A.0 Setting Up Cloud Manager to Log to a Sentinel Collector

NetIQ has created a Sentinel Collector to provide data capture capabilities for NetIQ Cloud Manager Application Server 2.1.5. Sentinel must be installed and operational before attempting to use this Collector.

The Collector parses, normalizes, and enhances records received from a data source (known as an Observer). Other Event Source Management (ESM) components like Connectors and Collector Managers perform functions such as remote protocol connections and data mapping. To learn more about Sentinel and its components, see the NetIQ Sentinel product page or the NetIQ Sentinel product documentation.

You can download a custom-built Sentinel Collector plug-in for Cloud Manager at the Sentinel Plug-ins Web site. The site also has a link to download documentation for the Cloud Manager Collector.

If you choose to use this Collector, you need to configure Cloud Manager to send its syslog information to the Collector. Use the following steps to set up Cloud Manager.

  1. At the Cloud Manager Application Server, modify the file: /opt/netiq/cloudmanager/etc/cmauditlogger.properties.

    1. In the properties file, change the following line

      log4j.appender.CMSYSLOG.layout.ConversionPattern=%m\n
      

      to look like this:

      log4j.appender.CMSYSLOG.layout.ConversionPattern=NQ_CloudManager: %m\n
      
    2. In the properties file, change the current audit location line

      log4j.category.com.novell.cm.audit.api.impl.AuditLogger=INFO, CMFILE
      

      to look like this:

      log4j.category.com.novell.cm.audit.api.impl.AuditLogger=INFO, CMFILE, CMSYSLOG
      
    3. (Optional) If you don’t want the local audit file, change the current audit location line

      log4j.category.com.novell.cm.audit.api.impl.AuditLogger=INFO, CMFILE
      

      to look like this:

      log4j.category.com.novell.cm.audit.api.impl.AuditLogger=INFO, CMSYSLOG
      
    4. Save the properties file and restart the Application Server.

  2. At the Cloud Manager Application Server, configure syslog to receive messages from the Application Server and then send them to the Sentinel server. To do this, modify the file: /etc/syslog-ng/syslog-ng.conf.

    1. In the syslog file, add a new source. For example:

      source r_src { udp(ip("localhost") port(514)); };
      
    2. (Conditional) If other services are already logging locally over UDP, you can add a filter line in the syslog file. For example:

      filter f_ncm        { facility(syslog) and match('NQ_CloudManager:'); };
      

      NOTE: The facility value (syslog) shown in the line above must match the facility specified in the cmauditlogger.properties file. The default is syslog.

    3. In the syslog file, create a destination and log entry for syslog. For example:

      destination sentinel { tcp("###.###.###.##" port(1468)); };
      log { source(r_src); filter(f_ncm); destination(sentinel); };
      

      NOTE: The port number shown in the first line above must match the port for the Syslog TCP listener on the Sentinel server.

    4. Save the file and restart syslog on the Application Server. On SUSE Linux Enterprise Server 11, the syslog restart command looks like this:

      /etc/init.d/syslog-ng restart

  3. Ensure that the Sentinel Collector for NetIQ Cloud Manager is added to Sentinel and that the Syslog TCP connector in Sentinel is configured and running.
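
The script below is an added example, not part of the NetIQ documentation or the Collector package. It checks that the tag added to the ConversionPattern in step 1 is the same string the f_ncm filter matches in step 2, so that audit events are not filtered out before they reach Sentinel. The function names are hypothetical, and the sample files and the 192.0.2.10 address are constructed.

```shell
#!/bin/sh
# Added example (not NetIQ code): check that the edits in steps 1 and 2 agree.
# Tag written before %m in the CMSYSLOG ConversionPattern (empty if none).
cm_prefix() {
    sed -n 's/^log4j\.appender\.CMSYSLOG\.layout\.ConversionPattern=\(.*\)%m.*$/\1/p' "$1" |
        sed 's/[[:space:]]*$//'
}

# True if the AuditLogger category lists CMSYSLOG among its appenders.
cm_logs_to_syslog() {
    grep -Eq '^log4j\.category\.com\.novell\.cm\.audit\.api\.impl\.AuditLogger=.*[, ]CMSYSLOG([, ]|$)' "$1"
}

# String passed to match() in the f_ncm filter of syslog-ng.conf.
ng_filter_match() {
    sed -n "s/^[[:space:]]*filter[[:space:]]*f_ncm.*match(['\"]\([^'\"]*\)['\"]).*/\1/p" "$1"
}

# Port of the tcp() destination named "sentinel" (the name used on this page).
ng_sentinel_port() {
    sed -n 's/^[[:space:]]*destination[[:space:]]*sentinel.*tcp(.*port(\([0-9]*\)).*/\1/p' "$1"
}

# Usage: check_cm_forwarding PROPERTIES_FILE SYSLOG_NG_CONF
check_cm_forwarding() {
    rc=0
    prefix=$(cm_prefix "$1"); want=$(ng_filter_match "$2"); port=$(ng_sentinel_port "$2")
    cm_logs_to_syslog "$1" || { echo "AuditLogger does not list CMSYSLOG"; rc=1; }
    [ -n "$prefix" ] || { echo "ConversionPattern has no tag before %m"; rc=1; }
    [ "$prefix" = "$want" ] || { echo "filter matches '$want', pattern emits '$prefix'"; rc=1; }
    [ -n "$port" ] || { echo "no tcp() destination named sentinel"; rc=1; }
    [ "$rc" -eq 0 ] && echo "ok: tag '$prefix' forwarded to Sentinel TCP port $port"
    return "$rc"
}

# Constructed sample files mirroring the lines shown in the steps above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/cmauditlogger.properties" <<'EOF'
log4j.appender.CMSYSLOG.layout.ConversionPattern=NQ_CloudManager: %m\n
log4j.category.com.novell.cm.audit.api.impl.AuditLogger=INFO, CMFILE, CMSYSLOG
EOF
cat > "$demo_dir/syslog-ng.conf" <<'EOF'
source r_src { udp(ip("localhost") port(514)); };
filter f_ncm        { facility(syslog) and match('NQ_CloudManager:'); };
destination sentinel { tcp("192.0.2.10" port(1468)); };
log { source(r_src); filter(f_ncm); destination(sentinel); };
EOF
check_cm_forwarding "$demo_dir/cmauditlogger.properties" "$demo_dir/syslog-ng.conf"
rm -rf "$demo_dir"
```

To check a live Application Server, call check_cm_forwarding with /opt/netiq/cloudmanager/etc/cmauditlogger.properties and /etc/syslog-ng/syslog-ng.conf. The reported port still has to be compared by hand with the Syslog TCP listener configured on the Sentinel server.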