    IBM Security Access Manager for Enterprise Single Sign-On

    You can use the IBM® Security Access Manager for Enterprise Single Sign-On DSM for JSA to receive events that are forwarded by using syslog.

    JSA can collect events from IBM® Security Access Manager for Enterprise Single Sign-On version 8.1 or 8.2.

    Events that are forwarded by the IBM® Security Access Manager for Enterprise Single Sign-On include audit, system, and authentication events.

    Events are read from the following database tables and forwarded by using syslog:

    • IMSLOGUserService

    • IMSLOGUserAdminActivity

    • IMSLOGUserActivity

    All events that are forwarded to JSA from IBM® Security Access Manager for Enterprise Single Sign-On use ### as a syslog field-separator. IBM® Security Access Manager for Enterprise Single Sign-On forwards events to JSA by using UDP on port 514.

    Before You Begin

    To configure syslog forwarding for events, you must be an administrator or your user account must include credentials to access the IMS™ Configuration Utility.

    Any firewalls between your IBM® Security Access Manager for Enterprise Single Sign-On appliance and JSA should be configured to allow UDP communication on port 514. This configuration requires you to restart your IBM® Security Access Manager for Enterprise Single Sign-On appliance.

    Configuring a Log Server Type

    The IBM® Security Access Manager for Enterprise Single Sign-On appliance requires you to configure a log server type to forward syslog-formatted events:

    1. Log in to the IMS™ Configuration Utility for IBM® Security Access Manager for Enterprise Single Sign-On.

      For example, https://localhost:9043/webconf

    2. From the navigation menu, select Advanced Settings > IMS™ Server > Logging > Log Server Information.
    3. From the Log server types list, select syslog.
    4. Click Add.
    5. Click Update to save the configuration.

    Configuring Syslog Forwarding

    To forward events to JSA, you must configure a syslog destination on your IBM® Security Access Manager for Enterprise Single Sign-On appliance.

    1. From the navigation menu, select Advanced Settings > IMS™ Server > Logging > Syslog.
    2. Configure the following options:

      Table 1: Syslog Parameters

      Field
        Description

      Enable syslog
        From the Available Tables list, you must select the following tables, and click Add.

        • logUserService
        • logUserActivity
        • logUserAdminActivity

      Syslog server port
        Type 514 as the port number used for forwarding events to JSA.

      Syslog server hostname
        Type the IP address or host name of your JSA console or Event Collector.

      Syslog logging facility
        Type an integer value to specify the facility of the events that are forwarded to JSA. The default value is 20.

      Syslog field-separator
        Type ### as the characters used to separate name-value pair entries in the syslog payload.

    3. Click Update to save the configuration.
    4. Restart your IBM® Security Access Manager for Enterprise Single Sign-On appliance.

      The syslog configuration is complete. The log source is added to JSA as IBM® Security Access Manager for Enterprise Single Sign-On syslog events are automatically discovered. Events that are forwarded to JSA are displayed on the Log Activity tab.
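
    A collector-side check for the settings above, as an added example that is not part of the original guide or of any IBM or JSA code: it parses a received datagram, derives the facility from the syslog PRI value (facility × 8 + severity), and splits the payload on ###. The header layout, the = between name and value, and the sample field names are assumptions; the guide specifies only the separator, facility 20 and UDP port 514.

```python
import re

SEPARATOR = "###"        # syslog field-separator set on the appliance (from the page)
EXPECTED_FACILITY = 20   # default syslog logging facility (from the page)
_PRI = re.compile(r"^<(\d{1,3})>")

# Constructed samples; the header layout, field names and "=" delimiter are assumptions.
SAMPLE_OK = (b"<166>Sep 13 10:15:02 imsserver ###table=logUserActivity"
             b"###user=jdoe###event=logon###result=success")
SAMPLE_BAD = b"<134>Sep 13 10:15:02 imsserver table=logUserActivity|user=jdoe"


def parse_event(datagram: bytes) -> dict:
    """Split one UDP syslog datagram into facility, severity, header and fields."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    match = _PRI.match(text)
    if not match or int(match.group(1)) > 191:
        raise ValueError("missing or invalid syslog PRI")
    pri = int(match.group(1))
    header, *entries = text[match.end():].split(SEPARATOR)
    fields, malformed = {}, []
    for entry in entries:
        name, delim, value = entry.partition("=")  # split on the first "=" only
        if delim and name.strip():
            fields[name.strip()] = value.strip()
        elif entry.strip():
            malformed.append(entry)
    # PRI = facility * 8 + severity
    return {"facility": pri >> 3, "severity": pri & 7, "header": header.strip(),
            "fields": fields, "malformed": malformed}


def check_event(datagram: bytes) -> list:
    """Return mismatches between a received event and the settings in Table 1."""
    try:
        event = parse_event(datagram)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if event["facility"] != EXPECTED_FACILITY:
        problems.append(f"facility {event['facility']}, expected {EXPECTED_FACILITY}")
    if not event["fields"]:
        problems.append(f"no {SEPARATOR}-separated name-value pairs")
    if event["malformed"]:
        problems.append(f"{len(event['malformed'])} entries without a name=value form")
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(check_event(sample) or "ok")
```

    A value that itself contains ### would be split into extra entries and reported as malformed, which is a quick way to spot a separator collision in captured events.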

    Configuring a Log Source in JSA

    JSA automatically discovers and creates a log source for syslog events from IBM Security Access Manager for Enterprise Single Sign-On.

    The following procedure is optional.

    1. Click the Admin tab.
    2. Click the Log Sources icon.
    3. Click Add.
    4. In the Log Source Name field, type a name for your log source.
    5. From the Log Source Type list, select IBM Security Access Manager for Enterprise Single Sign-On.
    6. From the Protocol Configuration list, select Syslog.
    7. Configure the following values:

      Table 2: Syslog Parameters

      Parameter
        Description

      Log Source Identifier
        Type the IP address or host name for the log source as an identifier for events from your IBM Security Access Manager for Enterprise Single Sign-On appliance.

      Enabled
        Select this check box to enable the log source.

        By default, the check box is selected.

      Credibility
        Select the Credibility of the log source. The range is 0 - 10.

        The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event. The default is 5.

      Target Event Collector
        Select the Event Collector to use as the target for the log source.

      Coalescing Events
        Select this check box to enable the log source to coalesce (bundle) events.

        By default, automatically discovered log sources inherit the value of the Coalescing Events list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

      Incoming Event Payload
        From the Incoming Event Payload list, select the incoming payload encoder for parsing and storing the logs.

      Store Event Payload
        Select this check box to enable the log source to store event payload information.

        By default, automatically discovered log sources inherit the value of the Store Event Payload list from the System Settings in JSA. When you create a log source or edit an existing configuration, you can override the default value by configuring this option for each log source.

    8. Click Save.
    9. On the Admin tab, click Deploy Changes.

    Modified: 2017-09-13