2.2 Configuration Objects

When you install the Secure Logging Server, the installation program extends the eDirectory schema to include the following objects:

Nsure Audit uses these objects to store and look up system configuration parameters.

Figure: Directory Tree with Nsure Audit Objects

IMPORTANT: The Platform Agent is not configured through eDirectory. Instead, the Platform Agent's configuration settings are stored in a simple, text-based configuration file (logevent). For more information, see Logevent.

2.2.1 Logging Services Container

During your initial installation, Nsure Audit extends the eDirectory schema and creates the Logging Services container at the root of your directory tree. Because it is part of Nsure Audit, there can only be one Logging Services container per tree and, as the logging system container, it only contains Nsure Audit component objects.

Locating all logging system components in the Logging Services container is ideal for organizations that need a simple, easy-to-manage logging system. It also suits organizations that are implementing Nsure Audit as an auditing solution and, for security reasons, want to centrally manage their system. To facilitate distributed administration, however, Nsure Audit components can also be created and managed outside the Logging Services container.

If the Logging Services container is deleted, it can only be re-created by re-running AuditExt. For more information, see Section G.5, AuditExt.

2.2.2 Logging Server Object

In eDirectory, the Logging Server object represents the physical server where you installed the Secure Logging Server. However, because the Logging Server object is specific to Nsure Audit, it does not replace the NCP Server object. Instead, each Logging Server object is associated with an NCP Server object.

The Logging Server object is represented as a container with server attributes; it can contain Nsure Audit objects and it stores all the properties and attributes for the Secure Logging Server. For information on creating and configuring the Logging Server object, see Section 4.2, Configuring the Secure Logging Server.

2.2.3 Nsure Audit Attributes on the NCP Server Object

During installation, Nsure Audit extends the definition of the NCP Server object to include the log settings for eDirectory, NetWare, traditional file system, and NSS events. These settings are found under the NCP Server object's Nsure Audit tab.

The Nsure Audit screen has separate menus for NetWare, Filesystem, and eDirectory events. Each menu lists the events that fall in its respective category. To configure NetWare, Filesystem, or eDirectory instrumentation to log a particular type of event, simply mark the event's check box and click Apply. The instrumentation automatically begins logging the marked events to the Secure Logging Server.

NOTE: You do not need to restart the logging server for changes to the Nsure Audit attributes in the NCP Server object to take effect.

For more information on configuring the NCP Server object's Nsure Audit attributes, see Section 5.0, Logging eDirectory, NetWare, and File System Events.

2.2.4 Application Objects

Application objects are associated with applications that log to or request information from Nsure Audit. These objects store the information required by the logging server to authenticate logging applications. They also identify which users have rights to monitor the applications' events and they store the applications' log schemas.

NOTE: The log schema catalogs the events that can be logged for a given application. For more information, see Section A.4, Log Schema Files.

Application objects are usually created automatically when either Nsure Audit or the logging application is installed. If necessary, they can also be manually added to the tree using iManager.

During installation, Novell Nsure Audit automatically creates Application objects for itself (the Naudit Instrumentation), the eDirectory Instrumentation, and the NetWare Instrumentation. The Naudit Instrumentation allows Nsure Audit to audit its own events such as creating Channel or Notification objects. The eDirectory Instrumentation manages logging of eDirectory events and the NetWare Instrumentation provides logging for NetWare and file system events.

NOTE: The NetWare Instrumentation is only installed on NetWare versions.

Application objects can be created only within Application containers. Novell Nsure Audit creates the Application objects for the Naudit, eDirectory, and NetWare Instrumentations in the Application container under Logging Services.

For more information on creating and configuring Application objects, see Section 6.0, Managing Applications that Log to Nsure Audit.

Application Containers

Application containers provide a reference point through which the logging server can locate Application objects. At startup, the logging server scans its list of Application containers and loads the included Application object configurations in memory where it can quickly access the information when authenticating applications. For information on configuring the Application Container property on the logging server, see Logging Server Objects.

IMPORTANT: The logging server scans its list of Application containers only at startup. Therefore, if you create or modify an Application object, you must restart the logging server. For information on restarting the logging server, see Section G.3, Secure Logging Server Startup Commands.

The Application container under Logging Services is automatically created during installation; however, additional Application containers can be created anywhere in the tree.

2.2.5 Channel Objects

Channel objects store the information the logging server needs to use channel drivers. For example, a MySQL Channel object contains the IP address or host name of the MySQL database server, a username and password for connecting to the server, the name of the database and table, and any other relevant information. An SMTP Channel object, on the other hand, includes the address of the SMTP server, a username and password, and the recipient, sender, subject, and body of the log message.

Nsure Audit is designed so you can create multiple Channel objects for any given channel. This means you can apply different channel configurations to different functions or events. For instance, you can configure the logging server to use one MySQL Channel object to add events to the central data store and configure a Notification Filter to use another MySQL Channel object to create a filtered log.

The available types of Channel objects are:

  • SMTP
  • Oracle (Only available on NetWare using the JDBC Java channel.)
  • SNMP
  • File
  • Java
  • Syslog
  • MySQL
  • CVR
  • JDBC
  • Microsoft SQL Server

Additional Channel objects can be easily incorporated in this model. For more information, see the Nsure Audit SDK.

Of particular note is the Critical Value Reset (CVR) Channel object. In configuring a CVR Channel object, you can flag an attribute in eDirectory with a reset policy. If the value of that specific attribute is changed, the CVR channel automatically resets the value as per the policy defined in the CVR Channel object.

The logging server looks for Channel objects only in Channel containers; therefore, Channel objects can only be created within Channel containers. For information on creating and configuring Channel objects, see Section 7.0, Configuring System Channels.

Channel Containers

Channel containers provide a reference point through which the logging server can locate Channel objects. At startup, the logging server scans its list of Channel containers and loads the included Channel object configurations and their drivers. The drivers and Channel object configurations are then available to provide event notification and to log events. Note that the logging server only loads those drivers that have Channel objects in supported Channel containers. For information on configuring the Channel Container property on the logging server, see Logging Server Objects.

IMPORTANT: The logging server scans its list of Channel containers only at startup. Therefore, if you create or modify a Channel object, you must restart the logging server. For information on restarting the logging server, see Section G.3, Secure Logging Server Startup Commands.

The Channel container under Logging Services is automatically created during installation; however, Channel containers can be created anywhere in the tree.

2.2.6 Notification Objects

Nsure Audit provides two kinds of event notification:

  • Filtered Notification
  • Heartbeat Notification

Filtered notification tells you when a specific event has occurred; heartbeat notification tells you when an event has not occurred. The following sections discuss the objects associated with each notification.

Notification Filter Objects

Notification Filter objects store the criteria the logging server uses to filter system events. They also designate which Channel objects the logging server uses to provide event notification.

When you define a Notification Filter, you specify a value for a given event field. To narrow the results, you can define values for multiple event fields. Using standard “and,” “or,” and “not” operators, you can define up to 15 event conditions. For more information on the event fields, see Section A.1, Event Structure.

After you define the filter criteria, you must select the object's notification channel. Notification channels are simply the Channel objects the logging server uses to provide event notification. For example, if you want to e-mail filtered events to your mailbox, you must select an SMTP Channel object that is configured to relay events to your e-mail address. Similarly, if you want to log filtered events to a MySQL database, you must select a MySQL Channel object that is configured to write events to the correct database and table. You can define multiple notification channels for any given Notification Filter.

The logging server looks for Notification Filter objects only in Notification containers; therefore, Notification Filter objects can be created only within Notification containers. For information on creating and configuring Notification Filter objects, see Section 8.0, Configuring Filters and Event Notifications.

Heartbeat Objects

Heartbeat objects define which Event IDs the logging server looks for and the interval at which those events must occur. If an event does not occur within the designated interval, the logging server generates a heartbeat event.

The heartbeat event is automatically logged to the central data store; however, if you want to receive notification that a specific event has not occurred, you must create a Notification Filter for the corresponding heartbeat event.

The logging server looks for Heartbeat objects only in Notification containers; therefore, Heartbeat objects can be created only within Notification containers. For information on creating and configuring Heartbeat objects, see Section 8.0, Configuring Filters and Event Notifications.
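
The interaction between Heartbeat objects and Notification Filters described above, modeled in Python as an added example (not Nsure Audit code and not part of the original documentation). The event IDs, the field names (time, event_id, missing), the channel name, and the timer-restart behavior are assumptions made for the illustration; events are assumed to fall inside the monitored window.

```python
from collections import namedtuple

# Constructed values: these IDs and field names are not from Nsure Audit.
HEARTBEAT_EVENT_ID = 0xF0001  # hypothetical ID of the generated heartbeat event
BACKUP_DONE = 0xA0010         # hypothetical event that is expected to recur
MAX_CONDITIONS = 15           # limit on conditions per Notification Filter

# Heartbeat object: the Event ID to look for and the interval (seconds) it must occur within.
Heartbeat = namedtuple("Heartbeat", "event_id interval")

def missed_intervals(hb, events, start, end):
    """Heartbeat events generated in [start, end] for one Heartbeat object.
    Assumption: the timer restarts on each occurrence and after each heartbeat event."""
    generated, last = [], start
    seen = sorted(e["time"] for e in events if e["event_id"] == hb.event_id)
    for t in seen + [end]:
        while t - last > hb.interval:  # interval elapsed without the watched event
            last += hb.interval
            generated.append({"time": last, "event_id": HEARTBEAT_EVENT_ID, "missing": hb.event_id})
        last = t
    return generated

def count_conditions(expr):
    return 1 if expr[0] == "eq" else sum(count_conditions(s) for s in expr[1:])

def matches(expr, event):
    op, *args = expr
    if op == "eq":                      # ("eq", field, value)
        return event.get(args[0]) == args[1]
    if op == "not":
        return not matches(args[0], event)
    if op in ("and", "or"):
        return (all if op == "and" else any)(matches(a, event) for a in args)
    raise ValueError(f"unknown operator: {op}")

def notify(filter_expr, channels, events):
    # Pair every matching event with every notification channel selected on the filter.
    if count_conditions(filter_expr) > MAX_CONDITIONS:
        raise ValueError("more than 15 conditions in one filter")
    return [(ch, e) for e in events if matches(filter_expr, e) for ch in channels]

# Constructed log: the watched event arrives at t=0 and t=3600, then stops.
LOG = [{"time": 0, "event_id": BACKUP_DONE}, {"time": 3600, "event_id": BACKUP_DONE},
       {"time": 4000, "event_id": 0xB0002}]

def demo():
    store = LOG + missed_intervals(Heartbeat(BACKUP_DONE, 3600), LOG, 0, 12000)
    flt = ("and", ("eq", "event_id", HEARTBEAT_EVENT_ID), ("eq", "missing", BACKUP_DONE))
    return notify(flt, ["smtp-oncall"], store)
```

Without the filter in demo(), the two heartbeat events would still be written to the store, but nothing would be sent to a notification channel.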

Notification Containers

Notification containers provide a reference point through which the logging server can locate Notification objects. At startup, the logging server scans its list of Notification containers and loads the included Notification object configurations in memory where it can quickly access the information to filter or monitor events. For information on configuring the Notification Container property on the logging server, see Logging Server Objects.

IMPORTANT: The logging server scans its list of Notification containers only at startup. Therefore, if you create or modify a Notification object, you must restart the logging server. For information on restarting the logging server, see Section G.3, Secure Logging Server Startup Commands.

The Notification container under Logging Services is automatically created during installation; however, Notification containers can be created anywhere in the tree.