Advanced Access Control auditing events
This section lists the audit elements available for each audit event type.
Use the instructions in Configure auditing on the appliance to configure auditing on the appliance. Advanced Access Control supports the following auditing events:
- IBM_SECURITY_TRUST
- IBM_SECURITY_RUNTIME
- IBM_SECURITY_CBA_AUDIT_MGMT
- IBM_SECURITY_CBA_AUDIT_RTE
- IBM_SECURITY_RTSS_AUDIT_AUTHZ
This section describes the available elements for each event type.
Common elements for all events
The following elements are included with all security events:
- ContextDataElements
- SourceComponentId
- Situation
- Outcome
ContextDataElements
The contextId value, which is specified on the type attribute, is included in the ContextDataElements element to correlate all events associated with a single transaction.

| Attribute | Value | XPath |
| --- | --- | --- |
| name | Security Event Factory | CommonBaseEvent/contextDataElements/@name |
| type | eventTrailId | CommonBaseEvent/contextDataElements/@type |
| contextId | This element is a container element for the eventTrailId value; it does not have an XPath value. | |
| eventTrailId | The event trail identifier value, for example, FIM_116320b90110104ab7ce9df3453615a1+729829786 | CommonBaseEvent/contextDataElements/[@type='eventTrailId']/contextId |
The following are XML-formatted examples of CBE event headers containing entries for the ContextDataElements element. These entries illustrate how separate events are correlated for a single transaction.
    <CommonBaseEvent creationTime="2007-01-31T20:59:57.625Z"
                     extensionName="IBM_SECURITY_TRUST"
                     globalInstanceId="CE4454A122E10AB044A1DBB16E020E1D80"
                     sequenceNumber="1" version="1.0.1">
      <contextDataElements name="Security Event Factory" type="eventTrailId">
        <contextId>FIM_79f4e4c801101db5aba48cd8e0212be7+656317861</contextId>
      </contextDataElements>
      ...
    </CommonBaseEvent>
    <CommonBaseEvent creationTime="2007-01-31T20:59:57.765Z"
                     extensionName="IBM_SECURITY_TRUST"
                     globalInstanceId="CE4454A122E10AB044A1DBB16E02213050"
                     sequenceNumber="2" version="1.0.1">
      <contextDataElements name="Security Event Factory" type="eventTrailId">
        <contextId>FIM_79f4e4c801101db5aba48cd8e0212be7+656317861</contextId>
      </contextDataElements>
      ...
    </CommonBaseEvent>
SourceComponentId element
The SourceComponentId is an identifier representing the source that generates the event.

| Attribute | Value | XPath |
| --- | --- | --- |
| application | IBM Security Verify Access | CommonBaseEvent/sourceComponentId/@application |
| component | | CommonBaseEvent/sourceComponentId/@component |
| componentIdType | ProductName | CommonBaseEvent/sourceComponentId/@componentIdType |
| componentType | http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes | CommonBaseEvent/sourceComponentId/@componentType |
| executionEnvironment | <OS name>#<OS Architecture>#<OS.version> | CommonBaseEvent/sourceComponentId/@executionEnvironment |
| location | <hostname> | CommonBaseEvent/extendedDataElements[@name='registryInfo']/children[@name='location']/values |
| locationType | FQHostname | CommonBaseEvent/sourceComponentId/@locationType |
| subComponent | <classname> | CommonBaseEvent/sourceComponentId/@subComponent |
Situation element
The Situation element describes the circumstance that caused the audit event.

| Attribute | Value | XPath |
| --- | --- | --- |
| categoryName | ReportSituation | CommonBaseEvent/situation/@categoryName |
| reasoningScope | INTERNAL | CommonBaseEvent/situation/situationType/@reasoningScope |
| reportCategory | SECURITY | CommonBaseEvent/situation/situationType/@reportCategory |
Outcome element
The Outcome element is the result of the action for which the security event is being generated.

| Attribute | Value | XPath |
| --- | --- | --- |
| failureReason | | CommonBaseEvent/extendedDataElements[@name='outcome']/children[@name='failureReason']/values |
| majorStatus | | CommonBaseEvent/extendedDataElements[@name='outcome']/children[@name='majorStatus']/values |
| result | | CommonBaseEvent/extendedDataElements[@name='outcome']/children[@name='result']/values |
Advanced Access Control does not use the ReporterComponentId field.
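The following added example (not part of the product documentation) shows how a log consumer can use the eventTrailId and outcome XPaths above to rebuild per-transaction event trails from concatenated CBE events. The sample events, the result strings RESULT_A and RESULT_B, and all function names are constructed for illustration, and the events are assumed to be namespace-free like the header examples above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# ElementTree paths mirroring the XPaths listed above (relative to CommonBaseEvent).
TRAIL_XPATH = "contextDataElements[@type='eventTrailId']/contextId"
RESULT_XPATH = "extendedDataElements[@name='outcome']/children[@name='result']/values"
NO_TRAIL = "<no eventTrailId>"  # bucket for events that cannot be correlated

def make_event(time, seq, ext, trail, result):
    """Build one constructed CBE event for the demo (not real appliance output)."""
    return (
        f'<CommonBaseEvent creationTime="{time}" extensionName="{ext}" sequenceNumber="{seq}">'
        f'<contextDataElements name="Security Event Factory" type="eventTrailId">'
        f'<contextId>{trail}</contextId></contextDataElements>'
        f'<extendedDataElements name="outcome">'
        f'<children name="result"><values>{result}</values></children>'
        f'</extendedDataElements></CommonBaseEvent>'
    )

# Constructed sample, deliberately out of order: trail A has two events, trail B one.
SAMPLE = (
    make_event("2024-01-01T10:00:00.765Z", 2, "IBM_SECURITY_RUNTIME", "FIM_trailA+1", "RESULT_B")
    + make_event("2024-01-01T10:00:00.625Z", 1, "IBM_SECURITY_TRUST", "FIM_trailA+1", "RESULT_A")
    + make_event("2024-01-01T10:00:03.100Z", 1, "IBM_SECURITY_CBA_AUDIT_RTE", "FIM_trailB+2", "RESULT_A")
)

def correlate(xml_text):
    """Group events by eventTrailId, ordered by creationTime then sequenceNumber."""
    # Events follow each other without a common root, so wrap them before parsing.
    root = ET.fromstring(f"<events>{xml_text}</events>")
    trails = defaultdict(list)
    for ev in root.iter("CommonBaseEvent"):
        trail = ev.findtext(TRAIL_XPATH, default=NO_TRAIL)
        trails[trail].append({
            "time": ev.get("creationTime", ""),
            "sequence": int(ev.get("sequenceNumber", "0")),
            "type": ev.get("extensionName"),
            "result": ev.findtext(RESULT_XPATH),  # None when no outcome is present
        })
    for events in trails.values():
        events.sort(key=lambda e: (e["time"], e["sequence"]))
    return dict(trails)

def trails_with_result(trails, wanted):
    """Return the trail ids that contain at least one event with the given result."""
    return sorted(t for t, evs in trails.items() if any(e["result"] == wanted for e in evs))

if __name__ == "__main__":
    grouped = correlate(SAMPLE)
    print(grouped, trails_with_result(grouped, "RESULT_B"))
```

Events that lack a contextDataElements entry are collected under a separate key rather than dropped, so uncorrelated events remain visible during review.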