eDirectory audit, move from naudit to CEF

Hi Community,

I am planning to "migrate" our eDirectory audit configuration from naudit to CEF.
I would like to know whether any particular actions are required to avoid losing more than a minimum of events/information.
We are using the following config:
- Sentinel 8.4 (currently holding 2 SR's blocking our upgrade to 8.5)
- OES 2018 sp3
- auditing both eDirectory events and NSS events

Thanks,
Pascal

Everyone is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid. [A. Einstein]

    Hi Pascal,

    I believe you're running SLM 8.4.


    As you know, SLM is only licensed for Novell & NetIQ collectors, nothing else. SLM is restricted in a lot of ways compared to Sentinel Enterprise version.


    Now, I don't look after eDir, just Sentinel, but a colleague of mine who looks after IDM, sent this recently to a customer:
    www.netiq.com/.../identity-manager-set-up-cef-configuration.html

    ...that customer wanted to move away from platform agent to cef. You want to change audit configuration from naudit to CEF.


    Regarding any actions needed to avoid events/information loss, in eDir, I came across this, so as long as that is covered, you should be fine.
     
    www.netiq.com/.../t44e7j6b8ufi.html

    www.netiq.com/.../t44hxvikbvr5.html

    www.netiq.com/.../t44hxcdp5af4.html

    NOTE:
    If you are using eDirectory 9.1 with Identity Manager 4.7, you can enable either the CEF or the XDAS audit module. If you upgrade your Identity Manager from a previous version to 4.7, disable the XDAS audit module to use CEF with eDirectory.


    Now I know that for eDir traffic you can use our eDir collector as well. You will configure CEF, so this requires the CEF collector. You need to make sure this gets installed on Sentinel (and exists in the Sentinel library). If it is not installed yet, please go to the marketplace:
     
    marketplace.microfocus.com/
     
    marketplace.microfocus.com/.../universal-common-event-format
     
    …this is the latest CEF collector:
    Universal Common Event Format 2011.1r5 Beta.zip

    Just extract it, and the collector is within the folder. Install it through control center.


    You should be on Sentinel 8.2.2 at least. CEF is supported by Sentinel 8.2. This version comes with new schema changes which are needed for CEF parsing, and it also supports the Universal CEF collector. You're running 8.4, so you should be fine.


    Also, the Syslog 2018.1r1 connector is enhanced to support CEF format data. But this can be used starting from Sentinel 8.2. The latest syslog connector is Syslog 2021.1r1.zip, so again download/extract it, and deploy the Syslog-2021.1r1-RELEASE.cnz.zip file.
     
    marketplace.microfocus.com/.../syslog
     
    Syslog 2021.1r1.zip
     

    I hope this helps for now...


    Thanks,


    Henk


