Federation auditing events

This section lists the audit elements that are available for each audit event type.

To configure auditing on the appliance, follow the instructions in Configuring auditing on the appliance.

Federation supports the following auditing events:
  • IBM_SECURITY_TRUST
  • IBM_SECURITY_RUNTIME

This section describes the available elements for each event type.

Common elements for all events

The following elements are included with all security events:
  • ContextDataElements
  • SourceComponentId
  • Situation
  • Outcome
  • ExtendedDataElements

ContextDataElements

The contextId value, which is specified on the type attribute, is included in the ContextDataElements element to correlate all events that are associated with a single transaction.
Table 1. Attributes and elements of the ContextDataElements element

| Attribute | Value | XPath |
| --- | --- | --- |
| name | Security Event Factory | CommonBaseEvent/contextDataElements/@name |
| type | eventTrailId | CommonBaseEvent/contextDataElements/@type |
| contextId | This element is a container element for the eventTrailId value; it does not have an XPath value. | |
| eventTrailId | The event trail identifier value, for example, FIM_116320b90110104ab7ce9df3453615a1+729829786 | CommonBaseEvent/contextDataElements/[@type='eventTrailId']/contextId |

The following are XML-formatted examples of CBE event headers containing entries for the ContextDataElements element. These entries illustrate how separate events are correlated for a single transaction.
<CommonBaseEvent 
	creationTime="2007-01-31T20:59:57.625Z" 
	extensionName="IBM_SECURITY_TRUST" 
	globalInstanceId="CE4454A122E10AB044A1DBB16E020E1D80" 
	sequenceNumber="1" version="1.0.1">
	<contextDataElements name="Security Event Factory" type="eventTrailId">
		<contextId>FIM_79f4e4c801101db5aba48cd8e0212be7+656317861</contextId>
	</contextDataElements>
...
</CommonBaseEvent>
<CommonBaseEvent 
	creationTime="2007-01-31T20:59:57.765Z" 
	extensionName="IBM_SECURITY_TRUST" 
	globalInstanceId="CE4454A122E10AB044A1DBB16E02213050" 
	sequenceNumber="2" version="1.0.1">
	<contextDataElements name="Security Event Factory" type="eventTrailId">
		<contextId>FIM_79f4e4c801101db5aba48cd8e0212be7+656317861</contextId>
	</contextDataElements>
...
</CommonBaseEvent>

SourceComponentId element

The SourceComponentId is an identifier that represents the source that generates the event.
Table 2. Attributes for the SourceComponentId element

| Attribute | Value | XPath |
| --- | --- | --- |
| application | IBM® Verify Identity Access | CommonBaseEvent/sourceComponentId/@application |
| component | | CommonBaseEvent/sourceComponentId/@component |
| componentIdType | ProductName | CommonBaseEvent/sourceComponentId/@componentIdType |
| componentType | http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes | CommonBaseEvent/sourceComponentId/@componentType |
| executionEnvironment | <OS name>#<OS Architecture>#<OS.version> | CommonBaseEvent/sourceComponentId/@executionEnvironment |
| location | <hostname> | CommonBaseEvent/extendedDataElements[@name='registryInfo']/children[@name='location']/values |
| locationType | FQHostname | CommonBaseEvent/sourceComponentId/@locationType |
| subComponent | <classname> | CommonBaseEvent/sourceComponentId/@subComponent |

Situation element

The Situation element describes the circumstance that caused the audit event.
Table 3. Attributes for the Situation element

| Attribute | Value | XPath |
| --- | --- | --- |
| categoryName | ReportSituation | CommonBaseEvent/situation/@categoryName |
| reasoningScope | INTERNAL | CommonBaseEvent/situation/situationType/@reasoningScope |
| reportCategory | SECURITY | CommonBaseEvent/situation/situationType/@reportCategory |

Outcome element

The Outcome element is the result of the action for which the security event is being generated.
Table 4. Attributes for the Outcome element

| Attribute | Value | XPath |
| --- | --- | --- |
| failureReason | | CommonBaseEvent/extendedDataElements[@name='outcome']/children[@name='failureReason']/values |
| majorStatus | | CommonBaseEvent/extendedDataElements[@name='outcome']/children[@name='majorStatus']/values |
| result | | CommonBaseEvent/extendedDataElements[@name='outcome']/children[@name='result']/values |

Note: Federation does not use the ReporterComponentId field.

ExtendedDataElements

The iv-correlation-id is included in the ExtendedDataElements to associate advanced access control audit events with reverse proxy audit events.
Note: If the correlation ID includes the suffix '_local', the event does not have a matching reverse proxy audit event correlation ID. For example, 0c0983b6-2fb7-11f0-bd73-2f84ed32d923_local.
Table 5. Attributes and elements of the ExtendedDataElements element

| Attribute | Value | XPath |
| --- | --- | --- |
| name | iv-correlation-id | CommonBaseEvent/extendedDataElements/[@name='iv-correlation-id'] |
| type | string | CommonBaseEvent/extendedDataElements/@type |
| value | The correlation id, for example, 0c0983b6-2fb7-11f0-bd73-2f84ed32d923 | CommonBaseEvent/extendedDataElements/[@name='iv-correlation-id']/values |

The following is an XML-formatted example of a Common Base Event (CBE) event header that includes an iv-correlation-id in the ExtendedDataElements element.
<CommonBaseEvent 
	creationTime="2007-01-31T20:59:57.625Z" 
	extensionName="IBM_SECURITY_TRUST" 
	globalInstanceId="CE4454A122E10AB044A1DBB16E020E1D80" 
	sequenceNumber="1" version="1.0.1">
	<contextDataElements name="Security Event Factory" type="eventTrailId">
		<contextId>FIM_79f4e4c801101db5aba48cd8e0212be7+656317861</contextId>
	</contextDataElements>
	<extendedDataElements name="iv-correlation-id" type="string">
		<values>0c0983b6-2fb7-11f0-bd73-2f84ed32d923</values>
	</extendedDataElements>
...
</CommonBaseEvent>
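
The following added example (not IBM code or part of the product documentation) shows how an analyst could apply the two correlation fields described above: it groups events into transactions by eventTrailId and separates iv-correlation-id values that can be looked up in reverse proxy audit records from those carrying the '_local' suffix. It assumes events arrive as concatenated CommonBaseEvent elements without an XML namespace, as in the examples on this page; the function names and the third sample event are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _cbe(time, seq, trail, corr=None):
    """Build a constructed CBE header shaped like the page's examples (no namespace)."""
    ext = ('<extendedDataElements name="iv-correlation-id" type="string">'
           f'<values>{corr}</values></extendedDataElements>') if corr else ""
    return (f'<CommonBaseEvent creationTime="{time}" extensionName="IBM_SECURITY_TRUST" '
            f'sequenceNumber="{seq}" version="1.0.1"><contextDataElements '
            'name="Security Event Factory" type="eventTrailId">'
            f'<contextId>{trail}</contextId></contextDataElements>{ext}</CommonBaseEvent>')

TRAIL_A = "FIM_79f4e4c801101db5aba48cd8e0212be7+656317861"  # value from the page
CORR = "0c0983b6-2fb7-11f0-bd73-2f84ed32d923"               # value from the page
SAMPLE = "\n".join([                                         # constructed event stream
    _cbe("2007-01-31T20:59:57.765Z", 2, TRAIL_A),
    _cbe("2007-01-31T20:59:57.625Z", 1, TRAIL_A, CORR),
    _cbe("2007-01-31T21:00:03.100Z", 1, "FIM_CONSTRUCTED_PLACEHOLDER+1", CORR + "_local"),
])

def parse_events(text):
    """Parse concatenated CommonBaseEvent elements; a synthetic root makes them one document."""
    events = []
    for ev in ET.fromstring("<events>" + text + "</events>").iter("CommonBaseEvent"):
        events.append({
            "time": ev.get("creationTime"),
            "seq": int(ev.get("sequenceNumber", "0")),
            "trail": ev.findtext("contextDataElements[@type='eventTrailId']/contextId"),
            "corr": ev.findtext("extendedDataElements[@name='iv-correlation-id']/values"),
        })
    return events

def group_by_trail(events):
    """Group events of one transaction by eventTrailId, ordered by time then sequence."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: (e["time"] or "", e["seq"])):
        groups[e["trail"]].append(e)
    return dict(groups)

def split_correlation_ids(events):
    """Return (ids to look up in reverse proxy audit, '_local' ids with no proxy match)."""
    proxied, local = set(), set()
    for e in events:
        if e["corr"]:
            (local if e["corr"].endswith("_local") else proxied).add(e["corr"])
    return proxied, local
```

Events without an iv-correlation-id element are skipped by split_correlation_ids, so only the eventTrailId grouping ties them to a transaction.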