31.1 Configuring Access Manager for Novell Auditing

By default, Access Manager is preconfigured to use the Novell Audit server it installs on the first instance of the Administration Console. If you install more than one instance of the Administration Console for failover, Novell Audit is installed with each instance. However, if you already use Novell Audit, you can continue using your existing installation with Access Manager. You’ll need to configure Access Manager to use your audit server. You’ll also need to register the Access Manager with your audit servers by importing the nids_en.lsc and sslvpn_en.lsc files.

Novell Access Manager allows you to specify only one Novell Audit server. You still have failover when the audit server goes down: the auditing clients on the Novell Access Manager components go into caching mode when the audit server is not available, and they save all events until the entries can be sent to the audit server.

This section includes the following topics:

  Section 31.1.1, Specifying the Logging Server and Events

  Section 31.1.2, Configuring the Platform Agent

  Section 31.1.3, Generating Queries

31.1.1 Specifying the Logging Server and Events

The Secure Logging Server manages the flow of information to and from the Novell auditing system. It receives incoming events and requests from the Platform Agents, logs information to the data store, monitors designated events, and provides filtering and notification services. It can also be configured to automatically reset critical system attributes according to a specified policy.

  1. To specify the logging server, click Access Manager > Auditing.

  2. Fill in the following fields:

    Server: Specify the IP address or DNS name of the audit logging server you want to use. By default, the system uses the primary Administration Console IP address. If you want to use a different Secure Logging Server, specify that server here.

    Access Manager does not currently support the use of custom application certificates. (For information on this Novell Audit feature, see Authentication Logging Applications.)

    To use Novell Sentinel™ instead of Novell Audit, specify the IP address or DNS name of your Collector. For more information on Sentinel, see Sentinel 6.

    Port: Specify the port that the Platform Agents use to connect to the Secure Logging Server.

    To use Novell Sentinel instead of Novell Audit, specify the port of your Collector.

    IMPORTANT: Whenever you change the port or address of the Secure Logging Server, all Access Gateways must be updated, and then every Access Manager device (Identity Server, Administration Console, Access Gateways, SSL VPN servers, and J2EE Agents) must be rebooted (not just the module stopped and started) before the configuration change takes effect.

  3. Under Management Console Audit Events, specify the system-wide events you want to audit:

    Select All: Selects all of the audit events.

    Health Changes: Generated whenever the health of a server changes.

    Server Imports: Generated whenever a server is imported into the Administration Console.

    Server Deletes: Generated whenever a server is deleted from the Administration Console.

    Configuration Changes: Generated whenever you change a server configuration.

  4. Click OK.

    If you did not change the address or port of the Secure Logging Server, this completes the process. It may take up to fifteen minutes for the events you selected to start appearing in the audit files.

    If you changed the address or the port of the Secure Logging Server, complete the following steps:

  5. If the Administration Console is the only Access Manager component installed on the machine, edit the Novell Audit Configuration file.

    For security reasons, this file cannot be edited from the Administration Console when it is the only Access Manager component on the machine.

    Edit the /etc/logevent.conf file and specify the new address and port of the Secure Logging Server.

  6. Restart the Administration Console. From a terminal window, enter the following command:

    /etc/init.d/novell-tomcat4 restart
    
  7. Restart every device imported into the Administration Console.

    The devices (Identity Server, Access Gateway, SSL VPN, J2EE Agents) do not start reporting events until they have been restarted.

31.1.2 Configuring the Platform Agent

The Platform Agents installed with the Access Manager components use an embedded certificate. Access Manager does not currently support the use of custom application certificates. For information on this Novell Audit feature, see Authenticating Logging Applications.

The platform agents that are installed on each Access Manager component can be configured by modifying the logevent file. For the location of this file and its parameters, see Logevent.

IMPORTANT: Do not use this file to modify the IP address of the Secure Audit Server. Use the Administration Console for this task (see Section 31.1.1, Specifying the Logging Server and Events).

If you are using Sentinel, most of the parameters in this file should be set on the collector.

When the platform agent loses its connection to the audit server, it enters caching mode. The default size of the audit cache file is unlimited. This means that if the connection is broken for a long time and traffic is high, the cache file can become quite large. When the connection to the audit server is re-established, the platform agent becomes very busy while it tries to upload the cached events to the audit server and still process new events. When coming out of caching mode, the platform agent appears unresponsive because it is so busy and because it holds the application threads that are logging new events for a long period of time. If it holds too many threads, the whole system can appear to be hung. You can minimize the effects of this scenario by configuring the following two parameters in the logevent file.

Parameter: Description

LogMaxCacheSize: Sets a limit to the amount of cache the platform agent can consume to log events when the audit server is unreachable. The default is unlimited.

LogCacheLimitAction: Specifies what the platform agent should do with incoming events when the maximum cache size limit is reached. You can select one of the following actions:

    Delete the current cache file and start logging events in a new cache file.

    Stop logging, which preserves all entries in the cache and stops collecting new events.

When you set a finite cache file size, it limits the number of events that must be uploaded to the audit server when caching mode is terminated and keeps the platform agent responsive to new audit events that are registered. If you have lots of users and are logging lots of events, you might need to configure these parameters.
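The following script is an added example for this section and for steps 5 and 6 of Section 31.1.1; it is not Novell's tooling. It treats the logevent file as plain Key=Value text, reports an agent that is still on the unlimited-cache default, and rewrites the file with a finite LogMaxCacheSize and a LogCacheLimitAction, or with a new Secure Logging Server address and port. The key names LogHost and LogEnginePort, the action values deletecache and stoplogging, and the sample file contents are assumptions taken from the Novell Audit Logevent reference rather than from this page; the unit of LogMaxCacheSize is likewise left to that reference.

```python
"""Check and update a Novell Audit Platform Agent logevent file.

Added example, not Novell's own code. Assumes a plain Key=Value file; the
key names LogHost/LogEnginePort and the action values below are assumptions
from the Logevent reference, not from this page.
"""
from typing import Dict, List

# Parameter names: the two cache parameters are on this page, the server
# address/port names and the allowed action values are assumptions.
SERVER_KEY = "LogHost"
PORT_KEY = "LogEnginePort"
CACHE_SIZE_KEY = "LogMaxCacheSize"
CACHE_ACTION_KEY = "LogCacheLimitAction"
VALID_ACTIONS = {"deletecache", "stoplogging"}

# Constructed sample: an agent still on the unlimited-cache default.
SAMPLE_CONF = """\
# Platform Agent configuration (constructed sample)
LogHost=10.0.0.5
LogEnginePort=289
LogCacheDir=/var/opt/novell/naudit/cache
"""


def parse_logevent(text: str) -> Dict[str, str]:
    """Parse Key=Value lines into a dict keyed by lower-cased name.

    Blank lines and '#' comments are ignored, as is any line without '='.
    """
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf


def check_cache_settings(conf: Dict[str, str]) -> List[str]:
    """Return findings explaining why this agent is exposed to the caching-mode problem."""
    findings: List[str] = []
    size = conf.get(CACHE_SIZE_KEY.lower())
    if size is None:
        findings.append(f"{CACHE_SIZE_KEY} not set: cache file is unlimited by default")
    elif not size.isdigit() or int(size) <= 0:
        findings.append(f"{CACHE_SIZE_KEY}={size!r} is not a positive integer")
    action = conf.get(CACHE_ACTION_KEY.lower())
    if action is None:
        findings.append(f"{CACHE_ACTION_KEY} not set: behaviour at the cache limit is not chosen")
    elif action.lower() not in VALID_ACTIONS:
        findings.append(f"{CACHE_ACTION_KEY}={action!r} is not one of {sorted(VALID_ACTIONS)}")
    return findings


def set_values(text: str, updates: Dict[str, str]) -> str:
    """Rewrite the Key=Value lines named in `updates` in place; append any that are missing.

    Other lines, including comments, are preserved unchanged.
    """
    by_lower = {k.lower(): k for k in updates}
    out: List[str] = []
    seen = set()
    for raw in text.splitlines():
        key, sep, _ = raw.partition("=")
        k = key.strip().lower()
        if sep and k in by_lower and not raw.lstrip().startswith("#"):
            name = by_lower[k]
            out.append(f"{name}={updates[name]}")
            seen.add(k)
        else:
            out.append(raw)
    for k, name in by_lower.items():
        if k not in seen:
            out.append(f"{name}={updates[name]}")
    return "\n".join(out) + "\n"


def limit_cache(text: str, max_size: int, action: str = "deletecache") -> str:
    """Give the agent a finite cache and a defined action at the limit (Section 31.1.2)."""
    if action not in VALID_ACTIONS:
        raise ValueError(f"unknown {CACHE_ACTION_KEY}: {action!r}")
    return set_values(text, {CACHE_SIZE_KEY: str(max_size), CACHE_ACTION_KEY: action})


def set_logging_server(text: str, host: str, port: int) -> str:
    """Point the agent at a new Secure Logging Server (step 5 of Section 31.1.1)."""
    return set_values(text, {SERVER_KEY: host, PORT_KEY: str(port)})


if __name__ == "__main__":
    for finding in check_cache_settings(parse_logevent(SAMPLE_CONF)):
        print("finding:", finding)
    print(limit_cache(SAMPLE_CONF, 2048))
```

After rewriting /etc/logevent.conf this way, the restart in step 6 (and the device restarts in step 7) are still required before the agent picks up the new settings.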

For more information about these parameters, see Logevent.

31.1.3 Generating Queries

Queries let you create, run, edit, and delete queries and event verifications. You can create two kinds of queries in Access Manager: manual queries and saved queries. Manual queries are simply queries that are not saved; they run only one time. All verification queries are saved. Saved queries and verifications are listed in the Queries list and can be run again and again against different databases. Access Manager uses queries to request information from MySQL* and Oracle* databases. All queries are defined in SQL. Although you must be familiar with the SQL language to create SQL query statements, this is the most powerful and flexible query method.

For information about queries, see Novell Audit 2.0.2, at the Novell Documentation Web site.