Archived Content: This information is no longer maintained and is provided 'as is' for your convenience.
Can SecureLogin Audit Single Sign On enabled applications via Event Viewer or SNMP using the AuditEvent command instead of running an external program?
SecureLogin supports auditing through Novell Audit using the AuditEvent command, auditing through SNMP through the Run command via the slsnmp.exe utility, and auditing through the Windows Event Log through the Run command via the Windows Resource Kit utility LogEvent.exe.
Some customers desire the ability to use the AuditEvent command (and built âin events) with SNMP or the Windows Event Log without running an external application. Please refer to the knowledgebase article âIs it possible to audit SecureLogin events such as application access, logon failure and change password?â for additional information.
To meet this need, ActivIdentity Professional Services created two add-on applications that utilize the native Novell Audit support and the AuditEvent command. These utilities are now included as unsupported utilities on the ActivIdentity SecureLogin 6.1 product media (in the Additional Utilities\Unsupported utilities directory):
- SSO Audit SNMP (SetupSSOAuditSNMP.msi) is used to send SNMP alerts using internal script commands rather than running the external slsnmp.exe utility.
- SSO Audit WEL (SSO_WEL_Audit.msi) is used to send events to the Windows event log using internal script commands rather then running the external logevent.exe utility.
These utilities are provided as a convenience to customers, but are not supported through the normal product support channel, and are provided on an âas-isâ basis (or supported through Professional Services).
These two utilities are currently not compatible with each other â customers must either use the AuditEvent command with Novell Audit, SNMP, or the Windows Event log. (It is possible to use the AuditEvent command with one method, and then use the Run command to support additional auditing methods if multiple methods are required).
Note that either of these options requires that SecureLogin setting âEnable logging to Novell Auditâ be set to âYesâ.
Using the Novell Audit support automatically supports the following events without additional scripting:
|1||SSO AuditEvent Script Command|
|2||SSO Client Started|
|3||SSO Client Exited|
|4||SSO Client Activated By User|
|5||SSO Client Deactivated By User|
|6||Password Provided By SSO|
|7||Password Changed by the user in response to a ChangePassword command|
|8||Password Changed automatically in response to a ChangePassword command|
When used with the Windows Event log, a new Event type is created for the SecureLogin events, and events are automatically sent to the local event log.
In addition to the automatic SNMP alerts or event log entries, these utilities also support the AuditEvent script command. Customers can send customized SNMP alerts or event log entries for any event that SecureLogin can detect, including but not limited to:
- Login Attempt
- Login Attempt Successful
- Login Attempt Failed
- Host system unavailable (if a message is returned by the backend system ASL can read and respond to it)
- Change Password Success
- Change Password Failure
- Account Lockout
- Step-up/application re-verification failed
- Transactions within the application (for example, if a user clicks File>Print)
For more information on the AuditEvent script command, please refer to the product documentation âSecureLogin SSO Application Definition Guideâ.
Both add-on products are installed using an MSI package. After installation, the SSO Audit WEL utility does not require any configuration, and currently only sends events to the local machine.
The SSO Audit SNMP utility requires setting the SNMP Server and SNMP community string.
These settings can be configured by running the following (case-sensitive) command:
These can also be configured through the following string-value registry registry keys:
- HKLM\Software\ActivIdentity\SecureLogin\SSOAuditSNMP\Hostnames\Host-1 (increment as necessary for multiple hosts).