
Activity Data Source Configuration

Use the Activity Data Source Configuration page to add or edit activity data sources. Activity collectors access activity data sources such as event or audit logs, collect the activity information that is to be monitored, and transform that data into a format that can be read by IdentityIQ. These Activity Data Sources are used for all activity aggregation and reporting.

Changes made on this page are not committed until a save is performed on the application with which they are associated. For example, if you add or delete a data source on this page and click Save, you do not see that change reflected on the application until you click Save on the application page and commit the change.

For each activity data source enter or edit the following:

  • The general data source information in Activity Data Source Configuration.

  • Activity target information found on the Activity Target tab for each source type; see [Activity Targets].

  • The unique connection and query settings for each activity data source type.

    • [JDBC Collector Settings]

    • [Windows Event Log Collector Settings]

    • [Log File Collector Settings]

    • [RACF Audit Log Collector]

    • [CEF Log File]

Activity Data Source Fields

  • Name - A short, descriptive name for the activity data source.

  • Description - A brief description of the activity data source.

  • Transformation Rule - The transformation rule required to convert the data collected from the data source into a format that can be used by IdentityIQ.

    Note

    Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.

  • Correlation Rule - The correlation rule that should be used to correlate the activity data collected with identities.

    Note

    Click the [...] icon to launch the Rule Editor to make changes to your rules if needed.

  • Activity Data Source Type - The type of data source from which the activity is being collected. The Activity Data Source Type dropdown list contains the types of data source from which activity information can be collected. This list will grow and change to meet the needs of IdentityIQ users.

Note

When CEF Log File is selected from the dropdown list, the Transformation Rule and Correlation Rule fields are displayed with the following respective values:

  • Transformation Rule: CEFTransformRule
  • Correlation Rule: CEFActivityCorrelation

Activity Targets

The Activity Targets tab is used to specify targets within this data source for use in activity searches. A target is a specific object within a data source that is acted upon. For example, a target might be a machine name for a login action, or a file name for a create action.

The targets specified here are used to populate lists on the Activity Search page. These targets can be grouped with targets specified on other applications to create categories of targets. For example, if you have inventory applications at three different locations and a procurement database on each, you can set each procurement database as a target, create a Procurement category, and then collect activity for all three procurement databases using a single activity search.

On the Activity Targets tab you can add activity targets for the data source with which you are working. Type the name of the activity target in the field at the bottom of the list and click Add Activity Target. To remove activity targets, use the selection boxes on the left of the table and click Delete.

JDBC Collector Settings

Use these settings when using a JDBC collector.

Connection Settings

IdentityIQ uses the connection settings to access the activity data source.

  • Connection User - A valid JDBC user with access to the data source being accessed by this collector.

  • Connection Password - The password associated with the Connection User if a password is required. The password is encrypted and is not displayed with the activity data source information.

  • Database URL - The full URL to the activity data source. For example, jdbc:mysql://localhost/db

  • JDBC Driver - The driver class of the activity data source. For example, com.mysql.jdbc.Driver

Query Settings

The query settings are used to control the activity information that is collected when an Activity Aggregation task is run.

  • SQL Statement - The SQL statement used to query activity from the database.

  • Condition Builder - Transforms the data mapped in the rule selected as the Position Builder into a SQL statement used by subsequent queries to determine start position.

  • Position Builder - Rule that converts the last row in the result set returned by the query into a configuration map that is persisted into the IdentityIQ database.

    The data that is mapped in this rule is used by the condition builder to create a SQL statement used in future queries to determine the start location. This enables IdentityIQ to perform scheduled activity aggregations without having to scan entire data sets with each subsequent aggregation.
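The position builder and condition builder pair described above, as an added example that is not IdentityIQ rule code: it uses Python with an in-memory SQLite database, and the `audit_log` table, its columns and the `lastId` key are assumptions. The condition is built with a bind parameter so the persisted position is never concatenated into the SQL text.

```python
import sqlite3

# Hypothetical audit table and column names; the real SQL Statement is site-specific.
BASE_SQL = "SELECT id, ts, username, action, target FROM audit_log"

def build_position(last_row):
    """Position builder: reduce the last returned row to a small map to persist."""
    return {"lastId": int(last_row["id"])}

def build_condition(position):
    """Condition builder: persisted map -> WHERE fragment plus bind values."""
    if not position:
        return "", ()  # first run: no start position yet
    return " WHERE id > ?", (int(position["lastId"]),)

def aggregate(conn, position):
    """One aggregation run; returns the new rows and the position to persist."""
    where, params = build_condition(position)
    rows = conn.execute(f"{BASE_SQL}{where} ORDER BY id", params).fetchall()
    # Keep the old position when nothing new arrived, so no rows are re-read or lost.
    return rows, (build_position(rows[-1]) if rows else position)

def demo():
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, ts TEXT,"
                 " username TEXT, action TEXT, target TEXT)")
    insert = "INSERT INTO audit_log (ts, username, action, target) VALUES (?,?,?,?)"
    conn.executemany(insert, [  # constructed sample rows
        ("2024-01-01T08:00:00", "jdoe", "login", "db01"),
        ("2024-01-01T08:05:00", "jdoe", "read", "procurement"),
        ("2024-01-01T08:09:00", "asmith", "login", "db01"),
    ])
    first, pos = aggregate(conn, None)       # full scan on the first run
    conn.execute(insert, ("2024-01-01T09:00:00", "asmith", "update", "procurement"))
    second, pos = aggregate(conn, pos)       # only the row added since
    third, pos = aggregate(conn, pos)        # nothing new: position unchanged
    ids = lambda rows: [r["id"] for r in rows]
    return ids(first), ids(second), ids(third), pos

if __name__ == "__main__":
    print(demo())
```

The position column must be monotonically increasing and the query ordered by it; otherwise the last row is not the high-water mark and later runs can skip activity.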

Windows Event Log Collector Settings

Note

Before you can use the Windows Event Log Collector, the IQService must be installed and registered. See Install and Register the IQService for Use with Windows for information on installing and registering the IQService.

Event Log Settings

SailPoint IdentityIQ uses the connection settings to access the activity data source and the query settings to control the activity information that is collected when an Activity Aggregation task is run.

  • User - Valid Windows user name with access to the event log containing the activity data.

  • Password - The password associated with the user specified.

  • IQ Service Host - The host name where the IQ service is running.

  • IQ Service Port - The listening port of the IQ service.

  • Event Log Server - The server where the activity data source resides.

  • Query String - The MQL query used to specify the activity data to collect during the activity aggregation.

  • Block Size - The number of events to retrieve with each activity aggregation performed on this activity data source.

Log File Collector Settings

Transport Settings

The transportation settings are used to access the server where the log file containing the activity data resides.

  • Transport Type – depending on the transport type selected you will see the following:

    • local - If the log file containing the activity data is on the same server as IdentityIQ, no further connection-type information is required.

    • ftp

      • FTP User – a valid user name with authentication access to the FTP host.

      • FTP Password – the password associated with the FTP user.

      • FTP Host – the host where the log file resides.

    • scp

      • SCP User – a valid user name with authentication access to the SCP host.

      • SCP Password – the password associated with the SCP user.

      • SCP Host – the host where the log file resides.

      • SCP Private Key – the private key that is used to encrypt the collected data.

Log File Settings

The log file settings are used to define the query used to collect the activity data.

  • File Name - The name of the log file containing the activity data.

  • Lines to Skip - The number of lines to skip before starting the scan for activity information.

  • Filter Nulls - Skip lines that don't conform to the defined format.

  • Multi-lined Data - A single record in this file spans multiple rows.

  • Regular Expression - Regular expression groups that can be used to tokenize each record in the file.

Log Fields

The log field settings are used to create the log fields based on the column headings in the log file.

  • Name - The name of the log field to create based on a column name from the log file.

  • Trim Value - Remove white space around the column name before creating the log field.

  • Drop Nulls - If the column by this name is null, ignore this record. For example, if the user field is null, then the record cannot be correlated to an IdentityIQ identity and, therefore, cannot be used by IdentityIQ.

RACF Audit Log Collector

Transport Settings

The transportation settings are used to access the server where the log file containing the activity data resides.

  • Transport Type – depending on the transport type selected you will see the following:

    • local - If the log file containing the activity data is on the same server as IdentityIQ, no further connection-type information is required.

    • ftp

      • FTP User – a valid user name with authentication access to the FTP host.
      • FTP Password – the password associated with the FTP user.
      • FTP Host – the host where the log file resides.
    • scp

      • SCP User – a valid user name with authentication access to the SCP host.

      • SCP Password – the password associated with the SCP user.

      • SCP Host – the host where the log file resides.

      • SCP Private Key – the private key that is used to encrypt the collected data.

Log File Settings

The log file settings are used to define the query used to collect the activity data.

  • File Name - The name of the log file containing the activity data.

  • Lines to Skip - The number of lines to skip before starting the scan for activity information.

  • Filter Nulls - Skip lines that don't conform to the defined format.

CEF Log File

CEF Log File Transport Settings

The transportation settings are used to access the server where the log file containing the activity data resides.

  • Transport Type – depending on the transport type selected you will see the following:

    • local - If the CEF log file containing the activity data is on the same server as IdentityIQ, no further connection-type information is required.

    • ftp

      • FTP User – a valid user name with authentication access to the FTP host.
      • FTP Password – the password associated with the FTP user.
      • FTP Host – the host where the log file resides.
    • scp

      • SCP User – a valid user name with authentication access to the SCP host.
      • SCP Password – the password associated with the SCP user.
      • SCP Host – the host where the log file resides.
      • SCP Private Key – the private key that is used to encrypt the collected data.

CEF Log File Settings

The log file settings are used to define the query used to collect the activity data.

  • File Name - The name of the CEF log file containing the activity data.

  • Lines to Skip - The number of lines to skip before starting the scan for activity information.

  • Filter Nulls - Skip lines that do not conform to the defined format.

  • Multi-lined Data - A single record in this file spans multiple rows.

  • Regular Expression - Regular expression groups that can be used to tokenize each record in the file, based on the format of the CEF log file. For example, (\w\w\w\s\d\d\s\d\d:\d\d:\d\d)\s(.)CEF:(.)|(.)|(.)|(.)|(.)|(.)|(.)|(.)(.)

CEF Log Fields

The log field settings are used to create the log fields based on the column headings in the log file.

  • Name - The name of the CEF log field to create based on a column name from the CEF log file.

  • Trim Value - Remove white space around the column name before creating the CEF log field.

  • Drop Nulls - If the column by this name is null, ignore this record. For example, if the user field is null, then the record cannot be correlated to an IdentityIQ identity and, therefore, cannot be used by IdentityIQ.
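How the Lines to Skip, Filter Nulls, Regular Expression, Trim Value and Drop Nulls settings interact, for both the Log File and CEF Log File collectors, shown as an added Python example that is not IdentityIQ code. The pattern, the field names, taking the user from the `suser` extension key and raising an error when Filter Nulls is off are all assumptions.

```python
import re

# One CEF header field: anything except an unescaped pipe ("\|" stays inside the field).
H = r"((?:\\.|[^|\\])*)"
# Hypothetical pattern: syslog time, host, CEF version, six header fields, extension.
# The pipes are escaped; a bare | in a regex means alternation, not a literal separator.
CEF_RE = re.compile(
    r"(\w{3}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s(\S+)\sCEF:(\d+)" + (r"\|" + H) * 6 + r"\|(.*)"
)
FIELDS = ["time", "host", "version", "vendor", "product",
          "deviceVersion", "signatureId", "name", "severity", "extension"]
DROP_NULLS = {"user"}  # records without a user cannot be correlated to an identity

def tokenize(lines, lines_to_skip=0, filter_nulls=True):
    records = []
    for line in lines[lines_to_skip:]:
        m = CEF_RE.fullmatch(line.rstrip("\r\n"))
        if m is None:
            if filter_nulls:
                continue  # Filter Nulls: skip lines that do not conform
            raise ValueError(f"non-conforming line: {line!r}")  # assumed behaviour
        # Trim Value is modelled here as stripping whitespace from each captured value.
        rec = {name: value.strip() for name, value in zip(FIELDS, m.groups())}
        # Assumption: the user comes from the CEF "suser" extension key.
        user = re.search(r"(?:^|\s)suser=(\S+)", rec["extension"])
        rec["user"] = user.group(1) if user else None
        if any(rec[f] in (None, "") for f in DROP_NULLS):
            continue  # Drop Nulls: ignore the whole record
        records.append(rec)
    return records

# Constructed sample input, not taken from a real system.
SAMPLE = [
    "# constructed header line, removed by Lines to Skip",
    "Sep 19 08:26:10 host1 CEF:0|Acme|Gateway|1.0|100|login|5|suser=jdoe dst=192.0.2.5",
    "Sep 19 08:26:11 host1 CEF:0|Acme|Gate\\|way|1.0|101|file create|3|suser=asmith fname=/tmp/a",
    "Sep 19 08:26:12 host1 kernel: not a CEF record",
    "Sep 19 08:26:13 host1 CEF:0|Acme|Gateway|1.0|102|logout|1|dst=192.0.2.5",
]

if __name__ == "__main__":
    for r in tokenize(SAMPLE, lines_to_skip=1):
        print(r["time"], r["user"], r["name"], r["product"])
```

Records removed by Filter Nulls or Drop Nulls never reach correlation, so comparing the number of lines read with the number of records kept shows how much activity a given pattern is silently discarding.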

IdentityIQ uses connectors to extract data and transform it into a format it can read. A connector is a Java class that extends the IdentityIQ AbstractConnector class and implements the IdentityIQ Connector interface. Connectors provide the means by which IdentityIQ communicates with targeted platforms, applications and systems. Each application type requires different information to create and maintain a connection. For detailed connector information refer to the connector documentation delivered with IdentityIQ.