Document toolboxDocument toolbox

iam.ibm

Owned by Anthony Shevlin (Deactivated)
Last updated: Mar 19, 2024 by Juan Tomás Alonso Nieto (Deactivated)
1 min read

Introduction

The tags beginning with iam.ibm identify events generated by IBM.

Valid tags and data tables 

The full tag must have at least six levels. The first two are fixed as iam.ibm. The third level identifies the type of events sent. The fourth indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Product / Service

Tags

Data tables

IBM

iam.ibm.webseal.audit.webseal-authn-sso-dev[7880]

iam.ibm.webseal.audit

iam.ibm.webseal.audit.webseal-azn-sso-dev[7880]

iam.ibm.webseal.audit.webseal-azn-wrp-dev[4604]

For more information, read more about Devo tags.

Table structure

These are the fields displayed in this table:

iam.ibm.webseal.audit

Field

Type

Extra field

Field transformation

Source field name

Field

Type

Extra field

Field transformation

Source field name

eventdate

timestamp

no

 

 

process_name

str

no

 

 

pid

str

no

 

 

event_rev

str

no

 

 

serverdate

timestamp

no

parsedate(serverdate_tmp, "YYYY-MM-DD-HH:mm:ss.SSSZZ")

serverdate_tmp

outcome

str

no

 

 

outcome_descr

str

no

decode(outcome, "0", "Success", "1", "Failure", "2", "Pending", "3", "Unknown")

outcome

outcome_status

str

no

 

 

outcome_reason

str

no

 

 

originator_blade

str

no

 

 

originator_instance

str

no

 

 

originator_component_rev

str

no

 

 

originator_component

str

no

 

 

originator_event_id

str

no

 

 

originator_event_descr

str

no

decode(originator_event_id, "101", "Login", "102", "Password change", "103", "Logout", "104", "Authenticate", "105", "Step-up", "106", "Re-authentication", "107", "Credentials refresh", "108", "Authorization check", "109", "Resource access", "110", "Get credentials", "111", "Modify credentials/combine credentials", "112", "Get credentials from pac", "113", "Get pac", "114", "Get entitlements", "115", "Runtime start", "116", "Runtime stop", "117", "Runtime audit start", "118", "Runtime audit stop", "119", "Runtime audit level change", "120", "Runtime statistic", "121", "Runtime heartbeat up", "122", "Runtime heartbeat down", "123", "Runtime lost contact", "124", "Runtime contact restored", "125", "Runtime monitor", "126", "Switch-user login", "127", "Switch-user logout")

originator_event_id

originator_action

str

no

 

 

originator_location

str

no

 

 

accessor_name

str

no

 

 

accessor_principal_auth

str

no

 

 

accessor_principal_domain

str

no

 

 

accessor_principal

str

no

 

 

accessor_name_in_rgy

str

no

 

 

accessor_session_id

str

no

 

 

accessor_user_location

str

no

 

 

accessor_user_location_ip4

ip4

no

 

 

accessor_user_location_type

str

no

 

 

starttime

timestamp

no

starttime_tmp

stoptime

timestamp

no

stoptime_tmp

target_resource

str

no

 

 

target_resource_descr

str

no

target_resource

target_object

str

no

 

 

target_url

str

no

 

 

authntype

str

no

 

 

terminateinfo_terminatereason

str

no

 

 

data

str

no

 

 

data_audit_event

str

no

 

 

hostchain

str

yes

 

 

tag

str

yes

 

 

rawMessage

str

yes

 

Â