4.2 Configuring Data Collection for Novell Audit Server

The following sections describe how to configure the port on which the audit server receives data and how to set the audit server options:

4.2.1 Specifying the Audit Server Settings

To specify the data collection settings for the audit server:

  1. Log in to the Sentinel Log Manager as an administrator.

  2. Click the collection link in the upper left corner of the page.

    The Collection tab is displayed on the right pane of the page.

  3. Select the Event Source Servers tab.

  4. In the Audit Server section, select On or Off to start or stop data collection for the audit server.

  5. In the Audit Server section, specify the port on which the Sentinel Log Manager server listens to messages from the event sources.

    For more information about setting the port, see Port Configuration and Port Forwarding for the Audit Server.

  6. Set the appropriate client authentication and server key pairs settings.

    For more information about client authentication, see Client Authentication for the Audit Server.

  7. Select the Sentinel Log Manager server behavior when the number of events received exceeds the buffer capacity.

    Temporarily pause connections: Drops the existing connections and stops accepting new connections until the buffer has space for the new messages. In the meantime, messages are cached by the event sources.

    Drop oldest messages: Drops the oldest messages to accept new messages.

    WARNING: There is no supported method for recovering dropped messages if you select Drop oldest messages.

  8. Select Idle Connection to disconnect event sources that have not sent data for a certain period of time.

    The event source connections are automatically re-created when they start sending data again.

  9. Specify the number of minutes before an idle connection is disconnected.

  10. Select Event Signatures to receive a signature with the event.

    To receive a signature, the Platform Agent on the event source must be configured properly.

  11. Click Reset to restore the previous settings before saving.

  12. Click Save to save the new settings.

    The Save button is disabled until a valid port is specified for the server.

These settings might affect data collection for several servers (for example, multiple eDirectory™ instances). However, they do not start or stop services on the event source machines.

Changes on this page take effect immediately.

To view the health of the audit server and its event sources, see Section 4.4, Managing Event Sources.

4.2.2 Setting the Audit Server Options

Administrators can change how Sentinel Log Manager listens for data from the event source applications: the port on which Sentinel Log Manager listens and the type of authentication between the event source and the Sentinel Log Manager.

Port Configuration and Port Forwarding for the Audit Server

The default port on which Log Manager listens for messages from the server is 1289. When the port is changed, the system checks whether the specified port is valid and open.

Binding to ports below 1024 requires root privileges, so use a port above 1024. You can either change the source devices to send data to a higher port or use port forwarding on the Sentinel Log Manager server.

To change the event source to send data to a different port:

  1. Log in to the event source machine.

  2. Open the logevent file for editing. The file location depends on the operating system:

    • Linux: /etc/logevent.conf

    • Windows*: C:\WINDOWS\logevent.cfg

    • NetWare®: SYS:\etc\logevent.cfg

    • Solaris: /etc/logevent.conf

  3. Set the LogEnginePort parameter to the desired port.

  4. Save the file.

  5. Restart the Platform Agent.

    The method varies by operating system and application. Reboot the machine or refer to the application specific documentation on the Novell Documentation Web Site for more instructions.

To configure port forwarding on the Sentinel Log Manager server:

  1. Log in to the Sentinel Log Manager server operating system as root (or su to root).

  2. Open the /etc/init.d/boot.local file for editing.

  3. Add the following command at the end of the bootup process:

    iptables -A PREROUTING -t nat -p protocol --dport incoming_port -j DNAT --to-destination IP:rerouted_port

    where protocol is tcp or udp, incoming_port is the port on which the messages are arriving, and IP:rerouted_port is the IP address of the local machine and an available port above 1024.

  4. Save the changes.

  5. Reboot. If you cannot reboot immediately, run the iptables command in Step 3 from a command line.
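The following shell function is an added example, not part of the Novell documentation: it validates the arguments for the DNAT rule from Step 3 (protocol tcp or udp, numeric ports, rerouted port above 1024) and prints the iptables line so it can be reviewed before being appended to /etc/init.d/boot.local. The function names and the sample port and IP values are assumptions.

```shell
#!/bin/sh
# Added example (not from the Novell documentation). Function names
# build_audit_dnat_rule and is_port are assumed; the sample values are constructed.

# Return 0 if $1 is an integer in the range 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Usage: build_audit_dnat_rule <tcp|udp> <incoming port> <local IP> <rerouted port>
# Prints the iptables command on success; prints an error and returns 1 otherwise.
build_audit_dnat_rule() {
    proto=$1; in_port=$2; ip=$3; out_port=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp (got '$proto')" >&2; return 1 ;;
    esac
    is_port "$in_port"  || { echo "invalid incoming port: '$in_port'" >&2; return 1; }
    is_port "$out_port" || { echo "invalid rerouted port: '$out_port'" >&2; return 1; }
    # Log Manager does not run as root, so the port it listens on must be above 1024.
    if [ "$out_port" -le 1024 ]; then
        echo "rerouted port must be above 1024 (got $out_port)" >&2
        return 1
    fi
    printf 'iptables -A PREROUTING -t nat -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$proto" "$in_port" "$ip" "$out_port"
}

# Constructed example: event sources still send to privileged port 289 on this host
# (IP 192.0.2.10), and Log Manager listens on the default port 1289.
build_audit_dnat_rule tcp 289 192.0.2.10 1289
```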

Client Authentication for the Audit Server

The event sources send their data over an SSL connection, and the Client authentication setting for the Sentinel Log Manager server determines what kind of authentication is performed for the certificates from the audit server on the event sources.

Open: No authentication is required. Log Manager does not request, require, or validate a certificate from the event source.

Loose: A valid X.509 certificate is required from the event source, but the certificate is not validated. It does not need to be signed by a certificate authority.

Strict: A valid X.509 certificate is required from the event source, and it must be signed by a trusted certificate authority. If the event source does not present a valid certificate, Log Manager does not accept its event data.

Creating a Truststore

For strict authentication, you must have a truststore that contains either the event source’s certificate or the certificate for the certificate authority (CA) that signed the event source’s certificate. After you have a DER or PEM certificate, you can create the truststore by using the CreateTruststore utility that comes with Log Manager.

  1. Log in to the Sentinel Log Manager server as novell.

  2. Go to /opt/novell/sentinel_log_mgr_1.0_x86/data/updates/done.

  3. Unzip the audit_connector.zip file.

    unzip audit_connector.zip

  4. Either copy TruststoreCreator.sh or TruststoreCreator.bat to the machine with the certificates or copy the certificates to the machine with the TruststoreCreator utility.

  5. Run the TruststoreCreator.sh utility.

    TruststoreCreator.sh -keystore /tmp/my.keystore -password password1 -certs /tmp/cert1.pem,/tmp/cert2.pem

    In this example, the TruststoreCreator utility creates a keystore file called my.keystore that contains two certificates (cert1.pem and cert2.pem) in it. It is protected by the password password1.

Importing a Truststore

For strict authentication, the administrator can import a truststore by using the Import button. This helps ensure that only authorized event sources are sending data to Log Manager. The truststore must include either the certificate of the event source or the certificate of the certificate authority that signed it.

The following procedure must be run on the machine that has the truststore on it. You can open a Web browser on the machine with the truststore or move the truststore to any machine with a Web browser.

  1. Log in to the Sentinel Log Manager as an administrator.

  2. Click the collection link in the upper left corner of the page.

    The Collection tab is displayed on the right pane of the page.

  3. Select the Event Source Servers tab.

  4. In the Audit Server section, select the Strict option under Client authentication.

  5. Click Browse and browse to the truststore file (for example, my.keystore).

  6. Specify the password for the truststore file.

  7. Click Import.

  8. If desired, click Details to see more information about the truststore.

  9. Click Reset to restore the previous settings before saving.

  10. Click Save.

After the truststore is imported successfully, you can click Details to see the certificates included in the truststore.

Server Key Pair

Log Manager is installed with a built-in certificate, which is used to authenticate the Sentinel Log Manager server to the event sources. This certificate can be overridden with a certificate signed by a public certificate authority (CA).

To replace the built-in certificate:

  1. Log in to the Sentinel Log Manager as an administrator.

  2. Click the collection link in the upper left corner of the page.

    The Collection tab is displayed on the right pane of the page.

  3. Select the Event Source Servers tab.

  4. In the Audit Server section, under Server key pairs, select Custom.

  5. Click Browse and browse to the truststore file.

  6. Specify the password for the truststore file.

  7. Click Import.

    If there is more than one public-private key pair in the file, select the desired key pair and click OK.

  8. Click Details to see more information about the server key pair.

  9. Click Reset to restore the previous settings before saving.

  10. Click Save.