Sentinel collector parses the NAM IDP server's IP as SourceHostIP instead of the client's IP

  • 7016985
  • 13-Nov-2015
  • 02-Dec-2015

Environment

NetIQ Access Manager 4.1
Auditing enabled on Identity Server
Audit events sent to Sentinel back end server
Sentinel running Audit Connector 2011.1r3

Situation

Customer reported that after upgrading Sentinel NAM collector from 2011.1r1 to 2011.1r2 the SourceHostIp field contains now NAM server's IP instead of client's IP.
Following parser in the Sentinel's debugger in the old version value was taken from Value1 field in the original event and then converted to the actual IP address. In the new version we parse it as well but then sip gets assigned again in this line:

this.sip = this.SourceIP; which seems to point to invalid IP in those events. The SourceHostIP should be populated with the client's IP address.

Resolution

Fixed in NAM 4.2 and r4 release of collector.