2.7 Enabling Auditing

LDAP Proxy allows you to audit the activities on the proxy and on the back-end directory servers. For example, you can track session details, LDAP policy decisions, and back-end activities. The proxy supports the traditional method of auditing as well as XDAS standards-based auditing.

2.7.1 Configuring Proxy Paths

The <proxy-paths> node is an optional node that defines the location of certain mandatory directories that are installed during proxy installation.

By default, the <proxy-paths> node is defined in the nlpconf.xml file as follows:

<proxy-paths>
 <dir-config> /etc/opt/novell/ldapproxy/conf</dir-config>
 <dir-log> /var/opt/novell/ldapproxy/log</dir-log>
</proxy-paths>

Configuration Parameters

The following elements and parameters are used to configure proxy paths:

  • <dir-config>: The location of the conf directory. In the sample configuration, the location specified is /etc/opt/novell/ldapproxy/conf.

  • <dir-log>: The location of the log file. In the sample configuration, the location specified is /var/opt/novell/ldapproxy/log.

2.7.2 Configuring Audit Events Using XDAS

Although LDAP Proxy supports both traditional auditing and XDAS standards-based auditing, NetIQ recommends that you use XDAS auditing.

XDAS auditing supports auditing through Syslog appender and file appender. Syslog appender supports event logging over UDP, TCP and SSL protocols. File appender supports event logging through rolling files.

The following is a sample configuration of XDAS events:

<!-- XDAS configuration -->
<proxy-xdas-config>
 <xdas-event>AUTHENTICATE_SESSION</xdas-event>
 <xdas-event>UNAUTHENTICATE_SESSION</xdas-event>
 <xdas-event>MODIFY_ACCOUNT</xdas-event>
</proxy-xdas-config>

The following table lists how traditional LDAP Proxy events are mapped to XDAS events.

Table 2-1 Mapping LDAP Proxy Events to XDAS Events

Proxy Event ID | Proxy Event | XDAS Event(s) | XDAS Event ID(s)

LDAP Events
  1442817 | LDAP Bind requests received | AUTHENTICATE_SESSION | 0.0.11.0
  1442818 | LDAP Bind responses sent | AUTHENTICATE_SESSION | 0.0.11.0
  1442819 | LDAP Unbind requests received | UNAUTHENTICATE_SESSION | 0.0.11.1
  1442820 | LDAP Search requests received | QUERY_ACCOUNT, QUERY_DATA_ITEM_ATTRIBUTE, QUERY_ROLE | 0.0.0.4, 0.0.2.2, 0.0.8.4
  1442821 | LDAP Search Result Entry responses sent | QUERY_ACCOUNT, QUERY_DATA_ITEM_ATTRIBUTE | 0.0.0.4, 0.0.2.2
  1442822 | LDAP Search Done responses sent | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2
  1442823 | LDAP Search Referral responses sent | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2
  1442824 | LDAP Modify requests received | MODIFY_ACCOUNT, MODIFY_DATA_ITEM_ATTRIBUTE, MODIFY_ROLE | 0.0.0.5, 0.0.2.3, 0.0.8.5
  1442825 | LDAP Modify responses sent | MODIFY_ACCOUNT, MODIFY_DATA_ITEM_ATTRIBUTE, MODIFY_ROLE | 0.0.0.5, 0.0.2.3, 0.0.8.5
  1442826 | LDAP Add requests received | CREATE_ACCOUNT, CREATE_DATA_ITEM, CREATE_ROLE | 0.0.0.0, 0.0.2.0, 0.0.8.0
  1442827 | LDAP Add responses sent | CREATE_ACCOUNT, CREATE_DATA_ITEM, CREATE_ROLE | 0.0.0.0, 0.0.2.0, 0.0.8.0
  1442828 | LDAP Delete requests received | DELETE_ACCOUNT, DELETE_DATA_ITEM, DELETE_ROLE | 0.0.0.1, 0.0.2.1, 0.0.8.1
  1442829 | LDAP Delete responses sent | DELETE_ACCOUNT, DELETE_DATA_ITEM, DELETE_ROLE | 0.0.0.1, 0.0.2.1, 0.0.8.1
  1442830 | LDAP Modify DN requests received | MODIFY_ACCOUNT, MODIFY_DATA_ITEM_ATTRIBUTE | 0.0.0.5, 0.0.2.3
  1442831 | LDAP Modify DN responses sent | MODIFY_ACCOUNT, MODIFY_DATA_ITEM_ATTRIBUTE | 0.0.0.5, 0.0.2.3
  1442832 | LDAP Compare requests received | QUERY_ACCOUNT, QUERY_DATA_ITEM_ATTRIBUTE, QUERY_ROLE | 0.0.0.4, 0.0.2.2, 0.0.8.4
  1442833 | LDAP Compare responses sent | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2
  1442834 | LDAP Abandon requests received | TERMINATE_DATA_ITEM_ASSOCIATION | 0.0.6.1
  1442835 | LDAP Extended requests received | QUERY_DATA_ITEM_ATTRIBUTE, QUERY_ROLE | 0.0.2.2, 0.0.8.4
  1442836 | LDAP Extended responses received | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2
  1442837 | LDAP Extended intermediate responses received | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2
  1442838 | LDAP Start TLS requests received | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2
  1442839 | LDAP Start TLS responses sent | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2
  1442840 | LDAP Stop TLS requests received | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2
  1442841 | LDAP Unknown requests received | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2
  1442842 | LDAP Unknown responses received | QUERY_DATA_ITEM_ATTRIBUTE | 0.0.2.2

Policy Events
  1443073 | Connections rejected | TERMINATE_SESSION | 0.0.1.1
  1443074 | Requests denied | DESTROY_ACCESS_TOKEN | 0.0.11.5
  1443075 | Routes not found for incoming requests | RESOURCE_UNAVAILABLE | 0.0.9.4
  1443076 | Connection routes changed | MODIFY_SESSION | 0.0.1.3

Back-end Events
  1443329 | Back-end server status changed to up | ENABLE_SERVICE | 0.0.3.5
  1443330 | Back-end server status changed to down | DISABLE_SERVICE | 0.0.3.4
  1443331 | Back-end server status changed to slow | MODIFY_SERVICE_CONFIGURATION | 0.0.3.3
  1443332 | Servers in a back-end group that are down | DISABLE_SERVICE | 0.0.3.4
  1443333 | Back-end server maximum connection limit exceeded | REMOVE_SERVICE | 0.0.3.1
  1443334 | LDAP Proxy system request sent to the back-end server | INVOKE_SERVICE | 0.0.4.0

Session Events
  1442561 | New sessions created | CREATE_SESSION | 0.0.1.0
  1442562 | Sessions terminated | TERMINATE_SESSION | 0.0.1.1
  1442563 | Sessions whose identity has changed | MODIFY_SESSION | 0.0.1.3

System Events
  1442305 | LDAP Proxy system initialized | START_SYSTEM | 0.0.9.0
  1442306 | LDAP Proxy system shut down | SHUTDOWN_SYSTEM | 0.0.9.1

Event System Events
  1442049 | Event producers and consumers registered or deregistered | CONFIGURE_AUDIT_SERVICE | 0.0.10.0
  1442050 | Event producers and consumers that register or deregister events | CONFIGURE_AUDIT_SERVICE | 0.0.10.0

Configuring the XDAS Audit Events

To configure XDAS audit events:

  1. Open the nlpconf.xml file from the /etc/opt/novell/ldapproxy/conf directory in any XML editor.

  2. Create an instance similar to the sample configuration. This <proxy-xdas-config> node must be defined after the <proxy-paths> node in the configuration file.

  3. Use the <xdas-event> element to define the XDAS audit events.

    For the XDAS events that can be configured and the proxy events they map to, refer to Table 2-1.

  4. Save the nlpconf.xml file.

Configuring the XDASv2 Property File

When you install LDAP Proxy, the installer lays down the xdasconfig.properties file in the /etc/opt/novell/ldapproxy/conf directory.

The following is the content of the XDASv2 property file:

# Set the level of the root logger to DEBUG and attach appenders.
#log4j.rootLogger=debug, S, R
# Defines appender S to be a SyslogAppender. 
#log4j.appender.S=org.apache.log4j.net.SyslogAppender
# Defines location of Syslog server.
#log4j.appender.S.Host=localhost
#log4j.appender.S.Port=port
# Specify protocol to be used (UDP/TCP/SSL)
#log4j.appender.S.Protocol=UDP
# Specify SSL certificate file for SSL connection.
# File path should be given with double backslash.
#log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem
# Minimum log-level allowed in syslog.
#log4j.appender.S.Threshold=INFO
# Defines the type of facility.
#log4j.appender.S.Facility=USER
# Defines caching for SyslogAppender.
# Inputs should be yes/no
#log4j.appender.S.CacheEnabled=no
# Cache location directory
# Directory should be available for creating cache files
#log4j.appender.S.CacheDir=/var/opt/novell/ldapproxy
# Cache File Size
# Cache File Size should be in the range of 50MB to 4000MB
#log4j.appender.S.CacheMaxFileSize=500MB
# Layout definition for appender Syslog S.
#log4j.appender.S.layout=org.apache.log4j.PatternLayout
#log4j.appender.S.layout.ConversionPattern=%c : %p%m%n
# Defines appender R to be a Rolling File Appender.
#log4j.appender.R=org.apache.log4j.RollingFileAppender
# Log file for appender R.
#log4j.appender.R.File=/var/opt/novell/ldapproxy/log/xdas-events.log
# Max size of log file for appender R.
#log4j.appender.R.MaxFileSize=100MB
# Set the maximum number of backup files to keep for appender R.
# Max can be 13. If set to zero, then there will be no backup files.
#log4j.appender.R.MaxBackupIndex=10
# Layout definition for appender Rolling log file R.
#log4j.appender.R.layout=org.apache.log4j.PatternLayout
#log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c : %p%m%n

Table 2-2 XDASv2 Property File

Option | ID
Syslog Appender | S
Rolling File Appender | R

The entries in the xdasconfig.properties file are not case sensitive, entries can appear in any order, empty lines are valid, and any line that starts with a hash (#) is commented out.

NOTE: If you add or delete any event in the nlpconf.xml file, restart LDAP Proxy for the changes to take effect.

The following table provides an explanation of each setting in the xdasconfig.properties file.

Table 2-3 XDAS Settings

Setting

Description

log4j.rootLogger=debug, S, R

Sets the level of the root logger to debug and attaches the appenders listed after it: S is the Syslog appender and R is the Rolling File appender. List only the appenders you want active.

log4j.appender.S=org.apache.log4j.net.SyslogAppender

Specifies the appender S to be a Syslog appender.

log4j.appender.S.Host=localhost

Specifies the location of the Syslog server where XDAS events are logged.

For example, log4j.appender.S.Host=192.168.0.1

log4j.appender.S.Port=port

The port on which XDAS connects to the Syslog server. Replace the placeholder port with the actual port number.

The port supports values from 1 to 65535. If you specify an invalid value, the port defaults to 514.

If the connection between XDAS and the Syslog server fails, LDAP Proxy cannot log events to Syslog until the connection is restored, unless XDAS event caching is enabled (see Enabling XDAS Event Caching).

log4j.appender.S.Protocol=UDP

Specifies the protocol to use. For example, UDP, TCP, or SSL.

log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem

Specifies the SSL certificate file for the SSL connection. Use double backslashes to specify the path of the file. This is an optional setting.

log4j.appender.S.Threshold=INFO

Specifies the minimum log level allowed in the Syslog appender. Currently, the INFO log level is supported.

log4j.appender.S.Facility=USER

Specifies the type of facility. The facility is used to classify the message. Currently, only the USER facility is supported. The value can be specified in upper or lower case.

log4j.appender.S.layout=org.apache.log4j.PatternLayout

Layout setting for Syslog appender.

log4j.appender.S.layout.ConversionPattern=%c : %p%m%n

Layout setting for Syslog appender. For information about the conversion patterns and their descriptions, see logging.apache.org.

log4j.appender.R=org.apache.log4j.RollingFileAppender

Specifies appender R to be a Rolling File appender

log4j.appender.R.File=/var/opt/novell/ldapproxy/log/xdas-events.log

The location of the log file for a Rolling File appender.

log4j.appender.R.MaxFileSize=100MB

The maximum size, in MBs, of the log file for a Rolling File appender. Set this value to the maximum size that the client allows.

log4j.appender.R.MaxBackupIndex=10

Specify the maximum number of backup files for a Rolling File appender. The maximum number of the backup files can be 10. A zero value means no backup files.

log4j.appender.R.layout=org.apache.log4j.PatternLayout

Layout setting for Rolling File appender.

log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c : %p%m%n

Layout setting for Rolling File appender. See Table 2-4 for simple date format patterns.

For information about the conversion patterns and their descriptions, see logging.apache.org.

The following examples illustrate date and time patterns interpreted in the U.S. locale. The given date and time are 2012-07-04 12:08:56 local time in the U.S. Pacific Time zone.

Table 2-4 Date and Time Pattern Example

Date and Time Pattern | Result
"yyyy.MM.dd G 'at' HH:mm:ss z" | 2012.07.04 AD at 12:08:56 PDT
"EEE, MMM d, ''yy" | Wed, Jul 4, '12
"h:mm a" | 12:08 PM
"hh 'o''clock' a, zzzz" | 12 o'clock PM, Pacific Daylight Time
"K:mm a, z" | 0:08 PM, PDT
"yyyyy.MMMMM.dd GGG hh:mm aaa" | 02012.July.04 AD 12:08 PM
"EEE, d MMM yyyy HH:mm:ss Z" | Wed, 4 Jul 2012 12:08:56 -0700
"yyMMddHHmmssZ" | 120704120856-0700
"yyyy-MM-dd'T'HH:mm:ss.SSSZ" | 2012-07-04T12:08:56.235-0700

Enabling Syslog Appender

Use the Syslog appender if you want to centralize the audit messages in one place. A Syslog server also offers better backup support in the event of a disaster.

To enable the Syslog appender, make the following changes in the xdasconfig.properties file:

  1. Uncomment the log4j.rootLogger entry and change it to attach only the Syslog appender S:

    log4j.rootLogger=debug, S

  2. Uncomment the following entries and replace the Host and Port placeholders with the address and port of your Syslog server. SSLCertFile is needed only when Protocol is SSL:

    log4j.appender.S=org.apache.log4j.net.SyslogAppender
    log4j.appender.S.Host=localhost
    log4j.appender.S.Port=port
    log4j.appender.S.Protocol=UDP
    log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem
    #log4j.appender.S.Threshold=INFO
    #log4j.appender.S.Facility=USER
    #log4j.appender.S.layout=org.apache.log4j.PatternLayout
    #log4j.appender.S.layout.ConversionPattern=%c : %p%m%n
  3. Restart nlpd.

Enabling Rolling File Appender

The Rolling File appender is preferred if auditing is limited to an individual server. It is also easy to set up because it involves few components, which makes it well suited for demonstrations.

To enable the Rolling File appender, make the following changes in the xdasconfig.properties file:

  1. Uncomment the log4j.rootLogger entry and change it to attach only the Rolling File appender R:

    log4j.rootLogger=debug, R

  2. Uncomment the following entries:

    log4j.appender.R=org.apache.log4j.RollingFileAppender
    log4j.appender.R.File=/var/opt/novell/ldapproxy/log/xdas-events.log
    log4j.appender.R.MaxFileSize=100MB
    log4j.appender.R.MaxBackupIndex=10
    log4j.appender.R.layout=org.apache.log4j.PatternLayout
    log4j.appender.R.layout.ConversionPattern=%d{MMM dd HH:mm:ss} %c : %p%m%n
  3. Restart nlpd.

Enabling XDAS Event Caching

LDAP Proxy allows you to optionally store XDAS events locally on the agent in a Syslog Appender cache. With events cached, if the agent cannot communicate with the auditing server, the audit events generated are retained, ensuring that audit data is not lost. The agent then attempts to re-send the cached events when the agent computer can once again communicate with the auditing server.

XDAS event caching is disabled by default. To enable event caching, complete the steps below.

  1. On the agent computer, navigate to the location of the XDASv2 property file. The xdasconfig.properties file is located at /etc/opt/novell/ldapproxy/conf/xdasconfig.properties by default.

  2. Use a text editor to open the xdasconfig.properties file.

  3. Within the property file, navigate to the log4j.appender.S.CacheEnabled property and change the property value to yes.

  4. If you want to cache events in a specific directory, modify the value of the log4j.appender.S.CacheDir property to specify the directory path. The default path is /var/opt/novell/ldapproxy. If you specify a directory, ensure that the directory path is a valid location on the server. If the specified path does not exist, the Syslog Appender logs events to the default location.

  5. If you want to specify a custom file size for the cache, modify the value of the log4j.appender.S.CacheMaxFileSize property. The default value is 100 MB. The minimum value should be 50 MB, with a maximum value of 4 GB.

  6. Save and close the xdasconfig.properties file.

  7. Restart nlpd.
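The checks a practitioner would run over xdasconfig.properties before restarting nlpd, written here as an added example; it is not part of LDAP Proxy or its documentation. The parser follows the file rules stated above (entries are not case sensitive, lines starting with # are comments). The constraints it checks are the ones on this page: Protocol must be UDP, TCP or SSL; Port must be 1 to 65535 or the appender falls back to 514; CacheMaxFileSize must be 50MB to 4000MB; SSL needs an SSLCertFile. The two warnings it adds are the operational consequences of those settings: UDP or TCP syslog to a remote collector carries the audit trail in clear text with no server authentication, and a remote collector with caching off loses every event generated while the collector is unreachable. The host names and certificate paths in the two constructed samples are invented.

```python
"""Lint an LDAP Proxy xdasconfig.properties before restarting nlpd.

Added example, not shipped with the product. Parses the file as the page
describes it (keys not case sensitive, '#' lines are comments), checks the
constraints the page states, and warns about a clear-text remote transport
and a remote collector without local caching. Sample hosts/paths are made up.
"""
import re

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_properties(text):
    """Return {lower-cased key: value}; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip().lower()] = value.strip()
    return props


def size_mb(value):
    """Parse '500MB' -> 500; return None for anything else."""
    match = re.fullmatch(r"(\d+)\s*MB", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def lint_syslog(p):
    """Checks for appender S, based on the documented Protocol/Port/cache rules."""
    findings = []
    host = p.get("log4j.appender.s.host", "")
    proto = p.get("log4j.appender.s.protocol", "").upper()
    port = p.get("log4j.appender.s.port", "")
    if not host:
        findings.append("error: log4j.appender.S.Host is not set")
    if proto not in ("UDP", "TCP", "SSL"):
        findings.append(f"error: Protocol must be UDP, TCP or SSL, got {proto!r}")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"warning: Port {port!r} is not in 1-65535; the appender falls back to 514")
    remote = host.lower() not in LOCAL_HOSTS
    if remote and proto in ("UDP", "TCP"):
        findings.append(f"warning: {proto} to remote host {host} sends audit events in clear text "
                        "with no server authentication; use Protocol=SSL")
    if proto == "SSL" and not p.get("log4j.appender.s.sslcertfile"):
        findings.append("error: Protocol=SSL requires log4j.appender.S.SSLCertFile")
    cache = p.get("log4j.appender.s.cacheenabled", "no").lower()
    if remote and cache != "yes":
        findings.append(f"warning: CacheEnabled={cache} with a remote collector: events generated "
                        "while the collector is unreachable are lost")
    if cache == "yes":
        size = size_mb(p.get("log4j.appender.s.cachemaxfilesize", ""))
        if size is None or not 50 <= size <= 4000:
            findings.append("error: CacheMaxFileSize must be between 50MB and 4000MB")
    return findings


def lint_xdas_properties(text):
    """Return 'error: ...' / 'warning: ...' strings; an empty list means clean."""
    p = parse_properties(text)
    parts = [x.strip() for x in p.get("log4j.rootlogger", "").split(",")]
    appenders = [x.upper() for x in parts[1:] if x]
    findings = [] if appenders else ["error: log4j.rootLogger attaches no appender; nothing is written"]
    for app in appenders:  # every attached appender needs its class line uncommented
        if f"log4j.appender.{app.lower()}" not in p:
            findings.append(f"error: appender {app} is attached but log4j.appender.{app} is not defined")
    if "S" in appenders:
        findings += lint_syslog(p)
    return findings


# Constructed sample: the "uncomment" step taken literally and pointed at a remote
# collector. The Port placeholder is still the word 'port' and nothing is cached.
WEAK = """\
log4j.rootLogger=debug, S
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=10.0.0.5
log4j.appender.S.Port=port
log4j.appender.S.Protocol=UDP
log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem
#log4j.appender.S.Threshold=INFO
"""

# Constructed sample: SSL to the collector with a CA file, local cache enabled.
HARDENED = """\
log4j.rootLogger=debug, S
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=syslog.example.internal
log4j.appender.S.Port=6514
log4j.appender.S.Protocol=SSL
log4j.appender.S.SSLCertFile=/etc/opt/novell/ldapproxy/conf/syslog-ca.pem
log4j.appender.S.CacheEnabled=yes
log4j.appender.S.CacheDir=/var/opt/novell/ldapproxy
log4j.appender.S.CacheMaxFileSize=500MB
"""
```

Running lint_xdas_properties(WEAK) shows the trap in taking the procedure literally: the Port value is still the placeholder word port, so the appender silently falls back to 514, and UDP to a remote collector is neither encrypted nor authenticated, so the audit trail can be read or forged on the wire. lint_xdas_properties(HARDENED) returns an empty list: SSL with a certificate file, a real port, and caching switched on so that events survive a collector outage.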

2.7.3 Configuring Audit Events

You can configure a specific set of events for traditional auditing or for XDAS auditing individually, or configure both auditing systems together.

Auditing lets you monitor the user activity that occurs on the proxy, including LDAP requests, back-end server status, policy actions, configuration changes, and session details. This helps you detect and resolve potential problems early, so that users are not denied access to critical services.

The proxy configuration allows you to specify the kind of events that must be audited. The following types of events can be monitored:

  • LDAP Events

  • Policy Events

  • Back-end Events

  • Session Events

  • System Events

  • Event System Events

You can configure all the events to be monitored by using the <proxy-audit-config> node in the configuration file. However, this is an optional configuration.

The following is a sample configuration for defining audit events. The events to be monitored are specified by using the <event-id> element. The sample configuration monitors events with event-ids 1442305 and 1442306, which means to monitor the LDAP Proxy systems that are initialized and shut down:

<proxy-audit-config audit-file-size-mb="512">
 <event-id>1442305</event-id>
 <event-id>1442306</event-id>
</proxy-audit-config>

To configure audit events:

  1. Open the nlpconf.xml file from the /etc/opt/novell/ldapproxy/conf directory in any XML editor.

  2. Create an instance similar to the sample configuration. This <proxy-audit-config> node must be defined after the <proxy-paths> node in the configuration file.

  3. Use the <event-id> element to define the audit events.

    For more information about the various events that can be monitored and their IDs, refer to Table 2-5.

  4. (Optional) Specify the size of the audit log file in the audit-file-size-mb attribute. The default file size is 1 GB. If you do not want to specify the file size, remove this attribute from the configuration.

  5. Save the nlpconf.xml file.
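An added check for the auditing nodes of nlpconf.xml, serving both this procedure and the XDAS procedure above; it is example code, not a tool that ships with LDAP Proxy. The rules it enforces are the ones stated on this page: <proxy-xdas-config> and <proxy-audit-config> must follow <proxy-paths>, XDAS event names must come from Table 2-1, traditional event-ids from Table 2-5, and audit-file-size-mb must be a positive integer. It also answers a question the two tables leave to the reader: which traditional events a given set of <xdas-event> entries will actually record. The <nlp-config> root element used in the constructed samples is an assumption about the surrounding file layout, which this page does not show.

```python
"""Check the auditing nodes of an LDAP Proxy nlpconf.xml before restarting nlpd.

Added example, not part of the product. It applies the rules the page states
(<proxy-xdas-config> and <proxy-audit-config> follow <proxy-paths>, XDAS names
from Table 2-1, event-ids from Table 2-5, audit-file-size-mb a positive integer)
and reports which traditional events an XDAS selection covers. The root element
<nlp-config> used in the samples is an assumption about the file layout.
"""
import xml.etree.ElementTree as ET

# Table 2-1 inverted: XDAS event name -> traditional proxy event-ids it records.
XDAS_TO_PROXY_IDS = {
    "AUTHENTICATE_SESSION": {1442817, 1442818}, "UNAUTHENTICATE_SESSION": {1442819},
    "QUERY_ACCOUNT": {1442820, 1442821, 1442832}, "QUERY_ROLE": {1442820, 1442832, 1442835},
    "QUERY_DATA_ITEM_ATTRIBUTE": {1442820, 1442821, 1442822, 1442823, 1442832, 1442833,
                                  1442835, 1442836, 1442837, 1442838, 1442839, 1442840,
                                  1442841, 1442842},
    "MODIFY_ACCOUNT": {1442824, 1442825, 1442830, 1442831},
    "MODIFY_DATA_ITEM_ATTRIBUTE": {1442824, 1442825, 1442830, 1442831},
    "MODIFY_ROLE": {1442824, 1442825},
    "CREATE_ACCOUNT": {1442826, 1442827}, "CREATE_DATA_ITEM": {1442826, 1442827},
    "CREATE_ROLE": {1442826, 1442827}, "DELETE_ACCOUNT": {1442828, 1442829},
    "DELETE_DATA_ITEM": {1442828, 1442829}, "DELETE_ROLE": {1442828, 1442829},
    "TERMINATE_DATA_ITEM_ASSOCIATION": {1442834}, "TERMINATE_SESSION": {1443073, 1442562},
    "DESTROY_ACCESS_TOKEN": {1443074}, "RESOURCE_UNAVAILABLE": {1443075},
    "MODIFY_SESSION": {1443076, 1442563}, "ENABLE_SERVICE": {1443329},
    "DISABLE_SERVICE": {1443330, 1443332}, "MODIFY_SERVICE_CONFIGURATION": {1443331},
    "REMOVE_SERVICE": {1443333}, "INVOKE_SERVICE": {1443334}, "CREATE_SESSION": {1442561},
    "START_SYSTEM": {1442305}, "SHUTDOWN_SYSTEM": {1442306},
    "CONFIGURE_AUDIT_SERVICE": {1442049, 1442050},
}
# Table 2-5: every traditional event-id the proxy can audit.
PROXY_EVENT_IDS = (set(range(1442817, 1442843)) | set(range(1443073, 1443077))
                   | set(range(1443329, 1443335))
                   | {1442561, 1442562, 1442563, 1442305, 1442306, 1442049, 1442050})


def check_audit_config(xml_text):
    """Return a list of problems in the auditing nodes; an empty list means OK."""
    root = ET.fromstring(xml_text)
    tags = [child.tag for child in root]
    problems = []
    if "proxy-paths" in tags:  # optional node; the ordering rule applies only if present
        for node in ("proxy-xdas-config", "proxy-audit-config"):
            if node in tags and tags.index(node) < tags.index("proxy-paths"):
                problems.append(f"<{node}> must be defined after <proxy-paths>")
    for event in root.iter("xdas-event"):
        name = (event.text or "").strip()
        if name not in XDAS_TO_PROXY_IDS:
            problems.append(f"unknown XDAS event {name!r}")
    audit = root.find("proxy-audit-config")
    if audit is not None:
        size = audit.get("audit-file-size-mb")
        if size is not None and not (size.isdigit() and int(size) > 0):
            problems.append(f"audit-file-size-mb must be a positive integer, got {size!r}")
        for event in audit.findall("event-id"):
            text = (event.text or "").strip()
            if not text.isdigit() or int(text) not in PROXY_EVENT_IDS:
                problems.append(f"unknown traditional event-id {text!r}")
    return problems


def covered_proxy_events(xml_text):
    """Traditional event-ids (Table 2-5) that the configured <xdas-event> entries record."""
    covered = set()
    for event in ET.fromstring(xml_text).iter("xdas-event"):
        covered |= XDAS_TO_PROXY_IDS.get((event.text or "").strip(), set())
    return covered


# Constructed sample: the page's three snippets in the documented order.
GOOD = """<nlp-config>
 <proxy-paths>
  <dir-config> /etc/opt/novell/ldapproxy/conf</dir-config>
  <dir-log> /var/opt/novell/ldapproxy/log</dir-log>
 </proxy-paths>
 <proxy-xdas-config>
  <xdas-event>AUTHENTICATE_SESSION</xdas-event>
  <xdas-event>UNAUTHENTICATE_SESSION</xdas-event>
  <xdas-event>MODIFY_ACCOUNT</xdas-event>
 </proxy-xdas-config>
 <proxy-audit-config audit-file-size-mb="512">
  <event-id>1442305</event-id>
  <event-id>1442306</event-id>
 </proxy-audit-config>
</nlp-config>"""

# Constructed sample: XDAS node before <proxy-paths>, a misspelt XDAS event,
# a non-numeric file size and an event-id that does not exist.
BAD = """<nlp-config>
 <proxy-xdas-config><xdas-event>AUTHENTICATE_SESION</xdas-event></proxy-xdas-config>
 <proxy-paths>
  <dir-config>/etc/opt/novell/ldapproxy/conf</dir-config>
  <dir-log>/var/opt/novell/ldapproxy/log</dir-log>
 </proxy-paths>
 <proxy-audit-config audit-file-size-mb="big"><event-id>9999999</event-id></proxy-audit-config>
</nlp-config>"""
```

For the GOOD sample, covered_proxy_events shows that the three XDAS events from the sample configuration record Bind requests and responses, Unbind requests, and Modify and Modify DN traffic (proxy event-ids 1442817 to 1442819, 1442824, 1442825, 1442830 and 1442831), and nothing else; Search, Add and Delete activity would need the QUERY_*, CREATE_* and DELETE_* events as well. A misspelt event name is reported rather than silently ignored, which matters because the proxy must be restarted before an audit change takes effect.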

Table 2-5 Audit Events

Event-id | Description

LDAP Events
  1442817 | The LDAP Bind requests that are received.
  1442818 | The LDAP Bind responses that are sent.
  1442819 | The LDAP Unbind requests that are received.
  1442820 | The LDAP Search requests that are received.
  1442821 | The LDAP Search Result Entry responses that are sent.
  1442822 | The LDAP Search Done responses that are sent.
  1442823 | The LDAP Search Referral responses that are sent.
  1442824 | The LDAP Modify requests that are received.
  1442825 | The LDAP Modify responses that are sent.
  1442826 | The LDAP Add requests that are received.
  1442827 | The LDAP Add responses that are sent.
  1442828 | The LDAP Delete requests that are received.
  1442829 | The LDAP Delete responses that are sent.
  1442830 | The LDAP Modify DN requests that are received.
  1442831 | The LDAP Modify DN responses that are sent.
  1442832 | The LDAP Compare requests that are received.
  1442833 | The LDAP Compare responses that are sent.
  1442834 | The LDAP Abandon requests that are received.
  1442835 | The LDAP Extended requests that are received.
  1442836 | The LDAP Extended responses that are received.
  1442837 | The LDAP Extended intermediate responses that are received.
  1442838 | The LDAP Start TLS requests that are received.
  1442839 | The LDAP Start TLS responses that are sent.
  1442840 | The LDAP Stop TLS requests that are received.
  1442841 | The LDAP Unknown requests that are received.
  1442842 | The LDAP Unknown responses that are received.

Policy Events
  1443073 | The connections that are rejected.
  1443074 | The requests that are denied.
  1443075 | The routes that are not found for incoming requests.
  1443076 | The connection routes that are changed.

Back-end Events
  1443329 | The back-end servers whose status is changed to up.
  1443330 | The back-end servers whose status is changed to down.
  1443331 | The back-end servers whose status is changed to slow.
  1443332 | The servers in a back-end group that are down.
  1443333 | The back-end servers whose maximum connection limit has been exceeded.
  1443334 | The LDAP Proxy system request sent to the back-end server.

Session Events
  1442561 | The new sessions that are created.
  1442562 | The sessions that are terminated.
  1442563 | The sessions whose identity has been changed.

System Events
  1442305 | The LDAP Proxy systems that have been initialized.
  1442306 | The LDAP Proxy systems that have been shut down.

Event System Events
  1442049 | The event producers and consumers that are registered or deregistered.
  1442050 | The event producers and consumers that register or deregister events.