4.1 Configuring the Platform Agent

The Platform Agent, logevent, is the client portion of the Novell auditing system. It receives logging information and system requests from authenticated applications and transmits the information to the Secure Logging Server.

For more information on program binaries, see Section I.1, Program Files and Directories. For information on how applications authenticate with Novell Audit, see Section 9.1, Authenticating Logging Applications.

There are several advantages to having applications connect to the Platform Agent instead of the Secure Logging server:

The following sections review the Platform Agent cache, configuration file, and configuration tool:

4.1.1 Disconnected Mode Cache

If the connection between the Platform Agent and the Secure Logging Server fails, applications continue to log events to the local Platform Agent, just as they always do. The Platform Agent simply switches into Disconnected Cache mode; that is, it begins sending events to the Logging Cache module. The Logging Cache module then writes the events to the Disconnected Mode Cache until the connection is restored. The switch into Disconnected Cache Mode is completely transparent to the logging applications.

NOTE: The port at which the Platform Agent connects to the Logging Cache Module is configured in the logevent.cfg file. For more information on this parameter, see Logevent.

The Logging Cache Module maintains a separate cache file for each authenticated application. The cache files include the authentication credentials as well as the log events for their respective applications.

When the connection to the Secure Logging Server is restored, the Logging Cache Module transmits the cache files to the Secure Logging Server. To protect the integrity of the data store, the Secure Logging Server validates the authentication credentials in each cache file before logging its events.

4.1.2 Logevent

The Platform Agent is not configured through Novell eDirectory™. Instead, the Platform Agent’s configuration settings are stored in a simple, text-based configuration file, logevent. The default location of this file is as follows:

Table 4-1 Platform Agent Configuration File

| Operating System | File |
|---|---|
| NetWare | /etc/logevent.cfg |
| Linux | /etc/logevent.conf |
| Solaris | /etc/logevent.conf |
| Windows | /Windows_Directory/logevent.cfg |

The Windows_Directory is usually drive:\windows.

Storing the Platform Agent’s configuration in a local text file makes the Platform Agent small, unobtrusive, and self-contained—that is, it has no external dependencies, so it is always available to receive logged events. Storing the Platform Agent’s configuration in a text-based file also allows the Platform Agent to eventually run on platforms that do not have eDirectory support.

The following is a sample logevent.cfg file.

LogHost=127.0.0.1
LogCacheDir=c:\logcache
LogCachePort=288
LogEnginePort=289
LogCacheUnload=no
LogReconnectInterval=600
LogDebug=never
LogSigned=always

Entries in the logevent file are not case sensitive and can appear in any order. Empty lines are valid, and any line that starts with a hash (#) is treated as a comment.

The following table provides an explanation of each setting in the logevent file.

Some settings might not be available in all versions of Novell Audit.

IMPORTANT: You must restart the Platform Agent any time you make a change to the configuration.

Table 4-2 logevent Settings

Setting

Description

LogHost=dns_name

Name or IP address of the Secure Logging Server the Platform Agent should use.

If you are configuring multiple Secure Logging Servers, add the IP address of each logging server separated with commas to the LogHost entry. For example,

LogHost=192.168.0.1,192.168.0.3,192.168.0.4

With this modification, the Platform Agents log specifically to the group of logging servers that they are a member of, regardless of the status of the servers. For more information, see Section 4.2.5, Configuring Multiple Secure Logging Servers.

LogCacheDir=path

The directory where the Platform Agent should store the cached event information if the Primary or Secondary Secure Logging Server becomes unavailable.

LogEnginePort=port

Port used by the Secure Logging Server to accept data from Platform Agents.

LogCachePort=port

Port used by the Platform Agent caching mechanism.

LogCacheUnload=Y|N

Set to N if lcache should not allow unloading.

LogCacheSecure=Y|N

If the local cache file should be encrypted, this option must be set to Y.

LogReconnectInterval=seconds

The interval, in seconds, at which the Platform Agent and the Platform Agent Cache try to reconnect to the Secure Logging Server if the connection is lost.

LogDebug=Never|Always|Server

The Platform Agent debug setting.

  • Set to Never to never log debug events.
  • Set to Always to always log debug events.
  • Leave out or set to Server to use the default setting provided by the Log Debug Events attribute in the Secure Logging Server Configuration page. This option provides a convenient way to centrally manage Platform Agents from the Secure Logging Server.

LogSigned=Never|Always|Server

The signature setting for Platform Agent events.

  • Set to Never to never sign or chain events.
  • Set to Always to always log events with a digital signature and to sequentially chain events.
  • Leave out, or set to Server to use the default setting provided by the Sign Events attribute in the Secure Logging Server Configuration page. This option provides a convenient way to centrally manage Platform Agents from the Secure Logging Server.

NOTE: Event signing can significantly impact program execution and CPU utilization on some systems.

For more information on event signatures, see Section 9.0, Security and Non-Repudiation.

LogMaxBigData=bytes

The maximum size of the event data field. The default value is 3072 bytes. Set this value to the maximum number of bytes the client allows. Data that exceeds the maximum is truncated or not sent if the application doesn’t allow truncated events to be logged.

LogMaxCacheSize=bytes

The maximum size, in bytes, of the Platform Agent cache file.

LogCacheLimitAction=stop logging|drop cache

The action that you want the cache module to take when it reaches the maximum cache size limit.

  • Set to stop logging if you want to stop collecting new events.
  • Set to drop cache if you want to delete the cache and start over with any new events that are generated.
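The parsing rules and settings above, applied as a configuration check. This is an added example, not part of the Novell documentation or tooling: the sample file is constructed, the function names and finding texts are this example's own, and accepting "yes" as well as "Y" for LogCacheSecure is an assumption.

```python
# Added example: audit a logevent file using the rules documented above
# (keys not case sensitive, any order, blank lines allowed, # starts a comment).
SAMPLE = """\
# constructed sample: the page's sample file with weaker settings
LogHost=192.168.0.1,192.168.0.3
logcachedir=c:\\logcache
LogCachePort=288
LogEnginePort=289

LogSigned=never
LogCacheLimitAction=drop cache
"""

def parse_logevent(text):
    """Return {lowercased setting name: value}."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings

def audit(settings):
    """Return (setting, finding) pairs for settings that weaken log integrity."""
    findings = []
    # Leaving LogSigned out is documented as equivalent to Server.
    signed = settings.get("logsigned", "server").lower()
    if signed == "never":
        findings.append(("LogSigned", "events are neither signed nor chained"))
    elif signed == "server":
        findings.append(("LogSigned", "decided by the server's Sign Events attribute"))
    # Cache files hold authentication credentials; encryption requires Y.
    # Assumption: "yes" is accepted like "Y" (the page's sample uses "no").
    if not settings.get("logcachesecure", "").lower().startswith("y"):
        findings.append(("LogCacheSecure", "disconnected mode cache is not encrypted"))
    if settings.get("logcachelimitaction", "").lower() == "drop cache":
        findings.append(("LogCacheLimitAction", "cached events are deleted at the size limit"))
    hosts = [h.strip() for h in settings.get("loghost", "").split(",") if h.strip()]
    if not hosts:
        findings.append(("LogHost", "no Secure Logging Server configured"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(parse_logevent(SAMPLE)):
        print(f"{name}: {finding}")
```

Run against the page's own sample file, the check reports only LogCacheSecure, because that file sets LogSigned=always but does not enable cache encryption.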

4.1.3 Platform Agent Configuration Tool

The Platform Agent Configuration Tool is a Java* utility that provides a graphical interface to manage Novell Audit Platform Agents. This tool operates by making changes to the logevent.cfg file, which contains configuration settings for the Platform Agent.

IMPORTANT: You must have Java installed on the server where the Platform Agent Configuration Tool is installed to use the utility.

To make configuration changes, you can either open and edit an existing logevent.cfg configuration file, or create a new logevent.cfg file. When your changes are complete, the updated file must be saved in the correct location for your changes to be applied.

To run the Platform Agent Configuration Tool:

  1. Locate the Platform Agent Configuration tool Java Archive file (.jar). By default it is installed in the following location:

    | Operating System | Path |
    |---|---|
    | NetWare | sys:\system\naudit\nauditpaconfig.jar |
    | Windows | \program files\novell\nsure audit\nauditpaconfig.jar |
    | Linux | /opt/novell/naudit/java/nauditpaconfig.jar |
    | Solaris | /opt/NOVLnaudit/java/nauditpaconfig.jar |

  2. Launch the Platform Agent Configuration tool by executing the following command at a console from the directory where the Platform Agent Configuration tool Java Archive file is located:

    java -jar nauditpaconfig.jar