An Instrumentation provides the Application object, the schema file (*.lsc), and the code that a logging application requires to log events to Novell Audit. The following applications are instrumented for Novell Audit:
The following section describes the instrumentations that are included with Novell Audit.
For instrumentations not documented in this manual, please refer to the logging application’s respective documentation for more information on the instrumentation.
The eDirectory Instrumentation for Novell Audit, auditDS, allows Novell Audit to log eDirectory events to the Novell Audit database. The eDirectory Instrumentation can log events from the following versions of the directory:
Novell Audit 2.0.1 can log events from multiple instances of eDirectory on Linux and Solaris. When you install Novell Audit 2.0.1, it detects if eDirectory 8.8 is installed and configures each instance of eDirectory to run the eDirectory instrumentation.
NOTE: Novell Audit 2.0.1 does not separately install the eDirectory instrumentation for each eDirectory instance; rather, it creates a symbolic link to a single installation of the auditDS libraries.
To support event signing and chaining—otherwise known as non-repudiation of data—you must bind each eDirectory instance to its own IP address. If you are not using the event signing and non-repudiation feature, you can have multiple instances of eDirectory on a single IP address.
Novell Audit 1.0.3P3 or greater and Novell Audit 2.0 log events only from a single instance of eDirectory 8.8.
To log eDirectory events, the eDirectory Instrumentation (auditDS) must be loaded on every server where you want to log eDirectory events. On NetWare, auditDS.nlm is loaded each time the server is started from the autoexec.ncf. On Linux and Solaris systems, auditds is added to nds-modules.conf and starts each time the ndsd service is started. On Windows, auditDS is not configured to start logging automatically. You can enable this service from the eDirectory console in the Windows Control Panel. For information on starting the eDirectory Instrumentation, see Instrumentation Startup Commands.
In previous versions of Nsure™ Audit, the eDirectory events were configured on the NCP Server object. Therefore, administrators were required to configure every NCP Server object where they wanted to log eDirectory events.
Novell Audit 2.0 now allows administrators to create a global filter in the eDirectory Instrumentation object that determines which eDirectory events the Platform Agents send to the Secure Logging Server. However, administrators must still enable the eDirectory events on the NCP Server object.
The following sections review how to configure eDirectory events on both the NCP Server object and the eDirectory Instrumentation:
For a listing of eDirectory events that can be logged to Novell Audit, see Section B.1, eDirectory Events.
IMPORTANT: eDirectory events such as login and logout are ubiquitous and can quickly fill your data store. Therefore, you should monitor your system’s event traffic and configure your data store’s expiration or roll policies accordingly. For information on the MySQL channel’s expiration properties, see MySQL Channel Object. For information on configuring the File channel to purge or roll its log files, see File Channel Object.
IMPORTANT: If you are running multiple instances of eDirectory, you must enable the eDirectory events on the NCP Server object in each tree.
During installation, Novell Audit extends the definition of the NCP Server object to include log settings for eDirectory, NetWare, and file system events. These settings are found under the Novell Audit property tab in the NCP Server object.
Figure 5-1 eDirectory Events in the NCP Server Object
The Novell Audit page has four different menus: Server, eDirectory, NetWare, and File System. The Server menu identifies the Logging Server object associated with the current NCP Server object. This menu is for informational purposes only and cannot be modified. The eDirectory, NetWare, and File System menus list the events that fall in their respective categories.

To select which eDirectory events you want to log on the current server:

1. Click the Novell Audit tab in the NCP Server object.
2. Select the eDirectory menu.
3. Enable the eDirectory events you want to log on the current server. You can create a global filter on the eDirectory Instrumentation that limits which events are actually logged to the data store.
4. Set the Global Settings.
5. When finished, apply your changes. After you apply them, there might be a slight delay before the logging server begins logging the selected events. You do not need to restart the logging server to effect changes to Novell Audit attributes in the NCP Server object.
eDirectory events are partition-specific; that is, they only need to be enabled on one NCP Server object per partition.
Through the eDirectory Instrumentation object in eDirectory, you can control which events the Platform Agents send to the Secure Logging Server. Essentially, the eDirectory Instrumentation allows you to create a global eDirectory event filter that is applied to every Platform Agent in the Novell Audit system.
NOTE: If you are running multiple instances of eDirectory, the eDirectory Instrumentation object is created in the eDirectory tree on the Secure Logging Server. This object controls which eDirectory events all eDirectory trees send to the Secure Logging Server.
To select which eDirectory events you want all Platform Agents to log to the Secure Logging Server:

1. In the eDirectory Instrumentation object, select the check box next to each eDirectory event you want all Platform Agents to log to the Secure Logging Server.
2. Enable the events selected in the eDirectory Instrumentation.

   IMPORTANT: The event settings on the NCP Server object are the master settings. If you do not configure the eDirectory Instrumentation, all events enabled in the NCP Server object are logged. However, if you enable events in the eDirectory Instrumentation but not in the NCP Server object, then no events are logged. If you enable events in both the eDirectory Instrumentation and the NCP Server object, only events enabled in both locations are logged.
3. When finished, apply your changes.

IMPORTANT: You must restart the Secure Logging Server to implement the changes to the eDirectory Instrumentation.
The NetWare Instrumentation for Novell Audit, auditNW, allows Novell Audit to log NetWare and file system events. The NetWare Instrumentation can log NetWare and file system events from NetWare 5.0 systems and higher.
To log NetWare or file system events, the NetWare Instrumentation must be loaded on every server where you want to log NetWare and file system events. AuditNW is automatically loaded each time the server restarts. For information on starting the NetWare Instrumentation, see Instrumentation Startup Commands.
In previous versions of Nsure Audit, the NetWare and file system events were configured on the NCP Server object. Therefore, administrators were required to configure every NCP Server object where they wanted to log NetWare or file system events.
Novell Audit 2.0 now allows administrators to create a global filter in the NetWare Instrumentation object that determines which NetWare and file system events the Platform Agents send to the Secure Logging Server. However, administrators must still enable the NetWare and file system events on the NCP Server object.
NOTE: If you want to filter events on a volume or directory level, you can create Notification filters that select events based on the volume or directory listed in the Text2 field.
The following sections review how to configure NetWare and file system events on both the NCP Server object and the NetWare Instrumentation:
For a listing of NetWare events that can be logged to Novell Audit, see Section B.3, NetWare Events. For a listing of File System events that can be logged to Novell Audit, see Section B.2, File System Events.
During installation, Novell Audit extends the definition of the NCP Server object to include log settings for eDirectory, NetWare, and file system events. These settings are found under the Novell Audit property tab in the NCP Server object.
Figure 5-2 NetWare Events in the NCP Server Object
The Novell Audit page has four different menus: Server, eDirectory, NetWare, and File System. The Server menu identifies the Logging Server object associated with the current NCP Server object. This menu is for informational purposes only and cannot be modified. The eDirectory, NetWare, and File System menus list the events that fall in their respective categories.

To select which NetWare and file system events you want to log:

1. Click the Novell Audit tab in the NCP Server object.
2. Select the NetWare or File System menu.
3. Enable the NetWare and file system events you want to log on the current server. You can create a global filter on the NetWare Instrumentation that limits which events are actually logged to the data store.
4. When finished, apply your changes. After you apply them, there might be a slight delay before the logging server begins logging the selected events.

NOTE: You do not need to restart the logging server to effect changes to Novell Audit attributes in the NCP Server object.
NetWare and File System events are server-specific settings; that is, they must be enabled on each NCP Server object in the tree.
Through the NetWare Instrumentation object in eDirectory, you can control which events the Platform Agents send to the Secure Logging Server. Essentially, the NetWare Instrumentation allows you to create a global NetWare and file system event filter that is applied to every Platform Agent in the Novell Audit system.
To select which NetWare and file system events you want all Platform Agents to log to the Secure Logging Server:

1. In the NetWare Instrumentation object, select the check box next to each NetWare and file system event you want all Platform Agents to log to the Secure Logging Server.
2. Enable the events selected in the NetWare Instrumentation.

   IMPORTANT: The event settings on the NCP Server object are the master settings. If you do not configure the NetWare Instrumentation, all events enabled in the NCP Server object are logged. However, if you enable events in the NetWare Instrumentation but not in the NCP Server object, then no events are logged. If you enable events in both the NetWare Instrumentation and the NCP Server object, only events enabled in both locations are logged.
3. When finished, apply your changes.

IMPORTANT: You must restart the Secure Logging Server to implement the changes to the NetWare Instrumentation.
The Novell Audit Instrumentation (NsureAuditInst) audits Novell Audit events. It is automatically installed with the Secure Logging Server to provide an “audit the auditor” event trail. By reviewing the Novell Audit Instrumentation events, you can determine if your logging server is performing the way you expect. For example, the Novell Audit Instrumentation can log an event every time the Secure Logging Server loads a Channel, Notification, or Application object. It can also log an event each time a Channel driver fails to load or when there is a bad Heartbeat or Notification configuration.
The Novell Audit Instrumentation object in eDirectory allows you to manage which Novell Audit events are logged. For a listing of Novell Audit events, see Section B.4, Novell Audit Events.
To select which Novell Audit events you want all Platform Agents to log to the Secure Logging Server:

1. In the Novell Audit Instrumentation object, select the check box next to each Novell Audit event you want all Platform Agents to log to the Secure Logging Server.
2. Enable the events selected in the Novell Audit Instrumentation.
3. When finished, apply your changes.

IMPORTANT: You must restart the Secure Logging Server to implement the changes to the Novell Audit Instrumentation.
To log Windows events, the Windows Instrumentation, nauditwin, must be loaded on every server where you want to log Windows events. The Novell Audit Windows instrumentation runs as a service on Windows 2000, XP, and 2003. It collects events from the Event Viewer and sends them to the Secure Logging Server for processing by Novell Audit.
The Windows Instrumentation object in eDirectory allows you to manage which Windows events the Platform Agents send to the Secure Logging Server.
To select which Windows events you want all Platform Agents to log to the Secure Logging Server:

1. In the Windows Instrumentation object, select the check box next to each Windows event you want all Platform Agents to log to the Secure Logging Server.
2. Enable the events selected in the Windows Instrumentation.
3. When finished, apply your changes.

IMPORTANT: You must restart the Secure Logging Server to implement the changes to the Windows Instrumentation.
After the Windows Instrumentation is installed, you must enable Windows auditing.
IMPORTANT: To configure auditing for a domain, you must be on a domain controller.
To configure your Windows auditing policy:

1. (Optional) In a domain environment, use the domain administrative tool to enable auditing for the domain.
2. Go to the Control Panel and open the administrative tools.
3. Select one of the Security Policy administrative tools to configure your system audit policy.

   NOTE: If the machine has only Windows installed, only one of these tools is available.
4. Define the audit policy. Audit policy is applied in the same order as group policy. (The group policy hierarchy is listed in a dialog box of the System Policy Editor.) If there is a policy conflict, the most recently applied policy overrides a previously applied policy.

After you have defined the Windows audit policy, the Windows Instrumentation logs every event enabled in the audit policy.
If you don’t see a Windows event logged in Novell Audit, check the Windows Event Viewer to see if the event has been logged in Windows. If the event doesn’t appear in the Event Viewer, it will not be logged in Novell Audit.
The Log Parser Instrumentation harvests events from text-based log files such as syslog, Apache error logs, and Novell Application Launcher™ logs. Events are parsed one line at a time and formatted in the Novell Audit event structure. Parsing text-based log files allows Novell Audit to process and log events from applications that are not currently instrumented for Novell Audit.
NOTE: The Log Parser Instrumentation does not currently handle multi-byte characters.
The Log Parser is not designed to consolidate information from multiple lines into a single event. Therefore, for the Log Parser Instrumentation to parse a text-based log file, each line must end in either a carriage return or a line feed. For more information on the Novell Audit event structure, see Section A.1, Event Structure.
To configure log parsing, you must identify the servers where the text logs are located, identify the log files, and identify the lines in the log files that you want to parse into events. These tasks are discussed in the following sections.
To configure log parsing, you must first create at least one host. A host is a server that contains one or more text-based log files that you want to parse.
The Hosts page allows you to create and manage host servers. To access it, open the Hosts page from the Logfile Parser Instrumentation object.
Figure 5-3 Hosts Page
The following table reviews the options in the Hosts page:
Table 5-2 Hosts Page Options
| Option | Description |
|---|---|
| | Creates a new host server. For information on this procedure, see Defining a Host Server. |
| | Allows you to modify the selected host’s information. |
| | Deletes the selected host. |
| | The IP address or DNS name of the server where one or more log files reside. |
| | The total number of log files that reside on the host. |
| | The host server description. The description is created when the host is defined. |
To define a host server:

1. In the Logfile Parser Instrumentation, open the Hosts page.
2. In the Hosts page, choose to define a new host server.
3. In the dialog box that opens, provide the following information:
   - The IP address or DNS name of the server where the log file resides.
   - A description of the host server, such as the server name.
4. Confirm the dialog box.

After you create a host, you must define the log files from which you want to harvest events.
The Logfiles page allows you to create and manage log files. To access the Logfiles page, go to the Logfile Parser page, then click the IP address or host name of the server where the log file resides.
Figure 5-4 Logfiles Page
The following table reviews the options in the Logfiles page:
Table 5-3 Logfiles Page Options
| Option | Description |
|---|---|
| | Creates a new log file. For information on this procedure, see Defining a Log File. NOTE: Novell Audit dedicates a separate thread to schedule and parse each log file you define. |
| | Allows you to modify the selected log file’s information. |
| | Deletes the selected log file. |
| | Imports an existing log file definition and its associated line readers. If you define a log file and line readers that you want to use on another machine or share with an associate, you can export log files defined in the Logfile Parser Instrumentation, then import them on another machine as a new log file, or you can replace an existing log file with the same name. |
| | Exports the selected log file to the default location specified by the browser you are using to access iManager. The export process creates an XML file from the log file and line reader configuration. IMPORTANT: If you are using Internet Explorer in the Windows XP environment, you must first enable the required features in Internet Explorer before you can export a log file. |
| | A unique name for the target log file. The name is defined when you create the log file. |
| | The directory location and filename of the log file on the target system. For example, the location of the syslog file on Red Hat and SUSE systems is typically /var/log/messages. The location is defined when you create the log file. |
| | A description of the log file. The description is defined when you create the log file. |
To define a log file:

1. In the Logfile Parser Instrumentation, open the Hosts page.
2. Click the IP address or host name of the server where the log file resides.
3. In the Logfiles page, choose to define the log file from which you want to harvest events.
4. In the dialog box that opens, provide the log file’s name, location, and description.
5. Confirm the dialog box.

After you create a host and a log file, you must create a line reader. A line reader identifies a specific line in the log file and defines what to do with the line. The line can be discarded or parsed into an event that is logged in the Novell Audit data store.
NOTE: Before you define line readers, we recommend you familiarize yourself with the Novell Audit event structure. For more information, see Section A.1, Event Structure.
The Line Readers page allows you to create and manage line readers. To access the Line Readers page, go to the Logfiles page, then click the log file where you want to define a line reader.
Figure 5-5 Line Readers Page
The following table reviews the options in the Line Readers page:
| Item | Description |
|---|---|
| | Creates a new line reader. For information on this procedure, see Defining a Line Reader. |
| | Allows you to modify the selected line reader’s information. |
| | Deletes the selected line reader. |
| | A number (0-999) which uniquely identifies each event. The event ID is defined when you create the line reader. For more information on how Novell Audit uses Event IDs, see Section A.1, Event Structure. |
| | Specifies how the line is processed. The parse type is defined when you create the line reader. |
| | The event source. This is generally defined as the log file filename. When the line is parsed into a Novell Audit event, the information provided in this field displays in the event’s Component field. For more information on how Novell Audit uses the Component field, see Section A.1, Event Structure. |
| | A description of the line reader. The description is defined when you create the line reader. |
To define a line reader:

1. In the Logfile Parser Instrumentation, open the Hosts page.
2. Click the IP address or host name of the server where the log file resides.
3. In the Logfiles page, click the log file where you want to define the line reader.
4. In the Line Readers page, choose to create a new line reader. The Line Reader wizard launches.
5. Complete the Line Reader wizard to define the line reader.
The Log Parser Instrumentation uses the information defined in the Line Reader to select specific lines in the text-based log file and either ignore them or parse them into events that can be logged to the Novell Audit data store.
The following sections walk you through each step in the wizard:
The first step in the Line Reader wizard is the Line Reader Configuration. In this page, you define the parameters the Log Parser Instrumentation needs to identify a specific line in the log file. You also determine how the Log Parser Instrumentation processes the line and define the event identifiers.
Figure 5-6 Line Reader Configuration Page
The following table reviews each option in the Line Reader Configuration page:
Table 5-4 Line Reader Configuration Page Options

| Option | Description |
|---|---|
| | The Parse Type defines how the Log Parser Instrumentation processes the line. |
| | Textual information about the line reader. |
| | A number (0-999) which uniquely identifies each event. For more information on how Novell Audit uses Event IDs, see Section A.1, Event Structure. Use this field only for Tokenizer and Fixed Position parse types. |
| | The event source. This is generally defined as the log file filename. When the line is parsed into a Novell Audit event, the information provided in this field displays in the event’s Component field. For more information on how Novell Audit uses the Component field, see Section A.1, Event Structure. Use this field only for Tokenizer and Fixed Position parse types. |
| | The regular expression the Log Parser Instrumentation uses to identify the line in the log file. When the Log Parser Instrumentation finds a match, the line is processed as defined in the Parse Type field. If the Parse Type is Tokenizer or Fixed Position, the Log Parser Instrumentation parses each line section defined in the Step 3: Section page into the event fields defined in the Step 2: Hardcoded Fields page. |
The second step in the Line Reader wizard is defining the event fields. If the Parse Type defined in Step 1 is Tokenizer or Fixed Position, the Log Parser Instrumentation parses the line into the event fields defined in this page. The fields in the Hardcoded Fields page are equivalent to the fields defined in Novell Audit events. For more information on the Novell Audit event structure, see Section A.1, Event Structure. All hardcoded fields are optional.
NOTE: The log parser does not currently handle multi-byte characters.
Figure 5-7 Hardcoded Fields Page
The following table reviews each option in the Hardcoded Fields page:
Table 5-5 Hardcoded Fields Page Options

| Option | Description |
|---|---|
| | The severity of the reported event. |
| | An ID that can be used to identify related events. |
| | Who or what caused the event to happen. |
| | The predefined format for the originator. Novell Audit defines a fixed set of values for this type. |
| | The event target. All eDirectory events store the event’s object in the Target field. |
| | The predefined format for the target. Novell Audit defines a fixed set of values for this type. |
| | The event subtarget. All eDirectory events store the event’s attribute in the Sub Target field. |
| | The value of this field depends upon the event. It can contain any text string up to 255 characters. The Text1 field is vital to the function of the CVR driver. For more information, see CVR Channel Driver. |
| | The value of this field depends upon the event. It can contain any text string up to 255 characters. The Text2 field is vital to the function of the CVR driver. For more information, see CVR Channel Driver. |
| | The value of this field depends upon the event. It can contain any text string up to 255 characters. |
| | The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
| | The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
| | The value of this field depends upon the event. It can contain any numeric value up to 32 bits. |
| | Identifies the type of data contained in the Data field. |
| | The value of this field depends upon the event. The default size of this field is 3072 characters. |
The third step in the Line Reader wizard is defining which line sections parse to which event fields. In this page, you provide the information the Log Parser Instrumentation needs to identify specific sections of the line, and you associate each line section with one of the event fields defined in Step 2: Hardcoded Fields. The Log Parser Instrumentation uses this information to parse text-based line data into an event that can be stored in the Novell Audit database.
To add more than one section, use the add control. To delete a section, use the delete control next to the section you want to delete.
Figure 5-8 Section Page
The Summary page reviews the information that you provided during the Line Reader wizard. To modify any of the information, go back to the applicable page and make the necessary modifications. When you have provided the correct information, complete the wizard.
Figure 5-9 Summary Page
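How the three wizard steps fit together (a regular expression and parse type selecting the line, hardcoded field defaults, and line sections mapped to event fields), as an added Python model that is not Novell's code: the field limits and the Tokenizer and Fixed Position parse types are the page's, while the "Discard" parse type, the token-index and character-span section locators, and the sample syslog lines are assumptions made here.

```python
"""Model of a Novell Audit Log Parser line reader (added example, not Novell code).
Field limits are the page's; "Discard" and the section locator model are assumed."""
import re
from dataclasses import dataclass, field

TEXT_FIELDS = {"Text1", "Text2", "Text3"}          # up to 255 characters each
VALUE_FIELDS = {"Value1", "Value2", "Value3"}      # 32-bit numeric values
MAX_TEXT, MAX_DATA, MAX_VALUE = 255, 3072, 2 ** 32 - 1   # Data defaults to 3072 chars


@dataclass
class LineReader:
    event_id: int          # 0-999
    parse_type: str        # "Tokenizer" or "Fixed Position" (page); "Discard" (assumed)
    component: str         # usually the log file name; becomes the event's Component
    pattern: str           # Step 1: regular expression that selects the line
    hardcoded: dict = field(default_factory=dict)   # Step 2: fixed event field values
    sections: list = field(default_factory=list)    # Step 3: (event field, locator) pairs;
                           # locator is a whitespace-token index (Tokenizer) or a
                           # (start, end) character span (Fixed Position)

    def __post_init__(self):
        if not 0 <= self.event_id <= 999:
            raise ValueError("Event ID must be 0-999")
        self.regex = re.compile(self.pattern)


def coerce(name, raw):
    """Apply the per-field limits listed in the Hardcoded Fields table."""
    if name in VALUE_FIELDS:
        value = int(raw)
        if not 0 <= value <= MAX_VALUE:
            raise ValueError(f"{name} does not fit in 32 bits")
        return value
    if name in TEXT_FIELDS:
        return str(raw)[:MAX_TEXT]
    return str(raw)[:MAX_DATA] if name == "Data" else raw


def parse_line(readers, line):
    """Event dict for the first reader whose regex matches; None if none or Discard."""
    line = line.rstrip("\r\n")
    for r in readers:
        if not r.regex.search(line):
            continue
        if r.parse_type == "Discard":
            return None
        event = {"EventID": r.event_id, "Component": r.component}
        event.update({k: coerce(k, v) for k, v in r.hardcoded.items()})
        tokens = line.split()
        for target, loc in r.sections:   # parsed sections override hardcoded defaults
            raw = tokens[loc] if r.parse_type == "Tokenizer" else line[loc[0]:loc[1]]
            event[target] = coerce(target, raw.strip())
        return event
    return None


def parse_text(readers, text):
    """Lines are parsed one at a time; each line must end in a CR or LF."""
    lines = [ln for ln in re.split(r"\r\n|\r|\n", text) if ln]
    return [e for e in (parse_line(readers, ln) for ln in lines) if e]


# Constructed sample readers and syslog lines (not real data).
SAMPLE_READERS = [
    LineReader(0, "Discard", "messages", r"CRON\["),
    LineReader(101, "Tokenizer", "messages", r"sshd\[\d+\]: Failed password",
               hardcoded={"Severity": 3, "Text2": "ssh"},
               sections=[("Originator", 8), ("Text1", 10), ("Value1", 12)]),
    LineReader(100, "Fixed Position", "messages", r"Accepted password",
               sections=[("Text3", (0, 15))]),   # syslog timestamp columns
]
SAMPLE_SYSLOG = (
    "Jan 12 10:03:11 host1 sshd[2211]: Failed password for root from 198.51.100.7 port 4242 ssh2\n"
    "Jan 12 10:03:12 host1 CRON[2215]: pam_unix(cron:session): session opened for user root\r\n"
    "Jan 12 10:03:15 host1 sshd[2211]: Accepted password for alice from 203.0.113.9 port 4250 ssh2\n"
)
```

Running `parse_text(SAMPLE_READERS, SAMPLE_SYSLOG)` yields two events: the CRON line is discarded, the failed login becomes Event ID 101 with the user, source address and port in Originator, Text1 and Value1, and the accepted login becomes Event ID 100 carrying the timestamp columns in Text3.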