7.5 File

The File channel allows the logging server to log events directly to file in raw format or to translate those events to a human-readable log file.

The default option is to translate the log files. Raw log files can be translated at a later time using the letrans utility. For more information, see Section G.7, LETrans.

Raw files simply contain the event data; consequently, they are not in a human-readable format. However, because these comma-delimited files maintain a consistent field structure across events, you can import these files into spreadsheet programs like Microsoft Excel*.

The following is a sample from a raw log file:

2302777206,1118368566,1118955519,eDirInst\Agent,720917,7,346,,0,pki.dlm,0,,,,,0,0,0,0,
2302777206,1118368567,1118955519,eDirInst\Agent,721735,7,346,,1,\BOOP-TREE\novell\BOOP-NDS,0,,198.53.162.118,,,33,262176,0,0,
2302777206,1118956181,1118956181,eDirInst\Meta,721748,7,28,.Admin.novell,1,.Rufus.novell,1,,Entry ID: .Rufus.novell, Attribute ID: [All Attributes Rights], Privileges: Attribute Read,,,1,0,0,0,
2302777206,1118956186,1118956186,eDirInst\Attribute,720902,7,31,.BOOP-NDS.novell,1,.[Root].,1,Partition Status,,,,9,0,0,0,AAAAAAIAAACa6rFCAAAAAAAAAAAAAAAADgAAAFsAUgBvAG8AdABdAAAAAAAQAAAAAAAAAIoiAAD/////AAAAAA=
2302777206,1118956186,1118956186,eDirInst\Attribute,720902,7,32,.BOOP-NDS.novell,1,.[Root].,1,Purge Vector,Seconds: 1118956186, Replica Number: 1, Event: 1,,,19,0,0,0,
2302777206,1118955953,1118955953,eDirInst\Attribute,720902,7,22,.Admin.novell,1,.Birds.novell,1,Owner,.Admin.novell,,,1,0,0,0,
2302777206,1118955953,1118955953,eDirInst\Meta,721748,7,23,.Admin.novell,1,.Birds.novell,1,,Entry ID: .[Root]., Attribute ID: Member, Privileges: Attribute Read,,,1,0,0,0,
2302777206,1118956181,1118956181,eDirInst\Attribute,720902,7,28,.Admin.novell,1,.Rufus.novell,1,Password Allow Change,True,,,7,0,0,0,

Translated log files can be visually scanned for content; however, it is difficult to generate reports from these files because there is no consistent field structure—they contain only the event descriptions defined in the application’s Log Schema (LSC) file.

The following is a sample from a translated log file:

[Thu, 09 Jun 2005 14:28:03 -0700] [eDirInst\Object]: A list Subordinate Entries operation has been performed on container .eDirectory Instrumentation.Applications.Logging Services by .Boop-nds Logging Server.Logging Services
[Thu, 09 Jun 2005 14:28:40 -0700] [eDirInst\Partition]: Synchronization has ended on partition .[Root]..  All Processed: Yes
[Thu, 09 Jun 2005 14:28:51 -0700] [eDirInst\Object]: User .Admin.novell (using null password: No) logged in (NDS Login: Yes) to server \BOOP-TREE\novell\BOOP-NDS.
[Thu, 09 Jun 2005 14:29:04 -0700] [eDirInst\Object]: A read operation was performed on object .BOOP-TREE CA.Security by .Admin.novell
[Thu, 09 Jun 2005 14:34:04 -0700] [eDirInst\Object]: A read operation was performed on object .File.Channels.Logging Services by .Boop-nds Logging Server.Logging Services
[Thu, 09 Jun 2005 14:48:41 -0700] [eDirInst\Agent]: The connection state has been changed by .BOOP-NDS.novell
[Thu, 09 Jun 2005 14:48:41 -0700] [eDirInst\Replica]: A purge operation has started on partition .[Root].
[Thu, 09 Jun 2005 14:48:41 -0700] [eDirInst\Replica]: A purge operation has ended on partition .[Root].
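Because a translated log carries no field structure beyond the bracketed timestamp and component prefix, the following added Python example (not Novell's code and not part of this documentation) shows what can still be recovered mechanically from such a file: it splits translated output that has been run together into individual events, parses the stamp and component, and leaves the description as free text. The input is the excerpt above; the TranslatedEvent type and the function names are this example's own.

```python
"""Splitter for translated File channel output.

Added example (not Novell's code). The only structure a translated log
offers is the "[stamp] [Component]: description" prefix, so this recovers
the stamp and component and keeps the description as free text. The
sample is the translated excerpt from this section, run together on one
line as it appears there.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Dict, List

# RFC 2822-style stamp, then the component in brackets, then ": ".
PREFIX_RE = re.compile(
    r"\[(?P<stamp>[A-Za-z]{3}, \d{2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4})\] "
    r"\[(?P<component>[^\]]+)\]: ")
# Split *before* each prefix (lookahead, no capture groups, so re.split
# returns only the event chunks).
SPLIT_RE = re.compile(
    r"(?=\[[A-Za-z]{3}, \d{2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}\] \[)")

# Constructed from the sample above: eight events joined into one string.
SAMPLE_TRANSLATED = " ".join([
    r"[Thu, 09 Jun 2005 14:28:03 -0700] [eDirInst\Object]: A list Subordinate Entries operation has been performed on container .eDirectory Instrumentation.Applications.Logging Services by .Boop-nds Logging Server.Logging Services",
    r"[Thu, 09 Jun 2005 14:28:40 -0700] [eDirInst\Partition]: Synchronization has ended on partition .[Root]..  All Processed: Yes",
    r"[Thu, 09 Jun 2005 14:28:51 -0700] [eDirInst\Object]: User .Admin.novell (using null password: No) logged in (NDS Login: Yes) to server \BOOP-TREE\novell\BOOP-NDS.",
    r"[Thu, 09 Jun 2005 14:29:04 -0700] [eDirInst\Object]: A read operation was performed on object .BOOP-TREE CA.Security by .Admin.novell",
    r"[Thu, 09 Jun 2005 14:34:04 -0700] [eDirInst\Object]: A read operation was performed on object .File.Channels.Logging Services by .Boop-nds Logging Server.Logging Services",
    r"[Thu, 09 Jun 2005 14:48:41 -0700] [eDirInst\Agent]: The connection state has been changed by .BOOP-NDS.novell",
    r"[Thu, 09 Jun 2005 14:48:41 -0700] [eDirInst\Replica]: A purge operation has started on partition .[Root].",
    r"[Thu, 09 Jun 2005 14:48:41 -0700] [eDirInst\Replica]: A purge operation has ended on partition .[Root].",
])


@dataclass
class TranslatedEvent:
    when: datetime        # timezone-aware, parsed from the bracketed stamp
    component: str
    description: str      # everything after the prefix; no further structure


def split_translated(text: str) -> List[TranslatedEvent]:
    events: List[TranslatedEvent] = []
    for chunk in SPLIT_RE.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        m = PREFIX_RE.match(chunk)
        if m is None:
            # No prefix: a continuation line (or damaged text). Attach it to
            # the previous event rather than silently dropping it.
            if events:
                events[-1].description += " " + chunk
            continue
        events.append(TranslatedEvent(parsedate_to_datetime(m.group("stamp")),
                                      m.group("component"),
                                      chunk[m.end():].strip()))
    return events


def count_by_component(events: List[TranslatedEvent]) -> Dict[str, int]:
    """About the only report a translated log supports without a schema."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.component] = counts.get(ev.component, 0) + 1
    return counts


TRANSLATED_EVENTS = split_translated(SAMPLE_TRANSLATED)

if __name__ == "__main__":
    for ev in TRANSLATED_EVENTS:
        print(ev.when.isoformat(), ev.component, ev.description[:40])
    print(count_by_component(TRANSLATED_EVENTS))
```

Anything beyond the stamp and component (the user name, the server, the object read) stays inside the free-text description and can only be recovered per event description, which is exactly why the text above recommends raw format for reporting.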

In addition to providing different log formats, the File channel is capable of creating localized logs. If the logging applications have localized log schema files and if those files are added to their respective Application objects, the File channel can write translated log files in the language designated in the File Channel object.

The logging server can use the File channel to write to the central data store or to create filtered log files.

7.5.1 File Channel Driver

At startup, the File channel driver, lgdfile, loads each application’s log schema. If a logging application has multiple language versions of its log schema, the File channel loads the schema for the language designated in the File Channel object.

NOTE: The Log Schema catalogs the events that can be logged for a given application. It can also provide event descriptions and labels for the event fields. For more information, see Log Schema Files.

If the File and Syslog Channel objects reference the same language, the drivers independently load the log schema in their own memory. The only time the log schema is shared is between multiple instances of the same driver. For example, if you have two File channels configured to write translated log files in English, the English log schema for each application is loaded only once.

When the File channel driver creates a raw log file, it writes the event data “as is” to the data store. If the event’s DataSize is 0, each line in the file is written as a comma-separated list of 19 fields in the following order:

SourceIP, ClientTimestamp, ServerTimestamp, Component, ID, Severity, GroupID, Originator, OriginatorType, Target, TargetType, SubTarget, Text1, Text2, Text3, Value1, Value2, Value3, 0 (just a trailing zero)

If DataSize is not 0, then each line in the raw file is written as a comma-separated list of 20 fields. MIMEHint replaces the trailing 0 and the last field is the Data string:

SourceIP, ClientTimestamp, ServerTimestamp, Component, ID, Severity, GroupID, Originator, OriginatorType, Target, TargetType, SubTarget, Text1, Text2, Text3, Value1, Value2, Value3, MIMEHint, DataString

When it creates a translated log file, the File driver uses the Event ID to look up each event in the corresponding application’s log schema and then it writes the event description to the data store. If the log schema isn’t available, or if there isn’t a descriptive entry for the current event, the File channel defaults to the following format:

$DC $TC,$SO,$NI,$NL,$NG,$SB,$NH,$SU,$NV,$SY,$N1,$N2,$N3,$SS,$ST,$SF\n

(Client date and time Stamp, Component, EventID, Log Level, Group ID, Originator, OriginatorType, Target, TargetType, Subtarget, Value1, Value2, Value3, Text1, Text2, Text3.) See Section A.3, Managing Event Data for an explanation of each field and format variable.
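The two raw layouts and the fallback translated format above, worked through in an added Python example that is not Novell's code: it parses the sample raw records from this section, tells the 19-field trailer apart from the 20-field MIMEHint/Data form, and renders a record in the default $DC $TC,$SO,... format. One caveat the sample itself shows: Text fields are written unquoted, so a comma inside Text1 (the records carrying "Entry ID: ..., Attribute ID: ..., Privileges: ...") shifts every later column in a naive CSV import into a spreadsheet. The parser therefore reads the fixed head and tail positions from each end of the line and flags such records. The timestamp rendering for $DC $TC, the RawEvent type and all function names are this example's assumptions.

```python
r"""Parser and fallback renderer for the raw File channel record layout.

Added example (not Novell's code). It assumes only the field order stated
above: 19 comma-separated fields when DataSize = 0 (ending in a literal 0),
20 when MIMEHint and the Data string follow Value3. The input is the sample
from this section, one record per line.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# The 12 fixed-position fields at the front of every record.
HEAD = ["SourceIP", "ClientTimestamp", "ServerTimestamp", "Component", "ID",
        "Severity", "GroupID", "Originator", "OriginatorType", "Target",
        "TargetType", "SubTarget"]
TEXT = ["Text1", "Text2", "Text3"]
VALUES = ["Value1", "Value2", "Value3"]

# Constructed input: the raw sample from this section.
SAMPLE_RAW = r"""
2302777206,1118368566,1118955519,eDirInst\Agent,720917,7,346,,0,pki.dlm,0,,,,,0,0,0,0,
2302777206,1118368567,1118955519,eDirInst\Agent,721735,7,346,,1,\BOOP-TREE\novell\BOOP-NDS,0,,198.53.162.118,,,33,262176,0,0,
2302777206,1118956181,1118956181,eDirInst\Meta,721748,7,28,.Admin.novell,1,.Rufus.novell,1,,Entry ID: .Rufus.novell, Attribute ID: [All Attributes Rights], Privileges: Attribute Read,,,1,0,0,0,
2302777206,1118956186,1118956186,eDirInst\Attribute,720902,7,31,.BOOP-NDS.novell,1,.[Root].,1,Partition Status,,,,9,0,0,0,AAAAAAIAAACa6rFCAAAAAAAAAAAAAAAADgAAAFsAUgBvAG8AdABdAAAAAAAQAAAAAAAAAIoiAAD/////AAAAAA=
2302777206,1118956186,1118956186,eDirInst\Attribute,720902,7,32,.BOOP-NDS.novell,1,.[Root].,1,Purge Vector,Seconds: 1118956186, Replica Number: 1, Event: 1,,,19,0,0,0,
2302777206,1118955953,1118955953,eDirInst\Attribute,720902,7,22,.Admin.novell,1,.Birds.novell,1,Owner,.Admin.novell,,,1,0,0,0,
2302777206,1118955953,1118955953,eDirInst\Meta,721748,7,23,.Admin.novell,1,.Birds.novell,1,,Entry ID: .[Root]., Attribute ID: Member, Privileges: Attribute Read,,,1,0,0,0,
2302777206,1118956181,1118956181,eDirInst\Attribute,720902,7,28,.Admin.novell,1,.Rufus.novell,1,Password Allow Change,True,,,7,0,0,0,
"""


@dataclass
class RawEvent:
    fields: Dict[str, str]
    data: Optional[str] = None      # Data string; None when DataSize = 0
    ambiguous_text: bool = False    # True when a Text field contained commas


def parse_raw_line(line: str) -> RawEvent:
    parts = line.rstrip("\r\n").split(",")
    if len(parts) < len(HEAD) + 7:  # 12 head + 3 text + 3 values + trailer
        raise ValueError("too few fields: %r" % line)
    fields = dict(zip(HEAD, parts[:len(HEAD)]))
    rest = parts[len(HEAD):]
    if rest[-1] == "":              # records without Data end in ",0,"
        rest.pop()
    if rest[-1] == "0":             # 19-field layout: values, literal 0
        data, hint, tail = None, None, 4
    else:                           # 20-field layout: values, MIMEHint, Data
        data, hint, tail = rest[-1], rest[-2], 5
    fields.update(zip(VALUES, rest[-tail:-tail + 3]))
    if hint is not None:
        fields["MIMEHint"] = hint
    text = rest[:-tail]
    if len(text) < 3:
        raise ValueError("missing Text fields: %r" % line)
    ambiguous = len(text) > 3
    if ambiguous:
        # Text fields are unquoted, so a comma inside Text1 (the sample's
        # "Privileges" records) shifts every later column in a naive CSV
        # import. Keep the last two pieces as Text2/Text3, fold the rest back
        # into Text1, and flag the record so a report can treat it as suspect.
        text = [",".join(text[:-2]), text[-2], text[-1]]
    fields.update(zip(TEXT, text))
    return RawEvent(fields, data, ambiguous)


def parse_raw_log(text: str) -> List[RawEvent]:
    return [parse_raw_line(ln) for ln in text.splitlines() if ln.strip()]


def render_fallback(ev: RawEvent) -> str:
    r"""Render in the channel's default translated format
    $DC $TC,$SO,$NI,$NL,$NG,$SB,$NH,$SU,$NV,$SY,$N1,$N2,$N3,$SS,$ST,$SF\n.
    The $DC $TC layout is not specified above; ISO-style UTC is this
    example's assumption. $NL (Log Level) is the raw record's Severity."""
    f = ev.fields
    stamp = datetime.fromtimestamp(int(f["ClientTimestamp"]), tz=timezone.utc)
    cols = [stamp.strftime("%Y-%m-%d %H:%M:%S"), f["Component"], f["ID"],
            f["Severity"], f["GroupID"], f["Originator"], f["OriginatorType"],
            f["Target"], f["TargetType"], f["SubTarget"], f["Value1"],
            f["Value2"], f["Value3"], f["Text1"], f["Text2"], f["Text3"]]
    return ",".join(cols) + "\n"


RAW_EVENTS = parse_raw_log(SAMPLE_RAW)

if __name__ == "__main__":
    for ev in RAW_EVENTS:
        flag = " (comma inside Text field)" if ev.ambiguous_text else ""
        print(render_fallback(ev).rstrip() + flag)
```

Three of the eight sample records are flagged, which is the practical point: a spreadsheet import that splits on every comma would misalign Value1 through Value3 for exactly those rows, so any report built from raw logs should parse from the fixed positions at both ends of the line, as above, rather than trusting column counts.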

Because it uses the log schema to write translated logs, the File driver is also capable of creating localized logs. If a logging application has localized log schema files and if those files are added to the Application object, the File driver uses the log schema for the language designated in the File Channel object to write the event descriptions. For more information on the File channel’s language attribute, see File Channel Object. For information on localized log schema files, see Localized Log Schema Files.

7.5.2 File Channel Object

The File Channel object stores the information the File driver needs to write events to the file system.

The following table provides a description of each Channel object attribute.

IMPORTANT: You must restart the logging server for any change to a Channel object’s configuration to take effect. For more information, see Section G.3, Secure Logging Server Startup Commands.

Table 7-3 File Channel Object Attributes

Attribute

Description

Configuration

File Channel object configuration information.

Log File Location

The path to the log file.

The default Log File directories are as follows:

  • sys:\etc\logdir\ (NetWare)
  • \program files\novell\nsure audit\logs\ (Windows)
  • /var/opt/novell/naudit/logs/ (Linux)
  • /opt/NOVLnaudit/logs/ (Solaris)

IMPORTANT: By default, file data stores are named auditlog. Therefore, if you have multiple File Channel objects, you must either give each log file a different filename or point them to different paths.

Log File Name

The name of the file to which the logging server writes events. The default filename is auditlog.

Purge log files after _____ seconds

The life span of the log files. The logging server deletes all log files older than the designated time period.

Flush log files after _____ seconds

The interval at which the file channel driver flushes the events in memory to the log file on disk.

NOTE: On NetWare, the file channel driver writes events to memory and intermittently flushes the events to disk. To manually flush the file channel buffers, enter naudit file flush at the server console.

Roll when log file reaches _____ bytes

The log file’s maximum file size. When a log file reaches the designated file size, lgdfile renames the file and creates a new log file.

The archive filename is a combination of the current date and a hexadecimal sequence number (lyymmdd.###). For example, the first log file archived on July 10, 2003 would be named l030710.001. Subsequent log files archived on the same day would be named l030710.002, l030710.003, etc.

Log format

The File channel driver can log events in either translated or raw format. Select either Translated or Raw to set the logging mode for the current Channel object.

Translated

This is the default option.

In Translated mode, the File channel driver uses the Event ID to look up each event in the application’s log schema and it writes the event description to the data store.

If the log schema isn’t available, or if there isn’t a descriptive entry for a particular event, the File channel defaults to the following format:

$DC $TC,$SO,$NI,$NL,$NG,$N1,$N2,$SS,$ST\n

(Client Date and Time Stamp, Component, EventID, Log Level, Group ID, Value1, Value2, Text1, Text2)

NOTE: Log Schema files (*.lsc) catalog the events that can be logged for a given application. They can also provide event descriptions and labels for the event fields. For more information, see Section A.4, Log Schema Files.

Although a translated log file can be visually scanned for content, no reports can be generated from this file because there is no consistent field structure; it contains only the event descriptions.

Raw

In Raw mode, the File channel driver writes the event data in comma-separated (CSV) format to the data store.

The raw log file is not in a human-readable format; however, it can be imported into spreadsheet programs like Microsoft Excel.

Translated Language

The language in which events are written to file.

IMPORTANT: This option is valid only for Translated log files.

If logging applications have localized Log Schema files and if those files are added to their respective Application object, the File channel can write Translated log files in the selected language. If there isn’t a log schema for the selected language, the channel defaults to English.

You can create parallel logs in multiple languages by defining multiple File Channel objects with different languages and having a single notification filter pass events to all those channels.

Status

Allows you to enable or disable the Channel object. By default, all Channel objects are enabled. This means that the logging server loads the Channel object’s configuration in memory at startup.

The Channel object must be located in a supported Channel container for the logging server to use it. For more information on the logging server’s Channel Container property, see Logging Server Objects.

If you select the Disabled option, you must restart the Secure Logging Server for the setting to become effective. Thereafter, the logging server cannot load the object’s configuration until you select Enabled.

For information on unloading the logging server, see Section G.3, Secure Logging Server Startup Commands.