20.1.1 Specifying the Logging Server and Console Events

The Secure Logging Server manages the flow of information to and from the auditing system. It receives incoming events and requests, logs information to the data store, monitors designated events, and provides filtering and notification services. In addition, you can configure it to automatically reset critical system attributes according to a specified policy.

To specify the logging server, perform the following steps:

  1. Click Auditing.

  2. Specify the following details. Each field name is listed, followed by its description:

    Audit Messages Using

    Select any one of the following options:

    • Platform Agent (Discontinued): Only on an upgraded Access Manager

    • Log File (Not Recommended For Production): Only on a fresh installation of Access Manager

      The audit events are sent to a local log file.

      On Windows:

      • Identity Server and ESP: "C:\Program Files\Novell\Syslog\audit_common.log"

      • Access Gateway: "C:\Program Files\Novell\Syslog\audit_ag.log"

      On Linux:

      • Identity Server and ESP: /var/opt/novell/syslog/audit_common.log

      • Access Gateway: /var/opt/novell/syslog/audit_ag.log

    • Syslog: From the list, select a syslog server. The available options are:

      • Send to Sentinel: The audit events are sent in CSV format.

      • Send to Third party: The audit events are sent in JSON format.

        NOTE: If Administration Console is configured as a remote audit server for syslog, the audit logs are written to the following location: /var/log/NAM_Audits.log.

      • Send to Analytics Server: The audit events are sent in CSV format.

    Server Listening Address

    Specify the IP address or DNS name of the audit logging server you want to use. By default, the system uses the primary Administration Console IP address. If you want to use a different Secure Logging Server, specify that server here. For example, if you select syslog, specify the syslog server details here.

    NOTE: If you have enabled the Analytics Server cluster configuration, the virtual IP address is populated automatically. For information about cluster configuration, see Post-Installation Cluster Configuration for Analytics Server.

    Access Manager supports auditing through syslog only on TCP.

    On Windows, if syslog is selected for auditing, the Server Listening Address field is disabled. To specify the server details, manually install and configure the local syslog client.

    Server Public NAT Address

    If your auditing server is in a private network, enter the public NAT IP address of the auditing server through which devices can reach it.

    To use a Sentinel server or a Sentinel Log Manager, specify the IP address or DNS name of the Sentinel.

    Port

    Specify the port that the Platform Agents or syslog uses to connect to the Secure Logging Server.

    • Platform Agent: The default secure logging server port is 1289.

    • Syslog:

      • For Sentinel server, the default port is 1468.

      • For third-party syslog servers, specify the configured port of that server.

      • For Analytics Server, specify 1468.

    NOTE: If you select Sentinel server for auditing through syslog, you must use the latest Access Manager Collector for Sentinel.

    Stop Service on Audit Server Failure

    Enable this option to stop the Apache services when the audit server is offline or unreachable and audit events cannot be cached.

    Management Console Audit Events

    Select the system-wide events you want to audit:

    Select All: Selects all of the audit events.

    Health Changes: Generated whenever the health of a server changes.

    Server Imports: Generated whenever a server is imported into Administration Console.

    Server Deletes: Generated whenever a server is deleted from Administration Console.

    Server Statistics: Generated periodically whenever statistics are generated for a server.

    Configuration Changes: Generated whenever you change a server configuration.

  3. Click OK.

    If you did not change the address or port of the Secure Logging Server, this completes the process. It might take up to fifteen minutes for the events you selected to start appearing in the audit files.

  4. (Conditional) If you want to change the IP Address of Analytics Server, you must change the IP Address of the primary Analytics Server. For information about changing the primary IP address, see Section 4.5.4, Managing Details of a Cluster.

  5. (Conditional) If Administration Console is the only Access Manager component installed on the machine and you have changed the address or port of the Secure Logging Server, complete the following steps:

    For security reasons, the Novell Audit Configuration file cannot be modified using Administration Console when it is the only Access Manager component on the machine. It can only be edited by a system administrator.

    For Administration Console, if syslog is selected for auditing, manually perform the following configuration (applicable only on SLES 11 SP4):

    1. In the /etc/sysconfig/syslog file, change the SYSLOG_DAEMON value to rsyslog. This makes rsyslog the default syslog daemon if it is not already.

    2. Edit the /etc/rsyslog.d/nam.conf file and specify the following parameters:

      Sample nam.conf file:

      $InputTCPServerRun 1290
      $template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
      local0.* @@172.16.50.50:1468;ForwardFormat

      This configures the local rsyslog agent to listen on local TCP port 1290 and forward the audit messages to the remote server 172.16.50.50 on port 1468.

    3. Restart the local syslog daemon.

    4. Select the audit message format and audit server type by editing the file /etc/Auditlogging.cfg.

      Sample Auditlogging.cfg file:

      LOGDEST=syslog
      FORMAT=JSON
      SERVERIP=127.0.0.1
      SERVERPORT=1290

    5. Restart Administration Console.

    6. Open a terminal window, then enter the command for your platform:

      Linux: /etc/init.d/novell-ac restart or rcnovell-ac restart

      Windows:

      • For Administration Console: net stop Tomcat8, then net start Tomcat8

      • For Identity Server and Access Gateway: net stop Tomcat, then net start Tomcat

      To restart syslog, run the following commands:

      • For SLES 11 SP4: rcrsyslog restart

      • For SLES 12 SP2: rcsyslog restart

      • For RHEL 6.9: service rsyslog restart

      • For RHEL 7.4: systemctl restart rsyslog.service

    7. Restart each device imported into Administration Console.

      The devices (Identity Server and Access Gateway) do not start reporting events until they have been restarted.
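The following shell script is an added example, not part of the Access Manager documentation or product. It checks the two files edited in steps 2 and 4 above for the mistakes that most often leave a device "restarted but not reporting": a forward rule that uses UDP (`@`) instead of TCP (`@@`), which Access Manager does not support for syslog auditing, and a SERVERPORT in /etc/Auditlogging.cfg that does not match the $InputTCPServerRun port rsyslog actually listens on. The sample files it builds are constructed copies of the nam.conf and Auditlogging.cfg samples from this section, written to a temporary directory; the function names and the second, deliberately broken sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the Access Manager documentation): sanity-check
# the nam.conf and Auditlogging.cfg files before restarting any component.

# Return 0 when the rsyslog forward rule in $1 uses "@@" (TCP). Access Manager
# supports auditing through syslog only on TCP; a single "@" would mean UDP.
forward_is_tcp() {
  grep -E '^local0\.\*[[:space:]]+@@' "$1" >/dev/null 2>&1
}

# Print the TCP port rsyslog listens on ($InputTCPServerRun) from file $1.
rsyslog_listen_port() {
  awk '$1 == "$InputTCPServerRun" { print $2; exit }' "$1"
}

# Print the value of key $2 from a KEY=VALUE file $1 (Auditlogging.cfg style).
cfg_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 when Auditlogging.cfg ($2) sends to syslog on the local agent and
# uses the same port that nam.conf ($1) listens on.
configs_consistent() {
  listen=$(rsyslog_listen_port "$1")
  [ "$(cfg_value "$2" LOGDEST)" = "syslog" ] &&
  [ "$(cfg_value "$2" SERVERIP)" = "127.0.0.1" ] &&
  [ -n "$listen" ] &&
  [ "$(cfg_value "$2" SERVERPORT)" = "$listen" ]
}

# Constructed sample files mirroring the samples in this section; prints the directory.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/nam.conf" <<'EOF'
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.* @@172.16.50.50:1468;ForwardFormat
EOF
  cat > "$dir/Auditlogging.cfg" <<'EOF'
LOGDEST=syslog
FORMAT=JSON
SERVERIP=127.0.0.1
SERVERPORT=1290
EOF
  printf '%s\n' "$dir"
}

# Constructed broken variant (assumed for the example): UDP forward and a
# SERVERPORT that does not match the rsyslog listener.
make_bad_samples() {
  dir=$(mktemp -d)
  printf '%s\n' '$InputTCPServerRun 1290' 'local0.* @172.16.50.50:1468' > "$dir/nam.conf"
  printf '%s\n' 'LOGDEST=syslog' 'FORMAT=JSON' 'SERVERIP=127.0.0.1' 'SERVERPORT=1289' > "$dir/Auditlogging.cfg"
  printf '%s\n' "$dir"
}

# Run both checks against the files in directory $1; return 0 only if all pass.
check_dir() {
  ok=0
  forward_is_tcp "$1/nam.conf" || { echo "nam.conf: forward rule is not TCP (@@)"; ok=1; }
  configs_consistent "$1/nam.conf" "$1/Auditlogging.cfg" ||
    { echo "Auditlogging.cfg does not match the rsyslog listener"; ok=1; }
  [ "$ok" -eq 0 ] && echo "$1: audit configuration consistent"
  return "$ok"
}
```

To use it on a real Administration Console host, source the file and run `check_dir` against a directory containing the two files (for example, copy /etc/rsyslog.d/nam.conf and /etc/Auditlogging.cfg into one temporary directory); the sample builders are only there so the checks can be exercised offline.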