Searching around the Forums, and a bit of the rest of the world with
Google, I have yet to find this called out somewhere. The documentation
for the UserApp about auditing has some pretty odd claims, so I'm not
sure if this falls into that category, or a category of things having
changed over the years making some steps no longer necessary, or what.
Let me explain what I am reading and how I am interpreting it:


This page has the following statement:

The Identity Manager User Application implements logging by using log4j,
an open-source logging package distributed by The Apache Software
Foundation. See Logging Services for details. By default, event messages
are logged to the system console and to the application server's log
file at logging level INFO and above. You can also configure the User
Application to log to Novell Identity Audit and OpenXDAS. Events are
logged to all activated loggers.

Shortly thereafter is this page:


The Identity Manager User Application logs a set of events automatically
from workflow, search, detail, and password requests. By default, the
Identity Manager User Application automatically logs the following
events to all active logging channels:

This is followed by a list of many types of events.

To me the first doc page, and the paragraph there, means that auditing
is not going to happen, regardless of the configuration of the Platform
Agent, unless something is specifically done within the UserApp to
enable it. I've found somewhere else in the docs where it talks about a
checkbox on the Logging page 'Also send logging messages to audit
service' and on this page in the UserApp it specifically says logging
events are not sent to Audit otherwise: "Logging messages are not sent
to audit service. Select the box below to send logging messages to audit
service as well." That last statement makes me think that logging and
auditing are separate beasts, and usually (in the wider IT security
world) that is true. Logging is informational for troubleshooting or
status monitoring, and auditing is all about security. The second page,
linked-to above, makes me think differently. It talks about "By
default, the Identity Manager User Application" sends stuff to all
logging channels. Is auditing a logging channel? I wouldn't normally
think so, but I'm new to this.

Now if I were to go specifically on the bits above I would assume that
logging and auditing were separate, and without the checkbox in the
UserApp things would not go to Sentinel, our receiver of audit events.
Contrary to this, though, events are going to Sentinel without this
checkbox being checked. We are not on Patch A yet, and I understand
there is a bug here for the proper display of the current settings
resolved with Patch A, but believing that "logging" and "auditing" were
not the same I never checked the checkbox. Still, events show up nicely
in Sentinel from the IP address of the UserApp box (which has nothing
else on it) when workflows are processed.

Any help is appreciated. I'm probably just reading into this too much,
but I'd like to understand it fully.