Novell Identity Manager 3.6.1 Reporting Guide for Novell Sentinel

Novell®
www.novell.com
AUTHORIZED DOCUMENTATION
novdocx (en) 17 September 2009

Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
novdocx (en) 17 September 2009
Copyright © 2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents

About This Guide 7
1 Overview 9
1.1 Sentinel Integrated Architecture 9
2 Configuring Novell Sentinel with Identity Manager 11
3 Installing and Configuring the Identity Manager Collector 13
3.1 Installing the Identity Manager Collector 13
3.2 Configuring the Identity Manager Collector 13
4 Installing and Configuring the Novell Audit Connector 17
4.1 Installing the Novell Audit Connector 17
4.2 Configuring the Novell Audit Connector 17
5 Installing and Configuring the Platform Agent 21
5.1 Installing the Platform Agent 21
5.2 Configuring the Platform Agent Text File 21
6 Securing the Logging System 25
7 Managing Identity Manager Events 27
7.1 Selecting Events to Log 27
7.1.1 Selecting Events for the User Application 27
7.1.2 Selecting Events for the Driver Set 29
7.1.3 Selecting Events for a Specific Driver 30
7.1.4 Identity Manager Log Levels 31
7.2 User-Defined Events 32
7.2.1 Using Policy Builder to Generate Events 32
7.2.2 Using Status Documents to Generate Events 35
7.3 eDirectory Objects that Store Identity Manager Event Data 35
8 Using Status Logs 37
8.1 Setting the Log Level and Maximum Log Size 37
8.1.1 Setting the Log Level and Log Size for the Driver Set 37
8.1.2 Setting the Log Level and Log Size for the Driver 38
8.2 Viewing Status Logs 39
8.2.1 Accessing the Driver Set Status Log 39
8.2.2 Accessing the Publisher Channel and Subscriber Channel Status Logs 40
9 Querying and Reporting 41
A Identity Manager Events 43
A.1 Event Structure 43
A.2 Error and Warning Events 43
A.3 Job Events 44
A.4 Remote Loader Events 44
A.5 Object Events 45
A.6 Password Events 45
A.7 Search List Events 46
A.8 Engine Events 46
A.9 Server Events 49
A.10 Security Events 50
A.11 Workflow Events 51
A.12 Driver Start and Stop Events 52
A.13 Log Schema Files 52
A.13.1 How LSC Files Are Used 53

About This Guide

Welcome to the Identity Manager Integration Guide for Novell Sentinel. This guide provides the information necessary to integrate Novell® Sentinel™ with Identity Manager to provide auditing and reporting services.
Chapter 1, “Overview,” on page 9
Chapter 2, “Configuring Novell Sentinel with Identity Manager,” on page 11
Chapter 3, “Installing and Configuring the Identity Manager Collector,” on page 13
Chapter 4, “Installing and Configuring the Novell Audit Connector,” on page 17
Chapter 5, “Installing and Configuring the Platform Agent,” on page 21
Chapter 6, “Securing the Logging System,” on page 25
Chapter 7, “Managing Identity Manager Events,” on page 27
Chapter 8, “Using Status Logs,” on page 37
Chapter 9, “Querying and Reporting,” on page 41
Appendix A, “Identity Manager Events,” on page 43

Audience
This guide is intended for network administrators.

Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to www.novell.com/documentation/feedback.html and enter your comments there.

Documentation Updates
For the most recent version of the Identity Manager 3.6.1 Integration Guide for Novell Sentinel, visit the Identity Manager Documentation Web site (http://www.novell.com/documentation/idm36/).

Additional Documentation
For the current Sentinel documentation, see the Sentinel Documentation Web site (http://www.novell.com/documentation/sentinel61/index.html).

Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a backslash. Users of platforms that require a forward slash, such as Linux* or UNIX*, should use forward slashes as required by your software.
1 Overview

Adding Novell Sentinel™ to your Identity Manager solution provides reporting services. By adding reporting, you can demonstrate that the business policies are enforced within your Identity Manager solution. This is the last component to add to your Identity Manager solution.

1.1 Sentinel Integrated Architecture

Sentinel is a security information management and compliance monitoring solution that monitors, responds to, and reports on security and compliance events. Sentinel easily integrates with Novell Identity Manager so you get automated, real-time security management and compliance monitoring across all systems and networks. The Sentinel-Identity Manager framework provides automatic documenting and reporting of security, systems, and access events across the enterprise; built-in incident management and remediation; and the ability to demonstrate and monitor compliance with internal policies and government regulations.
The following diagram illustrates the Identity Manager logging and reporting architecture when integrated with Sentinel.
Figure 1-1 Identity Manager and Sentinel Integrated Architecture
[Diagram not reproduced in this text. The component labels recoverable from the figure are: Identity Manager, Platform Agent, Events Cache (used when disconnected from the Event Source Server, emptied when reconnected to the Event Source Server), Event Source Server, Audit Queue, Port 289, Port 9099, Novell Audit Connector, Identity Manager Collector, Collector Manager, Data Store, Crystal Reports, Sentinel Control Center.]
1. An Identity Manager event occurs and it is sent to the Platform Agent. To capture all Identity Manager events, the Platform Agent must be installed and configured on each Identity Manager server.
2. (Conditional) If the Platform Agent cannot connect to the Event Source Server, the events are stored in cache until the connection is reestablished.
3. The Platform Agent sends the events to the Event Source Server, which stores the events in the audit queue.
4. The events in the audit queue are sent to the Novell Audit Connector.
5. The Novell Audit Connector sends the events to the Identity Manager Collector, which parses the information and then stores the parsed events in the data store.
6. The stored events are displayed through Crystal Reports*.
For a thorough discussion of the Sentinel architecture, see “Appendix A Sentinel Architecture” in the Novell Sentinel User’s Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/sentinel_61_user_guide.pdf).
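The cache in step 2 is the part of this flow that decides whether an outage costs you audit evidence. The following Python sketch is added here as an illustration and is not Novell's Platform Agent code: it models the send-or-cache-then-replay behaviour of steps 1 to 3 with a stand-in Event Source Server. The transport, the cache bound (max_cached), the drop-when-full policy and the event strings are all assumptions made for the example; the real agent's cache limits are set in logevent configuration and are not described on this page.

```python
"""Store-and-forward model of the Platform Agent -> Event Source Server hop.

Added illustration, not Novell code. Models steps 1-3 of the flow above:
events are cached while the Event Source Server is unreachable and are
replayed, in their original order, once the connection is re-established.
"""
from collections import deque
from typing import Deque, List


class ConnectionLost(Exception):
    """Raised by the transport when the Event Source Server is unreachable."""


class EventSourceServer:
    """Stand-in for the Sentinel Event Source Server (constructed for the demo).

    `reachable` is toggled by the demo to simulate a network outage.
    """

    def __init__(self) -> None:
        self.reachable = True
        self.audit_queue: List[str] = []   # the "audit queue" of step 3

    def receive(self, event: str) -> None:
        if not self.reachable:
            raise ConnectionLost("Event Source Server unreachable")
        self.audit_queue.append(event)


class PlatformAgent:
    """Model of the Platform Agent's send-or-cache behaviour.

    max_cached is an assumption for this example: the real agent's cache
    limits come from logevent configuration, which this guide does not show.
    """

    def __init__(self, server: EventSourceServer, max_cached: int = 1000) -> None:
        self.server = server
        self.cache: Deque[str] = deque()
        self.max_cached = max_cached
        self.dropped = 0   # events lost because the cache was full (an audit gap)

    def _cache(self, event: str) -> None:
        if len(self.cache) >= self.max_cached:
            self.dropped += 1   # assumed policy: drop the newest event when full
            return
        self.cache.append(event)

    def emit(self, event: str) -> bool:
        """Deliver one event, replaying any backlog first so ordering is kept.

        Returns True if the event reached the server, False if it was cached
        (or dropped because the cache is full).
        """
        if self.cache:
            # The backlog must go first; if it still cannot be sent, this
            # event joins the end of it.
            if not self.flush():
                self._cache(event)
                return False
        try:
            self.server.receive(event)
            return True
        except ConnectionLost:
            self._cache(event)
            return False

    def flush(self) -> bool:
        """Replay cached events in original order. True if the cache emptied."""
        while self.cache:
            try:
                self.server.receive(self.cache[0])
            except ConnectionLost:
                return False
            self.cache.popleft()   # discard only after the server accepted it
        return True


def demo() -> dict:
    """Outage in the middle of a stream; returns values a test can check."""
    server = EventSourceServer()
    agent = PlatformAgent(server, max_cached=2)
    events = [f"idm-event-{i}" for i in range(1, 7)]   # constructed sample events

    delivered_live = []
    for i, ev in enumerate(events):
        server.reachable = i < 2 or i >= 5   # events 3, 4 and 5 hit the outage
        delivered_live.append(agent.emit(ev))

    return {
        "live": delivered_live,
        "queue": list(server.audit_queue),
        "cached_after": len(agent.cache),
        "dropped": agent.dropped,
    }


if __name__ == "__main__":
    print(demo())
```

Three properties matter for an audit pipeline and the model makes each visible: replay happens in original order before any newer event is sent, an event leaves the cache only after the server has accepted it, and a full cache is a silent audit gap unless it is counted and surfaced (the dropped counter). This is why step 1 requires the Platform Agent on every Identity Manager server and why a disconnected Event Source Server should be treated as an incident rather than a transient.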
2 Configuring Novell Sentinel with Identity Manager

Use the following checklist to verify that all of the steps are completed to install and configure Sentinel™ with Identity Manager.

Install and configure the Sentinel components. The Sentinel components should be installed on a different server from the Identity Manager server. For more information, see the Novell Sentinel Installation Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/sentinel_61_installation_guide.pdf).

Install and configure the Novell Sentinel Identity Manager Collector. For more information, see Chapter 3, “Installing and Configuring the Identity Manager Collector,” on page 13.

Install and configure the Novell Audit Connector. For more information, see Chapter 4, “Installing and Configuring the Novell Audit Connector,” on page 17.

Install and configure the Platform Agent. The Platform Agent (logevent) is the client piece of the Novell auditing architecture. It is automatically installed if either the Novell Identity Manager Metadirectory Server or Novell Identity Manager Connected System option is selected during the Identity Manager install. It is also installed during the installation of the User Application. For more information on installing and configuring the Platform Agent, see Chapter 5, “Installing and Configuring the Platform Agent,” on page 21.

(Optional) Secure the connection between Identity Manager and the Platform Agent. For more information, see Chapter 6, “Securing the Logging System,” on page 25.

Select which Identity Manager events you want to log to Novell Audit. For more information, see Chapter 7, “Managing Identity Manager Events,” on page 27.

Configure the Sentinel Control Center to access the Crystal Enterprise* server for the predefined reports for Identity Manager. For more information, see Chapter 9, “Querying and Reporting,” on page 41.
3 Installing and Configuring the Identity Manager Collector

The Identity Manager Collector parses and normalizes the raw data passed to it by the Novell® Audit Connector and converts the data into a Sentinel event. The Sentinel event can be visualized in the Active View, processed by the correlation engine, queried in a report, and added to an incident response workflow.
The Identity Manager Collector can also parse non-event data and transform the raw scan data into a format understood by Sentinel. Sentinel then stores the vulnerability data in the database and includes it in the Exploit Detection map. For more detailed information about Sentinel collectors, see the Sentinel Collector Script User’s Guide (http://www.novell.com/documentation/sentinel6/pdfdoc/sentinel60_collectorguide.pdf).

3.1 Installing the Identity Manager Collector

The Identity Manager Collector must be added to the Event Source Manager to be installed. This step is only done once. The Identity Manager Collector is then displayed as a collector to select during configuration. To install the Identity Manager Collector:
1 Download the Identity Manager Collector (Novell_Identity-Manager_6.1r3.clz.zip) from the Sentinel 6.1 Connectors Web site (http://support.novell.com/products/sentinel/secure/sentinel61.html) to the server where the Sentinel Control Center is running. The Identity Manager Collector is located under the Collectors tab.
2 Log in to the Sentinel Control Center.
3 Select Event Source Management > Live View, then select Tools > Import plugin.
4 Browse to and select the Novell_Identity-Manager_6.1r3.clz.zip file, then click Next.
5 Follow the remaining prompts, then click Finish.
6 Continue with Section 3.2, “Configuring the Identity Manager Collector,” on page 13. The Identity Manager Collector must be configured to work.

3.2 Configuring the Identity Manager Collector

1 In the Event Source Management live view, right-click the Collection Manager, then click Add Collector.
2 Select Novell in the Vendor column.
3 Select Identity Manager in the Name column, then click Next.
4 From the Installed Scripts column, select Novell_Identity-Manager_6.1r3, then click Next.
5 Configure the Identity Manager Collector for your needs by using the following information (configuration parameter, default value, description):

Execution Mode (default: release): Sets the execution mode for the collector. Three options are available:
  release: Use this mode for normal operation.
  custom: Use this mode if the Identity Manager Collector is customized.
  debug: Use this mode for troubleshooting issues. It generates debug trace files.

Resolve IP and Hostname (default: no): Defines whether the Collector will attempt to translate any received IP information into hostnames and vice versa. Given the high data rates handled by the Sentinel environment, interactive DNS lookups are not performed. See the Collector Configuration Options section for information about configuring this functionality.

Resolve IP to Country (default: no): Sentinel can leverage geo-location databases to map the IP addresses in event data to the country in which that IP is located. Set this parameter to yes to turn this feature on.

MSSP Customer Name (default: unknown): Name or numeric code for a specific customer in an MSSP environment; all received data is flagged with this value so that data segregation can be maintained.

6 Click Next.
7 Complete the configuration of the Identity Manager Collector with the following information:
Name: Specify a name for this connector.
Run: Select whether the connector is started whenever the Collector Manager is started.
Alert if no data received in specified time period: (Optional) Select this option to send the No Data Alert event to Sentinel if data is not received by the Connector in the specified time period.
Limit Data Rate: (Optional) Select this option to set a maximum limit on the rate of data the connector sends to Sentinel. If the data rate limit is reached, Sentinel throttles back on the source in order to limit the flow of data.
Set Filter: (Optional) Specify a filter on the raw data passing through the connector.
Trust Event Source Time: (Optional) Select this option if you trust the Event Source server’s time.
8 Click Finish.
The next step is to proceed to Chapter 4, “Installing and Configuring the Novell Audit Connector,” on page 17.
4 Installing and Configuring the Novell Audit Connector

The Novell® Audit Connector facilitates integration between Identity Manager and Sentinel™. Identity Manager is instrumented to send all events to the Platform Agent for logging purposes. The Novell Audit Connector allows Sentinel to connect to Identity Manager via the Platform Agent. For more detailed information about the Novell Audit Connector, see the Novell Audit Connector documentation (http://support.novell.com/products/sentinel/doc/connectors/audit_connector.pdf).
You must have the Identity Manager Collector installed and configured before proceeding with the installation and configuration of the Novell Audit Connector.

4.1 Installing the Novell Audit Connector

1 Download the audit_connector.zip file from the Sentinel 6.1 Connectors Web site (http://support.novell.com/products/sentinel/secure/sentinel61.html) to the server where the Sentinel Control Center is running. The Novell Audit connector is located under the Connectors tab.
2 Log in to the Sentinel Control Center.
3 Select Event Source Management > Live View, then select Tools > Import plugin.
4 Select the Import Collector Script or Connector plugin package file (.zip) option, then click Next.
5 Browse to and select the audit_connector.zip file, then click Next.
6 Follow the remaining prompts, then click Finish.
7 Continue with Section 4.2, “Configuring the Novell Audit Connector,” on page 17. You must configure the Novell Audit connector for it to work.

4.2 Configuring the Novell Audit Connector

The Novell Audit Connector is configured to receive messages sent from Identity Manager to the Platform Agent. These events are then processed by the Identity Manager Collector.
There are multiple ways to configure the Novell Audit Connector. These instructions use the right-click menu items on the Event Source Management Graph view.
1 Right-click the Identity Manager Collector, then click Add Connector.
2 Select View Compatible Connection Methods Only.
3 Select Audit from the list of installed connectors, then click Next.
4 Click Add to add an Event Source server.
5 Select the network interface setting for the server running the Platform Agent and Identity Manager.
All network interfaces: Binds the port on all the IP addresses of the server, including the loopback address.
Internal loopback interface: Only binds the local loopback address.