Audit log events
IBM® Security Access Manager for Enterprise Single Sign-On generates event logs at all end-points.
Administrators and Help desk officers can access the audit logs for individual users. Only Administrators can run full queries on audit logs, access the Help desk logs, and generate reports on Help desk and user activity. Users do not have read/write access to these logs.
Types of logs
- User logs - logs of user activities.
- Administrator logs - logs of the Administrator and Help desk activities.
- System logs - The system logs are message and error logs for the IMS Server itself. System logs are primarily used for troubleshooting server issues and monitoring system health.
- What applications users access
- Who accessed these applications
- Details about the accounts used
- When users accessed these applications, and from where they are accessed
Storage and sync
If AccessAgent is connected to the IMS Server, AccessAgent audit logs are immediately submitted to the IMS Server. The IMS Server stores the audit logs on a relational database. If there is no network connection to the IMS Server, AccessAgent temporarily caches the event logs on the local computer. The logs are submitted to IMS Server when network connection to the IMS Server is restored.
User event
The following are the user-related events that are logged.
Audit Log Event | Description |
---|---|
Add account credential to the Wallet | When a user adds account credentials to the Wallet manually, rather than having them captured by AccessAgent. |
Auto-capture authentication service password | When AccessAgent captures account credentials for the user and stores them in the Wallet. |
Auto-fill authentication service password | When the AccessAgent injects (auto-fills) account credentials into an application logon screen for the user after reading them from the Wallet. This event is logged for enterprise authentication services only. AccessAgent logs the event irrespective of whether the logon is successful. |
Fortify authentication service password | When AccessAgent generates a random password on a change password screen, auto-fills it into the new password fields, and clicks submit. |
Log on authentication service | When a user logs on to an authentication service. This event is not automatically generated by AccessAgent. It must be explicitly modeled in the respective AccessProfiles. This event differs from the Auto-fill event: it is a validated logon, and is logged only when a user successfully logs on to the application. |
Log off authentication service | When a user logs off from an authentication service. This event is not automatically generated by AccessAgent. It must be explicitly modeled in the respective AccessProfiles. |
Log on to AccessAgent | When a user logs on to AccessAgent. |
Sign up user | When a user signs up with the IMS Server. |
Register authentication factor | When a user registers an authentication factor like RFID badge, fingerprint, and others. |
Store cached Wallet on hard disk or ISAM ESSO USB Key | When a user's Wallet is cached. |
Unlock computer | When the computer is unlocked. |
Reset ISAM ESSO password offline | When the ISAM ESSO password is reset offline using the backup software key (BSK) mechanism. |
Reset ISAM ESSO password online | When the ISAM ESSO password is reset online with the Help desk generated authorization code or self-service secrets. |
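
The difference between the auto-fill event (logged whether or not the logon succeeds) and the validated logon event (logged only on success, and only where the AccessProfile models it) can be used to find auto-fills that never led to a successful logon. The following is an added example, not IBM code: the record field names, the sample records, and the 120-second window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

AUTOFILL = "Auto-fill authentication service password"
LOGON = "Log on authentication service"

# Constructed sample records; the field names are hypothetical, not the IMS schema.
# Cached AccessAgent logs can arrive late, so the list is deliberately unordered.
SAMPLE = [
    {"time": "2024-05-01T09:00:05", "event": LOGON, "user": "alice", "service": "HR Portal"},
    {"time": "2024-05-01T09:00:00", "event": AUTOFILL, "user": "alice", "service": "HR Portal"},
    {"time": "2024-05-01T09:10:00", "event": AUTOFILL, "user": "bob", "service": "HR Portal"},
    {"time": "2024-05-01T09:12:00", "event": AUTOFILL, "user": "bob", "service": "Legacy ERP"},
    {"time": "2024-05-01T09:30:00", "event": AUTOFILL, "user": "bob", "service": "HR Portal"},
    {"time": "2024-05-01T09:30:20", "event": LOGON, "user": "bob", "service": "HR Portal"},
]

def unvalidated_autofills(records, window_seconds=120):
    """Return auto-fill events with no validated logon by the same user on the
    same service within the window. Services that never emit a logon event are
    skipped: their AccessProfile does not model it, so absence proves nothing."""
    window = timedelta(seconds=window_seconds)
    events = sorted(
        ({**r, "time": datetime.fromisoformat(r["time"])} for r in records),
        key=lambda r: r["time"],  # order by occurrence time, not arrival order
    )
    modeled = {e["service"] for e in events if e["event"] == LOGON}
    logons = {}
    for e in events:
        if e["event"] == LOGON:
            logons.setdefault((e["user"], e["service"]), []).append(e["time"])
    findings = []
    for e in events:
        if e["event"] != AUTOFILL or e["service"] not in modeled:
            continue
        times = logons.get((e["user"], e["service"]), [])
        if not any(e["time"] <= t <= e["time"] + window for t in times):
            findings.append((e["time"].isoformat(), e["user"], e["service"]))
    return findings

if __name__ == "__main__":
    for finding in unvalidated_autofills(SAMPLE):
        print(finding)
```

A finding here means a credential was injected but no successful logon followed, which is worth reviewing as a stale Wallet entry or a failed logon attempt.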
Administrator / Help desk event
The following are the Administrator and Help desk events that are logged.
Audit Log Event | Description |
---|---|
Authorization code issuance for online verification | When a Help desk officer or Administrator generates an authorization code for the user when the user has connectivity to the IMS. |
Authorization code issuance for offline verification | When a Help desk officer or Administrator generates an authorization code for the user to reset the password when the user does not have connectivity to the IMS Server (Backup Software Key (BSK) workflow). |
Provision ISAM ESSO user account | When an Administrator provisions an ISAM ESSO user account. |
Update System Policy | When an administrator updates the system policy. |
Update User Policy | When an administrator or Help desk updates a user policy. |
Authentication factor revocation | When a user authentication factor is revoked by the Administrator or Help desk. |
Revoke user | When a user is revoked by an administrator or Help desk. |
System logs
- C:\Program Files\IBM\SAM E-SSO\IMS Server\ISAM_ESSO_IMS_Server_InstallLog.log
- C:\Program Files\IBM\WebSphere\AppServer\profiles\<AppSrv01>\logs
- C:\Program Files\IBM\HTTPServer\logs
- C:\Program Files\IBM\ISAM ESSO\Logs
When troubleshooting IMS Server issues, make a copy of the system logs before you start the IMS Server. Starting the IMS Server clears the system logs.
Audit log queries
- Date and time of occurrence
- Event that caused the entry
- User name for the authentication service
- Name of the authentication service
- Help desk user name
- SOCI ID
- IP address
- Event result
Event logs
Each event displayed in AccessAdmin is specified in the IMS Server configuration file and can be modified through the IMS Configuration Utility.
You can translate event codes and result codes through the Code Translation utility. See IBM Security Access Manager for Enterprise Single Sign-On Configuration Guide.