6.2 Configuring Data Collection for Novell Audit Server

Administrators can enable or disable data collection and view health information for the audit server and event sources.

6.2.1 Enabling or Disabling Data Collection for the Audit Server

Use the following procedure to enable or disable data collection for the audit server.

  1. Log in to the Sentinel Log Manager as administrator.

  2. Click the collection link in the upper left corner of the page.

    The Collection tab is displayed on the right pane of the page.

  3. Select the Audit Server tab.

  4. In the Audit Server section, enable or disable data collection at a global level for event sources by using the On and Off options.

    For more information about audit server health status, refer to Viewing Audit Server Health.

  5. Enable or disable data collection at the application level by using the On and Off options in the Event Sources section.

    These settings might affect data collection for several servers (for example, multiple eDirectory™ instances). However, they do not start or stop services on the event source machines.

    For more information about event source health status, see Viewing Event Source Health for the Audit Server.

Changes on this page take effect immediately.

To view the health of the audit server and its event sources, use the instructions in the following sections:

Viewing Audit Server Health

The audit server is the listener in Sentinel Log Manager that accepts connections from the Platform Agents on Novell applications. Use the following procedure to view the audit server health:

  1. Log in to the Sentinel Log Manager as an administrator.

  2. Click the collection link in the upper left corner of the page.

    The Collection tab is displayed on the right pane of the page.

  3. Click the Audit Server tab.

  4. A colored icon next to the audit server indicates its health.

    Green: Indicates that the audit server is healthy (it is turned on, is listening on a port, and doesn’t have any unresolved errors).

    Red: Indicates that the audit server has experienced an error. For more information, view the server0.*.log files.

    Black: Indicates that the audit server has been taken offline by an administrator.

Viewing Event Source Health for the Audit Server

The health status for each Novell application is indicated by a colored icon. For each online data source, Sentinel Log Manager also shows the calculated event rate for incoming events. The event rate is recalculated every 60 seconds.

  1. Log in to the Sentinel Log Manager as an administrator.

  2. Click the collection link in the upper left corner of the page.

    The Collection tab is displayed on the right pane of the page.

  3. Select the Audit Server tab.

  4. A colored icon next to the Novell application indicates its health.

    Green: Indicates that the event source is healthy and Log Manager has received data from it.

    Yellow: Indicates a warning condition. A common cause for this condition is that the application is turned on in Sentinel Log Manager but is not sending any data. For example, this condition could happen if the event source is not configured properly to send data to Sentinel Log Manager or if event logging is not enabled for the application.

    Red: Indicates that the Sentinel Log Manager server is reporting an error connecting to or receiving data from this application.

    Black: Indicates that the event source has been turned off. Sentinel Log Manager is not processing any data from it.

  5. Click show details to see more information, including IP addresses for individual event sources and their associated status.

6.2.2 Managing Event Sources

Although Sentinel Log Manager is preconfigured to accept data from supported applications, the application servers must also be configured to send data to the Sentinel Log Manager server.

Sentinel Log Manager can also be configured to collect data from other devices and applications. For more information about configuring these, refer to the appropriate Collector documentation and to the device or application vendor documentation.

Adding Event Sources

After new event sources start sending data to the Sentinel Log Manager, the IP addresses for those event sources are automatically added to the list of IP addresses that are displayed when you click show details for a Novell application.

Deleting Event Sources

If there is an error with the connection for an event source, the event source can be deleted by using the yellow icon to the left of the IP address. If the event source starts sending data again, the connection is automatically re-established.

6.2.3 Setting the Audit Server Options

Administrators can change how Sentinel Log Manager listens for data from the event source applications: the port on which it listens, the type of client authentication it requires from the event sources, the server key pair it presents to them, and its behavior when it receives more events than it can buffer.

Specifying Audit Server Settings

  1. Log in to the Sentinel Log Manager as an administrator.

  2. Click the collection link in the upper left corner of the page.

    The Collection tab is displayed on the right pane of the page.

  3. Select the Audit Server tab.

  4. Click the Configuration link on the right side of the screen.

  5. Specify the port on which the Sentinel Log Manager server listens for messages from the event sources.

    For more information about setting the port, see Port Configuration and Port Forwarding for the Audit Server.

  6. Set the appropriate client authentication and server key pairs settings.

    For more information about client authentication, see Client Authentication for the Audit Server.

  7. Select the Sentinel Log Manager server behavior when the number of events received exceeds the buffer capacity.

    Temporarily pause connections: Drops the existing connections and stops accepting new connections until the buffer has space for the new messages. In the meantime, messages are cached by the event sources.

    Drop oldest messages: Drops the oldest messages to accept new messages.

    WARNING: There is no supported method for recovering dropped messages if you select Drop oldest messages. Choose this option only if keeping the listener available for new events matters more to you than a complete audit trail.

  8. Select Idle Connection to disconnect event sources that have not sent data for a certain period of time.

    The event source connections are automatically re-created when they start sending data again.

  9. Specify the number of minutes before an idle connection is disconnected.

  10. Select Event Signatures to receive a signature with the event.

    To receive a signature, the Platform Agent on the event source must be configured properly.

  11. Click Save.

Port Configuration and Port Forwarding for the Audit Server

The default port on which Log Manager listens for messages from the event sources is 1289. When the port is changed, the system checks whether the specified port is valid and open.

Binding to ports below 1024 requires root privileges, so configure Log Manager to listen on a port above 1024. Either change the event sources to send data to that higher port, or use port forwarding on the Sentinel Log Manager server so that data arriving on the lower port is redirected to the port on which Log Manager listens.

To change the event source to send data to a different port:

  1. Log in to the event source machine.

  2. Open the Platform Agent's logevent configuration file for editing. The file location depends on the operating system:

    • Linux: /etc/logevent.conf

    • Windows*: C:\WINDOWS\logevent.cfg

    • NetWare®: SYS:\etc\logevent.cfg

    • Solaris: /etc/logevent.conf

  3. Set the LogEnginePort parameter to the desired port.

  4. Save the file.

  5. Restart the Platform Agent.

    The method varies by operating system and application. Reboot the machine or refer to the application specific documentation on the Novell Documentation Web Site for more instructions.
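The following is an added example (not from the Novell documentation) of scripting steps 2 to 4 above on a Linux or Solaris host: it sets LogEnginePort in the Platform Agent's logevent configuration file, replacing an existing entry rather than adding a second one, validates the port, and reads the value back. It assumes the file holds one Key=Value pair per line; the sample file written by demo() is constructed for the example, and the LogHost line in it is illustrative only.

```shell
#!/bin/sh
# Added example, not part of the Novell documentation: change LogEnginePort in
# a Platform Agent's logevent configuration file without hand-editing it, then
# read the value back to confirm the change. Assumes one Key=Value pair per
# line (the logevent.conf / logevent.cfg layout). The sample file written by
# demo() is constructed for this example; on a real host pass the path from
# the list above (for example /etc/logevent.conf) instead.

# Print the value of KEY in FILE (key match is case-insensitive).
get_conf_key() {
    awk -v k="$2" '
        {
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (tolower(name) == tolower(k)) {
                val = substr($0, eq + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# Set KEY=VALUE in FILE: rewrite the existing line (dropping any duplicate
# definitions of the key) or append the pair if the key is absent.
set_conf_key() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        {
            eq = index($0, "=")
            if (eq > 0) {
                name = substr($0, 1, eq - 1)
                gsub(/^[ \t]+|[ \t]+$/, "", name)
                if (tolower(name) == tolower(k)) {
                    if (!found) print k "=" v
                    found = 1
                    next
                }
            }
            print
        }
        END { if (!found) print k "=" v }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy the content back instead of mv, so the file keeps its owner and
    # mode (the Platform Agent must still be able to read it).
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Validate the port, then set LogEnginePort. Log Manager listens on 1289 by
# default; a port above 1024 is needed when it is not allowed to run as root.
set_log_engine_port() {
    file=$1; port=$2
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    set_conf_key "$file" LogEnginePort "$port"
}

# Demonstration on a constructed copy of a Platform Agent configuration.
demo() {
    f=$(mktemp) || return 1
    printf 'LogHost=slm.example.com\nlogengineport = 1289\n' > "$f"   # constructed sample
    set_log_engine_port "$f" 11289 || return 1
    echo "LogEnginePort is now: $(get_conf_key "$f" LogEnginePort)"
    rm -f "$f"
}

# Usage: sh thisfile demo
case "${1-}" in demo) demo ;; esac
```

Editing the file does not reload it: the Platform Agent still has to be restarted (step 5) before it sends to the new port, and the Windows and NetWare paths in the list above use the same Key=Value layout but are not covered by this POSIX shell script.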

To configure port forwarding on the Sentinel Log Manager server:

  1. Log in to the Sentinel Log Manager server operating system as root (or su to root).

  2. Open the /etc/init.d/boot.local file for editing.

  3. Add the following command at the end of the file, so that it runs at the end of the boot process:

    iptables -A PREROUTING -t nat -p <protocol> --dport <incoming port> -j DNAT --to-destination <IP>:<rerouted port>

    where <protocol> is tcp or udp, <incoming port> is the port on which the messages arrive, and <IP>:<rerouted port> is the IP address of the local machine and an available port above 1024 (the port on which Log Manager is configured to listen). The rule lives in the nat table's PREROUTING chain, so it applies only to packets arriving from the network; the filter INPUT chain must also accept traffic to the rerouted port.

  4. Save the changes.

  5. Reboot. If you cannot reboot immediately, run the iptables command in Step 3 from a command line, then confirm that the rule is present with iptables -t nat -L PREROUTING -n.
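As an added example that is not part of the Novell documentation, the following script wraps the iptables command from Step 3 with argument checks, adds the rule only when an identical one is not already present (so running it from boot.local and again by hand does not stack duplicate rules), and lists the PREROUTING chain afterwards for verification. It assumes iptables is on PATH and the script runs as root; the address 192.0.2.10 and port 11289 in the usage comment are constructed values.

```shell
#!/bin/sh
# Added example, not part of the Novell documentation: install the DNAT rule
# from the procedure above with argument checks, without duplicating it on
# repeated runs, and print the nat table afterwards for verification.
# Assumes iptables is on PATH and the script runs as root; the IP address and
# ports in the usage comment are constructed values for this example.

# True if $1 is an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate: protocol tcp|udp, both ports numeric, the rerouted port above
# 1024 (Log Manager cannot bind lower ports without root), the two ports
# different (otherwise the rule redirects a port to itself), and a coarse
# dotted-IPv4 check on the address.
check_forward_args() {
    proto=$1; in_port=$2; ip=$3; out_port=$4
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp: $proto" >&2; return 1 ;; esac
    valid_port "$in_port"  || { echo "bad incoming port: $in_port" >&2; return 1; }
    valid_port "$out_port" || { echo "bad rerouted port: $out_port" >&2; return 1; }
    [ "$out_port" -gt 1024 ] || { echo "rerouted port must be above 1024: $out_port" >&2; return 1; }
    [ "$in_port" -ne "$out_port" ] || { echo "incoming and rerouted ports must differ" >&2; return 1; }
    case "$ip" in ''|*[!0-9.]*) echo "IP must be dotted IPv4: $ip" >&2; return 1 ;; esac
}

# The rule body shared by -C (check) and -A (append).
dnat_rule() {
    printf 'PREROUTING -p %s --dport %s -j DNAT --to-destination %s:%s' "$1" "$2" "$3" "$4"
}

# The exact command Step 3 puts into boot.local, for the given arguments.
forward_command() {
    check_forward_args "$@" || return 1
    echo "iptables -t nat -A $(dnat_rule "$@")"
}

# Add the rule only if an identical one is not already present, then list
# the chain so the result can be checked. With DRY_RUN=1, print instead.
add_port_forward() {
    check_forward_args "$@" || return 1
    rule=$(dnat_rule "$@")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule"
        return 0
    fi
    # Word splitting of $rule into separate arguments is intended here.
    iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule || return 1
    iptables -t nat -L PREROUTING -n --line-numbers
}

# Usage: sh thisfile tcp 1289 192.0.2.10 11289   (constructed example values)
if [ $# -eq 4 ]; then
    add_port_forward "$@"
fi
```

Because the rule is in PREROUTING, a test connection made from the Sentinel Log Manager server itself to its own port 1289 is not redirected; test from an event source machine, or add a matching rule in the nat OUTPUT chain for local tests only.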

Client Authentication for the Audit Server

The event sources send their data over an SSL connection. The Client authentication setting on the Sentinel Log Manager server determines whether, and how strictly, Log Manager checks the certificate that an event source (its Platform Agent) presents when it connects:

Open: No authentication is required. Log Manager does not request, require, or validate a certificate from the event source.

Loose: The event source must present a well-formed X.509 certificate, but Log Manager does not validate it: it does not need to be signed by a certificate authority, so a self-signed certificate is accepted. This mode encrypts the connection but does not establish who the event source is.

Strict: The event source must present a valid X.509 certificate signed by a certificate authority that Log Manager trusts (see Creating a Truststore). If the event source does not present a valid certificate, Log Manager does not accept its event data. Only this mode prevents an arbitrary machine that can reach the listening port from injecting events.

Creating a Truststore

For strict authentication, you must have a truststore that contains either the event source’s certificate or the certificate for the certificate authority (CA) that signed the event source’s certificate. After you have a DER or PEM certificate, you can create the truststore by using the CreateTruststore utility that comes with Log Manager.

  1. Log in to the Sentinel Log Manager server as novell.

  2. Go to /opt/novell/sentinel_log_mgr_1.0_x86/data/updates/done.

  3. Unzip the audit_connector.zip file.

    unzip audit_connector.zip

  4. Either copy TruststoreCreator.sh or TruststoreCreator.bat to the machine with the certificates or copy the certificates to the machine with the TruststoreCreator utility.

  5. Run the TruststoreCreator.sh utility.

    TruststoreCreator.sh -keystore /tmp/my.keystore -password password1 -certs /tmp/cert1.pem,/tmp/cert2.pem

    In this example, the TruststoreCreator utility creates a keystore file called my.keystore that contains the two certificates cert1.pem and cert2.pem, protected by the password password1. Because the password is passed on the command line, it is visible in the shell history and in process listings while the utility runs; do not reuse a password from elsewhere, and restrict read access to the resulting keystore file.
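The following is an added example, not part of the Novell documentation or of the TruststoreCreator utility, that performs the check Strict client authentication will later enforce: before building the truststore, it uses openssl to confirm that each event source certificate chains to the CA certificate you intend to trust and is within its validity period. A self-signed certificate from an unknown machine passes Loose mode but fails here, exactly as it would be rejected under Strict. It assumes openssl is on PATH; the file names ca.pem, cert1.pem and cert2.pem are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the Novell documentation: pre-check event source
# certificates against the CA certificate before creating the truststore.
# Assumes openssl is on PATH. File names are placeholders for this example.

# Exit 0 if LEAF (PEM) is signed by a CA in CAFILE (PEM) and currently valid.
# This is the same chain and validity check Strict mode applies at connect
# time; a self-signed certificate not in CAFILE fails it.
verify_event_source_cert() {
    cafile=$1; leaf=$2
    openssl verify -CAfile "$cafile" "$leaf" >/dev/null 2>&1
}

# Print subject, issuer and validity period of a PEM certificate, the same
# facts the Details button shows for a truststore entry after import.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Check every certificate given after CAFILE; report which ones Strict mode
# would reject. Returns non-zero if any certificate fails.
check_all() {
    cafile=$1; shift
    rc=0
    for leaf in "$@"; do
        if verify_event_source_cert "$cafile" "$leaf"; then
            echo "OK      $leaf"
        else
            echo "REJECT  $leaf (does not chain to $cafile, or is outside its validity period)"
            rc=1
        fi
    done
    return $rc
}

# Usage (placeholder paths): only build the truststore once every event
# source certificate verifies, and put the CA certificate, not the leaves,
# into it so that new sources issued by the same CA are accepted:
#   check_all /tmp/ca.pem /tmp/cert1.pem /tmp/cert2.pem \
#     && TruststoreCreator.sh -keystore /tmp/my.keystore -password password1 -certs /tmp/ca.pem
```

Putting the CA certificate rather than individual event source certificates into the truststore means the truststore does not have to be rebuilt and re-imported each time a Platform Agent's certificate is renewed; the trade-off is that every certificate the CA issues is then accepted, so the CA must be one you control or that issues only to your event sources.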

Importing a Truststore

For strict authentication, the administrator can import a truststore by using the Import button. This helps ensure that only authorized event sources are sending data to Log Manager. The truststore must include either the certificate of the event source or the certificate of the certificate authority that signed it.

The following procedure must be run on the machine that has the truststore on it. You can open a Web browser on the machine with the truststore or move the truststore to any machine with a Web browser.

  1. Log in to the Sentinel Log Manager as an administrator.

  2. Click the collection link in the upper left corner of the page.

    The Collection tab is displayed on the right pane of the page.

  3. Select the Audit Server tab.

  4. Click the Configuration link on the right side of the screen.

  5. Select the Strict option under Client authentication.

  6. Click Browse and browse to the truststore file (for example, my.keystore).

  7. Specify the password for the truststore file.

  8. Click Import.

  9. If desired, click Details to see more information about the truststore.

  10. Click Save.

After the truststore is imported successfully, you can click Details to see the certificates included in the truststore.

Server Key Pair

Log Manager is installed with a built-in certificate, which is used to authenticate the Sentinel Log Manager server to the event sources. This certificate can be overridden with a certificate signed by a public certificate authority (CA).

To replace the built-in certificate:

  1. Log in to the Sentinel Log Manager as an administrator.

  2. Click the collection link in the upper left corner of the page.

    The Collection tab is displayed on the right pane of the page.

  3. Select the Audit Server tab.

  4. Click the Configuration link on the right side of the screen.

  5. Under Server key pairs, select Custom.

  6. Click Browse and browse to the keystore file that contains the server's public-private key pair.

  7. Specify the password for the keystore file.

  8. Click Import.

    If there is more than one public-private key pair in the file, select the desired key pair and click OK.

  9. Click Details to see more information about the server key pair.

  10. Click Save.