eDirectory 8.8 SP6 XDAS Audit to Syslog



By: sashwin

November 16, 2010 4:56 pm


Author: Ashwin S

Introduction

The XDASv2 specification provides a standardized classification for audit events. It defines a set of generic events at the level of a global distributed system, and a common, portable audit record format that makes it possible to merge and analyze audit information coming from multiple components of that system. XDASv2 events are encapsulated in a hierarchical notation that allows the standard (or an existing) event identifier set to be extended. eDirectory 8.8 SP6 supports the XDASv2 format for logging eDirectory events to syslog.

Installing eDirectory XDASv2 File

The eDirectory standalone installer installs all the files required for XDASv2 support by default. These are the packages and binaries on the different platforms:

  • On Linux
    • novell-edirectory-xdaslog
    • novell-edirectory-xdaslog-conf
    • novell-edirectory-xdasinstrument
  • On Solaris
    • NOVLlog
    • NOVLedirxdasin
  • On Windows (available in the installation directory)
    • xdasauditds.dlm
    • xdaslog.dll

Configuring eDirectory XDASv2 Property File

The eDirectory XDASv2 property file is located at '/etc/opt/novell/configuration/xdasconfig.properties' for the root instance, and in the customized location for non-root instances. You can customize the file according to your requirements.

The following is the content of the XDASv2 property file:

# Set the level of the root logger to DEBUG and attach appenders.
#log4j.rootLogger=debug, S, R
# Defines appender S to be a SyslogAppender. 
#log4j.appender.S=org.apache.log4j.net.SyslogAppender
# Defines location of Syslog server.
#log4j.appender.S.Host=localhost
#log4j.appender.S.Port=port
# Specify protocol to be used (UDP/TCP/SSL)
#log4j.appender.S.Protocol=UDP
# Specify SSL certificate file for SSL connection.
# File path should be given with double backslash.
#log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem
# Minimum log-level allowed in syslog.
#log4j.appender.S.Threshold=INFO
# Defines the type of facility.
#log4j.appender.S.Facility=USER
# Layout definition for appender Syslog S.
#log4j.appender.S.layout=org.apache.log4j.PatternLayout
#log4j.appender.S.layout.ConversionPattern=%c : %p%m%n
# Defines appender R to be a Rolling File Appender.
#log4j.appender.R=org.apache.log4j.RollingFileAppender
# Log file for appender R.
#log4j.appender.R.File=/var/opt/novell/eDirectory/log/xdas-events.log
# Max size of log file for appender R.
#log4j.appender.R.MaxFileSize=100MB
# Set the maximum number of backup files to keep for appender R.
# Max can be 13. If set to zero, then there will be no backup files.
#log4j.appender.R.MaxBackupIndex=10
# Layout definition for appender Rolling log file R.
#log4j.appender.R.layout=org.apache.log4j.PatternLayout
#log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c : %p%m%n

Uncomment and modify the following lines in the configuration file above:

log4j.rootLogger=debug, S

log4j.appender.S=org.apache.log4j.net.SyslogAppender

log4j.appender.S.Host=localhost
log4j.appender.S.Port=514

log4j.appender.S.Protocol=UDP

log4j.appender.S.Threshold=INFO

log4j.appender.S.Facility=USER

log4j.appender.S.layout=org.apache.log4j.PatternLayout
log4j.appender.S.layout.ConversionPattern=%c : %p%m%n

To send the events to a remote syslog server, set log4j.appender.S.Host to that server's IP address (or hostname); all eDirectory audit events are then delivered to that host. Note that with Protocol=UDP the events travel in clear text and without delivery guarantees; the property file also supports TCP and SSL (with SSLCertFile) as the transport.

Loading the Modules

After you have configured the property file, load the XDASv2 modules as follows:

  • On Linux/Solaris, run the following command to load the eDirectory XDASv2 modules:

    ndstrace -c "load xdasauditds"
  • On Windows, run ndscons.exe, select the xdasauditds.dlm module from the list of modules and click Start.

Managing and Configuring eDirectory events

You can manage and configure eDirectory for XDASv2 auditing using Novell iManager. The iManager plug-in for XDASv2 is installed with eDirectory by default. These are the steps to configure events:

  1. Log in to the iManager console.
  2. Select eDirectory Auditing->Audit Configuration from Roles and Tasks.
  3. Specify the NCP Server.
  4. Configuring Events
    1. Select DS, LDAP, or both for the XDASv2 event settings.
    2. For Log event values, select either Log Large Values or Do Not Log Large Values.
    3. Select the required events from the list of events.
  5. Configuring XDASv2 Roles
    1. Select object classes for which you want to collect events.
    2. Set any number of attributes for the object classes you have selected.
    3. Click Apply to confirm the modifications. The selected attributes appear in this list.
  6. Configuring XDASv2 Accounts
    1. Select object classes from the list for which you want to collect events.
    2. Selected object classes appear in this list.
    3. Click Apply after adding the object classes.

Logging of Events

Events are written to the destinations specified in the xdasconfig.properties file. Any application or third-party developer can consume the events from syslog for their own auditing requirements. The Threshold setting in xdasconfig.properties can be changed to obtain messages of the required severity; the change takes effect after eDirectory is restarted. Here is a sample event produced when a user is created:

Oct 11 12:22:55 eDirectory: INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "90_129","Name" : "CN=test,O=novell"},"Entity" : {"SysAddr" : "192.168.1.129","SysName" : "test"}},"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32842"}},"Target" : {"Data" : {"ClassName" : "User"},"Account" : {"Domain" : "90_129","Name" : "CN=XDAS-user,O=novell","Id" : "599298"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_ACCOUNT","CorrelationID" : "eDirectory#23#7bb3d063-8fca-4957-68ab-63d0b37bca8f","SubEvent" : "DSE_CREATE_ENTRY"},"Time" : {"Offset" : 1281509575},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
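To make these records usable for monitoring, the following added example (not code from the article or from NetIQ) extracts the JSON payload from each syslog line produced by the ConversionPattern above, returns a flat record, and counts account-creation events per initiator. It assumes Time.Offset is Unix epoch seconds, and its input is constructed: the page's own record plus an unrelated daemon message and a truncated XDAS record, so that non-XDAS and malformed lines are skipped rather than crashing the parser.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone
# Constructed input: the CREATE_ACCOUNT record shown above re-joined onto one
# syslog line, plus an unrelated daemon message and a truncated XDAS record.
XDAS_JSON = (
    '{"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "90_129","Name" : '
    '"CN=test,O=novell"},"Entity" : {"SysAddr" : "192.168.1.129","SysName" : "test"}},'
    '"Initiator" : {"Account" : {"Name" : "CN=admin,O=novell","Id" : "32842"}},"Target" : '
    '{"Data" : {"ClassName" : "User"},"Account" : {"Domain" : "90_129","Name" : "CN=XDAS-user,O=novell",'
    '"Id" : "599298"}},"Action" : {"Event" : {"Id" : "0.0.2.0","Name" : "CREATE_ACCOUNT","CorrelationID" : '
    '"eDirectory#23#7bb3d063-8fca-4957-68ab-63d0b37bca8f","SubEvent" : "DSE_CREATE_ENTRY"},'
    '"Time" : {"Offset" : 1281509575},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}'
)
SAMPLE_LINES = [
    "Oct 11 12:22:55 eDirectory: INFO " + XDAS_JSON,
    "Oct 11 12:23:01 sshd[2201]: Accepted publickey for alice from 10.0.0.5",
    'Oct 11 12:23:05 eDirectory: INFO {"Source" : "eDirectory#DS","Action" : }',
]
# Header shape from the ConversionPattern "%c : %p%m%n": "<timestamp> <logger>: <level> <json>"
SYSLOG_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d [^:]+: (?P<level>[A-Z]+) (?P<json>\{.*\})$")

def parse_xdas_line(line):
    """Return a flat record for an XDAS event line, or None for anything else."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    try:
        ev = json.loads(m.group("json"))
    except ValueError:  # truncated or otherwise malformed payload
        return None
    action = ev.get("Action", {})
    event = action.get("Event", {})
    offset = action.get("Time", {}).get("Offset")  # assumed: Unix epoch seconds
    return {
        "event_id": event.get("Id"),
        "event": event.get("Name"),
        "initiator": ev.get("Initiator", {}).get("Account", {}).get("Name"),
        "target": ev.get("Target", {}).get("Account", {}).get("Name"),
        "target_class": ev.get("Target", {}).get("Data", {}).get("ClassName"),
        "time_utc": datetime.fromtimestamp(offset, timezone.utc).isoformat()
        if isinstance(offset, int) else None,
        "outcome": action.get("Outcome"),
    }

def account_creations_by_initiator(lines):
    """Count CREATE_ACCOUNT events per initiator DN; non-XDAS lines are skipped."""
    recs = (parse_xdas_line(line) for line in lines)
    return Counter(r["initiator"] for r in recs if r and r["event"] == "CREATE_ACCOUNT")
```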


Categories: eDirectory, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

1 Comment

  1. By: davidkrotil

    Hi,
    there aren't XDAS packages.
