Understanding and configuring NSS Auditing Engine (vigil) and NSS Auditing Client Logger (VLOG)

  • 7008421
  • 20-Apr-2011
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3

Situation

When auditing NSS File System events, the following components are involved:

  1. NSS Auditing Engine (vigil)
  2. NSS Auditing Client Logger (VLOG)

This document gives a basic overview of the two components above to help you understand, configure and troubleshoot NSS Auditing on Novell Open Enterprise Server 2.

When auditing NSS File System events using Sentinel or Sentinel Log Manager, the procedure explained below must be completed with some further steps. After working through this document, please also see TID 7008434.

Resolution

NSS Auditing Engine (vigil)

The NSS Auditing Engine is installed by default when you install NSS on an OES 2 SP3 Linux server.

The mission and focus of the NSS Auditing Engine is to capture auditing data (in the kernel) and store that data in the various auditing streams. Priority one for the NSS Auditing Engine is to not lose auditing data.

The rpm package is novell-vigil-* and it is automatically installed when you select the pattern Novell Storage Services (NSS) during the Novell Open Enterprise Server installation.

The NSS Auditing Engine daemon is controlled by the init script /etc/init.d/novell-vigil and is stopped by default. To start it and have it start automatically on boot, run the following commands (as the root user):

/etc/init.d/novell-vigil start

chkconfig novell-vigil on
NSS Auditing Client Logger (VLOG)

VLOG intercepts, parses, filters, augments, and displays auditing records received from the NSS Auditing Engine. The first thing it does at startup is contact the NSS Auditing Engine and request that a new "auditing stream" be created in a specific directory. After the stream has been opened by the NSS Auditing Engine, VLOG asks the NSS Auditing Engine for the name of the initial auditing stream file. The VLOG utility then opens this file and begins parsing records.

If VLOG reaches the end of the audit stream file, it sleeps until more records are added to the file. If it encounters a "ROLL" record, it deletes the current audit stream file, opens the new audit stream file (as specified by the ROLL record) and begins processing/parsing records from the new audit stream file.

VLOG can filter the events it receives from vigil according to user-defined filter rules. To create filter rules, refer to the VLOG documentation at https://www.novell.com/documentation/oes2/mgmt_nss_vlog_lx/?page=/documentation/oes2/mgmt_nss_vlog_lx/data/bo299y5.html

The rpm package is novell-vigil-vlog-* and it is automatically installed when you select the pattern Novell Storage Services (NSS) during the Novell Open Enterprise Server installation.

Prior to running VLOG, the NSS Auditing Engine (/etc/init.d/novell-vigil) should be started. To check the status of the engine, issue the following command (as the root user) in a terminal console:

/etc/init.d/novell-vigil status

If the status is not “Running”, the engine should be started by issuing the following command in a terminal console:

/etc/init.d/novell-vigil start

To run the NSS Auditing Client Logger (VLOG) utility in a terminal console:

/opt/novell/vigil/bin/vlog [OPTIONS]

Stopping vlog requires a SIGTERM signal. This can be sent by pressing Ctrl+C in the terminal where vlog is running, or by using the kill or killall command. For example, to stop all instances of vlog, enter the following in a terminal console:

killall -s SIGTERM vlog

Unlike vigil, VLOG does not have an init.d script that allows it to start automatically at boot. It can, however, be started manually as a daemon with the -d option, which causes vlog to run in the background and discards all output that would otherwise go to stdout or stderr. To start it automatically at boot, other options could be considered; for instance, you could insert the command in the file /etc/init.d/boot.local.
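As an added example (not part of the TID or of the Novell packages), the following wrapper script can be called from /etc/init.d/boot.local: it starts vlog as a daemon only after the engine's status reports "Running", and stops vlog with SIGTERM as described above. The VIGIL_INIT and VLOG_BIN variables and the function names are this example's own; the paths they default to are the ones given in this document.

```shell
#!/bin/sh
# Added example: wrapper around the commands in the TID, not part of the
# Novell packages. Start vlog only after vigil is confirmed running; stop
# vlog with SIGTERM. Both paths are the ones the TID gives and can be
# overridden through the environment (for instance when testing).
VIGIL_INIT="${VIGIL_INIT:-/etc/init.d/novell-vigil}"
VLOG_BIN="${VLOG_BIN:-/opt/novell/vigil/bin/vlog}"
VLOG_OPTS="${VLOG_OPTS:--d}"   # -d: run in the background, stdout/stderr discarded

# Returns 0 when the init script's status output contains "Running".
vigil_is_running() {
    "$VIGIL_INIT" status 2>/dev/null | grep -qi 'running'
}

# Starts the engine if needed and re-checks its status, so that a failed
# start is reported instead of silently launching vlog against a dead engine.
ensure_vigil_running() {
    vigil_is_running && return 0
    "$VIGIL_INIT" start >/dev/null 2>&1
    vigil_is_running
}

# Launches vlog as a daemon; returns 1 without running vlog if vigil is down.
start_vlog_daemon() {
    if ! ensure_vigil_running; then
        echo "novell-vigil is not running; vlog not started" >&2
        return 1
    fi
    "$VLOG_BIN" $VLOG_OPTS
}

# Stops every vlog instance with SIGTERM (succeeds even if none is running).
stop_vlog() {
    killall -s SIGTERM vlog 2>/dev/null || true
}

# Call with "start" from /etc/init.d/boot.local; "stop" from a shutdown script.
case "${1:-}" in
    start) start_vlog_daemon ;;
    stop)  stop_vlog ;;
    *)     echo "usage: $0 {start|stop}" >&2 ;;
esac
```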

Additional Information

NSS Auditing is only supported on Novell Open Enterprise Server 2 and later. Either upgrade to SP3 or install the patch OES2 SP2 Auditing 20100427 x86-64 (64-bit machines) or OES2 SP2 Auditing 20100427 x86 (32-bit machines) to get the vlog package. They are available for download at https://download.novell.com/patch/finder/#familyId=7660&productId=25230

Please see also TID 7008434