After following the Bookshelf, Unable to Enable / Configure Auditing.

Discussion created by Chris_Thomas Employee on Sep 28, 2011

Title: After following the Bookshelf, Unable to Enable / Configure Auditing.


Some common symptoms indicative of an Audit/Report mis-configuration...:

When creating or modifying users, tasks, or roles in IDM I get a message that says: "No Auditing configuration was fond for ime..."
While trying to generate the "Audit-Assign Revoke Provisioning Roles Report" got the following error:
Error in formula <Section_Visibility>.'isnull({Command.ims_transactionid})'.The field name is not known.Details: errorKind"


According to the IM r12.5 Bookshelf:

Administration Guide -> CA Enterprise Log Manager Integration -> CA Enterprise Log Manager Functionality -> How to Integrate CA Enterprise Log Manager with CA Identity Manager -> Enable Auditing in CA Identity Manager

Step 4) Modify the saved file with the following and save the modifications:

<Audit enabled="true" auditlevel="BOTH" datasource="auditDbDataSource"

this exported audit xml datasource mapping syntax is incorrect: auditDbDataSource and will result in the aforementioned error.
The correct setting should be derived from the defined jndi-name within \jboss-5.1.0.GA\server\default\deploy\iam_im_imauditdb-ds.xml.
[color=#009f10]java:/iam/im/jdbc/auditDbDataSource [color]was defined in my environment, but this may change in the future or may be different in your environment. After you enter the correct string import and a restart. (don't click the restart my environment button, this does NOT work)

This is only an example, your actual entry may change.
<Audit enabled="true" auditlevel="BOTH" datasource="java:/iam/im/jdbc/auditDbDataSource"

[color=#ed0404]Also if you're using an application server like WAS or WLS, you'll need to define the JDBC / JNDI connection name / object within the application server administrative console. Please make sure to reference that name in the datasource within the audit xml you're importing. [color]

***CA ELM is recommended, but not required to obtain auditing functionality within your IME and report on it. Perhaps not all of the Out-of-the-Box Audit reports will capture all Audit information you're collecting, but there are quite a few scenarios pre-packaged Out-of-the-Box, which you should consider before going an further.

Audit-Assign/Revoke Provisioning Roles
Displays a list of provisioning role events.

Displays a list of provisioning role events.

Audit Details
Displays tasks and events with related status details

Audit-Pending Approval Tasks
Displays a list of pending approval tasks.

Audit-Reset Password
Displays the list of users' passwords that have been reset for a given period of time.

More information on how to run audit reports can be found within:

Administration Guide -> Reporting -> How to Run Non-Snapshot Reports

It's important to note that Audit reports don't require snapshots and it's important to associate your audit report JDBC datasource with the audit report task. (all covered within the admin guide)

Any additional custom reporting functionality will require you to purchase crystal reports developer, integrate with ELM or simply select the data directly from your Audit RDBMS.

Not clearly mentioned within the guide, but a best practice is to separate the audit database from your IM object store, because this database can grow quite large and within Identity Manager r12.5 there are quite a few Out of the Box reports, which will query this database.

Installation Guides -> JBoss Version -> Database Creation -> Edit the Data Source

According to this guide a restart of your application server will automatically create the database, but if it doesn't;

You can change the datasource by following this procedure:

To separate the audit DB from Object store, create a new database and user with DBO user mapping, then run the appropriate script for your RDBMS (SQL Server or Oracle).

If using SQL Server, run
\Program Files\CA\Identity Manager\IAM Suite\Identity Manager\tools\db\auditing\SqlServer\ims_mssql_audit.sql
As the SQL DBO user mapped to the audit database.

More specific information for configuring specific Audit events and tasks is available within:

Configuration Guide -> Auditing an Identity Manager Environment -> How to Configure Auditing -> Configure Audit Settings

If you're still having difficulty, please download the attached SQL file, which lists the sql each audit report will run to fetch the data for the reports. Sometimes it's helpful to run each sql query against your audit database to verify that the data exists, but please contact support with any additional questions or concerns.

FYI, this is also posted on within the Knowledge Base Article TEC541585, but it was published some time ago, I've corrected the sections above to work with the latest versions of IM, which at the time of this post is SP9.

Please post with any questions or concerns.
Thank you.

Chris Thomas
CA Technologies
Principal Support Engineer
Identity Manager Reporting Expert
Tel: +1-631-342-4360