
GroupWise Webaccess logs on NetWare 6.5?


Hi there,
Is the NetWare File connector the only means of getting the GroupWise
Webaccess logs? This requires NFS or CIFS to be enabled.

Cheers,
Kirk


--
kmaule
------------------------------------------------------------------------
kmaule's Profile: https://forums.netiq.com/member.php?userid=306
View this thread: https://forums.netiq.com/showthread.php?t=46837


Re: GroupWise Webaccess logs on NetWare 6.5?

To date GroupWise does not have an explicit "auditing" function, so yes,
going through the log files with a custom collector is the only way to get
meaningful data out of the system, and that would normally require a File
connector, though you could potentially set up something to send those data
over the wire if you can run something else on the system hosting GW.

Out of curiosity, do you have such a collector? What are the security
events that you are getting from the log files?

Good luck.

Re: GroupWise Webaccess logs on NetWare 6.5?


No, I don't have this configured. Political reluctance to add NFS or,
even worse, CIFS to the GroupWise server. GroupWise 12 may be going in
and that will make collection easier.

Cheers,
Kirk




Re: GroupWise Webaccess logs on NetWare 6.5?


There is not much in the WebAccess logs except some header at the
beginning of each day's new log. Otherwise there are only five types of
events and the ones with the leading "..." are literally what the log
has. Each line gets contained in the s_raw_message2 field.

Any hints or working examples how to parse this info greatly
appreciated!

Kirk
==
02-15-13 00:00:01 ***** WebAccess Configuration Information *****
02-15-13 00:00:01
02-15-13 00:00:01 General Settings:
02-15-13 00:00:01 Agent Version: 8.0.3 (8/27/2012)
02-15-13 00:00:01 Gateway Home Directory: GW_WEB01/GWISE:\DOMAIN\WPGATE\WEBAC70A
02-15-13 00:00:01 NetWare Clustering: Disabled
02-15-13 00:00:01 Server Platform: Novell NetWare 5.70
02-15-13 00:00:01 SNMP: Enabled
02-15-13 00:00:01 Work Directory: SYS:SYSTEM\tmpFiles
02-15-13 00:00:01
02-15-13 00:00:01 Log Settings:
02-15-13 00:00:01 Log File: GW_WEB01/GWISE:\DOMAIN\WPGATE\WEBAC70A\000.prc\0215web.001
02-15-13 00:00:01 Log Level: NORMAL
02-15-13 00:00:01 Max Log File Age (days): 7
02-15-13 00:00:01 Max Log Disk Space (kb): 65536
02-15-13 00:00:01
02-15-13 00:00:01 Client/Server Settings:
02-15-13 00:00:01 IP Address: GW_WEB01 (10.10.0.12)
02-15-13 00:00:01 TCP Port for Incoming Connections: 7205
02-15-13 00:00:01 Client/Server over SSL: Disabled
02-15-13 00:00:01 WebConsole: Enabled
02-15-13 00:00:01 WebConsole Url: http://10.10.0.12:7211
02-15-13 00:00:25 Viewed document: TEXT.htm User: Site_Dom.SitePO.user1
02-15-13 06:14:34 ...itePO.user2 Conversation timed out

02-15-13 06:16:09 ...itePO.user3 Login

02-15-13 06:16:10 ...itePO.user3 Logout

02-15-13 06:17:08 Login failed: user4
02-15-13 07:33:37 Viewed document: Hold Off.doc User: Site_Dom.SitePO.user5




Re: GroupWise Webaccess logs on NetWare 6.5?

If this is a comprehensive list of what you want to collect then creating
a collector should not be too hard. Unfortunately, since the GW folks do
not have a proper auditing method, or really anything informative in these
events (client IP, for example), this may be limited in value, so be sure
it adds enough value to offset the cost (at least in time) to make it.

Typically collectors that read from files parse one line at a time as an
entire event. If that is ever not the case with data from these files
you'll need to do some things to make that work (using the 'Session'
object in the collector code, for example, may be possible, or cleaning up
the log file before Sentinel sees its contents). Once done you just need
to match the lines that you want. Since GW apparently uses the
Y2K-non-compliant and significance-scrambled date format common in the USA,
a regular expression to match the line you want may look like this for the
login/logout events:

(\d{2})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2}) \.\.\.(\S+) (Log\S+)

Using capturing you can then extract the various date pieces ($1, $2, and
$3) or time pieces ($4, $5, and $6), the user's PO.name ($7) and event
($8). From there you parse the event as covered in the SDK's
instructions. You'll probably need a different expression to match the
failed login event:

(\d{2})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2}) (Login failed): (\S+)

Despite the inconsistency in event format you can use patterns like these
in conditionals, basically testing "If this pattern matches then do this;
else if that pattern matches do that; else do something else." At the end
of the day create patterns and conditionals and parsing for all of your
events and then you have a collector.

There was a BrainShare session this year (a couple weeks ago) walking
through the creation of collectors. If you can find the presentation I
would recommend going through it as it was very helpful on these things.
For more help with collectors, try the Plug-in SDK forum:
https://forums.netiq.com/forumdisplay.php?75-DEVELOPERS-Plug-in-SDK

Good luck.