3.0 Installing and Configuring the Platform Agent

The Platform Agent, logevent, is the client portion of the Novell® auditing system. It receives logging information and system requests from Identity Manager and transmits the information to either Novell Audit or Novell® Sentinel™.

The Platform Agent is automatically installed if either the Novell Identity Manager Metadirectory Server or Novell Identity Manager Connected System option is selected during the Identity Manager install. For more information on the Identity Manager installation, see the Identity Manager 3.5.1 Installation Guide.

IMPORTANT:The Platform Agent must be installed on every server running Identity Manager if you want to log Identity Manager events.

Figure 3-1 Identity Manager Installation

After you install Identity Manager, you can configure the Platform Agent. The Platform Agent’s configuration settings are stored in a simple, text-based configuration file, logevent. By default, logevent is located in the following directories:

Table 3-1 Platform Agent Configuration File

Operating System	File
NetWare®	SYS:/etc/logevent.cfg
Linux	/etc/logevent.conf
Solaris^*	/etc/logevent.conf
Windows^*	/Windows_Directory/logevent.cfg The Windows_Directory is usually drive:\windows.

The following is a sample logevent.cfg file.

LogHost=127.0.0.1
LogCacheDir=c:\logcache
LogCachePort=288
LogEnginePort=289
LogCacheUnload=no
LogReconnectInterval=600
LogDebug=never
LogSigned=always

The entries in the logevent file are not case sensitive, entries can appear in any order, empty lines are valid, and any line that starts with a hash (#) is commented out.

The following table provides an explanation of each setting in the logevent file.

IMPORTANT:You must restart the Platform Agent any time you make a change to the configuration.

Table 3-2 logevent Settings

Setting	Description
LogHost=dns_name	The host name or IP address of the Novell Audit Secure Logging Server or the Novell Sentinel Audit Server where the Platform Agent sends events. In an environment where the Platform Agent connects to multiple hosts—for example, to provide load balancing or system redundancy—separate the IP address of each server with commas in the LogHost entry. For example, LogHost=192.168.0.1,192.168.0.3,192.168.0.4 The Platform Agent connects to the servers in the order specified. Therefore, if the first logging server goes down, the Platform Agent tries to connect to the second logging server, and so on. For more information on configuring multiple hosts, see Configuring Multiple Secure Logging Servers in the Novell Audit 2.0 Administration Guide.
LogCacheDir=path	The directory where the Platform Agent stores the cached event information if the Novell Audit Secure Logging Server or Novell Sentinel Audit Server becomes unavailable.
LogEnginePort=port	The port at which the Platform Agent can connect to the Novell Audit Secure Logging Server or the Novell Sentinel Audit Server. By default, this is port 289.
LogCachePort=port	The port at which the Platform Agent connects to the Logging Cache Module. If the connection between the Platform Agent and the Secure Logging Server or Novell Sentinel Audit Server fails, Identity Manager continues to log events to the local Platform Agent. The Platform Agent simply switches into Disconnected Cache mode; that is, it begins sending events to the Logging Cache module (lcache). The Logging Cache module writes the events to the Disconnected Mode Cache until the connection is restored. When the connection to the Novell Audit Secure Logging Server or the Novell Sentinel Audit Server is restored, the Logging Cache Module transmits the cache files to the Secure Logging Server. To protect the integrity of the data store, the Secure Logging Server validates the authentication credentials in each cache file before logging its events.
LogCacheUnload=Y\|N	Set to N to prevent lcache from being unloaded.
LogCacheSecure=Y\|N	Set the parameter to Y to encrypt the local cache file.
LogReconnectInterval=seconds	The interval, in seconds, at which the Platform Agent and the Platform Agent Cache try to reconnect to the Novell Audit Secure Logging Server or Novell Sentinel Audit Server if the connection is lost.
LogDebug=Never\|Always\|Server	The Platform Agent debug setting. Set to Never to never log debug events. Set to Always to always log debug events. Leave out or set to Server to use the default setting provided by the Log Debug Events attribute in the Novell Audit Secure Logging Server Configuration page. NOTE:The Server option applies only to Novell Audit systems.
LogSigned=Never\|Always\|Server	The signature setting for Platform Agent events. IMPORTANT:Novell Sentinel can receive and map Audit signatures to a Novell Sentinel event field; however, Novell Sentinel does not currently verify event signatures. Set to Never to never sign or chain events. Set to Always to always log events with a digital signature and to sequentially chain events. Leave out, or set to Server to use the default setting provided by the Sign Events attribute in the Novell Audit Secure Logging Server Configuration page. NOTE:The Server option applies only to Novell Audit systems. For more information on event signatures, see Signing Events in the Novell Audit 2.0 Administration Guide.
LogMaxBigData=bytes	The maximum size of the event data field. The default value is 3072 bytes. Set this value to the maximum number of bytes the client allows. Data that exceeds the maximum is truncated or not sent if the application doesn’t allow truncated events to be logged.
LogMaxCacheSize=bytes	The maximum size, in bytes, of the Platform Agent cache file.
LogCacheLimitAction=stop logging\|drop cache	The action that you want the cache module to take when it reaches the maximum cache size limit. Set to stop logging if you want to stop collecting new events. Set to drop cache if you want to delete the cache and start over with any new events that are generated.

For complete information on the Novell Audit Platform Agent, see Configuring the Platform Agent in the Novell Audit 2.0 Administration Guide.