The following picture shows the streams of audit events within EAM.
Audit events are created on users’ workstations and stored locally in audit cache files. Events are then collected (on a regular basis) by an EAM Controller that provides the EAM audit Services. The server stores the collected audit events in a local audit database.
The audit servers should then be configured to upload collected events into a central audit SQL database.
Administrators get the audit events stored in the central audit database using EAM Console.
An audit cache mechanism is located on:
The EAM Controller compiles all the events related to user authentication and administration actions in all LDAP domains. It provides a consistent overview of the history of the accesses to all your applications.
|NOTE:By administration actions, we mean any operation that modifies the directory content: creation, modification, deletion and renaming of any directory object.|
If the audit cache file is deleted, EAM sends an audit event to the User Access Controller. The event indicates the name of the workstation and when the file deletion was detected.
In this section:
For example, let us consider an application object: the Events tab of this object displays any administration action directly associated with this object (as the modification of an option or of the administrator's list for example), but also any event linked to the creation of accounts associated with this application.
The following procedure focuses on how to display globally audit events. For more details on how to display the audit records of a specific object, see Section Displaying Password Generation Policy Event Logs and Section Managing directory objects.
To perform the task described in this section, you must have the following administration role:
||NOTE: For more information on administration roles, see Section Managing administrators.|
||NOTE: By default, the audit report displays all the audit events of the last two days.|
||NOTE: For more information on audit population, see Section Defining an audit population.|
An audit population is a group, a directory or an organizational unit that you want to explicitly mark for audit, so that audit events on the objects (users or access points) that are members of the group, directory or organizational unit can be displayed.
When you audit a group/directory/organization without having defined it as an audit population, the only displayed events are the one related to the group/directory/organization; the events related to its members are not available.
Once the audit population is defined, you can:
||NOTE: To gather several groups/organizations/directories in the same audit population, use the same label for all of them.|
In this section: