IBM_SECURITY_MGMT_AUDIT events

This event type provides information about changes to the auditing settings; for example, if auditing is enabled or disabled or if auditing is set for specific transactions. IBM_SECURITY_MGMT_AUDIT events are generated when the audit configuration is modified. Changes to the following data are audited:

The following table lists the elements that can be displayed in the output of an IBM_SECURITY_MGMT_AUDIT event.

Element Description
action The type of action that occurred against the audit settings. Possible values are Modify and Disable. The XPath is:
CommonBaseEvent/extendedDataElements[@name='action']/values

mgmtInfo Information about the auditing operation. The supported items and values are:
  • EnableAudit=true | false
  • Domain=domain_name
  • AuditLogLocation=path
  • CacheLocation=path
  • WebServiceBasicAuthUsername=username
  • WebServiceBasicAuthPassword=password
  • WebServiceKeyIdentifier=keyname
  • WebServiceURL=URL
  • MaxAuditFiles=number
  • AuditFileSize=number
  • UseWebServiceBasicAuth=true | false
  • WebServiceKeystore=keystore_name
  • AuditSecurityAuthnEvents=true | false
  • AuditSecurityAuthnTerminateEvents=true | false
  • AuditSecurityEncryptionEvents=true | false
  • AuditSecuritySigningEvents=true | false
  • AuditSecurityFederationEvents=true | false
  • AuditSecurityTrustEvents=true | false
  • AuditSecurityMgmtPolicyEvents=true | false
  • AuditSecurityMgmtAuditEvents=true | false

The XPath is:
CommonBaseEvent/extendedDataElements[@name='mgmtInfo']/children[@name='command']/values

userInfo Information about the user who is performing the operation. The XPath is:
CommonBaseEvent/extendedDataElements[@name='userInfo']/children[@name='appUserName']/children[@name='registryUserName']/values

type Always set to the audit value. The XPath is:
CommonBaseEvent/extendedDataElements[@name='type']/values

Sample of an IBM_SECURITY_MGMT_AUDIT event

The following example shows an IBM_SECURITY_MGMT_AUDIT event:
<CommonBaseEvent
 creationTime="2007-04-25T07:01:51.726Z"
 extensionName="IBM_SECURITY_MGMT_AUDIT"
 globalInstanceId="CEFA81F627EBCFC5DFA1DBF2FAD8573020"
 sequenceNumber="1"
 version="1.0.1">
 <contextDataElements name="Security Event Factory" type="eventTrailId">
  <contextId>FIM_278bcbef011213a9865f8a816f9717a6+1969112872</contextId>
 </contextDataElements>
 <extendedDataElements name="mgmtInfo" type="noValue">
  <children name="command" type="string">
   <values>EnableAudit=true;
    Domain=mydomain-server1;
    AuditLogLocation=audit_location;
    AuditFileSize=10;
    MaxAuditFiles=100;AuditAuthnEvents=true;
    AuditAuthnTerminateEvents=true;
    AuditFederationEvents=true;
    AuditTrustEvents=true;
    AuditSigningEvents=true;
    AuditEncryptionEvents=true;
    AuditMgmtPolicyEvents=true;
    AuditMgmtAuditEvents=true;
   </values>
  </children>
 </extendedDataElements>
 <extendedDataElements name="type" type="string">
  <values>audit</values>
 </extendedDataElements>
 <extendedDataElements name="userInfo" type="noValue">
  <children name="appUserName" type="string">
   <values>unauthenticatedUser</values>
  </children>
  <children name="registryUserName" type="string">
   <values>Not Available</values>
  </children>
 </extendedDataElements>
 <extendedDataElements name="action" type="string">
  <values>Modify</values>
 </extendedDataElements>
 <extendedDataElements name="outcome" type="noValue">
  <children name="result" type="string">
   <values>SUCCESSFUL</values>
  </children>
  <children name="majorStatus" type="int">
   <values>0</values>
  </children>
 </extendedDataElements>
 <sourceComponentId
  application="IBM Security Verify Access"
  component="Authentication and Federated Identity"
  componentIdType="ProductName"
  executionEnvironment="Linux[x86]#2.6.9-34.ELsmp"
  location="fimfun2.austin.ibm.com"
  locationType="FQHostname"
  subComponent="com.tivoli.am.fim.mgmt.fim.FIMManagementImpl"
  threadId="SoapConnectorThreadPool : 0"
  componentType=
  "http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes"/>
  <situation categoryName="ReportSituation">
   <situationType xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:type="ReportSituation"
                  reasoningScope="INTERNAL"
                  reportCategory="SECURITY"/>
  </situation>
</CommonBaseEvent>
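
A triage check for these events, as an added example (not IBM's code): it reads the fields through the documented XPaths, taken relative to the event root, and reports changes that turn auditing or an event category off. The function names and the trimmed sample input are constructed for illustration, and appUserName is read where the sample event places it.

```python
import xml.etree.ElementTree as ET

# Constructed input: the page's sample event, trimmed, with two switches set to false.
SAMPLE = """<CommonBaseEvent extensionName="IBM_SECURITY_MGMT_AUDIT" version="1.0.1">
 <extendedDataElements name="mgmtInfo" type="noValue">
  <children name="command" type="string">
   <values>EnableAudit=true;
    Domain=mydomain-server1;
    MaxAuditFiles=100;AuditAuthnEvents=false;
    AuditMgmtAuditEvents=false;
   </values>
  </children>
 </extendedDataElements>
 <extendedDataElements name="userInfo" type="noValue">
  <children name="appUserName" type="string"><values>unauthenticatedUser</values></children>
 </extendedDataElements>
 <extendedDataElements name="action" type="string"><values>Modify</values></extendedDataElements>
</CommonBaseEvent>"""

EDE = "extendedDataElements[@name='%s']"

def parse_settings(command):
    """Split the ';'-separated key=value list carried in mgmtInfo/command."""
    pairs = (item.strip().split("=", 1) for item in command.split(";"))
    return {k.strip(): v.strip() for k, v in (p for p in pairs if len(p) == 2)}

def review_event(xml_text):
    """Return (user, findings); findings is empty when nothing weakens auditing."""
    root = ET.fromstring(xml_text)
    if root.get("extensionName") != "IBM_SECURITY_MGMT_AUDIT":
        return None, []
    # Paths are the documented XPaths, relative to the CommonBaseEvent root.
    action = root.findtext(EDE % "action" + "/values", "").strip()
    command = root.findtext(EDE % "mgmtInfo" + "/children[@name='command']/values", "")
    # appUserName is read where the sample event places it (directly under userInfo).
    user = root.findtext(EDE % "userInfo" + "/children[@name='appUserName']/values", "").strip()
    settings = parse_settings(command)
    findings = []
    if action == "Disable" or settings.get("EnableAudit", "").lower() == "false":
        findings.append("auditing disabled")
    # Category switches: covers the Audit...Events names used in the sample and
    # the AuditSecurity...Events names listed in the element table.
    for key in sorted(settings):
        if key.startswith("Audit") and key.endswith("Events") and settings[key].lower() == "false":
            findings.append(key + " turned off")
    return user, findings

if __name__ == "__main__":
    print(review_event(SAMPLE))
```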
