You must install the Platform Agent on every server that you want to report events to the Secure Logging Server. You must also install the Instrumentation associated with every logging application that you want to report events to Novell Audit. This section reviews how to verify you are running the Platform Agent and Instrumentations required to log events to the Secure Logging Server:
Each logging application requires a Platform Agent to send events to the Secure Logging Server. Consequently, each logging application’s associated Instrumentation automatically loads the Platform Agent.
The following table outlines commands you can use to verify that the Platform Agent is loaded:
NOTE:In some cases, it might be possible that the Platform Agent is available when lcache is not running. The lcache process is started by the Platform Agent when an instrumentation attempts to send an event. In the unlikely event that none of the instrumentations are sending events to the Platform Agent, lcache will not be running; however, the Platform Agent will still be available.
Table 9-2 Commands Used to Verify the Platform Agent is Loaded
You can view all Platform Agents connected to the Secure Logging Server in the Secure Logging Server Section 9.6, Server and System Statistics.
page. For more information, seeFor more information on the Platform Agent, see Configuring
the Platform Agent
in the Novell
Audit 2.0 Administration Guide
The NetWare and eDirectory Instrumentations for Novell Audit (auditNW and auditDS, respectively) allow Novell Audit to log NetWare, eDirectory, and file system events.
To enable NetWare and file system logging, auditNW must be loaded on every server where you want to log NetWare and file system events. Additionally, the Platform Agent must be installed on every server where you want to log NetWare, file system, and eDirectory events. AuditNW and auditDS automatically load the Platform Agent (logevent) to send events to the Secure Logging Server.
NOTE:Before the Platform Agents are launched, the LogHost parameter
in the Platform Agent configuration file on each server must be
updated with the IP address or DNS name of your Secure Logging Server.
For more information, see Configuring
the Platform Agent
in the Novell
Audit 2.0 Administration Guide.
Typically, auditNW and auditDS are automatically loaded each time the server restarts. However, you can also manually load or unload the instrumentation files.
The following table reviews the startup commands for the eDirectory and NetWare Instrumentations.
IMPORTANT:You must individually start or stop the instrumentations on each server in the tree.
Table 9-3 NetWare and eDirectory Instrumentation Startup Commands
For more information on the eDirectory and NetWare Instrumentations,
see eDirectory
Instrumentation
and NetWare
and File System Instrumentations
in the Novell
Audit 2.0 Administration Guide.
The Novell Audit Windows instrumentation, nauditwin.exe, runs as a service on Windows 2000, XP, and 2003. The Novell Audit Windows instrumentation collects events from the Event Viewer and sends them to the Secure Logging Server for processing by Novell Audit.
To enable logging of Windows events, the Windows Instrumentation must be loaded on every server where you want to log Windows events. Additionally, the Platform Agent (logevent) must be installed on every server where you want to log Windows events. Nauditwin.exe automatically loads the Platform Agent to send events to the Secure Logging Server.
NOTE:Before the Platform Agents are launched, the LogHost parameter in the Platform Agent configuration file on each server must be updated with the IP address or DNS name of your Secure Logging Server. For more information, see Section 8.2, Configuring the Platform Agent.
Typically, nauditwin.exe is automatically loaded each time the server restarts. However, you can also manually load or unload the instrumentation through Windows Services.
To manually load or unload the Windows Instrumentation, you must start or stop the Novell Audit Windows Instrumentation service:
Click
> > .Open the Services window.
On Window NT, select
.On Windows 2000 and XP, select
> .In the list of installed services, right-click
, then select or .For more information on the Windows Instrumentation, see Windows
Instrumentation
in the Novell
Audit 2.0 Administration Guide
The Novell Audit Instrumentation (NsureAuditInst) logs an event every time the Secure Logging Server loads a Channel, Notification, or Application object. It also logs an event each time a Channel driver fails to load or if there is a bad Heartbeat or Notification configuration. Therefore, by reviewing your system’s Audit the Auditor events, you can determine if your logging server is performing the way you expect.
The Novell Audit Instrumentation automatically loads with the Secure Logging Server. We do not recommend that you unload the Novell Audit Instrumentation.
For more information about the Novell Audit instrumentation,
see Novell
Audit Instrumentation
in the Novell
Audit 2.0 Administration Guide.
The Log Parser Instrumentation, logparse, harvests events from Windows text-based log files such as syslog, Apache error logs, and Novell Application Launcher™ logs. Events are parsed one line at a time and formatted in the Novell Audit event structure. Parsing text-based log files allows Novell Audit to process and log events from applications that are not currently instrumented for Novell Audit.
The Log Parser Instrumentation must be manually loaded or unloaded. The following table reviews the Log Parser Instrumentation startup commands.
Table 9-4 Log Parser Instrumentation Startup Commands
For more information about the Log Parser Instrumentation
and parsing text logs, see Log
Parser Instrumentation
in the Novell
Audit 2.0 Administration Guide.