These instructions cover only the installation of the Novell Audit Starter Pack. Novell Audit is designed to integrate with several database applications (e.g., Microsoft SQL Server database, Oracle database, etc.). These instructions cover only the use of MySQL, since it is included in the Novell OS.
Aries>mysql -u root -p
Enter Password: <Enter the Step 1.e Password>
mysql>create database naudit;
mysql>grant all on naudit.* to auditusr@'%' identified by 'novell';
NOTE: This creates the user 'auditusr' with a password of 'novell'. The '%' host wildcard allows that account to connect from any host.
# Novell Audit Platform Agent configuration
# LogHost - Specifies the IP address or DNS name of the Secure
# Logging Server (SLS).
. . . .
# NOTE: Some options may not be available in all versions of Novell Audit.
You need to add the following IDs to the rbsPageMembership attribute, in addition to the ones above:
Once you have added the above four values, click on the "OK" and then "Apply" buttons.
NOTE: If you are missing the naudit.scChannelsPage, naudit.scFiltersPage, or naudit.scAppsPage add the missing values. You need to have all seven values within RBS to get this to function properly.
Result Column definitions.
|Component||The component string is formatted like a DOS pathname, with a backslash ( \ ) separating component parts.
The first part of the component string is the Application Identifier. The Application Identifier is the string the logging application uses to identify itself to the logging server. The Application Identifier is stored in the application's certificate and Application object.
When the Secure Logging Server authenticates an application's connection with the Platform Agent, it associates the Application Identifier with that connection. Thereafter, it automatically adds the Application Identifier to the component string for every event coming from that connection.
For more information on application certificates and authentication, see Chapter 9, "Security and Non-Repudiation," on page 199.
The subsequent portions of the component string are defined by the application. Typically, they identify modules within the application, types of events, etc.
The intent of the component string is to facilitate queries across various products and events. For example, using wildcard characters, you can search for all iChain violations (\ichain\*\violations), all iChain events (\ichain\*), or violations from every logging application (*\violations). You can also use the component string to filter events event chains. See Section 8.2.7, "Verifying Event Authenticity in Novell Audit Report," on page 180.
For a listing of the Novell Audit, eDirectory, and NetWare component strings, see Section A.2, "Component Strings," on page 227.
|EventID||The EventID is comprised of two elements: the HiWord and the LoWord.
For more information, see the Novell Audit SDK (http://developer.novell.com/ndk/naudit.htm).
|GroupID||An ID that can be used to identify related events.
For example, the NetMail instrumentation of Novell Audit uses this field to store the temporary filename assigned to each message as it passes through the message queue. By sorting on the Group ID, NetMail administrators can view all events that occurred as that particular message passed through the message queue.
|Log Level (Severity)||The log level is an indicator of the severity of the reported event.
|IP Address||The IP address of the Platform Agent that logged the event.
By default, Novell Audit stores IP address values in network byte order.
|Client Timestamp||The time the Platform Agent received the event from the logging application.|
|ClientMS The event count field.
When a logging application makes a connection to the Platform Agent, the Secure Logging Server begins counting the events that come over that connection. The count begins at 0 for the initial event and increments by one for every event. If the logging application is restarted, the event count is reset to 0.
Novell Audit Report uses this field to determine how many events are missing if the event signatures are not valid. For more information, see Section 8.2.7, "Verifying Event Authenticity in Novell Audit Report," on page 180.
|Server Timestamp||The time the logging server received the event.|
|Text1||The value of this field depends upon the event. It can contain any text string up to 255 characters.
The Text1 field is vital to the function of the CVR driver. The CVR driver looks in the event's Text1 and Text2 fields to identify the defined attribute and object for a given policy. For more information, see "CVR Channel Driver" on page 104.
|Text2||The value of this field depends upon the event. It can contain any text string up to 255 characters.
The Text2 field is vital to the function of the CVR driver. The CVR driver looks in the event's Text1 and Text2 fields to identify the defined attribute and object for a given policy. For more information, see "CVR Channel Driver" on page 104.
|Text3||The value of this field depends upon the event. It can contain any text string up to 255 characters.|
|Value1||The value of this field depends upon the event. It can contain any numeric value up to 32 bits.|
|Value2||The value of this field depends upon the event. It can contain any numeric value up to 32 bits.|
|Value3||The value of this field depends upon the event. It can contain any numeric value up to 32 bits.|
|Mime hint||This field identifies the type of data contained in the Data field.|
|Target||This field captures the event target.
All eDirectory events store the event's object in the Target field.
|Target Type||This field specifies which predefined format the target and originator are represented in. Defined values for this type are currently:
|Originator||This field captures who or what caused the event to happen.|
|Sub Target||This field captures the sub-component of the target which was affected by the event.
All eDirectory events store the event's attribute in the Sub Target field.
|Data Size||This field identifies the size of the data contained in the Data field.|
|Data||The value of this field depends upon the event. The default size of this field is 3072 characters. You can configure the size of this field in the LogMaxBigData value in logevent.cfg. This value does not set the size of the Data field, but it does set the maximum size that the Platform Agent can log. For more information, see "Logevent" on page 40.
The maximum size of the Data field is defined by the database where the data is logged. Thus the size varies for each database that is used. If the size of the data field logged by the Platform Agent exceeds the maximum size allowed by the database, the channel driver truncates the data in the Data field.
If an event has more data than can be stored in the String and Numeric Value fields, it is possible to store up to 3 KB of binary data in the Data field.
|Signature||The event signature.
Novell Audit digitally signs each event that is logged to the data store. To sign an event, the logging application or the Platform Agent hashes the event data and signs the hash with the Logging Application's private key. The signature is then stored as part of the event. This signature allows the auditor or investigator to determine if an event has been changed.
If event chaining is enabled, each event's signature includes its own data as well as the signature from the previous event. This allows auditors to determine if an event has been deleted or if the sequence of events has been changed.
Event chaining is enabled in the Platform Agent's configuration file, logevent. For information on configuring this option, see "Logevent" on page 40. For information on validating events in Novell Audit Report, see Section 8.2.7, "Verifying Event Authenticity in Novell Audit Report," on page 180.
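The chaining described in the Signature row, together with the event count used to size a gap, shown as an added example that is not Novell Audit code. HMAC-SHA256 stands in for the application's private-key signature, and the key, field names, function names and sample events are all constructed for illustration. It models a single connection with no application restart.

```python
import hashlib
import hmac

# Constructed key. HMAC-SHA256 stands in for the private-key signature the
# page describes, so the example runs with the standard library alone.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample payloads, one per logged event.
SAMPLE = [b"login alice", b"read /payroll", b"chmod /payroll", b"logout alice"]


def sign_event(count, data, prev_sig, key=DEMO_KEY):
    """Sign this event's count and data together with the previous signature."""
    msg = count.to_bytes(4, "big") + data + prev_sig
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_chain(payloads, key=DEMO_KEY):
    """Log events over one connection: the count starts at 0 and adds 1 each."""
    events, prev_sig = [], b""
    for count, data in enumerate(payloads):
        sig = sign_event(count, data, prev_sig, key)
        events.append({"count": count, "data": data, "sig": sig})
        prev_sig = sig
    return events


def verify_chain(events, key=DEMO_KEY):
    """Return findings as tuples; an empty list means the chain is intact."""
    findings, prev_sig, expected = [], b"", 0
    for ev in events:
        want = sign_event(ev["count"], ev["data"], prev_sig, key)
        if not hmac.compare_digest(want, ev["sig"]):
            # Signature is invalid: use the event count to classify the break.
            gap = ev["count"] - expected
            if gap > 0:
                findings.append(("missing", ev["count"], gap))
            elif gap < 0:
                findings.append(("out_of_sequence", ev["count"]))
            else:
                findings.append(("modified", ev["count"]))
        prev_sig, expected = ev["sig"], ev["count"] + 1
    return findings


if __name__ == "__main__":
    log = build_chain(SAMPLE)
    del log[1:3]                      # delete two events from the store
    print(verify_chain(log))          # one finding: two events missing
```

Removing events from the end of the log leaves a chain that still verifies, so detecting tail truncation needs a reference outside the chain, such as a separately recorded last event count.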