Introduction
The main objective of this article is to provide an overview of how to use the Sentinel server and Collector Manager with the Windows event log entries written by NSL. It is a guide to enabling event logging for SecureLogin events, so you can review system activity with respect to NSL. Real-time monitoring of NSL helps you find possible issues and troubleshoot them, so you can assess and act on events as they occur.
About NSL and Sentinel
As NSL is the most versatile Single Sign-On (SSO) solution on a client machine, it's important to be able to track NSL system activity through real-time monitoring. It's also vital to be able to analyze logged events whenever issues arise and to capture them at the Sentinel server. To address these needs, NSL can now be integrated with the Sentinel server. With the new NSL 7.0 release, there is support for a set of Windows events for the SecureLogin client, LDAP authentication, and SecureWorkstation that are logged in the Windows event log.
The data displayed on the Novell Sentinel server lets you keep track of the various NSL events, such as user login, password changes, device removal activity, manual lock, workstation unlocked, etc. By default, all event logging for SecureWorkstation and LDAP is disabled, so it needs to be turned on in the registry. Once it is turned on, those events start being logged in the Windows event log. For the SecureLogin client, Windows events are enabled during installation. The Sentinel server can display and analyze the logs using the NSL collector and Collector Manager.
Note: This article focuses on how Novell SecureLogin enables logging of Client, SecureWorkstation and LDAP events in the Windows event log. Setting up the Sentinel server is not in the scope of this article. NSL collector deployment is also covered in this article.
Pre-requisites: Sentinel logging manager server is already set up on a machine.
In order to use the Novell Sentinel server, you need to configure the NSL collector using the collector manager provided with Sentinel and the Windows SecureLogin client to act as a source for windows events logs. The following steps must be followed to integrate the Novell SecureLogin windows event logging system and SecureLogin collector with the Novell Sentinel server.
- Preparing Novell SecureLogin client to perform windows event logs
- Setting up the SecureLogin Sentinel Collector on Sentinel Server to log the Events on it
- Preparing Novell SecureLogin client to perform windows event logs
- Install Novell Securelogin with SecureWorkstation and LDAP options.
- To enable windows events logging for SecureWorkstation
- Open the registry editor.
- Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Nmas\MethodData\
- Right-click Secure Workstation > New > DWORD.
- Name the String Value as SWAudit.
- Specify the value as 1.
- To enable windows events logging for LDAP
- Open the registry editor.
- Browse to HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Login\
- Right-click LDAP > New > DWORD.
- Name the String Value as LdapAudit.
- Specify the value as 1.
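The two registry changes above can also be scripted and then verified, which helps when more than one workstation has to be prepared. The following PowerShell is an added example, not part of the original article or of NSL; it uses only the key paths and value names given above, and the function names are hypothetical.

```powershell
# Added example: scripted form of the registry steps above. Run elevated.
# Key paths and value names are the ones given in the article.
$auditValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Novell\Nmas\MethodData\Secure Workstation'; Name = 'SWAudit' },
    @{ Key = 'HKLM:\SOFTWARE\Novell\Login\LDAP'; Name = 'LdapAudit' }
)

function Get-NslAuditState {
    # Reports, per value, whether it exists, is a DWORD, and is set to 1.
    foreach ($v in $auditValues) {
        $key = Get-Item -LiteralPath $v.Key -ErrorAction SilentlyContinue
        $present = $null -ne $key -and $key.GetValueNames() -contains $v.Name
        [pscustomobject]@{
            Key     = $v.Key
            Name    = $v.Name
            Kind    = if ($present) { $key.GetValueKind($v.Name) } else { $null }
            Value   = if ($present) { $key.GetValue($v.Name) } else { $null }
            Enabled = $present -and
                      $key.GetValueKind($v.Name) -eq 'DWord' -and
                      $key.GetValue($v.Name) -eq 1
        }
    }
}

function Enable-NslAudit {
    foreach ($v in $auditValues) {
        # The keys are expected to exist once NSL is installed with the
        # SecureWorkstation and LDAP options; skip a missing key instead of creating it.
        if (-not (Test-Path -LiteralPath $v.Key)) {
            Write-Warning "Key not found, skipping: $($v.Key)"
            continue
        }
        New-ItemProperty -LiteralPath $v.Key -Name $v.Name `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Enable-NslAudit
Get-NslAuditState | Format-Table -AutoSize
```

Running `Get-NslAuditState` on its own gives a read-only report, so it can be used to confirm that auditing is still enabled on a workstation later on.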
After preparing your client for Windows event logging, start the NSL client and the SecureWorkstation service; their events will now be logged.
To check the events logged in the Windows event log, go to:
Computer (right-click) -> Manage -> System Tools -> Event Viewer -> Application.
All events for SecureLogin, LDAP and SecureWorkstation are logged in the Application log only.
SecureLogin, SecureWorkstation and LDAP log the following Windows events:
Events of the SecureLogin client:
- EventId 257: GPO Failure
- EventId 258: Audit event command
- EventId 259: SecureLogin client started
- EventId 260: SecureLogin client terminated
- EventId 261: SecureLogin client enabled
- EventId 262: SecureLogin client disabled
- EventId 263: Password provided to the applications
- EventId 264: SecureLogin Changed Password for an application
- EventId 265: SecureLogin Changed Password automatically for an application
Events of LDAP:
- EventId 1: SecureLogin user x has logged in
- EventId 2: SecureLogin user has changed the LDAP password
- EventId 3: Workstation has been unlocked by a different user, from who locked it
Events of SecureWorkstation:
- EventId 4: Session has timed out due to inactivity.
- EventId 5: Device removal has been triggered
- EventId 6: Manual lock has been triggered
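Before relying on the collector, it is worth confirming on the workstation that these events are actually being written. The following PowerShell is an added example, not part of the original article: it pulls the listed event IDs from the Application log and labels each one. The article does not give the event source names, so the `-ProviderName` values are placeholders to be replaced with the names shown in the Source column of Event Viewer, and the set of IDs flagged for review is an example choice.

```powershell
# Added example. Event IDs and descriptions are the ones listed in the article.
$nslEvents = @{
    257 = 'GPO Failure'
    258 = 'Audit event command'
    259 = 'SecureLogin client started'
    260 = 'SecureLogin client terminated'
    261 = 'SecureLogin client enabled'
    262 = 'SecureLogin client disabled'
    263 = 'Password provided to the applications'
    264 = 'SecureLogin Changed Password for an application'
    265 = 'SecureLogin Changed Password automatically for an application'
    1   = 'SecureLogin user x has logged in'
    2   = 'SecureLogin user has changed the LDAP password'
    3   = 'Workstation has been unlocked by a different user, from who locked it'
    4   = 'Session has timed out due to inactivity'
    5   = 'Device removal has been triggered'
    6   = 'Manual lock has been triggered'
}
# Example choice (not from the article): IDs worth a closer look during review.
$reviewIds = 3, 257, 260, 262

function Get-NslEvent {
    param(
        # Source names as shown in Event Viewer. Low IDs such as 1-6 are used by
        # many unrelated sources, so filtering by source is required.
        [Parameter(Mandatory)] [string[]] $ProviderName,
        [datetime] $Since = (Get-Date).AddDays(-1)
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        Id           = [int[]]@($nslEvents.Keys)
        StartTime    = $Since
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Source  = $_.ProviderName
                Id      = $_.Id
                Meaning = $nslEvents[$_.Id]
                Review  = $reviewIds -contains $_.Id
            }
        }
}
# Placeholder source names: replace with the real ones before running.
Get-NslEvent -ProviderName '<SecureLogin source>', '<LDAP source>', '<SecureWorkstation source>' |
    Format-Table -AutoSize
```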
- Setting up the SecureLogin Sentinel Collector on Collector Manager
- This collector collects the logs from the connector, which in turn collects data from the event source, which in our case is the workstation where NSL is installed. The collector then forwards the logs to the Sentinel server for display. Following are the steps to install the NSL collector using the Collector Manager.
- Log in to the Sentinel Control Center as a user with sufficient rights to configure event sources
- In ESM, using the Add button, select the latest downloaded Novell SecureLogin collector file available on the content site (http://support.novell.com/products/sentinel/index....). Click Finish after reviewing the summary details.
- Similarly, select the WMI/WMS Connector file using the above-mentioned steps. For more information about using the WMS connector, see http://support.novell.com/products/sentinel/secure...
- Select the Connect to Event Source button. Here, select Novell from the list of vendors and then SecureLogin from the list of supported products. Click Next.
- Select WMS from the list of connection methods, then click Next to create set of new components.
- Select the Windows-based Collector Manager host which you configured for this purpose.
- Click Next to accept the default Collector properties (parameters)
- Click Next to accept the default Collector runtime configuration
- Click Configure Active Directory Settings to configure the Active Directory and features such as automatic detection of new event sources (detailed in the WMS Connector installation instructions).
- In the Service Installation window enter the credentials of an account on the Collector Manager service with rights to install services and click Install Service to install the WMS Service on the Collector Manager machine.
- After the WMS Service is installed on the Collector Manager host click Next.
- Click Next to accept the default settings for the Connector.
- Configure monitoring of the Novell Secure Login machine by specifying the IP Address of the SecureLogin client and click Next.
- Click Next to accept the default settings for connection modes.
- Click Finish.
Now we are ready to log Windows events for the NSL client, LDAP and SecureWorkstation, and to capture and display them on the Sentinel server.
Below is one snapshot of windows events logs for SecureLogin client on sentinel server.
Conclusion
By following all the above-mentioned steps, you will be able to make full use of the Windows event logging provided with NSL 7.0 and of the NSL collector to get these events logged on the Sentinel server.
From this systematic approach to logging, it's clear that NSL 7.0 can be easily managed and troubleshot using these logs and by tracking the workstations which have NSL installed on them.
In addition, NSL is a versatile product that is feature-rich in every sense and meets your daily needs effectively and efficiently. Now it's up to you to decide whether you want to have the best of the NSL features.
Editor's Note: Be sure to check out Novell's log management offerings.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.