4.3 Configuring the Data Store

Nsure Audit is able to write the data store to the following storage devices:

Before selecting a storage device for your data store, you need to consider your system's logging traffic. On the high end, the File driver can process over 60,000 events per second on a P4 Xeon class server. Databases, on the other hand, are much slower. The MySQL driver can handle about 3,000 events per second on a P4 Xeon class server.

Novell Nsure Audit is designed to handle occasional peaks that exceed a given database's limitations; however, if you expect to consistently exceed the database driver's capacity, you must plan your setup accordingly, either by using multiple Secure Logging Servers or by using the file driver.

IMPORTANT: In planning your system setup, you should perform your own throughput test in your environment and not rely solely on the numbers provided in this document.

To configure the Nsure Audit data store, you must first create a Channel object. Each Channel object defines the parameters associated with its corresponding storage device. For example, MySQL Channel objects include the IP address or host name of the MySQL database server, a username and password for connecting with the server, the database and table names, and fields for SQL table create and expiration commands. For more information on creating and configuring Channel objects, see Section 7.0, Configuring System Channels.

After creating the Channel object, you must configure the logging server to log events to that channel. The Log Driver property in the Logging Server object determines which Channel object the server uses to create the data store. For more information on the Log Driver property, see Logging Server Objects.

After the Channel and Logging Server objects are configured, you must restart the logging server to load the Channel object configuration and the channel driver. In most cases, the channel driver automatically creates the necessary file or database table for the data store.

IMPORTANT: Novell Nsure Audit does not secure the data store. Therefore, you must manage data store security at the database, for MySQL and Oracle data stores, or through the file system, for file data stores.

The data store structure for each storage device is discussed in the following sections.

4.3.1 File Data Store

Depending on the File Channel object configuration, the File channel driver (lgdfile) can log events in raw format or it can translate the event data into a human-readable log. All file data stores are named “log.”

Raw files simply contain the event data; consequently, they are not in a human-readable format. However, because they maintain a consistent field structure across events, they can be imported into spreadsheet programs like Microsoft Excel.

The following is a sample from a raw log file:

16777343,1051924636,1051924647,eDirInst\Object,721699,7,0,.OntarioTestData.Channels.Logging Services,,0,0,0,LlNhdHVybiBMb2dnaW5nIFNlcnZlci5Mb2dnaW5nIFNlcnZpY2Vz
16777343,1051924636,1051924647,eDirInst\Object,721690,7,0,.eDirectoryInstrumentation.Applications.Logging Services,,0,0,0,LlNhdHVybiBMb2dnaW5nIFNlcnZlci5Mb2dnaW5nIFNlcnZpY2Vz
16777343,1051926065,1051926065,eDirInst\Object,720897,7,0,.BillBob.SIM,,0,0,1,LmFkbWluLlNJTQ=

Translated log files, on the other hand, can be visually scanned for content; however, it is difficult to generate reports from these files because there is no consistent field structure—they contain only the event descriptions.

The following is a sample from a translated log file:

[Sat, 03 May 2003 01:25:10 +0000] eDirInst\Object: A read operation was performed on object .OntarioTestData.Channels.Logging Services by .Saturn Logging Server.Logging Services
[Sat, 03 May 2003 01:25:10 +0000] eDirInst\Object: A list Subordinate Entires operation has been performed on container .eDirectory Instrumentation.Applications.Logging Services by .Saturn Logging Server.Logging Services
[Sat, 03 May 2003 01:39:41 +0000] eDirInst\Object: A new eDirectory object called .BillBob.SIM (Class:User) was created by .admin.SIM
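
The raw sample above can also be read programmatically. The following Python sketch is an added example, not part of the Novell documentation or tooling: it splits each raw line and decodes the trailing base64 field, restoring the missing "=" padding seen on the third sample line. The key names (first_ts, second_ts, component, event_id, object, data) and the field count are assumptions inferred from the two samples; this page does not name the raw fields.

```python
import base64
import binascii
import csv
from datetime import datetime, timezone

# The three raw lines from the sample above, copied unchanged.
RAW_SAMPLE = r"""16777343,1051924636,1051924647,eDirInst\Object,721699,7,0,.OntarioTestData.Channels.Logging Services,,0,0,0,LlNhdHVybiBMb2dnaW5nIFNlcnZlci5Mb2dnaW5nIFNlcnZpY2Vz
16777343,1051924636,1051924647,eDirInst\Object,721690,7,0,.eDirectoryInstrumentation.Applications.Logging Services,,0,0,0,LlNhdHVybiBMb2dnaW5nIFNlcnZlci5Mb2dnaW5nIFNlcnZpY2Vz
16777343,1051926065,1051926065,eDirInst\Object,720897,7,0,.BillBob.SIM,,0,0,1,LmFkbWluLlNJTQ=
"""

EXPECTED_FIELDS = 13  # count observed in the sample, not a documented constant


def decode_b64_field(value):
    """Decode a base64 text field; return None if it is not valid base64."""
    if not value:
        return ""
    # The third sample line ends in a single '=', so normalise padding first.
    padded = value.rstrip("=")
    padded += "=" * (-len(padded) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None  # flag undecodable data instead of guessing


def parse_raw_line(line):
    """Split one raw line; key names are assumptions inferred from the samples."""
    fields = next(csv.reader([line]))
    if len(fields) != EXPECTED_FIELDS:
        raise ValueError(f"expected {EXPECTED_FIELDS} fields, got {len(fields)}")
    to_utc = lambda s: datetime.fromtimestamp(int(s), tz=timezone.utc)
    return {
        "first_ts": to_utc(fields[1]),    # looks like a Unix epoch value
        "second_ts": to_utc(fields[2]),   # looks like a Unix epoch value
        "component": fields[3],
        "event_id": int(fields[4]),
        "object": fields[7],
        "data": decode_b64_field(fields[12]),
    }


def parse_raw_log(text):
    return [parse_raw_line(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for rec in parse_raw_log(RAW_SAMPLE):
        print(rec["first_ts"].isoformat(), rec["component"], rec["event_id"],
              rec["object"], "<-", rec["data"])
```

The decoded last field of each line matches the name that follows "by" in the translated sample, which is useful when correlating raw records with translated output.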

In addition to providing different log formats, the File channel is capable of creating localized logs. If the logging applications have localized Log Schema (LSC) files, the File channel can write translated log files in the language designated in the File Channel object.

Nsure Audit includes a utility, called LETrans, that can translate raw log files into human-readable format. See Section G.7, LETrans.

NOTE: LSC files catalog the events that can be logged for a given application. They can also indicate what kind of data is stored in the event fields and provide descriptive information on the event itself. For more information, see Section A.4, Log Schema Files.

For more information on the File channel, see Section 7.5, File.

4.3.2 MySQL Data Store

When the logging server loads the MySQL Channel object configuration, the MySQL channel driver, lgdmsql, automatically creates the data store's database and table using the names defined in the MySQL Channel object.

The MySQL channel driver builds the data store using the following table structure:

Image displaying the MySQL table structure

The default number of rows depends on the operating system. The default maximum size for a MySQL table is 4 GB (or 2 GB if your operating system only supports 2 GB tables). This default size limitation keeps pointer sizes down, making the index smaller and faster.

IMPORTANT: If the SQL server data volume runs out of disk space, any clients logging events will freeze and need to be restarted.

NOTE: If you need larger tables, use the max_rows and avg_row_length options in the MySQL Channel object's Create Table Options property.

For more detailed information on using MySQL with Nsure Audit, see Section C.0, Using MySQL with Nsure Audit.

For more information on the MySQL channel, see Section 7.9, MySQL.

4.3.3 Oracle Data Store

The Oracle channel driver, lgdora, creates the table for the Oracle data store automatically. In most circumstances, you do not need to create the data store table.

If a situation arises requiring you to create this table manually, you can create the data store using the following table structure:

Image displaying Oracle table format

For more information on the Oracle channel, see Section 7.10, Oracle.

IMPORTANT: Because Oracle no longer supports NetWare, Oracle data stores can be created only on Windows, Solaris, and Linux systems.

4.3.4 Syslog Data Store

The Syslog channel driver, lgdsyslog, allows the logging server to log events to a specific syslog facility on any syslog host.

It is also capable of creating localized logs. If the logging applications have localized Log Schema (LSC) files, the Syslog channel can write the log files in the language designated in the Syslog Channel object.

For more information on the Syslog channel, see Section 7.13, Syslog.

4.3.5 Microsoft SQL Server Data Store

The Microsoft SQL Server channel driver, lgdmssql, creates the table for the SQL Server data store automatically. In most circumstances, you do not need to create the data store table.

If a situation arises requiring you to create this table manually, you can create the data store using the following table structure:

Image displaying SQL Server table configuration