Federation auditing events

This section lists the audit elements available for each audit event type.

Use the instructions in Configure auditing on the appliance to configure auditing on the appliance. Federation supports the following auditing events:

This section describes the available elements for each event type.

Common elements for all events

The following elements are included with all security events:

ContextDataElements

The contextId value, which is specified on the type attribute, is included in the ContextDataElements element to correlate all events associated with a single transaction.

| Attribute | Value | XPath |
| --- | --- | --- |
| name | Security Event Factory | CommonBaseEvent/contextDataElements/@name |
| type | eventTrailId | CommonBaseEvent/contextDataElements/@type |
| contextId | This element is a container element for the eventTrailId value; it does not have an XPath value. | |
| eventTrailId | The event trail identifier value, for example, FIM_116320b90110104ab7ce9df3453615a1+729829786 | CommonBaseEvent/contextDataElements/[@type='eventTrailId']/contextId |

The following are XML-formatted examples of CBE event headers containing entries for the ContextDataElements element. These entries illustrate how separate events are correlated for a single transaction.

<CommonBaseEvent 
	creationTime="2007-01-31T20:59:57.625Z" 
	extensionName="IBM_SECURITY_TRUST" 
	globalInstanceId="CE4454A122E10AB044A1DBB16E020E1D80" 
	sequenceNumber="1" version="1.0.1">
	<contextDataElements name="Security Event Factory" 	type="eventTrailId">
		<contextId>FIM_79f4e4c801101db5aba48cd8e0212be7+656317861</contextId>
	</contextDataElements>
...
</CommonBaseEvent>
<CommonBaseEvent 
	creationTime="2007-01-31T20:59:57.765Z" 
	extensionName="IBM_SECURITY_TRUST" 
	globalInstanceId="CE4454A122E10AB044A1DBB16E02213050" 
	sequenceNumber="2" version="1.0.1">
	<contextDataElements name="Security Event Factory" type="eventTrailId">
		<contextId>FIM_79f4e4c801101db5aba48cd8e0212be7+656317861</contextId>
	</contextDataElements>
...
</CommonBaseEvent>

SourceComponentId element

The SourceComponentId is an identifier representing the source that generates the event.

| Attribute | Value | XPath |
| --- | --- | --- |
| application | IBM Security Verify Access | CommonBaseEvent/sourceComponentId/@application |
| component | | CommonBaseEvent/sourceComponentId/@component |
| componentIdType | ProductName | CommonBaseEvent/sourceComponentId/@componentIdType |
| componentType | http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes | CommonBaseEvent/sourceComponentId/@componentType |
| executionEnvironment | <OS name>#<OS Architecture>#<OS.version> | CommonBaseEvent/sourceComponentId/@executionEnvironment |
| location | <hostname> | CommonBaseEvent/extendedDataElements[@name='registryInfo']/children[@name='location']/values |
| locationType | FQHostname | CommonBaseEvent/sourceComponentId/@locationType |
| subComponent | <classname> | CommonBaseEvent/sourceComponentId/@subComponent |

Situation element

The Situation element describes the circumstance that caused the audit event.

| Attribute | Value | XPath |
| --- | --- | --- |
| categoryName | ReportSituation | CommonBaseEvent/situation/@categoryName |
| reasoningScope | INTERNAL | CommonBaseEvent/situation/situationType/@reasoningScope |
| reportCategory | SECURITY | CommonBaseEvent/situation/situationType/@reportCategory |

Outcome element

The Outcome element is the result of the action for which the security event is being generated.

| Attribute | Value | XPath |
| --- | --- | --- |
| failureReason | | CommonBaseEvent/extendedDataElements[@name='outcome']/children[@name='failureReason']/values |
| majorStatus | | CommonBaseEvent/extendedDataElements[@name='outcome']/children[@name='majorStatus']/values |
| result | | CommonBaseEvent/extendedDataElements[@name='outcome']/children[@name='result']/values |

Federation does not use the ReporterComponentId field.
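
The following Python sketch is an added example, not code from the product or its documentation. It applies the eventTrailId and outcome result XPaths from the tables above to group events by transaction and list the trails that contain a non-successful result. The log text, trail identifiers and the SUCCESSFUL/UNSUCCESSFUL result strings are constructed sample values, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# XPaths from the tables above, written relative to one CommonBaseEvent element.
TRAIL_XPATH = "contextDataElements[@type='eventTrailId']/contextId"
RESULT_XPATH = "extendedDataElements[@name='outcome']/children[@name='result']/values"

def _event(time, trail, result):
    """Build one constructed CBE event (sample data only)."""
    ctx = ('<contextDataElements name="Security Event Factory" type="eventTrailId">'
           f'<contextId>{trail}</contextId></contextDataElements>') if trail else ''
    return (f'<CommonBaseEvent creationTime="{time}" extensionName="IBM_SECURITY_TRUST">'
            f'{ctx}<extendedDataElements name="outcome"><children name="result">'
            f'<values>{result}</values></children></extendedDataElements></CommonBaseEvent>')

# Constructed log: trail ids, times and result strings are assumed, illustrative values.
SAMPLE_LOG = "\n".join([
    _event("2024-01-01T10:00:00.300Z", "FIM_aaaa+1", "UNSUCCESSFUL"),
    _event("2024-01-01T10:00:00.100Z", "FIM_aaaa+1", "SUCCESSFUL"),
    _event("2024-01-01T10:00:01.000Z", "FIM_bbbb+2", "SUCCESSFUL"),
    _event("2024-01-01T10:00:02.000Z", None, "SUCCESSFUL"),  # no trail id
])

def correlate(log_text):
    """Group events by eventTrailId; return ({trail: [(time, result)]}, orphans)."""
    # A log holds sibling events with no single root, so wrap them before parsing.
    root = ET.fromstring(f"<events>{log_text}</events>")
    trails, orphans = defaultdict(list), []
    for ev in root.iter("CommonBaseEvent"):
        trail = ev.findtext(TRAIL_XPATH)
        record = (ev.get("creationTime"), ev.findtext(RESULT_XPATH))
        if trail:
            trails[trail.strip()].append(record)
        else:
            orphans.append(record)  # cannot be tied to a transaction
    for records in trails.values():
        records.sort(key=lambda r: r[0] or "")  # ISO 8601 UTC sorts as text
    return dict(trails), orphans

def failed_trails(trails, ok="SUCCESSFUL"):
    """Trail ids where any event's result differs from the assumed success value."""
    return sorted(t for t, recs in trails.items() if any(r != ok for _, r in recs))

if __name__ == "__main__":
    trails, orphans = correlate(SAMPLE_LOG)
    print(failed_trails(trails), len(orphans))
```

Events that carry no eventTrailId are returned separately so that a gap in correlation is visible rather than silently dropped.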
