10-24-2008, 07:21 PM
#1
Guest
Auditing not working
I'm trying to set up rule hit auditing with no luck so far. I've
installed Audit 2.0.2 on the BorderManager server, and I'm trying to use
a text file as the data store. I have set the following in proxy.cfg:
[Extra Configuration]
EnableNsureAuditLogging=1
I think the main problem I'm having right now is that BorderManager
doesn't show up under the "Log Applications" for the logging server
object. I've used the RUNAUD.NCF command (edited with my admin
credentials) several times, but it doesn't fix the problem.
AUDITEXT.NLM, which is called by RUNAUD, gives no feedback, so I don't
know what's happening. Any suggestions on this?
Also, in iManager > BorderManager > Proxy Services > Novell Audit... I
haven't configured this yet because I don't know what port to use on the
secure logging server. I've seen some references to 288 and 289. Port
289 is open on the server. Is that the one to use, or if not, how do I
tell? Thanks.
- Jim Wagner

10-24-2008, 08:43 PM
#2
Guest
Re: Auditing not working
In article <XTrMk.4153$Fg1.2643@kovat.provo.novell.com>, Jim Wagner wrote:
> I'm trying to set up rule hit auditing with no luck so far. I've
> installed Audit 2.0.2 on the BorderManager server, and I'm trying to use
> a text file as the data store. I have set the following in proxy.cfg:
>
> [Extra Configuration]
> EnableNsureAuditLogging=1
I'm not quite sure, but I don't think the proxy.cfg statement is used
anymore by BM 3.9. 3.8, yes.
>
> I think the main problem I'm having right now is that BorderManager
> doesn't show up under the "Log Applications" for the logging server
> object. I've used the RUNAUD.NCF command (edited with my admin
> credentials) several times, but it doesn't fix the problem.
> AUDITEXT.NLM, which is called by RUNAUD, gives no feedback, so I don't
> know what's happening. Any suggestions on this?
Do you have anything else currently working with auditing? It would help
to know if the audit database server is working, and the only problem is
getting BMgr to send it the rule log data.
>
> Also, in iManager > BorderManager > Proxy Services > Novell Audit... I
> haven't configured this yet because I don't know what port to use on the
> secure logging server. I've seen some references to 288 and 289. Port
> 289 is open on the server. Is that the one to use, or if not, how do I
> tell? Thanks.
>
Use port 289.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

10-27-2008, 11:15 AM
#3
Guest
Re: Auditing not working
Craig Johnson wrote:
>> [Extra Configuration]
>> EnableNsureAuditLogging=1
>
> I'm not quite sure, but I don't think the proxy.cfg statement is used
> anymore by BM 3.9. 3.8, yes.
According to the following page it's still required:
http://www.novell.com/documentation...ta/botcdrh.html
> Do you have anything else currently working with auditing? It would help
> to know if the audit database server is working, and the only problem is
> getting BMgr to send it the rule log data.
That's what I was thinking, too. I've tried configuring logging of user
logins, logouts, and intruder detection, which I've been needing to do
anyway. Unfortunately it's only partially working. It's logging
logins, but isn't providing the IP address. It's logging logouts only
of the [Public] object - whatever that implies. Intruder lockouts are
being logged, but again with no IP address. So it is logging, but it's
not giving me much useful information at this point. Here's a sample
from the text data store:
[Mon, 27 Oct 2008 06:46:24 -0600] [eDirInst\Object]: User .[Public]. has
logged out of server \OurTree\AV\BorderManager\OurNBMServer
[Mon, 27 Oct 2008 06:54:55 -0600] [eDirInst\Object]: User
..ateacher.Teachers.ES.AV (using null password: No) logged in (NDS Login:
Yes) to server \OureTree\AV\BorderManager\OurNBMServer
[Mon, 27 Oct 2008 08:51:34 -0600] [eDirInst\Meta]: Object
..astudent.Students.MS.AV locked by intruder detection
>> Also, in iManager > BorderManager > Proxy Services > Novell Audit... I
>> haven't configured this yet because I don't know what port to use on the
>> secure logging server. I've seen some references to 288 and 289. Port
>> 289 is open on the server. Is that the one to use, or if not, how do I
>> tell? Thanks.
>>
> Use port 289.
OK, I've now configured it with the private IP address of the BM server
and port 289. I've run RUNAUD.NCF again (still getting no feedback),
unloaded AUDITDS.NLM, AUDITNW.NLM, LENGINE.NLM, and loaded them all
again. Restarting iManager, BorderManager still does not appear as a
log application.
-J.W.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***
>
>
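
The text data store records quoted in the post above can be triaged with a short script. This is an added example, not part of the original thread or of Novell's tooling; the record layout and event wording are inferred from the three sample records only (an assumption), and the names `SAMPLE`, `unwrap` and `parse` are illustrative.

```python
import re
from email.utils import parsedate_to_datetime

# Records copied from the post above, with its line wrapping left as posted.
SAMPLE = r"""[Mon, 27 Oct 2008 06:46:24 -0600] [eDirInst\Object]: User .[Public]. has
logged out of server \OurTree\AV\BorderManager\OurNBMServer
[Mon, 27 Oct 2008 06:54:55 -0600] [eDirInst\Object]: User
..ateacher.Teachers.ES.AV (using null password: No) logged in (NDS Login:
Yes) to server \OureTree\AV\BorderManager\OurNBMServer
[Mon, 27 Oct 2008 08:51:34 -0600] [eDirInst\Meta]: Object
..astudent.Students.MS.AV locked by intruder detection"""

RECORD_START = re.compile(r"^\[\w{3}, \d{1,2} \w{3} \d{4} ")
HEADER = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<app>[^\\\]]+)\\(?P<comp>[^\]]+)\]: (?P<msg>.*)$")
# Event wording inferred from these three samples only (assumption).
EVENTS = {
    "logout": re.compile(r"^User (?P<who>\S+) has logged out of server (?P<server>\S+)$"),
    "login": re.compile(r"^User (?P<who>\S+) \(using null password: (?P<null_pw>\w+)\) "
                        r"logged in \(NDS Login: (?P<nds>\w+)\) to server (?P<server>\S+)$"),
    "intruder_lockout": re.compile(r"^Object (?P<who>\S+) locked by intruder detection$"),
}
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def unwrap(text):
    """Join wrapped continuation lines onto the record that started them."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def parse(text):
    """Return one dict per record: time, app, component, type, fields, has_ip."""
    events = []
    for rec in unwrap(text):
        head = HEADER.match(rec)
        if not head:
            continue  # not a record header we recognise
        event = {"time": parsedate_to_datetime(head["ts"]), "app": head["app"], "type": "unknown",
                 "component": head["comp"], "has_ip": bool(IPV4.search(head["msg"]))}
        for name, pattern in EVENTS.items():
            m = pattern.match(head["msg"])
            if m:
                event.update(m.groupdict(), type=name)
                break
        events.append(event)
    return events
```

Calling `parse(SAMPLE)` returns three events (logout, login, intruder lockout), each with `has_ip` false, which is the missing source address described in the post.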

10-27-2008, 12:50 PM
#4
Guest
Re: Auditing not working
Jim Wagner wrote:
> Restarting iManager, BorderManager still does not appear as a
> log application.
It may not matter, but just to clarify, I actually just logged out of
iManager in my browser and back in. I didn't restart Tomcat on the server.
-J.W.

10-27-2008, 05:27 PM
#5
Guest
Re: Auditing not working
In article <p2kNk.4572$Fg1.2062@kovat.provo.novell.com>, Jim Wagner wrote:
> That's what I was thinking, too. I've tried configuring logging of user
> logins, logouts, and intruder detection, which I've been needing to do
> anyway. Unfortunately it's only partially working. It's logging
> logins, but isn't providing the IP address.
I'm not sure if it is supposed to, especially for just logins. Might be
able to add additional logging and get the IP address with the login.
> It's logging logouts only
> of the [Public] object - whatever that implies.
I suspect that you don't see user logouts because users almost never
actually log out. Try using the Novell Connections menu in the red N on
the system tray and Detach from a server or the network. That would be an
explicit logout (I think).
The BMgr server is probably doing a login related to something like the
scmserviceprocess looking for updates to the VPN config.
> Intruder lockouts are
> being logged, but again with no IP address.
Again, I'm not sure that is considered specific logout activity. Probably
need to log some other attribute to get that data.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

10-27-2008, 05:27 PM
#6
Guest
Re: Auditing not working
In article <9rlNk.4620$Fg1.717@kovat.provo.novell.com>, Jim Wagner wrote:
> It may not matter, but just to clarify, I actually just logged out of
> iManager in my browser and back in. I didn't restart Tomcat on the server.
>
I'd at least try rebooting the BMgr server once.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

10-27-2008, 06:18 PM
#7
Guest
Re: Auditing not working
Craig Johnson wrote:
> I'd at least try rebooting the BMgr server once.
I did reboot at least twice when initially trying to set this all up
last Friday. I've rebooted again, however, and NBM still does not show
up as a log application under auditing. Just to make sure I'm in the
right place and not doing something stupid, here are the log
applications that do appear:
eDirectory Instrumentation
iChain Instrumentation
Identity Manager
Logfile Parser
NAudit Instrumentation
NetWare Instrumentation
NMAS Instrumentation
SecretStore
Windows
I noticed something when rebooting the server this time. On the BM
status screen where it shows the cache loading and the various proxies
that are active I found this message:
"Proxy Nsure Audit initialization failed with error code = 9"
I've searched Novell Support and Google for this message. I found only
one mention of it, back in August 2007. The guy who posted never
received a reply, so I'm not sure where to go with this. Thanks.
-J.W.

10-27-2008, 06:21 PM
#8
Guest
Re: Auditing not working
Craig Johnson wrote:
> I'm not sure if it is supposed to, especially for just logins. Might be
> able to add additional logging and get the IP address with the login.
>
> I suspect that you don't see user logouts because users almost never
> actually log out. Try using the Novell Connections menu in the red N on
> the system tray and Detach from a server or the network. That would be an
> explicit logout (I think).
Isn't a logout from Windows also a logout from the eDir tree? I'll do
some experimentation here when I have a chance. Right now my main
concern is keeping an eye on our students' web surfing habits.
-J.W.

10-28-2008, 10:29 AM
#9
Guest
Re: Auditing not working
In article <EhqNk.4714$Fg1.2811@kovat.provo.novell.com>, Jim Wagner
wrote:
> Isn't a logout from Windows also a logout from the eDir tree?
>
No.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

10-29-2008, 01:06 PM
#10
Guest
Re: Auditing not working
I too am interested in the resolution as I'm having the same issues.
BM3.9 sp1, Netware 6.5 sp7 - I've also gotten the ACLCheck.nlm patch.
Craig, you seemed to skip over the Proxy NSure Audit initialization
failed with Error code 9. This is on the Proxy Console Server screen.
thanks //Bill
--
wilkinwm
------------------------------------------------------------------------
wilkinwm's Profile: http://forums.novell.com/member.php?userid=10349
View this thread: http://forums.novell.com/showthread.php?t=348695