AppNote: HTTP Proxy Logging to Novell Audit in Novell BorderManager 3.8
Novell Cool Solutions: AppNote
By Krishna CC
Digg This -
Posted: 2 Mar 2005
Senior Software Engineer
The ability to create accurate log information is an important operational aspect of any software. This AppNote provides an overview of Novell Audit, an efficient logging method used to capture the log events reported by BorderManager. The configuration steps to make event logging effective are detailed. The AppNote also explains how to query Novell Audit to get and analyze the log report. Also provided is the MySQL commands to query log report.
Table of ContentsIntroduction
What is Novell Audit?
Novell Audit Architecture Overview
Installing Novell Audit
Configuring Novell BorderManager 3.8 for Novell Audit
Getting an Novell Audit Log Report using MySQL Commands
Novell BorderManager 3.8 Event Data
Other Novell Audit Capabilities
The ability to create accurate log information is an important operational aspect of any software. The Novell BorderManager HTTP Proxy maintains Common Logs, Extended Logs, and Indexed Logs. In general, the Common Log format provides sufficient information for analysis of outgoing proxy activity. In certain circumstances, for instance, while using specialized log analyzers, it may be appropriate to use the Extended Log.
With Novell Audit, you can capture log information in a centralized manner, based on the server-client model. Here the common and extended log information are reported to Novell Audit. You can later query and get the log reports.
This appnote provides the detailed information regarding the steps to be followed to configure NBM and Novell Audit so that Novell Audit can successfully capture the log information reported by NBM.
Novell Audit provides secure logging, reporting, monitoring, and notification capabilities. Through integration with Novell Audit, the BorderManager 3.8 HTTP proxy supports logging of all events previously reported in the Common and Extended log formats. It also categorizes each Web request provided by third-party URL database products, from partners such as SurfControl* and N2H2*.
An Additional Logging MethodNovell Audit is an additional logging method. The legacy Common, Extended and Indexed Logging still exist in BorderManager 3.8. However, Novell Audit has several key advantages over other logging methods:
- Security - Novell Audit events are signed and chained. This means that you have forensically viable evidence of all HTTP proxy activity. Novell Audit guarantees that no log data has been deleted or modified.
- Log Data Aggregation - The Novell Audit Secure Logging Server allows you to collect log data from multiple BorderManager 3.8 proxy servers into one data store. Reports may then be generated that reflect Web activity for an entire organization, not just for one server.
- Performance - Novell Audit is very fast and scalable. It allows you to do comprehensive logging with minimal impact on proxy performance.
Note: For maximum performance while using Novell Audit, you should disable legacy proxy logging methods in NetWare® Administrator.
Novell Audit is a centralized, cross-platform logging service that can log data from multiple applications to a centralized data store. After event data is logged, you can run detailed reports, do custom queries, and trigger notifications based on logged events.
Novell Audit consists of two primary components:
- Platform Agent
- Secure Logging Server
The following figure illustrates the high-level architecture of Novell Audit:
Figure 1: Novell Audit High Level Architecture
In this illustration, BorderManager 3.8 is one of the applications which uses the Platform Agent to report events to the Novell Audit Secure Logging Server.
Platform Agent (logevent)
The Platform Agent is the client portion of the Novell Auditing system. The Platform Agent receives logging information and system requests from authenticated applications and transmits the information to the Secure Logging Server.
Figure 2: Platform Agent Architecture
If the connection between the Platform Agent and the Secure Logging Server fails, applications continue to log events to the local Platform Agent, just as they always do. The Platform Agent simply switches into Disconnected Cache Mode, and the Cache Module writes all logged events to the local cache until the connection is restored. Switching into Disconnected Cache Mode is completely transparent to the logging applications.
The Platform Agent supports following applications:
- Novell eDirectory 6.0 and higher
- DirXML 2.0
- NetMail 3.5 and higher
- iChain 2.2 SP1
- BorderManager 3.8
- NetWare NSS File System
- NetWare Traditional File System
Platform Agent ConfigurationThe Platform Agent is not configured through eDirectory. Instead, the configuration settings are stored in a simple, text-based configuration file (logevent). This makes the Platform Agent small, unobtrusive, and self-contained. In other words, it has no external dependencies and therefore is always available to receive logged events. Storing the Platform Agent configuration in a text-based file also allows the Platform Agent to eventually run on platforms that do not have eDirectory support. The logevent file stores the host name or IP address of the logging server, the Disconnected Mode Cache directory, port assignments, and other related information.
Secure Logging Server
The Secure Logging Server is the server component of the Novell Auditing system. The Secure Logging Server manages the flow of information to and from the Novell Auditing system. It receives incoming events and requests from the Platform Agents, logs information to the data store, monitors designated events, and provides filtering and notification services. It can also be configured to automatically reset critical system attributes according to a specified policy.
Figure 3: Secure Logging Server ArchitectureThe Secure Logging Server supports the following platforms:
- NetWare 6.5
- NetWare 6.0 SP3 or later
- NetWare 5.1 SP6 or later
- Windows 2003 Server
- Windows 2000 Server SP4 or later
- Solaris 8 and 9
- SUSE Linux Enterprise Server 8
- Red Hat Linux AS and ES 2.1
The Secure Logging Server is configured through eDirectory. The Logging Server object contains all the configuration settings for the Secure Logging Server. Consequently, the logging server must have access to eDirectory and the Logging Server object before it can launch the Secure Logging Server.
The Secure Logging Server provides the following services:
- Event Management
- Logging and Notification Channels
- Logging Service
- Notification Service
Before an application can log events to Novell Audit, it must be able to authenticate with the system and report events in the auditing system.
The Secure Logging Server can log events to MySQL*, Oracle*, Java* applications, and several other data stores, including a flat file. Novell Audit features a tool called Novell Audit Report, designed to query the data store for event data. A data store with an ODBC connector is required to use this advanced reporting tool.
Novell Audit is packaged with NetWare 6.5 and can be installed during the NetWare 6.5 server installation. If NetWare 6.5 is already installed, you can return to the NetWare Install and add the Novell Audit Starter Pack component.
For other platforms, the Novell Audit Starter Pack can be downloaded from http://download.novell.com. A Quick Start Card for each platform is provided in the download files.
Novell BorderManager 3.8 is not enabled for Novell Audit by default. To enable Novell Audit for BorderManager 3.8, do the following:
1. Ensure that Novell Audit is properly installed and configured as per the Novell Audit Quick Start Card available with the download. This includes installing a Secure Logging Server and installing the NetWare Platform Agent on each BorderManager 3.8 proxy server that reports events to Novell Audit.
2. Ensure that the Platform Agents are correctly configured to communicate with the Secure Logging Server. On each BorderManager 3.8 proxy server that reports events to Novell Audit, check for the file sys:\etc\logevent.cfg. In this file, change the value of the LogHost parameter to the IP address or DNS name of your Secure Logging Server.
Figure 4: logevent.cfg file
Prepare the Secure Logging Server to receive data from BorderManager 3.8. You need do this only once, no matter how many BorderManager 3.8 proxy servers report events to Novell Audit. To simplify setup, a .ncf file that prepares Novell Audit to receive BorderManager 3.8 events is provided. This file is located at sys:\etc\proxy\naudit\runaud.ncf on any server where BorderManager 3.8 is installed. Open this file in a text editor and enter a valid user name and password with Administrator rights to the Secure Logging Server. Follow the format shown in the figure below.
Figure 5: runaud.ncf file
a) Secure Logging Server on the same machine: If the Secure Logging Server is set up on the same machine where the edited version of runaud.ncf exists, go to the server system console, type sys:\etc\proxy\naudit\runaud.ncf, and press Enter.
b) Secure Logging Server on Another NetWare server: Copy sys:\etc\proxy\naudit\runaud.ncf to the NetWare server where the Secure Logging Server is installed and run the .ncf file from the System Console.
c) Secure Logging Server on Windows: Copy sys:\etc\proxy\naudit\runaud.ncf to the Windows server where the Secure Logging Server is installed. Rename the file to runaud.bat and run it.
d) Secure Logging Server on Other Platforms: See the Novell Audit product documentation for instructions to set up new applications on other platforms supported by the Secure Logging Server.
4. Restart the Secure Logging Server by entering the following commands:
unload lengine load lengine
Configuring the BorderManager Proxy Server
1. On each BorderManager 3.8 proxy server (that reports events to Novell Audit), add the following in the sys:\etc\proxy\proxy.cfg file, using a text editor:
[Extra Configuration] EnableNsureAuditLogging=1
2. Restart the BorderManager 3.8 server(s) by entering the following commands:
Validating the Configuration
To confirm that the configuration steps are correct,
- Log in to iManager (https://
- In the left panel, select Roles and Tasks > Auditing and Logging > Logging Server Options. The Logging Server Options page is displayed.
- Browse and select the appropriate SLS object and click OK. All applications registered with Novell Audit are listed.
- Click the Log Applications.
Among the Application listed, you should see Novell BorderManager as in the figure below:
Figure 6: NBM Registered with Nsure
If it is not listed, that means the configuration was not successful.
Possible Cause: sys:\etc\proxy\Naudit\runaud.ncf may be invalid.
Solution: Make sure that the fully distinguished name (fdn) is in dotted format, and ensure that the password is correct.
Creating Nsure Aduit Data Base through iManager
1. In the left panel, select Roles and Tasks > Auditing and Logging > Query Options. The Query Options page is displayed.
2. In the Database tab, click New. The New Database page is displayed.
3. Enter all the fields of the new data base.
Note: Refer the online help. Default parameters of the DataBase that you can use are given in the table below:
|JDBC Class||com.mysql.jdbc.Driver (the driver name is case-sensitive)|
|Host||jdbc:mysql://ip_address (replace the ip_address by the server ip_address where mysql is running)|
4. Click OK. The new database is created.
Creating Queries through iManager
- In the left panel, select Roles and Tasks > Auditing and Logging > Query Options. The Query Options page is displayed.
- Click the Query task under Novell Audit role in the left panel.
- Select the appropriate database from the drop-down list. Note: Select the data base created using the steps in the previous section.
- Click New in the Queries section. The New Query window is displayed.
- Enter the Name and the Query SQL Statement. For the Common Log query statement in BorderManager, use this:
select * from log where EventID=0x00040001.
For the Extended Log query statement, use this:
select * from log where EventID=0x00040002.
- Click OK to save the query.
Using Queries through iManager
- In the left panel, select Roles and Tasks > Auditing and Logging > Query Options. The Query Options page is displayed.
- Click Query task under Novell Audit role in the left panel. All the saved queries are listed.
- In the Queries section, select the Query you want to run.
- Click Run Query. The audit log results of the query are displayed.
Some basic MySQL commands that can be used on Netware console to query the data base are given below.
1. On the Netware console enter the following command:
mysql -h <ipaddress> -u auditusr -p naudit
2. Enter the password when prompted. Note: By default the password is auditpwd.
3. On MySQL prompt, enter the following command:
4. To delete all previous records, enter the following command:
5. To view all logs, enter the following command:
select * from log;
6. To query for all common logs of NBM, enter the following command:
select * from log where EventID=0x00040001;
7. To query for all extended logs of NBM, enter the following command:
select * from log where EventID=0x00040002;
Before running queries or building reports that display proxy log data in a useful manner, you should understand the nature of the data that the Novell BorderManager 3.8 HTTP proxy reports.
Novell Audit Event Information
For the purposes of Novell Audit, each URL request through the BorderManager 3.8 HTTP proxy generates three events. The Novell Audit event information for BorderManager 3.8 is detailed in the following table.
|Event ID||Description||Data Fields|
|00040001||Proxy Common Log Data||IP Address, Authenticated User Name, Date, Time, Time Zone, HTTP Request, URL, HTTP Version, Status Code, and File Size|
|00040002||Proxy Extended Log Data||cached, [date-time], c-ip, cs-method, and cs-uri|
|00040005||3rd Party Categorization||url, username, url-category, and vendor-ID|
For descriptions of the data fields in the Common and Extended Log Data events, see "Understanding Novell BorderManager's HTTP Proxy Logs" by Marcus Williamson in the January, 2002, Novell AppNotes (http://developer.novell.com/research/appnotes/2002/january/02/a020102.htm).
Third-party Categorization Data
The logging syntax for Third Party categorization is unique with respect to BorderManager 3.8 configuration for Novell Audit. The Third Party Categorization data fields are described below:
|url||The URL of the Web content being requested|
|username||The name of the user requesting that URL|
|url-category||The categorization of the URL, based on the 3rd party categorization product being used on the proxy server that handled the request|
|vendor-ID||1 - CyberPatrol* (Note: This is not officially supported on BorderManager 3.8.)
3 - SurfControl Content Database
4 - N2H2 Category Server
7 - Connectotel LinkWALL*
The IP address of the BorderManager 3.8 proxy server that reported the event is also included in each event record.
For information on how to use Novell Audit to create reports, generate alerts, monitor Internet activity in real time, or output data to various formats for processing by other applications, refer to the Novell Audit product documentation at: http://www.novell.com/documentation/nsureaudit/index.html.
As can be seen from this AppNote, Novell BorderManager provides a variety of options for logging the use of the HTTP Proxy component and is capable of registering its platform agent to the Novell Audit Server and report the log information to it. Further, by querying Novell Audit, user-friendly log reports of common and extended log information can be obtained for analysis.
For more information about Novell BorderManager and Novell Audit, see the following resources:
- Novell BorderManager online documentation at http://www.novell.com/documentation/nbm38/index.html
- A Beginner's Guide to BorderManager and Novell BorderManager: A Beginner's Guide to Configuring Filter Exceptions, by Craig Johnson, available at http://nscsysop.hypermart.net/
- Novell Audit online documentation at http://www.novell.com/documentation/nsureaudit/index.html
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com