Content Comparison

• Active Directory (AD) Audit Dashboard

• NetIQ Audit Dashboard

• NetIQ Driver Dashboard

• NetIQ IDM System Overview

• NetIQ Security Dashboard

• NetIQ Workflow Dashboard

• Tips how to work with Dashboards

• The Search Bar

• Event categories

• The Fast Date Selector

...

...

• Step 1. Installation of the ACDI Driver Monitor package

• Step 2. Addition of the appropriate package for driver monitor

• Step 3. Configuration of the Driver Monitor

• Step 4. Sending our data to the OpenSearch

• Step 5. Checking the Data from the ACDI Driver Monitor

  • 5.1 Using Dashboards

  • 5.2 Using Reporting System

Here Hereby we will show how dashboards can help you audit and monitor events in your eDirectory and Active Directory.

 ACDI contains a list of default dashboards. You can find it under ‘Dashboards’ in the menu on the left.

...

Let’s look at the Active Directory (AD) Audit Dashboard. It displays information about events received from the Active Directory and shows all the changes in specified classes.

...

Each dashboard has a list of default visuals and search options that will help you find the data you need.

...

AnchorAudit-DashboardAudit-Dashboardyou how to install and configure the ACDI Driver Monitor package. This package saves processed data in third-party drivers.

• You need to right-click the package catalog and then “Import package.”

...

• A zip file with the ACDI has a folder with the Audit Driver inside, open it.

...

• You need the folder “Designer” and the next three packages for monitoring. Let’s click Open and then OK.

...

The packages have been successfully imported.

...

The NetIQ Audit dashboard displays information about events in the eDirectory.

...

The active Directory Audit Dashboard and NetIQ Audit Dashboard are similar.

...

The difference is that they have a different data source — Active Directory or eDirectory.

Essentially, the AD Audit Dashboard receives information from the ACDI’s Active Directory event service. The NetIQ Audit Dashboard gets information from the ACDI driver in IDM.

AnchorDriver-DashboardDriver-DashboardNow for a driver you want to monitor, you have to add the appropriate package:

• Right-click “Properties”

...

• Choose “Packages” and add SKyPRO ACDI Monitor. Click OK and “Apply”

...

Further, from the eDirectory, we can monitor third-party drivers using the ACDI monitor. Information about events in the third-party driver monitor comes to the NetIQ Driver Dashboard.

...

This dashboard presents information about events in third-party drivers where the ACDI monitor package is installed. For instance, we have here two drivers with monitors. These are the Active Directory and a loopback driver named HR. We can see the overall information about the number of successful events, number of events with errors/successes for all driver monitors, for specific drivers.

...

And we can also find more detailed information.

...

...

• By switching Auditing Mode to “Manual” you are now able to configure where - whether publisher or subscriber - you would like to save events.

...

• Here you can input the driver’s name (“ActiveDirectory1” as example). You will need it later to find data from this driver in the ACDI.

...

• In the program window you will also see a field for the list of events you would like to put in the ACDI.

...

• And a field for status level for events.

...

• Click “Next”, then “Finish” and then “Apply”.

...

The next dashboard is the NetIQ IDM System Overview.

...

This dashboard contains general information about all events that come from the eDirectory, ACDI Driver, or driver monitors.

Here we can see that the majority of events have come from the ACDI driver and some come from two driver monitors.

...

...

To send this data to the OpenSearch in the ACDI the type of connection you will use needs to be configured:

• Go to “Properties” in the driver set.

...

• After that, go to the “GCVs” tab.

...

Now define how you want the data to be transmitted. There are three options available:

➢ The first one is “Put to ACDI Driver Cache”.

...

This means that all events will be processed by the driver which DN you will define in the ACDI driver option.

...

➢ The second is “Send directly to Elasticsearch and/or Logstash”.

...

These settings are similar to the settings in the ACDI driver. Here you define a path to your OpenSearch, the type of file, user with credentials to write to OpenSearch and a path to the KeyStore with certificate and its password.

...

➢ And the third option is to try sending it to OpenSearch and, on timeout, put it to the ACD Driver Cache.

...

After all settings are configured, you need to Deploy the attributes.

...

And Restart the driver.

...

This next dashboard is the NetIQ Security Dashboard.

...

The data it shows comes from the ACDI driver based on information received about security events such as successful logins, login enables/disables, lockouts by intruders and failed logins.

...

In the ACDI there is also a dashboard designed to display information received from the Workflow Monitor package.

...

In this dashboard, we can see the process status of our workflows, which workflows are processing, which have been approved, and which have been denied.

...

Now let’s go over some tips that will help you work with Dashboards. Let's do this using the NetIQ Audit Dashboard as an example.

...

On the top of each dashboard is the search bar, the quick time selector, and selector where we can check absolute and relative dates.

...

Let's set it to ‘today’ and click “Refresh.” Using the timeline visualizations, you can zoom into a time period just by clicking and holding the left mouse button and selecting the period you need.

...

Search is based in Lucene syntax, which means you can use Apache Lucene syntax for it or activate the OpenSearch dashboard query language.

...

For instance, you want to check the object name “Heidi.” As you can see, this is a pretty fast way to search.

...

It should be mentioned that each visualization has interactive components for fast filter implementation. For example, you want to see only modified events for users and where the group membership has been changed.

...

Here we see all changes for the group memberships in a selected time period.

...

So, how do you actually use search, and why aren’t all fields in some events available?

 Well, all events are separated into two categories. There are events with the field “Event”:“true.” This is the basic event that contains all information about changed attributes.

...

For example, let's check an “Add” event.

...

Here we can see that one event for “Add,” object class “Organizational person” has five events with “Event”: “false”. Why is this?

 Within one “Add” event, there were five changes of attributes. That's why we have here one “true” and five events with event type “false” for each attribute changed: for given name, group membership, telephone number, CN, and surname.

...

If in the driver settings, the setting “save Event Doc” is set to ‘true’,

...

then each event will contain the field “event_doc” with a base XML that has an event from the eDirectory.

...

Sometimes, while checking data, the view may be broken. To prevent this, you need to click the “fast date selector” icon followed by “Stop.” The dashboard won't update and you'll be able to search without any breaks.

...

5.1 Using Dashboards

Anchor
step5-1 step5-1

ACDI has as its default dashboard NetIQ Driver Dashboard where you can audit and monitor all events that the driver processes.

...

This dashboard must be adjusted according to the name that is set in the appropriate driver.

...

“ActiveDirectory1” was used as a name for the monitor, so this name was set in the connected system.

...

To make all these visuals work, you will need to update the filter of each one of them:

• Click “Edit”.

...

• Then click “Edit visualization’’.

...

• Update the name of the connected system.

...

• Replace it with the one you’ve defined in your driver monitor. Save the changes, then click “Save and return.”

...

5.2 Using Reporting System

Anchor
step5-2 step5-2

The second way is the reporting system. Let’s use the NetIQ Audit Driver Events report.

...

Here, in the connected system, you will see the list of your driver monitors. You can select a channel as well as the status of events you want to see.

...

For instance, you need to check all events with an “error” status for the Active Directory driver. Here you have selected the “error” status and the connected system “Active Directory.”  Let's click “Run.”

...

Now you see that during the last seven days, there have been two and a half thousand events with errors. In the table you’ll find the name of your driver, object DN, status doc, which is the base XML with event that came to the driver,

...

You can find the final event doc here as well.

In event doc, there is the data about the reason for the error. Here it is to see that the internet email address has had a value added and it caused the error: “LDAP attribute or value exists.” It happened because in Active Directory, internet email address is single-valued and there is no opportunity to add more than one value.

...

Should you have any questions or require any assistance, please do not hesitate to contact us at any time swsupport.skypro@skypro.ch