Nsure Audit 1.0.x Netware 6.x installation guide
(Last modified: 05Sep2005)
This document (10091433) is provided subject to the disclaimer at the end of this document.
Novell Nsure Audit 1.0.1
Novell Nsure Audit 1.0.2
Novell NetWare 6
Novell NetWare 6.5
Nsure Audit Netware 6 installation guide
The purpose of this document is to provide a step by step upgrade process for Nsure Audit 1.0.2 on NetWare 6, logging to MySQL. Nsure Audit is a replacement for NAAS (Novell Advanced Auditing Services) and AUDITCON.
This document assumes that Nsure Audit has not been configured previously in the tree.
Part I: Download and Install Nsure Audit:
Go to download.novell.com
Choose "Novell Nsure Audit" in the "choose a product" drop down menu.
Click the "submit search" button.
Click the "Download" button for 1.0.2 Starter Pack for Nsure Audit.
Download the ISO image.
Burn the ISO image to CD.
To Remove NAAS see this TID. This step is optional.
Select a server in your environment to be the Secure Logging Server. This server may be in its own tree, or it may be in the same tree as the rest of the production environment.
Insert the Nsure Audit CD in the CD-ROM drive of the server that Secure Logging Server software will be installed to.
Load the CDROM NSS driver. LOAD CD9660.NSS.
If the cdrom does not get mounted automatically (it should) then mount the CDROM volume.
MOUNT CDROM (this is specific to the Nsure Audit CD-ROM burned from the ISO)
Select Product Options from the menu.
Select Install a Product Not Listed.
Press ESC when the previously specified paths screen appears.
Press F3 to specify a new path.
Specify CDROM:\NETWARE as the path to the install files for Nsure Audit.
Select the following options.
First Time Directory Install
Configure Server for Nsure Audit
Nsure Audit Log Server Files
Nsure Audit Instrumentation Files
Nsure Audit Platform Agent Files
Press F10 to accept the selections. Nsure Audit installation will copy files into place.
During the installation a prompt to authenticate as admin will appear. You must authenticate as a user with Admin rights at the root of the tree, and rights to extend the schema.
When the Logging Server name prompt appears, use the default name (SERVERNAME LOGGING SERVER) and press ESC to continue.
If a previous attempt at installing Nsure Audit was done, a message regarding updating LOGEVENT.CFG will appear. It really doesn't matter if you update this file or not. The file included with 1.0.1 has more help options than the original files.
When the installation is finished, the NWCONFIG screen will return. Press ESC to exit NWCONFIG.
Confirm that the following lines have been added to AUTOEXEC.NCF
For debugging purposes, REM out auditsvr.ncf
Add the following line above auditagt
load lengine -d
This will load a debug screen when the logging server is loaded. This screen provides channel and event statistics.
Part II: Install MySQL on the NetWare Server
Download MySQL 4.0 from http://dev.mysql.com/downloads/mysql/4.0.html
If using MySQL 4.1, reference this TID following the MySQL user account setup.
Create the file SYS:\etc\my.cnf
The contents of this file should be as follows:
datadir is the parameter to define where the data will be stored on the server.
To create the initial MySQL database that is required for all administrative purposes, issue the following command at the command prompt:
Start the MySQL daemon using the following command, and add this command to AUTOEXEC.NCF prior to the Secure Logging Server startup commands:
In order to administer users that are able to access the databases on the server, it is necessary to create a root user. Issue the following command at the server command prompt to create the initial root user. The word novell enclosed in single quotes should be replaced with the appropriate password for the root user.
The remainder of the configuration takes place from MySQL monitor. To load MySQL monitor type:
From the mysql> prompt type \u mysql to instruct the MySQL monitor that we are using the database called mysql. It is also possible to type use mysql
Currently, the root user created above may only log in from localhost (the server console). It is desirable, although not required, to create an administrative account that can also log in from anywhere for administration purposes. MySQL authentication is host based. You may specify a certain IP address to allow access from, or you may use a global wild card. To create the root account that can log in globally, issue the following commands. Each "user@host" is a separate account. Be sure to enter the ; at the end of the last line. This lets the MySQL monitor know that you are done typing the command and that it should execute it. Again, replace the word novell in single quotes with the password for the root user.
Confirm the creation of the root@'%' user with the following command:
Create the Nsure Audit Database. This is the database that will be used by the MySQL logging channel. The logging channel can create this database if desired. In order to do that, the auditusr account created later on must be granted rights to *.*, like the root user.
Create the auditusr account and grant access to the naudit database.
This step creates the user account that the Secure Logging Server will use to update the naudit database. MySQL uses a host@network address scheme for assigning user access. The following steps assume that the MySQL channel is going to connect to the MySQL database on the localhost address (127.0.0.1). It also assumes that iManager is installed on the local machine, and Nsure Audit Report will be run on the same machine as the logging server.
GRANT all on naudit.* to auditusr@'localhost'
IDENTIFIED by 'novell';
Confirm the creation of the user account.
select user,host from user;
In many cases, it will be desired to have an auditusr account that can access the naudit database from an administrative pc, that may not have a static IP address.
In these circumstances, create an auditusr account with access from any address, using the wildcard character (%) in place of an ip address. For example:
grant all on naudit.* to auditusr@'%'
identified by 'novell';
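Added example (not part of the original TID): the account steps above, written with a narrower host and privilege scope, in the same MySQL 4.0 GRANT ... IDENTIFIED BY form. The address 192.0.2.25, the subnet 192.0.2.%, the auditrpt account name and the CHANGE_ME passwords are constructed placeholders.

```sql
-- Added example, not part of the original TID. Run in the MySQL monitor as root.
-- Constructed values: 192.0.2.25 (an admin PC with a fixed address), the
-- 192.0.2.% subnet, the auditrpt account name and the CHANGE_ME_* passwords.

USE mysql;

-- 1. Review the accounts that exist before adding more. Each user@host pair
--    is a separate account, so check every row, not just every user name.
SELECT user, host FROM user WHERE host = '%';      -- reachable from any address
SELECT user, host FROM user WHERE password = '';   -- no password set
SELECT user, host FROM user WHERE user = '';       -- anonymous accounts

-- 2. Logging account: used by the MySQL channel on the same server, so it
--    only needs to exist for localhost. Use a real password, not the sample word.
GRANT ALL ON naudit.* TO auditusr@'localhost'
IDENTIFIED BY 'CHANGE_ME_logging';

-- 3. Reporting account (hypothetical name auditrpt) for an administrative PC
--    running the query tools: read-only, and only from that PC's address.
--    This account would be entered in the query tool instead of auditusr.
GRANT SELECT ON naudit.* TO auditrpt@'192.0.2.25'
IDENTIFIED BY 'CHANGE_ME_reporting';

-- 4. When the administrative PC has no static IP address, a subnet pattern
--    is narrower than a bare %; the host part accepts % inside an address.
GRANT SELECT ON naudit.* TO auditrpt@'192.0.2.%'
IDENTIFIED BY 'CHANGE_ME_reporting';

-- 5. Confirm what each account can do and from where.
SELECT user, host FROM user ORDER BY user, host;
SHOW GRANTS FOR auditusr@'localhost';
SHOW GRANTS FOR auditrpt@'192.0.2.25';
SHOW GRANTS FOR auditrpt@'192.0.2.%';
```

With auditusr defined only for localhost, the Host field of the MySQL channel must be 127.0.0.1, as described in Part IV.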
Part III: Install the Nsure Audit iManager Snapin
The snapin is available in the Add-Ons directory of the Nsure Audit CD. It is also available from download.novell.com, under the Nsure Audit Product list.
On a server that has iManager 2.0.x installed, log into iManager as a user with root access to the tree.
Once iManager loads, click on the configure icon. This icon looks like a man sitting behind a desk.
In the iManager configuration screen, expand the menu for Module Configuration.
Click the Install Module Package link.
Browse to the location of the Nsure Audit NPM file. For example, if D: is the CDROM drive, D:\add_ons\iManager_plugins\naudit.npm
Wait for a few minutes, while the package is installed.
If you are running iManager in Assigned Mode and have RBS configured, complete the following steps to install or update the Nsure Audit iManager plug-in:
Log into iManager as a Collection Owner, then click Configure.
Restart the web servlet engine.
Wait for at least one minute for Tomcat to completely stop.
The loading process often takes up to 5 minutes to fully initialize. Please wait before attempting to load iManager and administer Nsure Audit. Often, a server restart may be necessary.
Part IV: Configure the Secure Logging Server to send data to the MySQL channel
In iManager, expand the Nsure Audit task, and select Server Configuration.
Click on the channels tab.
Click the check box next to the Channels container, and then click New.
Create a channel of type MySQL. Any name will be fine.
When returned to the channels container screen, click the check box next to the MySQL channel under the channels container, and then click edit.
When the edit MySQL channel screen appears, fill in the following information. ALL FIELDS ARE CASE SENSITIVE!
Host: IP address of the server running MySQL. (If Part II of this TID was followed to install MySQL, use 127.0.0.1)
If MySQL is installed on the same server as the logging server, and the account created to access the Nsure Audit database is auditusr@'%', then this should be the logging server's IP address.
Password: Password for auditusr@'localhost'
Advanced Create Table Options: Blank
SQL Expiration Commands:
create table newtable ($T) $e;RENAME TABLE $l TO $n, newtable TO $l
** $l should be the LETTER l NOT the number one.
This script does the following:
Creates a new table using the CREATE TABLE Options.
Renames the current table so it includes the date and time in decimal.
Renames the new table with the default table name.
Expire at time or interval: Mondays
This means that the expiration script will run every Monday at midnight.
Click apply, then close.
Click on the General Tab (general tab of Logging Server object)
In the Log Channel Field, use the magnifying glass to browse for the MySQL channel that was just created (example, mysql.Channels.Logging Services) - This tells the logging server to send all data to the MySQL channel.
Click Apply to save the changes.
Test the configuration:
From the server console load lengine -d.
If the Nsure Audit 1.0.1 console loads, then everything is configured correctly. If it does not load, check the Logger Screen on the NetWare server for error messages. Double check the accounts created for MySQL. Was the user created auditusr@'%' or was it auditusr@localhost? Does the case match for the username and password? Is MySQL loaded? If you created auditusr@localhost but not auditusr@'%', then it is necessary to change the address on the MySQL channel to be 127.0.0.1. Based on the experiences from Technical Support, it is best to use auditusr@'%'.
If everything is configured correctly, continue the installation process.
Part V: Configure the platform agent to send events to the logging server
This process needs to be completed for every server that will be audited. For eDirectory and file system auditing this means every eDirectory replica holder, and any server with files or directories that need to be audited. The steps below describe how to configure eDirectory and NetWare platform agents; platform agents for other Novell products will need to be configured as documented for each product. (For example, the platform agent for SecretStore has no configuration options; all SecretStore events will be tracked when "SSS.NLM -A" is loaded).
If this server is not the logging server, install the platform agent. If the server is the Secure Logging Server, the platform agent should have been installed already, and this step may be skipped.
Mount the Nsure Audit CD.
Select Product Options
Select Install Product Not Listed.
Press ESC if the previously selected paths screen appears.
On the screen to specify the path to install from, press F3, and then enter the path to the installation media (CDROM:\netware)
Select only the following:
Nsure Audit Instrumentation Files
Nsure Audit Platform Agent Files
If this server is not in the same tree as the Secure Logging Server, also select Directory Schema Update.
If prompted to overwrite LOGEVENT.CFG, please do so.
If prompted to authenticate, be sure to authenticate as a user with rights to extend the schema in the tree.
When finished, the NWCONFIG screen will appear.
From the Roles and tasks menu, expand the eDirectory Administration menu, and select Modify Object.
Browse to the NCP server object for the server that is running the platform agent. For example, if the server we want to audit is named SERVERFS1 and is in the Novell container, browse to the Novell container, and select the SERVERFS1 object. Or, enter SERVERFS1.Novell in the box.
When the Server Object screen appears, click on the Nsure Audit tab.
Click on the Netware hyperlink below the row of tabs. Select the events you want to audit, then click Apply.
Repeat this task for Filesystem and eDirectory events.
Edit the SYS:/ETC/LOGEVENT.CFG file.
Change the loghost setting to be the IP address of the Secure Logging Server (DNS names, and eDirectory object names are not supported)
Optional: Add LogReconnectInterval=60 to the bottom of the LOGEVENT.CFG file. This will make the platform agents attempt to reconnect to the logging server every 60 seconds, if the connection to the SLS is lost. The default value is 600.
At the server console, run auditagt.ncf
This will load a series of NLMs that gather events from the server, and send these events to the logging server.
Check the Nsure Audit console. There should be 2 connections to the logging server. There will be at least 2 connections for every NetWare server with the Nsure Audit instrumentation and platform agent installed and running. If more instrumented applications are running, the connection count will increase by 1 for each application.
Part VI: Configure the query tools
There are two tools that can be used to query the database. The Nsure Audit iManager Snapin has a complex query builder to query the database. Nsure Audit Report (LREPORT) is a Windows application which can be used to query the database as well. It is not necessary to set up both utilities, however instructions for both are provided here.
Install the MySQL JDBC Driver for iManager
Obtain the MySQL Connector/J 3.0 from http://dev.mysql.com/downloads/connector/j/3.0.html. Included in the zip file is the binary that needs to be copied to the server. The file name is mysql-connector-java-3.0.11-stable-bin.jar (the version number changes with each revision)
On NetWare 6 and 6.5 copy this file to SYS:/JAVA/LIB/EXT
On servers running Nterprise Linux Services, the file should be copied to /var/opt/novell/tomcat4/common/lib/
On Windows servers running iManager and Tomcat services, copy this jar file to: C:\Program Files\novell\tomcat\common\lib
Restart tomcat after copying this file into place.
tc4stop - wait for two minutes on NetWare
tomcat4 - wait for up to 5 minutes on NetWare
Configure iManager to query the MySQL database
From the roles and tasks menu, expand Nsure Audit, and select Query Configuration.
On the Query Configuration page, select the Databases tab, and click New.
Provide a name for the database, ie. Naudit Database
Provide the JDBC class name. For MySQL this is com.mysql.jdbc.Driver (case sensitive)
Provide the JDBC URL. The URL should contain the server name and database name (from Part II) and look like this: jdbc:mysql://serverIPaddress:3306/naudit
Provide the name of the table you want to query, ie. log
Enter the username and password of the Nsure Audit user created for MySQL.
Click store password if you do not wish to be prompted for the password at the beginning of each query session.
In order to utilize the query builder, it is necessary to import the events from the Secure Logging Server.
Click the Product Events tab.
Enter the Nsure Audit Logging Server DN (ie. Servername Logging Server.Logging Services) or browse to the object in the tree.
Select the appropriate Language and then Click Update.
Configure the Global Options, click on the Global Options tab.
Define how many events you wish to query at a time.
Select the time format. RFC822 Local means local time. NOTE: There is a known issue with the local time being a few hours off in the Nsure Audit 1.0.1 snapin. This is resolved in 1.0.2.
To create a query, click Queries from the Nsure Audit section of the iManager roles and tasks.
Select the database to query from the drop down list.
Under the Queries heading, click New.
Provide the name of the Query, the name may describe the event you want to query, ie Login.
In the query builder, click the drop down that says end, and select AND. A row of boxes will appear.
From here, it is possible to select different events, or other fields in the database to query against.
For login, EventID, Matches, eDirectory, Create Object, AND
Time Frame, Matches, Last 7 Days
Click the blue down arrow to populate the Query SQL Statement.
Click translate column titles, then click OK.
Configure Nsure Audit Report
- Download the ODBC data connector for MySQL from http://dev.mysql.com/downloads/connector/odbc/3.51.html (to simplify things, download the driver installer)
- Execute the driver installer.
- Go to Control Panel, Administrative tools, and open the Data sources (ODBC) applet.
- Click on the User DSN tab. Highlight the line that contains MySQL ODBC 3.51 Driver under the Driver column. The default name is usually test. Click Configure.
- Change the data source name to naudit.
- Enter the host name or IP address for the server hosting the MySQL database.
- Enter the database name (usually naudit)
- Enter the user account and password with rights to access the naudit database.
- Leave the port number alone, unless the port number was changed during the MySQL installation.
- Click Test Data Source to confirm that the data source is configured correctly.
Import the event data and license from the Secure Logging Server
- Launch Nsure Audit Report. This can be launched from the Start Menu, or from Program Files/Novell/Nsure Audit/lreport.exe.
- The first time Nsure Audit Report loads, it will display a message about licensing. If the license has been installed for the Secure Logging Server, the following steps will also disable the Starter Pack license message as well as import the event information. Click OK if this message is displayed. NOTE: If you have just installed a new Nsure Audit License file (NAUDIT.NLF) on your Secure Logging Server, you need to load and unload lengine.nlm prior to importing the application schemata in order to eliminate the license message.
- When Nsure Audit Report is opened, click on File, then Import, and select Application Schemata.
- Enter the DNS name or IP address of the Secure Logging Server, and select the appropriate language. Click ok.
- Restart Nsure Audit Report when prompted.
Configure the display format for timestamps and the DATA (Perpetrator) Fields
- From Nsure Audit Report, click View, and then Options.
- Click on the translation tab.
- Change the Date/Time format to Locale. This will display the date and time the event occurred.
- Change the Binary Data to Display Ascii, and set the Display First setting to 100 bytes. If the Display First XXX bytes setting is not configured, the data field will be blank when queries are displayed.
- Click OK.
Configure a Query
There are a couple of ways to create basic queries.
From the query menu, click Query Expert.
Provide a name for the query, ie. Login.
Select eDirectory:Login from the drop down list.
An alternate method is to expand the workspace window, click on the Events tab at the bottom. Expand the application that you want to generate a query for, ie. eDirectory.
Right click the event to generate a query from, select Define Query.
Both applications can use a manual query, with a regular SQL statement as well. Use the Query Expert, and the Query builder to look at examples.
After following these steps, a single server should be logging events to the MySQL database, and it should be possible to run a query on these events from Nsure Audit Report or iManager. For more information, see the documentation at https://www.novell.com/documentation/NsureAudit
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.