1.6 Enabling Auditing

Access Manager includes a licensed version of Novell Audit to provide compliance assurance logging and to maintain audit log entries that can be subsequently included in reports. In addition to selectable events, device-generated alerts are automatically sent to the audit server. Access Manager comes preconfigured to use the Novell Audit server, but you can configure Access Manager to use an already existing Novell Audit server, a Sentinel server, or a Sentinel Log Manager server.

The audit logs record events that have occurred in the identity and access management system and are primarily intended for auditing and compliance purposes. You can configure the following types of events for logging:

Audit logging does not track the operational processing of the Access Manager components; that is, the processing and interactions between the Access Manager components required to fulfill a user request. (For this type of logging, see Configuring Component Logging in the Novell Access Manager 3.1 SP4 Identity Server Guide.) Audit logs record the results of user and administrator requests and other system events. Although the primary purpose for audit logging is for auditing and compliance, the types of events logged can also be useful for detecting abnormal and error conditions and can be used as a first alert mechanism for system support. You can configure the audit log entries to generate alerts by leveraging the Novell Audit Notification feature. You can select to generate e-mail, syslog, and SNMP notifications.

Access Manager has been assigned the Novell Audit server-alert event code 0x002E0605. The Novell Audit Platform Agent is responsible for packaging and forwarding the audit log entries to the configured audit server. If the audit server is not available, the Platform Agent caches log entries until the server is operational and can accept audit log data.

1.6.1 Configuring Access Manager for Auditing

By default, Access Manager is preconfigured to use the Novell Audit server it installs on the first instance of the Administration Console. If you install more than one instance of the Administration Console for failover, Novell Audit is installed with each instance. However, if you already use Novell Audit, you can configure Access Manager to use your audit server. You also need to register the Access Manager with your audit servers by importing the nids_en.lsc and sslvpn_en.lsc files. If you have a Sentinel server or a Sentinel Log Manager server, you can configure Access Manager to send the events to them.

Access Manager allows you to specify only one audit server. You still have failover if the audit server goes down. The auditing clients on the Novell Access Manager components go into caching mode when the audit server is not available. They save all events until the entries can be sent to the audit server.

This section includes the following topics:

Specifying the Logging Server and the Console Events

The Secure Logging Server manages the flow of information to and from the auditing system. It receives incoming events and requests from the Platform Agents, logs information to the data store, monitors designated events, and provides filtering and notification services. It can also be configured to automatically reset critical system attributes according to a specified policy.

  1. To specify the logging server, click Auditing > Novell Auditing.

  2. Fill in the following fields:

    Server Listening Address: Specify the IP address or DNS name of the audit logging server you want to use. By default, the system uses the primary Administration Console IP address. If you want to use a different Secure Logging Server, specify that server here.

    Server Public NAT Address: If your auditing server is in a private network, enter the public NAT IP address of the auditing server through which the devices can reach it.

    To use a Sentinel server or a Sentinel Log Manager instead of Novell Audit, specify the IP address or DNS name of your Collector.

    Port: Specify the port that the Platform Agents use to connect to the Secure Logging Server.

    Stop Service on Audit Server Failure: If you select this check box, audit events are not cached; if the audit server is offline or unreachable, the Apache services are stopped.

    To use a Sentinel server or Sentinel Log Manager instead of Novell Audit, specify the port of your Collector.

    IMPORTANT: Whenever you change the port or address of the Secure Logging Server, all Access Gateways must be updated, and then every Access Manager device (Identity Server, Administration Console, Access Gateways, SSL VPN servers, and J2EE Agents) must be rebooted (not just stopping and starting the module) before the configuration change takes effect.

  3. Under Management Console Audit Events, specify the system-wide events you want to audit:

    Select All: Selects all of the audit events.

    Health Changes: Generated whenever the health of a server changes.

    Server Imports: Generated whenever a server is imported into the Administration Console.

    Server Deletes: Generated whenever a server is deleted from the Administration Console.

    Configuration Changes: Generated whenever you change a server configuration.

  4. Click OK.

    If you did not change the address or port of the Secure Logging Server, this completes the process. It might take up to fifteen minutes for the events you selected to start appearing in the audit files.

  5. (Conditional) If the Administration Console is the only Access Manager component installed on the machine and you have changed the address or port of the Secure Logging Server, complete the following steps:

    For security reasons, the Novell Audit Configuration file cannot be edited by the Administration Console when it is the only Access Manager component on the machine. It can only be edited by a system administrator.

    1. Open the logevent.conf file.

      Linux: Located in the etc directory.

      Windows: Located in the Windows directory.

    2. Specify the new address and port of the Secure Logging Server, then save the file.

  6. (Conditional) If you have changed the port of the Secure Logging Server in step 2, complete the following steps:

    1. In the Administration Console, select the Roles and Tasks view.

    2. Click Auditing and Logging > Logging Server Options > Object Selector > Logging Services and select Novell Audit Secure Logging Server.

    3. Click OK.

    4. Go to Configuration in the General tab. Change the Secure Logging Server Port from 289 to the required port that the Platform Agents use to connect to the Secure Logging Server.

    5. Click OK.

  7. Restart the Administration Console. Open a terminal window, then enter the command for your platform:

    Linux: /etc/init.d/novell-tomcat5 restart

    Windows:
      net stop Tomcat5
      net start Tomcat5

  8. Restart every device imported into the Administration Console.

    The devices (Identity Server, Access Gateway, SSL VPN, J2EE Agents) do not start reporting events until they have been restarted.

Configuring the Platform Agent

The Platform Agents installed with the Access Manager components use an embedded certificate. Access Manager does not currently support the use of custom application certificates. For information on this Novell Audit feature, see “Authenticating Logging Applications” in the Novell Audit Administration Guide.

The Platform Agents that are installed on each Access Manager component can be configured by modifying the logevent file. For the location of this file and its parameters, see “Logevent” in the Novell Audit Administration Guide.

IMPORTANT: Do not use this file to modify the IP address of the Secure Audit Server. Use the Administration Console for this task (see Specifying the Logging Server and the Console Events).

If you are using Sentinel, most of the parameters in this file should be set on the collector.

When the Platform Agent loses its connection to the audit server, it enters caching mode. The default size of the audit cache file is unlimited. This means that if the connection is broken for a long time and traffic is high, the cache file can become quite large. When the connection to the audit server is re-established, the Platform Agent becomes very busy while it tries to upload the cached events to the audit server and still process new events. When it comes out of caching mode, the Platform Agent appears unresponsive because it is so busy and because it holds the application threads that are logging new events for a long period of time. If it holds too many threads, the whole system can appear to be hung. You can minimize the effects of this scenario by configuring the following two parameters in the logevent file.

    LogMaxCacheSize: Sets a limit to the amount of cache the Platform Agent can consume to log events when the audit server is unreachable. The default is unlimited.

    LogCacheLimitAction: Specifies what the Platform Agent should do with incoming events when the maximum cache size limit is reached. You can select one of the following actions:

      Delete the current cache file and start logging events in a new cache file.

      Stop logging, which preserves all entries in the cache and stops collecting new events.

When you set a finite cache file size, it limits the number of events that must be uploaded to the audit server when caching mode is terminated and keeps the Platform Agent responsive to new audit events that are registered. If you have many users and are logging many events, you might need to configure these parameters.

For more information about these parameters, see “Logevent” in the Novell Audit Administration Guide.
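The following is an added example, not code from Novell or from the Access Manager product: a small model of the caching-mode behaviour described above, so that you can compare how large the upload burst on reconnection becomes, and how many events are lost, under the default unlimited cache and under each LogCacheLimitAction. It assumes one event equals one unit of cache (the real parameter is a file size) and the class and function names are hypothetical.

```python
from collections import deque
from enum import Enum


class CacheLimitAction(Enum):
    # The two LogCacheLimitAction behaviours the guide describes
    DELETE_CACHE = "delete the current cache file and start a new one"
    STOP_LOGGING = "stop logging; keep cached entries, drop new events"


class PlatformAgentModel:
    """Toy model of Platform Agent caching mode (assumption: one event == one cache unit)."""

    def __init__(self, max_cache_size=None, limit_action=CacheLimitAction.STOP_LOGGING):
        self.max_cache_size = max_cache_size      # None models the unlimited default
        self.limit_action = limit_action
        self.cache = deque()                      # events waiting for the audit server
        self.delivered = []                       # events the audit server has accepted
        self.dropped = 0                          # events lost because of the limit action
        self.cache_files_deleted = 0
        self.server_up = True

    def log(self, event):
        if self.server_up:                        # normal mode: forward immediately
            self.delivered.append(event)
            return
        if self.max_cache_size is not None and len(self.cache) >= self.max_cache_size:
            if self.limit_action is CacheLimitAction.DELETE_CACHE:
                self.dropped += len(self.cache)   # whole cache file discarded, then a new one
                self.cache.clear()
                self.cache_files_deleted += 1
            else:
                self.dropped += 1                 # cache preserved, the new event is not collected
                return
        self.cache.append(event)

    def reconnect(self):
        """Audit server reachable again: the upload burst is the whole cache."""
        self.server_up = True
        burst = len(self.cache)
        while self.cache:
            self.delivered.append(self.cache.popleft())
        return burst


def outage_outcome(outage_events, max_cache_size=None, limit_action=CacheLimitAction.STOP_LOGGING):
    """Log one event, lose the server, log outage_events more, reconnect; report what happened."""
    agent = PlatformAgentModel(max_cache_size, limit_action)
    agent.log("startup")                          # constructed sample event
    agent.server_up = False                       # outage begins
    for i in range(outage_events):
        agent.log(f"evt{i}")                      # constructed events during the outage
    burst = agent.reconnect()
    return {"burst": burst, "delivered": len(agent.delivered),
            "dropped": agent.dropped, "cache_files_deleted": agent.cache_files_deleted}
```

With the unlimited default the burst equals the whole outage; a finite LogMaxCacheSize bounds the burst at the cost of dropped events, and the two actions differ only in whether the oldest or the newest events survive.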

Configuring the Devices for Auditing

Each device defines the events that can be enabled for auditing. For information on enabling these events, see the following:

For a listing of all Novell Audit events logged by Access Manager, see Section C.0, Access Manager Audit Events and Data.

1.6.2 Querying Data and Generating Reports in Novell Audit

Queries let you create, run, edit, and delete queries and event verifications. You can create two kinds of queries in Access Manager: manual queries and saved queries. Manual queries are simply queries that are not saved; they only run one time. All verification queries are saved. Saved queries and verifications are listed in the Queries list and can be run again and again against different databases.

Access Manager uses queries to request information from MySQL and Oracle databases. All queries are defined in SQL. Although you must be familiar with the SQL language to create SQL query statements, this is the most powerful and flexible query method.

Novell Audit provides two tools to query events and generate reports: the Novell Audit iManager plug-in and Novell Audit Report (LReport).

The following sections provide more information on these tools:

The Novell Audit iManager Plug-In

The Novell Audit iManager plug-in is a Web-based JDBC application that enables you to query MySQL and Oracle databases. All queries are defined in SQL.

iManager includes several predefined queries and it includes a Query Builder to help you define basic query statements. Of course, you can also build your own SQL query statements.

For complete information on defining and running queries in iManager, see the following sections in the Novell Audit 2.0 Administration Guide.

Novell Audit Report

Novell Audit Report is a Windows-based, ODBC-compliant application that can use SQL query statements or Crystal Decisions Reports to query Oracle and MySQL data stores (or any other database that has ODBC driver support). You can define your own SQL query statements or import existing query statements and reports. Query results are returned in simple data tables; rows represent individual records and columns represent fields within those records.

For complete information on defining and running queries in Novell Audit Report, see the following sections in the Novell Audit 2.0 Administration Guide.