Environment
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
Novell Sentinel Log Manager 1.0
Situation
The purpose of this document is to explain how to configure Open
Enterprise Server 2 (OES2) and Sentinel Log Manager 1.0 (SLM) in order to
collect events related to file system operations made on NSS
volumes.
Please note that this document is meant as a starting point for configuring your systems and accomplishing your objectives; we only go through the basic setup and configuration processes and do not cover all the fine-tuning options that are available.
Resolution
In order to audit NSS file system events on OES2, the first thing
to do is make sure that our systems are up to date with the
latest available patches. The way to configure OES2 and SLM for our
purpose has changed significantly across the various releases and
updates.
As a first step, we need to use the Sentinel Event Source Management to deploy a Novell Open Enterprise Server collector, followed by a Syslog Connector and a Syslog Event Source Server. These are the components we need to configure on the Sentinel Log Manager side to collect our NSS file system events.
Describing the entire process of creating and configuring collectors, connectors and source servers is out of the scope of this document; please refer to the Sentinel documentation for all the details.
Once your configuration is done, your Event Source Management console should look like this:
Once the Sentinel server has been configured as described, we need to move to our OES2 server and configure it to collect and send the NSS events.
What we need are the following components:
- Sentinel Agent
- novell-vigil
- novell-vigil-vlog
- novell-vigil-libs
The Sentinel Agent can be found on the Sentinel 6.1 Plug-ins page, under the tab "Utilities":
https://support.novell.com/products/sentinel/secure/sentinel61.html
Once the Sentinel Agent has been downloaded and unzipped, you should have the following files:
- Sentinel-Agent_6.1r1.pdf - Agent documentation
- SentinelMasterAgent.msi - Windows installer
- sentagentsetup_32 - Linux 32 bit installer
- sentagentsetup_64 - Linux 64 bit installer
Choose the correct installer for your current OES2 installation, and then execute it to complete the Sentinel Agent setup. The installation process is straightforward and asks for only two parameters:
- The hostname or IP address of the Sentinel Server or Collector Manager (in case it is not located on the SLM server);
- The port number on which Sentinel's Syslog event source server is listening, which is 1468 unless you changed the default.
The installation script will install the agent, create the corresponding init.d script and set it to run at the proper runlevels.
The next two packages we need, novell-vigil and novell-vigil-libs, should be installed by default on any OES2 server where NSS has been installed and configured, while novell-vigil-vlog needs to be installed manually: select it from the available packages list and follow the prompts to complete the setup.
Now that the packages are installed, we just need to configure vlog to be a Sentinel subagent. In order to do this, please follow the steps outlined in the following document:
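A preflight check for the OES2 side of the setup described above, as an added example that is not part of the original document: it verifies that the three novell-vigil packages are installed and that the Sentinel Syslog event source server port (1468 by default) is reachable. The function names, the host argument, the sample package list and the assumption that the port accepts TCP connections are not from the document.

```shell
#!/bin/sh
# Added example, not Novell's code. Package names and the default port 1468
# come from this document; everything else here is an assumption.
REQUIRED_PKGS="novell-vigil novell-vigil-libs novell-vigil-vlog"

# Reads installed package names (one per line) on stdin and prints each
# required package that is absent. The match is on the whole line, so
# "novell-vigil-libs" does not satisfy the check for "novell-vigil".
missing_packages() {
    installed=$(cat)
    for pkg in $REQUIRED_PKGS; do
        printf '%s\n' "$installed" | grep -qxF -- "$pkg" || printf '%s\n' "$pkg"
    done
}

# Returns 0 if a TCP connection to host:port opens within 5 seconds.
# Needs bash (/dev/tcp) and the coreutils "timeout" command; assumes TCP.
port_open() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Live check on the OES2 server: preflight <sentinel-host> [port]
preflight() {
    host=$1; port=${2:-1468}; rc=0
    missing=$(rpm -qa --qf '%{NAME}\n' | missing_packages)
    if [ -n "$missing" ]; then
        echo "missing packages: $(echo $missing)"; rc=1
    fi
    port_open "$host" "$port" || { echo "cannot reach $host:$port"; rc=1; }
    return "$rc"
}

if [ -n "${1:-}" ]; then
    preflight "$@"
else
    # Constructed sample: a server where novell-vigil-vlog was never installed.
    printf 'novell-vigil\nnovell-vigil-libs\nnovell-nss\n' | missing_packages
fi
```

Run it on the OES2 server with the Sentinel host as the first argument for the live check; with no argument it only evaluates the constructed sample.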
TID 7008434
If everything has been properly configured, moving back to our Event Source Management console we should find the event source related to our OES2 server automatically created:
All the NSS related events should now be properly sent to the Sentinel Log Manager server:
Additional Information
The steps described in this document so far will enable the OES2
server to send NSS file system events for any operation made on any
NSS volume, directory or file present on the configured server, and
of course this may not exactly fit our needs.
The VLOG utility options make it possible to limit, filter or, more generally, better define what we want to audit and what we don't. Both the OES2 man pages and the OES2 on-line documentation provide the necessary guidelines:
OES 2 man pages
From the OES2 server console type:
man vlog
OES2 - VLOG on-line documentation
https://www.novell.com/documentation/oes2/mgmt_nss_vlog_lx/?page=/documentation/oes2/mgmt_nss_vlog_lx/data/bookinfo.html