4.3 Configuring the Data Store

Using its available channel drivers, Novell Audit can log events to the following applications and interfaces:

Before selecting a storage device for your data store, you need to consider your system’s logging traffic. On the high end, the File driver can process over 30,000 events per second on a P4 Xeon* class server. Databases, on the other hand, are much slower (the MySQL driver can handle about 5,000 events per second on a P4 Xeon class server); however, they provide advanced querying and reporting.

Novell Audit is designed to handle occasional peaks that exceed a given database’s limitations; however, if you expect to consistently exceed the database driver’s capacity, you must plan your setup accordingly, either by using multiple Secure Logging Servers or by using the File driver. For information on configuring multiple logging servers, see Section 4.2.5, Configuring Multiple Secure Logging Servers.

IMPORTANT: In planning your system setup, you should perform your own throughput test in your environment and not rely solely on the numbers provided in this document.

After configuring a Novell Audit data store, you must create a Channel object. Each Channel object defines the parameters associated with its corresponding storage device. For example, MySQL Channel objects include the IP address or host name of the MySQL database server, a username and password for connecting with the server, the database and table names, and fields for SQL table create and expiration commands. For more information on creating and configuring Channel objects, see Section 6.0, Configuring System Channels.

After creating the Channel object, you must configure the logging server to log events to that channel. The Log Driver property in the Logging Server object determines which Channel object the server uses to create the data store. For more information on the Log Driver property, see Section 4.2.3, Logging Server Object Attributes.

After the Channel and Logging Server objects are configured, you must restart the logging server to load the Channel object configuration and the channel driver. In most cases, the channel driver automatically creates the necessary file or database table for the data store.

IMPORTANT: Novell Audit does not secure the data store. Therefore, you must manage data store security at the database for MySQL and Oracle data stores, or through the file system for file data stores.

The data store structure for common storage devices is discussed in the following sections:

4.3.1 File Data Store

Depending on the File Channel object configuration, the File channel driver (lgdfile) can log events in raw format, or it can translate the event data into a human-readable log. By default, file data stores are named auditlog; however, you can specify the log filename in the File Channel object configuration.

Raw files simply contain the event data; consequently, they are not in a human-readable format. However, because they maintain a consistent field structure across events, they can be imported into spreadsheet programs like Microsoft Excel.

Translated log files, on the other hand, can be visually scanned for content; however, it is difficult to generate reports from these files because there is no consistent field structure—they contain only the event descriptions.

In addition to providing different log formats, the File channel is capable of creating localized logs. If the logging applications have localized Log Schema (LSC) files, the File channel can write translated log files in the language designated in the File Channel object.

For more information on the File channel, see Section 6.5, File.
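Because Novell Audit leaves data store security to the file system, a permission check like the following can be run against the directory that holds the file data store. It is an added example, not part of the Novell documentation; it assumes a Unix-like logging server and a directory dedicated to the File channel's logs, and the path in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example, not Novell code. Assumes a Unix-like logging server and that
# the File channel writes into a directory dedicated to audit logs.

# check_store_perms DIR
# Prints one finding per line. Returns 0 when clean, 1 when something is too
# open, 2 when DIR does not exist.
check_store_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    findings=$(
        # Group- or world-writable directory: a non-owner could delete,
        # rename or replace log files regardless of the files' own modes.
        find "$dir" -prune \( -perm -020 -o -perm -002 \) \
            -exec echo DIR_WRITABLE {} \;
        # Log files that "other" can read or write, or that group can write.
        find "$dir" -type f \( -perm -004 -o -perm -002 -o -perm -020 \) \
            -exec echo FILE_OPEN {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (hypothetical path): check_store_perms /var/log/naudit
```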

4.3.2 MySQL Data Store

When the logging server loads the MySQL Channel object configuration, the MySQL channel driver, lgdmsql, automatically creates the data store’s table. The table name is defined in the MySQL Channel object configuration page. The default table name is NAUDITLOG.

The MySQL Channel uses MyISAM as its database engine; therefore, the default maximum table size using MySQL 4.1 is 4 GB. MySQL 5.0 limits table sizes to 65,536 TB. Table size can be further constrained by the maximum file size your operating system can manage.

IMPORTANT: If the SQL server data volume runs out of disk space, any clients logging events will freeze and need to be restarted.
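One way to watch for both conditions described above, the MyISAM table size limit and a full data volume, before logging clients freeze. This is an added example, not Novell or MySQL code; it assumes shell access to a Unix-like MySQL host, and the warning thresholds and the database directory argument are illustrative.

```shell
#!/bin/sh
# Added example, not Novell code. Assumes shell access to a Unix-like MySQL
# host; the database directory path is site-specific.

# check_capacity DB_DIR [TABLE] [LIMIT_BYTES] [TABLE_WARN_PCT] [DISK_WARN_PCT]
# Prints one finding per line; returns 0 when nothing is near a limit, else 1.
check_capacity() {
    db_dir=$1
    table=${2:-NAUDITLOG}         # default table name from the text
    limit=${3:-4294967296}        # 4 GB default MyISAM limit on MySQL 4.1
    table_warn=${4:-80}           # illustrative threshold
    disk_warn=${5:-90}            # illustrative threshold
    rc=0

    # MyISAM stores a table's rows in <table>.MYD inside the database directory.
    myd="$db_dir/$table.MYD"
    if [ -f "$myd" ]; then
        size=$(wc -c < "$myd")
        pct=$(( size * 100 / limit ))
        if [ "$pct" -ge "$table_warn" ]; then
            echo "TABLE_NEAR_LIMIT $table at ${pct}% of $limit bytes"
            rc=1
        fi
    else
        echo "TABLE_FILE_MISSING $myd"
        rc=1
    fi

    # Percent used on the volume holding the data; a full volume is what
    # freezes logging clients.
    used=$(df -P "$db_dir" 2>/dev/null | awk 'NR==2 { sub(/%/, "", $5); print $5 }')
    case $used in
        ''|*[!0-9]*) echo "VOLUME_UNKNOWN $db_dir"; rc=1 ;;
        *) if [ "$used" -ge "$disk_warn" ]; then
               echo "VOLUME_NEAR_FULL $db_dir at ${used}%"
               rc=1
           fi ;;
    esac
    return $rc
}
```

Run it from cron against the directory that holds the audit database's table files, and alert on any output.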

For more information on the MySQL channel, see Section 6.11, MySQL and Section E.0, Using Microsoft SQL Server with Novell Audit.

4.3.3 Microsoft SQL Server Data Store

When the SQL Server Channel object configuration is loaded in the logging server’s memory, the SQL Server channel driver, lgdmssql, automatically creates the table structure for the SQL Server data store. The table name is defined in the Microsoft SQL Channel object configuration page. The default table name is NAUDITLOG.

For more information on the Microsoft SQL Server channel, see Section 6.9, Microsoft SQL Server and Section E.0, Using Microsoft SQL Server with Novell Audit.

4.3.4 Oracle Data Store

IMPORTANT: The Oracle channel driver is used only on platforms where Oracle can run natively. Therefore, when running the Secure Logging Server on NetWare, create a JDBC channel to connect to the Oracle server.

When the Oracle Channel object configuration is loaded in the logging server’s memory, the Oracle channel driver, lgdora, automatically creates the table structure for the Oracle data store. The table name is defined in the Oracle Channel object configuration page. The default table name is NAUDITLOG.

For more information on the Oracle channel, see Section 6.12, Oracle and Section D.0, Using Oracle with Novell Audit.

4.3.5 Syslog Data Store

The Syslog channel driver, lgdsyslg, allows the logging server to log events to a specific syslog facility on any syslog host. It is also capable of creating localized logs. If the logging applications have localized LSC files, the Syslog channel can write the log files in the language designated in the Syslog Channel object.

For more information on the Syslog channel, see Section 6.15, Syslog.

4.3.6 JDBC Data Store

The JDBC channel allows the logging server to output filtered events to any JDBC-enabled data store. For performance reasons, we recommend using only the File or database channels discussed in this section as the primary log channel. You should use JDBC data stores only for notifications.

WARNING: The JDBC channel does not work on NetWare 5.x. The JDBC channel requires JVM* 1.4.2, which is not compatible with NetWare 5.x. Attempting to run the JDBC channel on NetWare 5.x abends the server.

For more information on the JDBC channel, see Section 6.7, JDBC and Section F.0, Using JDBC Data Stores with Novell Audit.