.2.2, “Accessing the Publisher Channel and Subscriber Channel Status Logs,”...
  • Page 40: Accessing The Publisher Channel And Subscriber Channel Status Logs

    2 Browse to and select the driver set. 3 Click the driver set to access the driver set overview page. 4 Click the desired driver object. 5 Click the Publisher channel or the Subscriber channel status log icon.
  • Page 41: Querying And Reporting

    Sentinel 6.1 Connectors Web site (http://support.novell.com/products/sentinel/secure/sentinel61.html). Novell Sentinel is integrated with Crystal Reports to generate and display reports. To run the report templates, you must first configure the location of the Crystal Enterprise Server that publishes reports in the General Options window of the Admin page.
  • Page 42 2 Specify the location of the Crystal Enterprise server, then click Save. After Novell Sentinel is configured to access the Crystal Enterprise server, the Analysis page allows administrators to run historical reports. Vulnerability reports are available from the Advisor page.
  • Page 43: A Identity Manager Events

    Title, Group Type, Data Title, Data Type, Display Schema. For a complete explanation of the event structure, see Event Structure (http://www.novell.com/documentation/novellaudit20/novellaudit20/data/al9m381.html) in the Novell Audit 2.0 Administration Guide.
    A.2 Error and Warning Events
    Identity Manager generates an event whenever an error or warning is encountered. The following...
  • Page 44: Job Events

    Section A.13, “Log Schema Files,” on page 52 for information on understanding the logged events. A.4 Remote Loader Events The following table provides the list of Remote Loader events that can be audited through Sentinel:
  • Page 45: Object Events

    Occurs when an object is created. Section A.13, “Log Schema Files,” on page 52 for information on understanding the logged events. A.6 Password Events The following table provides the list of change password events that can be audited through Novell Sentinel:
  • Page 46: Search List Events

    30004 | Status Error | Many different events can cause the status error event to occur. It usually signifies that an operation was not completed successfully.
  • Page 47
    Event ID | Description | Trigger
    30005 | Status Fatal | Many different events can cause the status fatal event to occur. It usually signifies that an operation was not completed successfully and the engine or driver could not continue.
    30006 | Status Other | Any status document processed with a level other than the five previously defined creates a status other event.
  • Page 48
    Remove Value | Occurs when a modify operation contains a remove-value element.
    3002C | Merge Entries | Occurs when two objects are being merged.
    3002D | Get Named Password | Generated on a Get Named Password operation.
  • Page 49: Server Events

    Event ID | Description | Trigger
    3002E | Reset Attributes | Occurs when a Reset document is issued on the Publisher or Subscriber channels.
    3002F | Add Value - Add Entry | Occurs when a value is added during the creation of an object.
    30030 | Set SSO | Occurs when a driver policy executes the do-set-sso-credential action.
  • Page 50: Security Events

    Occurs on successful creation of a delegatee definition.
    31457 | Create_Delegatee_Definition_Failure | Occurs on failed creation of a delegatee definition.
    31458 | Update_Delegatee_Definition_Succe | Occurs on successful update of a delegatee definition.
    31459 | Update_Delegatee_Definition_Failur | Occurs on failed update of a delegatee definition.
  • Page 51: Workflow Events

    Event ID | Description | Trigger
    3145A | Delete_Delegatee_Definition_Succe | Occurs on successful deletion of a delegatee definition.
    3145B | Delete_Delegatee_Definition_Failure | Occurs on failed deletion of a delegatee definition.
    3145C | Create_Availability_Success | Occurs on successful creation of the availability status.
    3145D | Create_Availability_Failure | Occurs on failed creation of the availability status.
    3145E | Delete_Availability_Success | Occurs on successful deletion of the availability status.
  • Page 52: Driver Start And Stop Events

    Log Schema (LSC) files catalog the events that can be logged for a given application. They also provide event descriptions and field titles, although this is optional. For information on creating Log Schema files, see the Novell Audit SDK (http://developer.novell.com/ndk/naudit.htm).
  • Page 53: How LSC Files Are Used

    Event ID for the Remote Loader Stop event in the dirxml log schema. You can then configure a Notification Filter that selects events with an Event ID of 00030BB9. For more information on Log Schema files, refer to Log Schema Files (http://www.novell.com/documentation/novellaudit20/novellaudit20/data/alg2t8z.html) in the Novell Audit 2.0 Administration Guide.