Novell Documentation: Novell Audit 2.0 - Platform Agent and Logging Instrumentations

9.4 Platform Agent and Logging Instrumentations

You must install the Platform Agent on every server that you want to report events to the Secure Logging Server. You must also install the Instrumentation associated with every logging application that you want to report events to Novell Audit. This section reviews how to verify you are running the Platform Agent and Instrumentations required to log events to the Secure Logging Server:

9.4.1 Platform Agent

Each logging application requires a Platform Agent to send events to the Secure Logging Server. Consequently, each logging application’s associated Instrumentation automatically loads the Platform Agent.

The following table outlines commands you can use to verify that the Platform Agent is loaded:

NOTE:In some cases, it might be possible that the Platform Agent is available when lcache is not running. The lcache process is started by the Platform Agent when an instrumentation attempts to send an event. In the unlikely event that none of the instrumentations are sending events to the Platform Agent, lcache will not be running; however, the Platform Agent will still be available.

Table 9-2 Commands Used to Verify the Platform Agent is Loaded

Operating System	Command
NetWare	To determine if logevent.nlm is loaded on NetWare, enter m logevent at the NetWare command prompt. If logevent.nlm is not loaded, reload it and check the NetWare logger screen for any messages.
Linux/Solaris	To verify that the Platform Agent is running on Linux or Solaris, use the following command: ps -ef \|grep lcache
Windows	To determine if the Platform Agent is running on Windows, open Task Manager and verify that lcache.exe is running.

Operating System

Command

NetWare

To determine if logevent.nlm is loaded on NetWare, enter m logevent at the NetWare command prompt.

If logevent.nlm is not loaded, reload it and check the NetWare logger screen for any messages.

Linux/Solaris

To verify that the Platform Agent is running on Linux or Solaris, use the following command:

ps -ef |grep lcache

Windows

To determine if the Platform Agent is running on Windows, open Task Manager and verify that lcache.exe is running.

You can view all Platform Agents connected to the Secure Logging Server in the Secure Logging Server Monitor page. For more information, see Section 9.6, Server and System Statistics.

For more information on the Platform Agent, see Configuring the Platform Agent in the Novell Audit 2.0 Administration Guide

9.4.2 NetWare and eDirectory Instrumentations

The NetWare and eDirectory Instrumentations for Novell Audit (auditNW and auditDS, respectively) allow Novell Audit to log NetWare, eDirectory, and file system events.

To enable NetWare and file system logging, auditNW must be loaded on every server where you want to log NetWare and file system events. Additionally, the Platform Agent must be installed on every server where you want to log NetWare, file system, and eDirectory events. AuditNW and auditDS automatically load the Platform Agent (logevent) to send events to the Secure Logging Server.

NOTE:Before the Platform Agents are launched, the LogHost parameter in the Platform Agent configuration file on each server must be updated with the IP address or DNS name of your Secure Logging Server. For more information, see Configuring the Platform Agent in the Novell Audit 2.0 Administration Guide.

Typically, auditNW and auditDS are automatically loaded each time the server restarts. However, you can also manually load or unload the instrumentation files.

The following table reviews the startup commands for the eDirectory and NetWare Instrumentations.

IMPORTANT:You must individually start or stop the instrumentations on each server in the tree.

Table 9-3 NetWare and eDirectory Instrumentation Startup Commands

Platform	Startup Command
NetWare	On NetWare, the startup scripts for auditNW and auditDS are included in the auditagt.ncf file. Auditagt.ncf is added to the server’s autoexec.ncf file during installation. Therefore, the NetWare and eDirectory Instrumentations automatically load each time the server restarts. If you want to prevent auditNW or auditDS from being unloaded by users with access to the server console, you can append the -n switch to the agent startup scripts. (For example, load auditnw -n .) To manually start the NetWare or eDirectory Instrumentation on NetWare, enter load auditnw or load auditDS To load both the NetWare and eDirectory Instrumentations, enter load auditagt.ncf To stop the NetWare and eDirectory Instrumentations on NetWare, enter unload auditnw unload auditDS NOTE:Auditnw.nlm, audit.ds, and auditagt.ncf are located in the sys:\system directory.
Linux	On Linux systems, the eDirectory Instrumentation must be manually loaded on one server per DS Replica. To manually start the eDirectory Instrumentation on Linux, enter ndstrace -c "load auditDS” To manually stop the eDirectory Instrumentation on Linux, enter ndstrace -c "unload auditDS” To automatically load the eDirectory Instrumentation each time the server restarts, add the following to the ndsmodules.conf file: auditDS auto #NSure Audit Platform Agent NOTE:On eDirectory 8.7, the path to the ndsmodules.conf file is /usr/lib/nds-modules/ndsmodules.conf. On eDirectory 8.8, the path is /etc/opt/novell/eDirectory/nds-modules/ndsmodules.conf. On Linux systems, the startup script is /etc/init.d/novell-naudit .
Solaris	On Solaris systems, the eDirectory Instrumentation must be manually loaded on one server per DS Replica. To manually start the eDirectory Instrumentation on Solaris, enter ndstrace -c "load auditDS” To manually stop the eDirectory Instrumentation on Solaris, enter ndstrace -c "unload auditDS" To automatically load the eDirectory Instrumentation each time the server restarts, add the following to the /usr/lib/nds-modules/ndsmodules.conf file: auditDS auto #NSure Audit Platform Agent NOTE:On eDirectory 8.7, the path to the ndsmodules.conf file is /usr/lib/nds-modules/ndsmodules.conf. On eDirectory 8.8, the path is /etc/opt/novell/eDirectory/nds-modules/ndsmodules.conf. On Solaris systems, the startup script is /etc/init.d/naudit .
Windows	On Windows, the eDirectory Instrumentation is managed through the Novell eDirectory Services utility. By default, the eDirectory Instrumentation must be manually loaded on one server per DS Replica. To manually load or unload the eDirectory Instrumentation on Windows: Load ndscons.exe. Ndscons.exe is usually in the \novell\nds\ directory. In the list of installed services, select the Novell Audit Component. Click Start or Stop. To configure auditDS.dlm to load each time the server restarts: Load ndscons.exe. Ndscons.exe is usually in the \novell\nds\ directory. In the list of installed services, select the Novell Audit Component. Click Startup. Select the Automatic startup type, then click OK.

For more information on the eDirectory and NetWare Instrumentations, see eDirectory Instrumentation and NetWare and File System Instrumentations in the Novell Audit 2.0 Administration Guide.

9.4.3 Windows Instrumentation

The Novell Audit Windows instrumentation, nauditwin.exe, runs as a service on Windows 2000, XP, and 2003. The Novell Audit Windows instrumentation collects events from the Event Viewer and sends them to the Secure Logging Server for processing by Novell Audit.

To enable logging of Windows events, the Windows Instrumentation must be loaded on every server where you want to log Windows events. Additionally, the Platform Agent (logevent) must be installed on every server where you want to log Windows events. Nauditwin.exe automatically loads the Platform Agent to send events to the Secure Logging Server.

Typically, nauditwin.exe is automatically loaded each time the server restarts. However, you can also manually load or unload the instrumentation through Windows Services.

To manually load or unload the Windows Instrumentation, you must start or stop the Novell Audit Windows Instrumentation service:

Click Start > Settings > Control Panel.
Open the Services window.
- On Window NT, select Services.
- On Windows 2000 and XP, select Administrative Tools > Services.
In the list of installed services, right-click Novell Audit Windows Instrumentation, then select Start or Stop.

For more information on the Windows Instrumentation, see Windows Instrumentation in the Novell Audit 2.0 Administration Guide

9.4.4 Novell Audit Instrumentation

The Novell Audit Instrumentation (NsureAuditInst) logs an event every time the Secure Logging Server loads a Channel, Notification, or Application object. It also logs an event each time a Channel driver fails to load or if there is a bad Heartbeat or Notification configuration. Therefore, by reviewing your system’s Audit the Auditor events, you can determine if your logging server is performing the way you expect.

The Novell Audit Instrumentation automatically loads with the Secure Logging Server. We do not recommend that you unload the Novell Audit Instrumentation.

For more information about the Novell Audit instrumentation, see Novell Audit Instrumentation in the Novell Audit 2.0 Administration Guide.

9.4.5 Log Parser Instrumentation

The Log Parser Instrumentation, logparse, harvests events from Windows text-based log files such as syslog, Apache error logs, and Novell Application Launcher™ logs. Events are parsed one line at a time and formatted in the Novell Audit event structure. Parsing text-based log files allows Novell Audit to process and log events from applications that are not currently instrumented for Novell Audit.

The Log Parser Instrumentation must be manually loaded or unloaded. The following table reviews the Log Parser Instrumentation startup commands.

Table 9-4 Log Parser Instrumentation Startup Commands

Platform	Startup Command
NetWare	To manually start the Log Parser Instrumentation on NetWare, enter load logparse To stop the Log Parser Instrumentations on NetWare, enter unload logparse logparse.nlm is located in the sys:\system directory. NOTE:You can add logparse to the auditagt.ncf file to automatically load the Log Parser Instrumentations each time the server restarts.
Linux	To manually start the Log Parser Instrumentation on Linux, go to the /opt/novell/naudit/ directory and enter ./logparse & To manually stop the Log Parser Instrumentation on Linux, enter pkill logparse
Solaris	To manually start the Log Parser Instrumentation on Solaris, go to the opt/NOVLnaudit/ directory and enter ./logparse & To manually stop the Log Parser Instrumentation on Solaris, enter pkill logparse
Windows	To manually load or unload the Log Parser Instrumentation on Windows, you must start or stop the Novell Audit Log Parser Instrumentation service: Click Start > Settings > Control Panel. Open the Services window. On Window NT, select Services. On Windows 2000 and XP, select Administrative Tools > Services. In the list of installed services, right-click Novell Audit Log Parser Instrumentation, then select Start or Stop.

For more information about the Log Parser Instrumentation and parsing text logs, see Log Parser Instrumentation in the Novell Audit 2.0 Administration Guide.