After upgrading our IDM Servers to eDir 9.1 (and IDM 4.7) we decided to switch to CEF audit format as well!

Regarding IDM, NMAS and iMangager this is working, and since it is working for NMAS and IDM the auuditconbfiguration.poperties files should be setup correctly.

But we do not see any eDirectory related events, exept that the logging session has started:

Connection Created: CONNECTION: A NCP Engine connection (ConnID: 22) from was created(1) or terminated(0) to server CN=idm-ds07-dev,OU=server,OU=res,O=tu-darmstadt. Result: 1

After that we do not get anything for the eDirectory instrumentation!

For sure cefauditds is loaded, and the NCP server object has some CEF configuration on it. In fact we turned on all possible setting for CEF, but selected to audit only user and group objects.

At this time we do not see anything in Sentinel if users are modified or created!

Since Sentinel does not even receive any raw data at the time users are modified on the monitored server, the issue seems not to be Sentinel related, but somewere in eDirectory.

Does anybody sees the same issue? Any ideas to debug this further?

Kind regards,