H.4 Instrumentation Startup Commands

To log events to Novell Audit, you must install the Platform Agent on every server that you want to report events to the Secure Logging Server. You must also install the Instrumentation associated with every logging application that you want to report events to Novell Audit. The following sections review the startup commands for the instrumentations that ship with Novell Audit:

H.4.1 NetWare and eDirectory Instrumentation Startup Commands

The NetWare and eDirectory Instrumentations for Novell Audit (auditNW and auditDS, respectively) allow Novell Audit to log NetWare, eDirectory, and file system events.

Typically, auditNW and auditDS automatically load each time the server restarts. However, you can also manually load or unload the instrumentation files. The following sections review the instrumentation startup commands for NetWare, Windows, Linux, and Solaris systems.

For more information on these instrumentations, see Section 5.4.1, eDirectory Instrumentation and Section 5.4.2, NetWare and File System Instrumentations.

Starting and Stopping the NetWare and eDirectory Instrumentations on NetWare

NOTE: At server startup, the NetWare and eDirectory instrumentations should be loaded as soon as possible, but they must be loaded after TCP/IP.

On NetWare, the startup scripts for auditNW and auditDS are included in the auditagt.ncf file. Auditagt.ncf is added to the server’s autoexec.ncf file during installation. Therefore, the NetWare and eDirectory Instrumentations automatically load each time the server restarts.

If you want to prevent auditNW or auditDS from being unloaded by users with access to the server console, you can append the -n switch to the agent startup scripts. (For example, load auditnw -n.)

To manually start the NetWare or eDirectory Instrumentation on NetWare, enter

load auditnw

or

load auditDS

To load both the NetWare and eDirectory Instrumentations, enter

load auditagt.ncf

To stop the NetWare and eDirectory Instrumentations on NetWare, enter

unload auditnw

unload auditDS

NOTE: Auditnw.nlm, audit.ds, and auditagt.ncf are located in the sys:\system directory.

You must individually start or stop the instrumentations on each server in the tree.

Starting and Stopping the eDirectory Instrumentation on Windows

On Windows, the eDirectory Instrumentation is managed through the Novell eDirectory Services utility. By default, the eDirectory Instrumentation must be manually loaded on one server per DS Replica.

To manually load or unload the eDirectory Instrumentation on Windows:

  1. Load ndscons.exe.

    Ndscons.exe is usually in the \novell\nds\ directory.

  2. In the list of installed services, select the Novell Audit Component.

  3. Click Start or Stop.

To configure auditDS.dlm to load each time the server restarts:

  1. Load ndscons.exe.

    Ndscons.exe is usually in the \novell\nds\ directory.

  2. In the list of installed services, select the Novell Audit Component.

  3. Click Startup.

  4. Select the Automatic startup type, then click OK.

Starting and Stopping the eDirectory Instrumentation on Linux and Solaris

On Linux and Solaris systems, the eDirectory Instrumentation must be manually loaded on one server per DS Replica.

To manually start the eDirectory Instrumentation on Linux or Solaris, enter

ndstrace -c "load auditDS"

To manually stop the eDirectory Instrumentation on Linux or Solaris, enter

ndstrace -c "unload auditDS"

To automatically load the eDirectory Instrumentation each time the server restarts, add the following to the ndsmodules.conf file:

auditDS auto #NSure Audit Platform Agent

NOTE: On eDirectory 8.7, the path to the ndsmodules.conf file is /usr/lib/nds-modules/ndsmodules.conf. On eDirectory 8.8, the path is /etc/opt/novell/eDirectory/nds-modules/ndsmodules.conf.

On Linux systems, the startup script is /etc/init.d/novell-naudit. On Solaris systems, the startup script is /etc/init.d/naudit.
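Because the eDirectory Instrumentation is loaded manually by default, a server that restarts without the ndsmodules.conf entry stays without eDirectory event logging until auditDS is loaded by hand. The following script is an added example, not part of the Novell documentation or product: it reports whether the auditDS entry shown above is active in a given ndsmodules.conf. The function names and the state labels it prints are this example's own.

```sh
#!/bin/sh
# Added example (not Novell code): report whether the eDirectory Instrumentation
# is configured to autoload, using the entry and file paths given above.

# ndsmodules.conf locations from the NOTE above: eDirectory 8.8, then 8.7.
NDSMODULES_CONFS="/etc/opt/novell/eDirectory/nds-modules/ndsmodules.conf
/usr/lib/nds-modules/ndsmodules.conf"

# auditds_autoload_state FILE
# Prints one of: auto | not-auto | commented-out | missing | unreadable
# (labels are this example's own). Exit status is 0 only for "auto".
auditds_autoload_state() {
    [ -r "$1" ] || { echo unreadable; return 2; }
    awk '
        { line = $0; sub(/\r$/, "", line) }          # tolerate CRLF files
        line ~ /^[ \t]*#/ {                          # whole line is a comment
            sub(/^[ \t#]+/, "", line)
            if (split(line, f, " ") && f[1] == "auditDS") commented = 1
            next
        }
        {
            sub(/#.*/, "", line)                     # drop trailing comment
            n = split(line, f, " ")
            if (n && f[1] == "auditDS") {
                if (f[2] == "auto") is_auto = 1
                else other = 1
            }
        }
        END {
            if (is_auto)        state = "auto"
            else if (other)     state = "not-auto"
            else if (commented) state = "commented-out"
            else                state = "missing"
            print state
            exit (state != "auto")
        }' "$1"
}

# Check whichever of the documented files exists on this host.
check_known_confs() {
    printf '%s\n' "$NDSMODULES_CONFS" | while IFS= read -r conf; do
        [ -e "$conf" ] && printf '%s: %s\n' "$conf" "$(auditds_autoload_state "$conf")"
    done
    return 0
}

# Run the host check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then check_known_confs; fi
```

Run it with --check on each server that holds a DS Replica; any result other than auto means auditDS will not load at the next restart.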

H.4.2 Novell Audit Instrumentation

The Novell Audit Instrumentation (NsureAuditInst) audits Novell Audit events. It is automatically installed with the Secure Logging Server to provide an “audit the auditor” event trail. By reviewing the Novell Audit Instrumentation events, you can determine if your logging server is performing the way you expect.

The Novell Audit Instrumentation automatically loads with the Secure Logging Server. We do not recommend that you unload the Novell Audit Instrumentation.

For more information about the Novell Audit instrumentation, see Section 5.4.3, Novell Audit Instrumentation.

H.4.3 Starting and Stopping the Windows Instrumentation

To log Windows events, the Windows Instrumentation, nauditwin, must be loaded on every server where you want to log Windows events. The Novell Audit Windows instrumentation runs as a service on Windows 2000, XP, and 2003. It collects events from the Event Viewer and sends them to the Secure Logging Server for processing by Novell Audit.

Typically, nauditwin.exe is automatically loaded each time the server restarts. However, you can also manually load or unload the instrumentation through Windows Services.

To manually load or unload the Windows Instrumentation, you must start or stop the Novell Audit Windows Instrumentation service:

  1. Click Start > Settings > Control Panel.

  2. Open the Services window.

    • On Windows NT, select Services.
    • On Windows 2000 and XP, select Administrative Tools > Services.
  3. In the list of installed services, right-click Novell Audit Windows Instrumentation, then select Start or Stop.

For more information on the Windows Instrumentation, see Section 5.4.4, Windows Instrumentation.

H.4.4 Log Parser Instrumentation Startup Commands

The Log Parser Instrumentation, logparse, harvests events from text-based log files such as syslog, Apache error logs, and Novell Application Launcher™ logs. Events are parsed one line at a time and formatted in the Novell Audit event structure. Parsing text-based log files allows Novell Audit to process and log events from applications that are not currently instrumented for Novell Audit.

The Log Parser Instrumentation must be manually loaded or unloaded. The following table reviews the Log Parser Instrumentation startup commands.

Table H-1 Log Parser Instrumentation Startup Commands

Platform: NetWare

To manually start the Log Parser Instrumentation on NetWare, enter

load logparse

To stop the Log Parser Instrumentation on NetWare, enter

unload logparse

logparse.nlm is located in the sys:\system directory.

NOTE: You can add logparse to the auditagt.ncf file to automatically load the Log Parser Instrumentation each time the server restarts.

Platform: Linux

To manually start the Log Parser Instrumentation on Linux, go to the /opt/novell/naudit/ directory and enter

./logparse &

To manually stop the Log Parser Instrumentation on Linux, enter

pkill logparse

Platform: Solaris

To manually start the Log Parser Instrumentation on Solaris, go to the opt/NOVLnaudit/ directory and enter

./logparse &

To manually stop the Log Parser Instrumentation on Solaris, enter

pkill logparse

Platform: Windows

To manually load or unload the Log Parser Instrumentation on Windows, you must start or stop the Novell Audit Log Parser Instrumentation service:

  1. Click Start > Settings > Control Panel.
  2. Open the Services window.
    • On Windows NT, select Services.
    • On Windows 2000 and XP, select Administrative Tools > Services.
  3. In the list of installed services, right-click Novell Audit Log Parser Instrumentation, then select Start or Stop.

For more information about the Log Parser Instrumentation and parsing text logs, see Section 5.4.5, Log Parser Instrumentation.