Environment
NetIQ Access Manager 4.1
Auditing enabled on Identity Server
Audit events sent to Sentinel back end server
Sentinel running Audit Connector 2011.1r3
Auditing enabled on Identity Server
Audit events sent to Sentinel back end server
Sentinel running Audit Connector 2011.1r3
Situation
Customer reported that after upgrading Sentinel NAM collector from 2011.1r1 to 2011.1r2 the SourceHostIp field contains now NAM server's IP instead of client's IP. Following parser in the Sentinel's debugger in the old version value was taken from Value1 field in the original event and then converted to the actual IP address. In the new version we parse it as well but then sip gets assigned again in this line:
this.sip = this.SourceIP; which seems to point to invalid IP in those events. The SourceHostIP should be populated with the client's IP address.
Resolution
Fixed in NAM 4.2 and r4 release of collector.