Can SecureLogin Audit Single Sign On enabled applications via Event Viewer or SNMP using the AuditEvent command instead of running an external program?

  • 7940954
  • 19-Aug-2009
  • 17-Jan-2014

Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.

Environment

SecureLogin
SecureLogin SSO
v6.1 and later
All Versions


Situation

Question

Can SecureLogin Audit Single Sign On enabled applications via Event Viewer or SNMP using the AuditEvent command instead of running an external program?

Resolution

Answer

SecureLogin supports auditing to Novell Audit using the AuditEvent command, to SNMP by using the Run command to call the slsnmp.exe utility, and to the Windows Event Log by using the Run command to call the Windows Resource Kit utility LogEvent.exe.

Some customers desire the ability to use the AuditEvent command (and built-in events) with SNMP or the Windows Event Log without running an external application. Please refer to the knowledgebase article “Is it possible to audit SecureLogin events such as application access, logon failure and change password?” for additional information.

To meet this need, ActivIdentity Professional Services created two add-on applications that utilize the native Novell Audit support and the AuditEvent command. These utilities are now included as unsupported utilities on the ActivIdentity SecureLogin 6.1 product media (in the Additional Utilities\Unsupported utilities directory):

  • SSO Audit SNMP (SetupSSOAuditSNMP.msi) is used to send SNMP alerts using internal script commands rather than running the external slsnmp.exe utility.
  • SSO Audit WEL (SSO_WEL_Audit.msi) is used to send events to the Windows event log using internal script commands rather than running the external logevent.exe utility.

These utilities are provided as a convenience to customers, but are not supported through the normal product support channel, and are provided on an “as-is” basis (or supported through Professional Services).

These two utilities are currently not compatible with each other; customers must use the AuditEvent command with only one of Novell Audit, SNMP, or the Windows Event log. (It is possible to use the AuditEvent command with one method, and then use the Run command to support additional auditing methods if multiple methods are required.)

Note that either of these options requires that the SecureLogin setting “Enable logging to Novell Audit” be set to “Yes”.

Using the Novell Audit support automatically supports the following events without additional scripting:

Event   Description
1       SSO AuditEvent Script Command
2       SSO Client Started
3       SSO Client Exited
4       SSO Client Activated By User
5       SSO Client Deactivated By User
6       Password Provided By SSO
7       Password Changed by the user in response to a ChangePassword command
8       Password Changed automatically in response to a ChangePassword command


When used with the Windows Event log, a new Event type is created for the SecureLogin events, and events are automatically sent to the local event log.

In addition to the automatic SNMP alerts or event log entries, these utilities also support the AuditEvent script command. Customers can send customized SNMP alerts or event log entries for any event that SecureLogin can detect, including but not limited to:

  • Login Attempt
  • Login Attempt Successful
  • Login Attempt Failed
  • Host system unavailable (if a message is returned by the backend system ASL can read and respond to it)
  • Change Password Success
  • Change Password Failure
  • Account Lockout
  • Step-up/application re-verification failed
  • Transactions within the application (for example, if a user clicks File>Print)

For more information on the AuditEvent script command, please refer to the product documentation “SecureLogin SSO Application Definition Guide”.

Both add-on products are installed using an MSI package. After installation, the SSO Audit WEL utility does not require any configuration, and currently only sends events to the local machine.

The SSO Audit SNMP utility requires setting the SNMP Server and SNMP community string.

These settings can be configured by running the following (case-sensitive) command:

Rundll32 logevent.dll,Config

These can also be configured through the following string-value registry keys:

  • HKLM\Software\ActivIdentity\SecureLogin\SSOAuditSNMP\Community
  • HKLM\Software\ActivIdentity\SecureLogin\SSOAuditSNMP\Hostnames\Host-0
  • HKLM\Software\ActivIdentity\SecureLogin\SSOAuditSNMP\Hostnames\Host-1 (increment as necessary for multiple hosts).
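
The registry settings listed above can be reviewed with a short read-only PowerShell script. This is an added example, not part of the original article or of the ActivIdentity utilities; it assumes Community and Host-N are string values under the listed keys, and it also checks the WOW6432Node view on the assumption that the add-on may be a 32-bit install on 64-bit Windows.

```powershell
# Added example: read-only review of the SSO Audit SNMP settings named in this article.
# Assumption: Community and Host-N are string values under the keys shown on the page.
$views = @(
    'HKLM:\Software\ActivIdentity\SecureLogin\SSOAuditSNMP',
    # Assumption: a 32-bit install on 64-bit Windows is redirected to this view.
    'HKLM:\Software\WOW6432Node\ActivIdentity\SecureLogin\SSOAuditSNMP'
)
# Default community strings commonly left unchanged on SNMP deployments.
$weakCommunities = @('public', 'private')

function Get-SsoAuditSnmpConfig {
    param([Parameter(Mandatory)][string]$KeyPath)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }

    $community = (Get-ItemProperty -LiteralPath $KeyPath -Name 'Community' `
                  -ErrorAction SilentlyContinue).Community

    $hosts = @()
    $hostKey = Join-Path $KeyPath 'Hostnames'
    if (Test-Path -LiteralPath $hostKey) {
        # Keep only Host-0, Host-1, ... and order them by index.
        $hosts = @((Get-ItemProperty -LiteralPath $hostKey).PSObject.Properties |
            Where-Object { $_.Name -match '^Host-\d+$' } |
            Sort-Object { [int]($_.Name -replace '^Host-', '') })
    }

    $findings = @()
    if ([string]::IsNullOrWhiteSpace($community)) {
        $findings += 'Community is not set'
    } elseif ($weakCommunities -contains $community) {
        $findings += 'Community is a well-known default'
    }
    if ($hosts.Count -eq 0) { $findings += 'No Host-N trap destination is set' }
    for ($i = 0; $i -lt $hosts.Count; $i++) {
        if ($hosts[$i].Name -ne "Host-$i") { $findings += "Expected Host-$i, found $($hosts[$i].Name)" }
        if ([string]::IsNullOrWhiteSpace([string]$hosts[$i].Value)) { $findings += "$($hosts[$i].Name) is empty" }
    }

    [pscustomobject]@{
        Key          = $KeyPath
        CommunitySet = -not [string]::IsNullOrWhiteSpace($community)  # value itself is never printed
        Hosts        = ($hosts | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        Findings     = $findings -join '; '
    }
}

$views | ForEach-Object { Get-SsoAuditSnmpConfig -KeyPath $_ } | Format-List
```

The script only reads the keys and reports whether a community string is present without echoing it, since the value is stored as plain text in the registry.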
