Here we will show how dashboards can help you audit and monitor events in your eDirectory and Active Directory.
ACDI contains a list of default dashboards. You can find them under ‘Dashboards’ in the menu on the left.
Let’s look at the Active Directory (AD) Audit Dashboard. It displays information about events received from the Active Directory and shows all the changes in specified classes.
Each dashboard has a list of default visuals and search options that will help you find the data you need.
The NetIQ Audit dashboard displays information about events in the eDirectory.
The Active Directory Audit Dashboard and NetIQ Audit Dashboard are similar.
The difference is that they have a different data source — Active Directory or eDirectory.
Essentially, the AD Audit Dashboard receives information from the ACDI’s Active Directory event service. The NetIQ Audit Dashboard gets information from the ACDI driver in IDM.
Further, from the eDirectory, we can monitor third-party drivers using the ACDI monitor. Information about events in the third-party driver monitor comes to the NetIQ Driver Dashboard.
This dashboard presents information about events in third-party drivers where the ACDI monitor package is installed. For instance, here we have two drivers with monitors: the Active Directory driver and a loopback driver named HR. We can see overall information, such as the number of successful events and the number of events with errors/successes, both for all driver monitors and for specific drivers.
And we can also find more detailed information.
The next dashboard is the NetIQ IDM System Overview.
This dashboard contains general information about all events that come from the eDirectory, ACDI Driver, or driver monitors.
Here we can see that the majority of events have come from the ACDI driver and some come from two driver monitors.
This next dashboard is the NetIQ Security Dashboard.
The data it shows comes from the ACDI driver based on information received about security events such as successful logins, login enables/disables, lockouts by intruders and failed logins.
In the ACDI there is also a dashboard designed to display information received from the Workflow Monitor package.
In this dashboard, we can see the process status of our workflows, which workflows are processing, which have been approved, and which have been denied.
Now let’s go over some tips that will help you work with Dashboards. Let's do this using the NetIQ Audit Dashboard as an example.
At the top of each dashboard are the search bar, the quick time selector, and a selector where we can choose absolute and relative dates.
Let's set it to ‘today’ and click “Refresh.” Using the timeline visualizations, you can zoom into a time period just by clicking and holding the left mouse button and selecting the period you need.
Search is based on Lucene syntax, which means you can use Apache Lucene syntax for it or activate the OpenSearch Dashboards Query Language (DQL).
For instance, suppose you want to check the object name “Heidi.” As you can see, this is a pretty fast way to search.
It should be mentioned that each visualization has interactive components for applying filters quickly. For example, suppose you want to see only modify events for users where the group membership has been changed.
Here we see all changes for the group memberships in a selected time period.
So, how do you actually use search, and why aren’t all fields in some events available?
Well, all events are separated into two categories. There are events with the field “Event”:“true.” This is the basic event that contains all information about changed attributes.
For example, let's check an “Add” event.
Here we can see that one “Add” event for the object class “Organizational person” has five events with “Event”: “false”. Why is this?
Within one “Add” event, there were five attribute changes. That's why we have one event with “Event”: “true” and five events with “Event”: “false”, one for each changed attribute: given name, group membership, telephone number, CN, and surname.
If the “save Event Doc” setting in the driver settings is set to ‘true’, then each event will contain the field “event_doc” with a base XML that has an event from the eDirectory.
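The base-event and per-attribute split described above can be reassembled when you review exported events outside the dashboard. The following is an added example, not ACDI's own code: only the “Event” field and its “true”/“false” values come from this walkthrough, while `correlation_id`, `operation`, `object_class`, `object_name`, `attribute` and the sample records are hypothetical and constructed for illustration.

```python
# Constructed sample records. Only the "Event" field and its "true"/"false"
# values come from the walkthrough; every other field name is hypothetical.
SAMPLE_EVENTS = [
    {"Event": "true", "correlation_id": "c-1", "operation": "Add",
     "object_class": "Organizational Person", "object_name": "Heidi"},
    {"Event": "false", "correlation_id": "c-1", "attribute": "Given Name"},
    {"Event": "false", "correlation_id": "c-1", "attribute": "Group Membership"},
    {"Event": "false", "correlation_id": "c-1", "attribute": "Telephone Number"},
    {"Event": "false", "correlation_id": "c-1", "attribute": "CN"},
    {"Event": "false", "correlation_id": "c-1", "attribute": "Surname"},
    {"Event": "true", "correlation_id": "c-2", "operation": "Modify",
     "object_class": "User", "object_name": "Lars"},
    {"Event": "false", "correlation_id": "c-2", "attribute": "Group Membership"},
    # Attribute record whose base event is missing from the export.
    {"Event": "false", "correlation_id": "c-9", "attribute": "Telephone Number"},
]


def group_attribute_changes(events, key="correlation_id"):
    """Attach each "Event":"false" record to its "Event":"true" base event.

    Returns (grouped, orphans); orphans are attribute records whose base
    event is not present in the input.
    """
    grouped = {ev[key]: {"base": ev, "attributes": []}
               for ev in events if ev.get("Event") == "true"}
    orphans = []
    for ev in events:
        if ev.get("Event") != "false":
            continue
        parent = grouped.get(ev.get(key))
        if parent is None:
            orphans.append(ev)
        else:
            parent["attributes"].append(ev["attribute"])
    return grouped, orphans


def objects_with_change(grouped, attribute):
    """Names of objects whose base event includes a change to `attribute`."""
    return [g["base"]["object_name"] for g in grouped.values()
            if attribute in g["attributes"]]


if __name__ == "__main__":
    grouped, orphans = group_attribute_changes(SAMPLE_EVENTS)
    for cid, g in grouped.items():
        print(cid, g["base"]["operation"], g["base"]["object_name"], g["attributes"])
    print("orphaned attribute records:", len(orphans))
```

Orphaned attribute records are worth a second look during an audit, since they point to an export or time window that does not include the base event.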
Sometimes, while checking data, the view may be broken. To prevent this, you need to click the “fast date selector” icon followed by “Stop.” The dashboard won't update and you'll be able to search without any breaks.
That's all for today. Should you have any questions or need assistance, please don’t hesitate to contact us at any time.