Access Manager maintains audit log entries that can be subsequently included in reports. The audit logs stores details of events that occur in the identity and access management system and are primarily intended for auditing and compliance purposes.
Audit logs contains the results of users and administrators requests and other system events. Although the primary purpose for audit logging is auditing and compliance, you can also use the event logs for detecting abnormal and error conditions. You can use the event logs as a first alert mechanism for system support.
Audit events are device-specific. You can select events for Administration Console, Identity Server, and Access Gateway.
In addition to the selectable events, Management Communication Channel events are automatically sent to the audit server. Access Manager events begin with 002e. For information about audit event IDs and field data, see Section 32.17, Access Manager Audit Events and Data.
You can configure Access Manager to use a Sentinel server, a third-party syslog server, or Analytics Server.
Access Manager supports logging for the following types of events:
Starting, stopping, and configuring a component
Server imports and deletes
Success or failure of user authentication
Role assignment
Allowed or denied access to a protected resource
Error events
Denial of service attacks
Security violations and other events necessary for verifying the correct and expected operation of the identity and access management system
Intruder lockout detection (available only for eDirectory user stores)
User account provisioning
Audit logging does not track the operational processing of Access Manager components. For example, processing and interactions between Access Manager components required to fulfill a user request. For this type of logging, see Configuring Logging for Identity Server.
By default, Access Manager uses the syslog server. If you install more than one instance of Access Manager Appliance for failover, the syslog server is installed with each instance. However, if you use a third-party syslog server, you can configure Access Manager to use your audit server. If you are using Analytics Server, you can configure Access Manager to use Analytics Server’s in-built audit server.
You can specify only one audit server. The failover works even if the audit server is not reachable. The failover mechanism changes based on the type of logging as follows:
File-based: Does not require a failover mechanism.
Syslog: The events are sent to a local file. The syslog client must be configured for failover. For more information, see the third-party syslog server documentation.