Task #2717 (closed)

Enhance audit logging in the text log of CzechIdM

Added by Petr Fišer about 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: High
Assignee: Ondrej Husník
Category: Logging
Target version:
Start date: 03/12/2021
Due date:
% Done: 100%
Estimated time: 40.00 h
Owner:

Description

On many projects, we have to integrate CzechIdM with SIEM software. Such software usually consumes textual log messages via the syslog protocol. Consuming the audit trail via the application REST API may not be ideal, because:
  • The customer may not be able (SIEM product features / lack of funding / ...) to modify their SIEM to work with the CzechIdM REST API.
  • Real-time queries into the audit trail heighten the load on our application.

It would be awesome to have the audit trail also written into the text log of the application. That way, events will be logged at the application's discretion and will also make it to syslog and then to the SIEM.

Customers want to see these audit messages in their SIEMs (compiled from actual customer requests):
  • Log-on and log-off attempts; both successful and failed ones.
  • Manipulation of a user account (= identity) and its privileges; both successful and failed ones.
    • Change of attributes. (Simply logging "somebody changed this identity" should be enough. I think we should not log changed attributes.)
    • Create/delete of identity.
    • Enable/disable of identity.
    • Password change.
    • Password reset.
    • Role assignment/unassignment.
  • Approval or disapproval of a role request.
  • Events on roles.
    • Create/delete/update.
    • Adding/removing privilege on role.
  • Actions performed by administrators. (I guess this is covered by other items in this list, maybe we should explicitly log that "this user is an administrator"?)
  • Failed actions due to missing privileges.
  • Attempts to modify the audit trail. (And maybe also audit trail reads?)
  • LRT start/end and also its success/error state.
  • LRT errors.
  • Application configuration changes.
    • When I define a property through the configuration agenda, the application should log that a create/update/delete of the property happened and by whom. Do not log the actual value of the property.

The list above may need a bit of thought. It will probably cause heavier logging into the application log, so we probably need to create application properties that make it possible to turn parts of it on/off.
Also, readability is a concern here - it is not possible to use only internal UUIDs in this log, because that data is useless outside of IdM (e.g. in the SIEM).
Hypothetical example of how the message could look (maybe we need some other fields there?):

$timestamp $thread $class: AUDIT/IDENTITY_PASSWORD_RESET status:SUCCESS target:uživatel123456 target_uuid:... performed_by:helpdeskový_administrátor performed_by_uuid:... reason:null
$timestamp $thread $class: AUDIT/IDENTITY_PASSWORD_RESET status:FAILURE target:uživatel123456 target_uuid:... performed_by:helpdeskový_administrátor2 performed_by_uuid:... reason:INSUFFICIENT_PRIVILEGES
$timestamp $thread $class: AUDIT/ROLE_CREATE status:SUCCESS target:ADčková_role target_uuid:... performed_by:admin performed_by_uuid:... reason:null

This ticket will probably consist of three main parts:
  • Adding audit logging to various parts of CzechIdM.
  • Refining existing logging - for example, LRT start/end is already logged, but only with UUIDs. We need to put LRT names there to make the log usable in the SIEM.
  • Making an audit matrix and documenting what is audited.
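As an added example (hypothetical helper code, not CzechIdM's own implementation), the Python below formats an event into the message layout sketched above, honours per-category on/off switches standing in for the proposed application properties, refuses to emit value-bearing fields for configuration changes, and parses a complete log line back the way a SIEM ingest rule would. Values containing whitespace are quoted so that key:value splitting on the SIEM side stays unambiguous. The switch names, field names, sample UUIDs and the sample line prefix are assumptions made for this example.

```python
"""Added example: formatter and parser for the audit-line layout proposed in
this ticket. Hypothetical helper, not part of CzechIdM."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical per-category switches standing in for the application
# properties the ticket proposes (names assumed, not CzechIdM's).
AUDIT_ENABLED: Dict[str, bool] = {
    "IDENTITY": True,
    "ROLE": True,
    "CONFIGURATION": True,
    "LRT": False,          # switched off here to show the effect
}

# Keys whose values must never reach the text log (the ticket: log that a
# configuration property changed, never its value).
FORBIDDEN_KEYS = {"value", "old_value", "new_value", "password"}

# key:value where value is either a quoted string (with \" and \\ escapes)
# or a run of non-whitespace characters.
FIELD_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class AuditEvent:
    category: str            # IDENTITY, ROLE, CONFIGURATION, LRT, ...
    action: str              # PASSWORD_RESET, CREATE, START, ...
    status: str              # SUCCESS or FAILURE
    target: str              # human-readable name, usable outside IdM
    target_uuid: str
    performed_by: str
    performed_by_uuid: str
    reason: Optional[str] = None
    extra: Dict[str, str] = field(default_factory=dict)


def _quote(value: str) -> str:
    """Quote a value that would otherwise break space-separated parsing."""
    if value and not re.search(r'[\s"\\]', value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _unquote(token: str) -> str:
    if token.startswith('"') and token.endswith('"'):
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token


def format_audit_message(ev: AuditEvent) -> Optional[str]:
    """Build the message part of the line ($timestamp $thread $class: are
    added by the logging framework). Returns None when the category is off."""
    if not AUDIT_ENABLED.get(ev.category, False):
        return None
    fields = {
        "status": ev.status,
        "target": ev.target,
        "target_uuid": ev.target_uuid,
        "performed_by": ev.performed_by,
        "performed_by_uuid": ev.performed_by_uuid,
        "reason": ev.reason if ev.reason else "null",
    }
    for key, val in ev.extra.items():
        if key.lower() in FORBIDDEN_KEYS:
            raise ValueError(f"refusing to log value-bearing field {key!r}")
        fields[key] = val
    body = " ".join(f"{k}:{_quote(v)}" for k, v in fields.items())
    return f"AUDIT/{ev.category}_{ev.action} {body}"


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Parse a full text-log line as a SIEM would; None for non-audit lines."""
    idx = line.find(" AUDIT/")
    if idx < 0:
        return None
    prefix, message = line[:idx].rstrip(":"), line[idx + 1:]
    event, _, rest = message.partition(" ")
    record = {"event": event[len("AUDIT/"):], "prefix": prefix}
    for key, raw in FIELD_RE.findall(rest):
        record[key] = _unquote(raw)
    return record


if __name__ == "__main__":
    # Constructed sample event; UUIDs are placeholders.
    sample = AuditEvent("IDENTITY", "PASSWORD_RESET", "SUCCESS",
                        "uživatel123456", "11111111-2222-3333-4444-555555555555",
                        "helpdesk admin", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
    msg = format_audit_message(sample)
    print(msg)
    print(parse_audit_line("2021-03-12T10:15:00Z [exec-1] AuditLogger: " + msg))
```

The parser keys on the literal `AUDIT/` marker rather than on the logger prefix, so the same rule works whatever timestamp, thread and class pattern the framework is configured to print; only the message part needs to stay stable for the SIEM rules to keep working.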
