NetiQ Sentinel data collection guide


Sentinel Data Collection

Sentinel collects data from servers in two ways:

– Using Audit Server on port 1289 (default)
– Using Syslog Server on port 1468 (default)

1. The Audit Server listens for the Sentinel Audit connector, which collects data from Audit sources (AUDIT)

A. The Platform Agent installed on the target host collects data mainly from the specific systems listed below:

eDirectory 8.7 and later
Identity Manager 3.6 and later
Novell NetWare 6.5 SP8 and later
Novell iManager 2.7 and later
Novell Modular Authentication Service 3.3.4 and later
NetIQ Access Manager 3.1 and later
Identity Manager Role Mapping Administrator 4.0.1 and later
Identity Manager Role Based Provisioning Module 4.0.1 and later

B. The Sentinel Agent collects data through one of the many available plugins, for the systems above as well as others; it is used instead of syslog. (AUDIT)

C. Syslog is another way of gathering the data, on a different port than the Sentinel Agent. (SYSLOG)

Some plugins accept only certain collection methods; the last column of the example table below lists the methods each plugin supports.

Vendor    Product    Released    Collector version    Collection method
AirPatrol    Wireless Locator System    Apr 2010    6.1r1    SYSLOG
Apache    HTTP Server    Sep 2011    2011.1r1    FILE,SYSLOG
Attachmate    Luminet    Jun 2012    2011.1r1    SYSLOG
Barracuda    Web Application Firewall    Apr 2010    6.1r1    SYSLOG
Blue Coat    ProxySG Appliances    Feb 2010    6.1r1    SYSLOG
NetIQ    Change Guardian (Legacy)    Sep 2011    2011.1r1    SYSLOG
NetIQ    Security Manager    Sep 2012    2011.1r2    SYSLOG
NetIQ    UNIX Agent    Sep 2011    2011.1r1    SYSLOG
Nortel    VPN    Sep 2009    6.1r1    SYSLOG
Novell    Access Governance Suite    Apr 2010    6.1r1    DATABASE
Novell    Access Manager SSL VPN    Mar 2010    6.1r1    AUDIT
NetIQ    Access Manager    Oct 2012    2011.1r1    FILE,AUDIT
NetIQ    Cloud Manager    Jun 2012    2011.1r1    FILE,SYSLOG
Novell    Cloud Security Service    May 2011    6.1r1    SYSLOG
Novell    Identity Manager    Apr 2011    6.1r7    AUDIT,SYSLOG

Additional instructions on dependencies are in the documentation shipped with each plug-in, available at:
http://support.novell.com/products/sentinel/secure/sentinelplugins.html

Collecting data:

1. Syslog – basic:
Edit /etc/syslog-ng/syslog-ng.conf and add (use straight double quotes; curly quotes break the parser):

# Forward all messages to the Sentinel Syslog connector over TCP (default port 1468):
destination d_slm { tcp("sentinelserverIP" port(1468)); };
log { source(src); destination(d_slm); };

Then restart syslog-ng (rcsyslog restart) so the new destination takes effect.

Filters can be applied as needed with syslog-ng filter expressions (for example by facility or level) in the log statement, so that only the events Sentinel should see are forwarded.
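To see what the destination above actually puts on the wire, and to check the collector before restarting syslog-ng, here is an added example in Python; it is not part of the original guide or of Sentinel. It builds RFC 3164 lines the way syslog-ng's tcp() destination frames them (PRI = facility * 8 + severity, then timestamp, host, tag and message, newline terminated), pushes them over one TCP connection, and checks that something accepts connections on the collector port. The hostname oes1, the sshd message, the fixed timestamp and the loopback listener are constructed for the example; only the port 1468 comes from the guide.

```python
"""Added example (not part of the original guide or of NetIQ Sentinel): what the
syslog-ng tcp() destination sends, plus a pre-flight check of the collector port.
Host names, the sample event and the loopback listener are constructed here."""
import socket
import threading
from datetime import datetime

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "authpriv": 10, "local0": 16, "local4": 20}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}

SENTINEL_SYSLOG_PORT = 1468  # default Sentinel Syslog connector port (from the guide)


def pri(facility, severity):
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_bsd_syslog(facility, severity, hostname, tag, message, when):
    """One RFC 3164 line as syslog-ng's tcp() destination frames it: newline
    terminated, timestamp 'Mmm dd hh:mm:ss' with a space-padded day."""
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}: {message}\n"


def build_sample_line():
    """Constructed sample event with a fixed timestamp so the output is reproducible."""
    return format_bsd_syslog("auth", "notice", "oes1", "sshd[4242]",
                             "Accepted publickey for root from 10.1.2.3 port 51022",
                             datetime(2012, 9, 3, 14, 7, 9))


def send_to_sentinel(host, port, lines, timeout=3.0):
    """Push lines over one TCP connection, as syslog-ng does; returns bytes sent."""
    data = "".join(lines).encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(data)
    return len(data)


def collector_port_open(host, port, timeout=3.0):
    """Pre-flight check: does anything accept TCP on host:port?  A refused or
    timed-out connect means syslog-ng will queue events and drop them once its
    output queue is full, instead of delivering them to Sentinel."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class LoopbackCollector:
    """Constructed stand-in for the Sentinel listener, bound to 127.0.0.1 on a
    free port so the exchange can be exercised offline.  Accepts one connection."""

    def __init__(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind(("127.0.0.1", 0))
        self._sock.listen(1)
        self.port = self._sock.getsockname()[1]
        self.received = []
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        conn, _ = self._sock.accept()
        buf = b""
        with conn:
            while True:
                chunk = conn.recv(4096)
                if not chunk:          # sender closed: end of stream
                    break
                buf += chunk
        self._sock.close()
        # syslog-ng frames each message with '\n'; split the stream back into lines
        self.received = buf.decode("utf-8").splitlines()

    def lines(self, timeout=5.0):
        """Wait for the sender to close, then return the messages received."""
        self._thread.join(timeout)
        return self.received


if __name__ == "__main__":
    collector = LoopbackCollector()  # stand-in; use the real Sentinel host and 1468 in production
    send_to_sentinel("127.0.0.1", collector.port, [build_sample_line()])
    print("collector received:", collector.lines())
```

Run it once against the loopback collector, then call collector_port_open with the real Sentinel address and 1468 from each source host; a False there means the events will sit in syslog-ng's output queue rather than reach Sentinel, and the forwarding should not be considered working until it returns True.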

2. OES file servers (NSS)

To collect data from NSS volumes you need novell-vigil (installed by default on SLES 11 SP2 and later).
The first step is to copy vlog-v2sent from the Sentinel server. After installing the OES collector pack it is accessible from the Sentinel web GUI:
launch the Control Center -> Solutions Pack (bronze package icon) -> OES collector pack, then highlight Event Source Setup and download the script.
Copy the vlog-v2sent script to each file server, make it executable and run it.

This runs novell-vigil followed by the sentagent service.
It also creates these files:
/usr/local/sbin/sentagent – executable
/usr/local/sbin/sentagent.properties – specifies the Sentinel host and port
/usr/local/sbin/sentsubagent.conf – runs the vlog utility and points to the filter file, vlogfilters, in this directory
/usr/local/sbin/vlogfilters – contains filters for what to log and what not to log

For example you can log:
ADDTRUSTEE and REMOVETRUSTEE for home directories,
ADDTRUSTEE, REMOVETRUSTEE, DELETE and SETINHERITEDRIGHTS for shared directories, as shown below:

cat /usr/local/sbin/vlogfilters
HOMENSSVOLUME1:/** (ADDTRUSTEE REMOVETRUSTEE)
SHAREDNSSVOLUME1:/** (ADDTRUSTEE REMOVETRUSTEE DELETE SETINHERITEDRIGHTS)
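As an added example (not part of the guide or of the OES collector pack), the following Python checks a vlogfilters file before it is copied to every file server: it parses the VOLUME:/pattern (OP ...) lines of the form shown above, answers whether a given NSS event would reach Sentinel, and reports volumes that do not forward an operation you require. The glob semantics (** matches any path under the volume, * one path component), the refusal to accept unparsable lines, and the sample file are this example's own assumptions, based only on the two lines above.

```python
"""Added example (not part of the original guide or of the OES collector pack):
a checker for the vlogfilters syntax shown in the guide.  The semantics assumed
here, 'VOLUME:/pattern (OP OP ...)' with '**' matching any path under the volume
and '*' one path component, are an interpretation of the two sample lines only."""
import re

# Constructed copy of the sample /usr/local/sbin/vlogfilters from the guide
SAMPLE_VLOGFILTERS = """\
# home volumes: only trustee changes are of interest
HOMENSSVOLUME1:/** (ADDTRUSTEE REMOVETRUSTEE)
SHAREDNSSVOLUME1:/** (ADDTRUSTEE REMOVETRUSTEE DELETE SETINHERITEDRIGHTS)
"""

LINE_RE = re.compile(r"^\s*([^:\s]+):(\S+)\s*\(([^)]*)\)\s*$")


def glob_to_regex(pattern):
    """'**' matches any path (including '/'), '*' matches within one directory."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_vlogfilters(text):
    """Returns [(volume, path_regex, {ops})]; blank and '#' lines are skipped.
    Anything else that does not parse raises, so a typo cannot silently disable auditing."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"vlogfilters line {lineno}: cannot parse {raw!r}")
        volume, path, ops = m.groups()
        rules.append((volume.upper(), glob_to_regex(path), set(ops.upper().split())))
    return rules


def is_logged(rules, volume, path, op):
    """Would an event (volume, path, operation) be forwarded to Sentinel?"""
    return any(vol == volume.upper() and rx.match(path) and op.upper() in ops
               for vol, rx, ops in rules)


def audit_gaps(rules, required_ops):
    """Volumes named in the filter file for which no rule forwards every required op.
    Returns {volume: [missing ops]} (empty dict = full coverage)."""
    covered = {}
    for vol, _, ops in rules:
        covered.setdefault(vol, set()).update(ops)
    return {vol: sorted(set(required_ops) - ops)
            for vol, ops in covered.items() if set(required_ops) - ops}


if __name__ == "__main__":
    rules = parse_vlogfilters(SAMPLE_VLOGFILTERS)
    print("DELETE on home volume logged:",
          is_logged(rules, "HOMENSSVOLUME1", "/users/bob/notes.txt", "DELETE"))
    print("gaps:", audit_gaps(rules, ["ADDTRUSTEE", "REMOVETRUSTEE", "DELETE"]))
```

Running audit_gaps with the operations your policy requires, before rolling the file out, catches the common mistake of a volume that forwards trustee changes but not deletions.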

3. eDirectory

Dependencies:
The Platform Agent has to be installed from the script, which creates /etc/logevent.conf specifying the details for the connection to the Sentinel server:

LogHost=sentinelDNS
LogEnginePort=1289

It also adds the lcache process, which caches events when Sentinel is unavailable or overwhelmed. This process can cause problems if the cache grows too large, so keep an eye on its size.

Most of the configuration takes place in iManager by selecting eDirectory audit from the Roles tab.
There is an option to log XDAS events, which are more meaningful, instead of Audit events.
This is done by installing the XDAS rpm and configuring /etc/opt/novell/eDirectory/conf/xdasconfig.properties:

log4j.rootLogger=debug, S
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=<Sentinel Syslog Server IP>
log4j.appender.S.Port=<port>
log4j.appender.S.Protocol=<protocol>
log4j.appender.S.Threshold=INFO
log4j.appender.S.Facility=USER

To start collecting logs, run for each eDirectory instance on the target server (straight quotes, not curly ones):

ndstrace -c "load auditds" (to collect Novell Audit logs)
ndstrace -c "load xdasauditds" (to collect XDAS events)
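Before loading the audit modules it is worth checking that neither file still carries a placeholder. The following Python is an added example, not part of the guide or of eDirectory: it parses logevent.conf and xdasconfig.properties (both samples are constructed from the fragments above), flags unreplaced <...> values, out-of-range ports and UDP as the XDAS transport, and returns the problems as a list so a rollout script can stop before ndstrace is run. The specific checks are this example's own, not something the page or the products prescribe.

```python
"""Added example (not part of the original guide or of eDirectory): a pre-flight
check of /etc/logevent.conf and xdasconfig.properties before the audit modules
are loaded.  Both inputs are constructed; the checks are this example's own."""
import re

# Constructed /etc/logevent.conf for the Platform Agent (Audit -> Sentinel 1289)
SAMPLE_LOGEVENT_CONF = """\
LogHost=sentinelDNS
LogEnginePort=1289
"""

# Constructed xdasconfig.properties with the guide's placeholders left unfilled
SAMPLE_XDAS_UNFILLED = """\
log4j.rootLogger=debug, S
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=<Sentinel Syslog Server IP>
log4j.appender.S.Port=<port>
log4j.appender.S.Protocol=<protocol>
log4j.appender.S.Threshold=INFO
log4j.appender.S.Facility=USER
"""

# The same file with the placeholders filled in (values are assumptions)
SAMPLE_XDAS_FILLED = (SAMPLE_XDAS_UNFILLED
                      .replace("<Sentinel Syslog Server IP>", "10.20.30.40")
                      .replace("<port>", "1468")
                      .replace("<protocol>", "TCP"))

PLACEHOLDER = re.compile(r"<[^>]*>")


def parse_properties(text):
    """key=value lines (Java .properties / logevent.conf style); '#' lines skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_endpoint(host, port, protocol=None):
    """Returns a list of problems with a collector endpoint (empty list = usable)."""
    problems = []

    def unfilled(name, value):
        if not value:
            problems.append(f"{name} is missing")
            return True
        if PLACEHOLDER.search(value):
            problems.append(f"{name} still holds the placeholder {value}")
            return True
        return False

    unfilled("host", host)
    if not unfilled("port", port) and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"port {port!r} is not a valid TCP/UDP port")
    if protocol is not None and not unfilled("protocol", protocol):
        if protocol.upper() == "UDP":
            problems.append("protocol UDP: syslog over UDP silently drops XDAS events under load; use TCP")
        elif protocol.upper() != "TCP":
            problems.append(f"protocol {protocol!r} is neither TCP nor UDP")
    return problems


def check_logevent_conf(text):
    """Platform Agent -> Sentinel Audit Server (port 1289 by default)."""
    p = parse_properties(text)
    return check_endpoint(p.get("LogHost"), p.get("LogEnginePort"))


def check_xdas_properties(text):
    """XDAS log4j SyslogAppender -> Sentinel Syslog connector."""
    p = parse_properties(text)
    problems = check_endpoint(p.get("log4j.appender.S.Host"),
                              p.get("log4j.appender.S.Port"),
                              p.get("log4j.appender.S.Protocol"))
    if p.get("log4j.appender.S") != "org.apache.log4j.net.SyslogAppender":
        problems.append("appender S is not org.apache.log4j.net.SyslogAppender")
    return problems


if __name__ == "__main__":
    print("logevent.conf:", check_logevent_conf(SAMPLE_LOGEVENT_CONF) or "ok")
    print("xdas (unfilled):", check_xdas_properties(SAMPLE_XDAS_UNFILLED))
    print("xdas (filled):", check_xdas_properties(SAMPLE_XDAS_FILLED) or "ok")
```

In a rollout script, read the two real files with open().read(), feed them to these functions and abort on a non-empty list; an eDirectory server whose xdasconfig.properties still says <port> will load xdasauditds without complaint and simply deliver nothing.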
