To log events to Novell Audit, you must install the Platform Agent on every server that you want to report events to the Secure Logging Server. You must also install the Instrumentation associated with every logging application that you want to report events to Novell Audit. The following sections review the startup commands for the instrumentations that ship with Novell Audit.
The NetWare and eDirectory Instrumentations for Novell Audit (auditNW and auditDS, respectively) allow Novell Audit to log NetWare, eDirectory, and file system events.
Typically, auditNW and auditDS automatically load each time the server restarts. However, you can also manually load or unload the instrumentation files. The following sections review the instrumentation startup commands for NetWare, Windows, Linux, and Solaris systems.
For more information on these instrumentations, see Section 5.4.1, eDirectory Instrumentation and Section 5.4.2, NetWare and File System Instrumentations.
NOTE: At server startup, the NetWare and eDirectory instrumentations should be loaded as soon as possible, but they must be loaded after TCP/IP.
On NetWare, the startup scripts for auditNW and auditDS are included in the auditagt.ncf file. Auditagt.ncf is added to the server’s autoexec.ncf file during installation. Therefore, the NetWare and eDirectory Instrumentations automatically load each time the server restarts.
If you want to prevent auditNW or auditDS from being unloaded by users with access to the server console, you can append the -n switch to the agent startup scripts. (For example, load auditnw -n.)
To manually start the NetWare or eDirectory Instrumentation on NetWare, enter
load auditnw
or
load auditDS
To load both the NetWare and eDirectory Instrumentations, enter
load auditagt.ncf
To stop the NetWare and eDirectory Instrumentations on NetWare, enter
unload auditnw
unload auditDS
NOTE: Auditnw.nlm, audit.ds, and auditagt.ncf are located in the sys:\system directory.
You must individually start or stop the instrumentations on each server in the tree.
On Windows, the eDirectory Instrumentation is managed through the Novell eDirectory Services utility. By default, the eDirectory Instrumentation must be manually loaded on one server per DS Replica.
To manually load or unload the eDirectory Instrumentation on Windows:
Load ndscons.exe.
Ndscons.exe is usually in the \novell\nds\ directory.
In the list of installed services, select the .
Click or .
To configure auditDS.dlm to load each time the server restarts:
Load ndscons.exe.
Ndscons.exe is usually in the \novell\nds\ directory.
In the list of installed services, select the .
Click .
Select the startup type, then click .
On Linux and Solaris systems, the eDirectory Instrumentation must be manually loaded on one server per DS Replica.
To manually start the eDirectory Instrumentation on Linux or Solaris, enter
ndstrace -c "load auditDS"
To manually stop the eDirectory Instrumentation on Linux or Solaris, enter
ndstrace -c "unload auditDS"
To automatically load the eDirectory Instrumentation each time the server restarts, add the following to the ndsmodules.conf file:
auditDS auto #NSure Audit Platform Agent
NOTE: On eDirectory 8.7, the path to the ndsmodules.conf file is /usr/lib/nds-modules/ndsmodules.conf. On eDirectory 8.8, the path is /etc/opt/novell/eDirectory/nds-modules/ndsmodules.conf.
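The following shell script is an added example, not part of the Novell documentation. It checks whether ndsmodules.conf carries an active auditDS autoload entry and appends the documented line only when no auditDS entry exists. The function names are hypothetical, and it assumes that text after a # is a comment and that the module name is spelled exactly as shown above.

```shell
#!/bin/sh
# Added example (not Novell code): audit ndsmodules.conf for the auditDS entry.

# Default locations from the NOTE above (eDirectory 8.7 and 8.8).
NDSMODULES_PATHS="/usr/lib/nds-modules/ndsmodules.conf
/etc/opt/novell/eDirectory/nds-modules/ndsmodules.conf"

# auditds_state FILE -> prints "auto", "other" (an auditDS entry exists but
# none is set to auto) or "missing". Assumption: '#' starts a comment, so a
# commented-out entry counts as missing.
auditds_state() {
    awk '
        { sub(/#.*/, "") }                      # drop comment text
        $1 == "auditDS" { if ($2 == "auto") a = 1; else o = 1 }
        END { print (a ? "auto" : (o ? "other" : "missing")) }
    ' "$1"
}

# ensure_auditds_auto FILE -> appends the documented line when no auditDS
# entry exists. Existing entries are never rewritten: returns 1 so that an
# operator reviews a non-auto entry by hand.
ensure_auditds_auto() {
    case "$(auditds_state "$1")" in
        auto) return 0 ;;
        other) return 1 ;;
    esac
    # Add a newline first if the file does not end with one.
    if [ -n "$(tail -c 1 "$1")" ]; then echo >> "$1"; fi
    printf '%s\n' 'auditDS auto #NSure Audit Platform Agent' >> "$1"
}

# Stand-alone use: "sh script.sh --report" prints the state of each default
# file that exists on this host, without changing anything.
if [ "${1:-}" = "--report" ]; then
    for f in $NDSMODULES_PATHS; do
        if [ -f "$f" ]; then echo "$f: $(auditds_state "$f")"; fi
    done
fi
```

A result of "other" or "missing" on a server that is expected to report eDirectory events means the instrumentation will not reload after a restart.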
On Linux systems, the startup script is /etc/init.d/novell-naudit. On Solaris systems, the startup script is /etc/init.d/naudit.
The Novell Audit Instrumentation (NsureAuditInst) audits Novell Audit events. It is automatically installed with the Secure Logging Server to provide an “audit the auditor” event trail. By reviewing the Novell Audit Instrumentation events, you can determine if your logging server is performing the way you expect.
The Novell Audit Instrumentation automatically loads with the Secure Logging Server. We do not recommend that you unload the Novell Audit Instrumentation.
For more information about the Novell Audit instrumentation, see Section 5.4.3, Novell Audit Instrumentation.
To log Windows events, the Windows Instrumentation, nauditwin, must be loaded on every server where you want to log Windows events. The Novell Audit Windows instrumentation runs as a service on Windows 2000, XP, and 2003. It collects events from the Event Viewer and sends them to the Secure Logging Server for processing by Novell Audit.
Typically, nauditwin.exe is automatically loaded each time the server restarts. However, you can also manually load or unload the instrumentation through Windows Services.
To manually load or unload the Windows Instrumentation, you must start or stop the Novell Audit Windows Instrumentation service:
Click > > .
Open the Services window.
In the list of installed services, right-click , then select or .
For more information on the Windows Instrumentation, see Section 5.4.4, Windows Instrumentation.
The Log Parser Instrumentation, logparse, harvests events from text-based log files such as syslog, Apache error logs, and Novell Application Launcher™ logs. Events are parsed one line at a time and formatted in the Novell Audit event structure. Parsing text-based log files allows Novell Audit to process and log events from applications that are not currently instrumented for Novell Audit.
The Log Parser Instrumentation must be manually loaded or unloaded. The following table reviews the Log Parser Instrumentation startup commands.
Table H-1 Log Parser Instrumentation Startup Commands
For more information about the Log Parser Instrumentation and parsing text logs, see Section 5.4.5, Log Parser Instrumentation.