Configure audit event factories for security auditing
The audit event factory collects the data associated with the auditable security events and builds the audit data object. The object is then sent to the audit service provider to be formatted and recorded to a specified repository.
Before configuring an event factory, enable global security in the environment. An event type filter and an audit service provider need to be created before completing these steps.
Tasks
- Click Security > Security Auditing > Audit event factory configurations > New.
- Enter the unique name that should be associated with this Audit event factory configuration in the Name field.
- Select either IBM audit event factory or Third party event factory.
- Enter the Third party audit event factory class name. This step is only required if a Third party event factory is being created.
- Select the appropriate audit service provider implementation from the Audit service provider dropdown menu.
- Select the event type filter configuration to be used by this audit event factory. The Filters list consists of the event type filter configurations that have been created and are currently enabled.
- Select the event type filters that should be used from the Selectable filter list.
- Click Add >> to add the selected event type filter configurations to the Enabled filter lists.
- Enter any Custom properties to be included with this audit event factory configuration. Custom properties are only available for Third party event factory implementations.
- Click Apply.
After successful completion of these steps, we will have an event factory used to gather auditable event data.
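The same configuration can be scripted with wsadmin. The following Jython script is an added example, not taken from this page or from the product's own code; it assumes the AdminTask.createAuditEventFactory command with its -uniqueName, -className, -provider and -auditFilters parameters, the IBM implementation class name shown, a semicolon-separated filter list, and constructed placeholder reference ids. The helper names build_factory_args and create_factory are hypothetical.

```python
# Added example for wsadmin -lang jython; AdminTask and AdminConfig are the
# objects wsadmin provides. All reference ids below are constructed placeholders.
IBM_FACTORY_CLASS = "com.ibm.ws.security.audit.AuditEventFactoryImpl"

def build_factory_args(name, provider_ref, filter_refs, third_party_class=None):
    """Build the createAuditEventFactory argument list from the console fields."""
    if not name or not name.strip():
        raise ValueError("Name: a unique factory name is required")
    if not provider_ref:
        raise ValueError("Audit service provider: a provider reference is required")
    enabled = []
    for ref in filter_refs:
        ref = ref.strip()
        if ref and ref not in enabled:   # drop blanks and duplicates, keep order
            enabled.append(ref)
    if not enabled:
        raise ValueError("Enabled filters: select at least one event type filter")
    # A class name is only supplied for a third-party factory; otherwise the
    # IBM implementation class is used.
    class_name = third_party_class or IBM_FACTORY_CLASS
    return ["-uniqueName", name.strip(),
            "-className", class_name,
            "-provider", provider_ref,
            # Assumption: multiple filter references are separated by ';'.
            "-auditFilters", ";".join(enabled)]

def create_factory(admin_task, admin_config, **fields):
    """Create the factory, persist the change, return the new reference id."""
    ref = admin_task.createAuditEventFactory(build_factory_args(**fields))
    admin_config.save()   # persist the change to the master configuration
    return ref

try:
    AdminTask, AdminConfig          # defined only inside wsadmin
except NameError:
    pass                            # imported outside wsadmin: nothing to run
else:
    print(create_factory(
        AdminTask, AdminConfig,
        name="myEventFactory",                          # placeholder
        provider_ref="auditServiceProviderImpl_1",      # placeholder
        filter_refs=["AuditSpecification_PLACEHOLDER_1",
                     "AuditSpecification_PLACEHOLDER_2"]))
```

Replace the placeholder references with the provider and filter references that exist in your cell before running the script.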
What to do next
After configuring an audit event factory, we can optionally protect the data by configuring the security auditing subsystem to sign and encrypt our audit logs.
Subtopics
- Audit event factory configuration collection
The Audit event factory configuration page displays a list of all currently configured audit event factory implementations.
This page allows a user with the auditor role to manage their configured audit event factories. This includes the ability to configure a new implementation, which is done using the New button on this page.
- Audit event factory settings
The Audit event factory settings page displays the details of a specific audit event factory. The auditor uses this page to manage and create audit event factory configurations.
- Example: Generic Event Factory Interface
This interface is used for processing generic audit events. Other interfaces can be defined which extend this interface to process specific audit event groupings, such as security events, transaction events, or some other custom grouping.