Configure audit event factories for security auditing
The audit event factory collects the data associated with the auditable security events and builds the audit data object. The object is then sent to the audit service provider to be formatted and recorded to a specified repository.
Before configuring an event factory, enable global security in the environment. An event type filter and an audit service provider need to be created before completing these steps.
- Click Security > Security Auditing > Audit event factory configurations > New.
- Enter the unique name that should be associated with this Audit event factory configuration in the Name field.
- Select either IBM audit event factory or Third party event factory.
- Enter the Third party audit event factory class name. This step is only required if a Third party event factory is being created.
- Select the appropriate audit service provider implementation from the Audit service provider dropdown menu.
- Select the event type filter configuration to be used by this audit event factory. The Filters list consists of a list of the event type filter configurations that have been created and are currently enabled.
- Select the event type filters that should be used from the Selectable filter list.
- Click Add >> to add the selected event type filter configurations to the Enabled filter lists.
- Enter any Custom properties that need to be included with this audit event factory configuration. Custom properties are only available for Third party event factory implementations.
- Click Apply.
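The same settings can be applied from a wsadmin Jython script instead of the console. The following is an added example, not IBM's code: it checks the settings against the rules in the steps above and builds the option string for the `AdminTask.createAuditEventFactory` command. The function names, the reference IDs, and the comma-separated format for multiple custom properties are assumptions.

```python
# Added example: builds the option string for wsadmin's
# AdminTask.createAuditEventFactory. All reference IDs below are constructed.
IBM_FACTORY_CLASS = "com.ibm.ws.security.audit.AuditEventFactoryImpl"


def build_create_args(name, provider_ref, filter_refs, enabled_filters,
                      third_party_class=None, custom_props=None):
    """Validate the settings the way the console steps require, then
    return the argument string for AdminTask.createAuditEventFactory."""
    if not name or not name.strip():
        raise ValueError("a unique name is required")
    if not provider_ref:
        raise ValueError("an audit service provider must be selected")
    if not filter_refs:
        raise ValueError("select at least one event type filter")
    # Only filters that exist and are enabled can be attached to a factory.
    missing = [f for f in filter_refs if f not in enabled_filters]
    if missing:
        raise ValueError("filters not enabled: " + ", ".join(missing))
    # Custom properties are only available for third-party factories.
    if custom_props and not third_party_class:
        raise ValueError("custom properties need a third-party class name")
    args = ["-uniqueName", name.strip(),
            "-className", third_party_class or IBM_FACTORY_CLASS,
            "-provider", provider_ref]
    if custom_props:
        # Assumed format for several properties: name=value,name=value
        pairs = ["%s=%s" % (k, custom_props[k]) for k in sorted(custom_props)]
        args += ["-customProperties", ",".join(pairs)]
    args += ["-auditFilters", '"%s"' % " ".join(filter_refs)]
    return " ".join(args)


def create_factory(admin_task, admin_config, **settings):
    """Run inside wsadmin: create the factory and save the configuration."""
    ref = admin_task.createAuditEventFactory(build_create_args(**settings))
    admin_config.save()
    return ref


if __name__ == "__main__":
    # Constructed sample values; in wsadmin, list the real references with
    # AdminTask.listAuditFilters() and AdminTask.listAuditEmitters().
    print(build_create_args(
        name="appSecurityFactory",
        provider_ref="auditServiceProviderImpl_1",
        filter_refs=["AuditSpecification_1", "AuditSpecification_2"],
        enabled_filters=["AuditSpecification_1", "AuditSpecification_2",
                         "AuditSpecification_3"]))
```

Inside wsadmin, call `create_factory(AdminTask, AdminConfig, name=..., provider_ref=..., filter_refs=..., enabled_filters=...)` with references taken from the live configuration.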
Results
After successful completion of these steps, you will have an event factory that can be used to gather auditable event data.
What to do next
After configuring an audit event factory, you can optionally protect the data by configuring the security auditing subsystem to sign and encrypt the audit logs.
Subtopics
- Audit event factory configuration collection
The Audit event factory configuration panel displays a list of all currently configured audit event factory implementations. This panel allows a user with the auditor role to manage their configured audit event factories. This includes the ability to configure a new implementation, which is done using the New button on this panel.
- Audit event factory settings
The Audit event factory settings panel displays the details of a specific audit event factory. The auditor uses this panel to manage and create audit event factory configurations.
- Example: Generic Event Factory Interface
This interface is used for processing generic audit events. Other interfaces can be defined which extend this interface to process specific audit event groupings, such as security events, transaction events, or some other custom grouping.
Related tasks
- Audit the security infrastructure
- Configure auditable events