Novell Sentinel Log Manager is a powerful log management and reporting solution. It supports collecting and reporting on log and audit data generated by Novell Identity Manager and Novell Open Enterprise Server. This integration enhances Identity Manager and Open Enterprise Server with powerful reporting capabilities.
This session will explain how Sentinel Log Manager can integrate with Identity Manager and Open Enterprise Server to collect log and audit data. It will also show how this integration can be used to provide compelling reports about Identity Manager and Open Enterprise Server activity.
Speaker: David Corlette, Product Line Lead, Novell, Inc.
Using Novell Sentinel Log Manager to Monitor Novell Applications
1. Auditing Novell® Applications
Event Collection with Novell Sentinel Log Manager
David Corlette
Product Line Lead
DCorlette@novell.com
2. Agenda
• Overview of Novell event auditing technologies
• nAudit: Identity Manager, Novell eDirectory®, Access Manager, iManager, Modular Authentication Service, NetWare®
• Syslog: Privileged User Manager, SecureLogin
• Custom API: Open Enterprise Server
© Novell, Inc. All rights reserved.
3. Auditing Novell Applications ÂŽ
• Several historical auditing frameworks
• Acquired products which use their own frameworks
• Minimal and weak industry event auditing standards
• Current common standards:
  – nAudit
  – Syslog
  – Custom API
5. Architecture
[Diagram: Source Application with Instrumentation and Platform Agent (local Cache) → SSL → Sentinel Connector]
6. Event Structure
• 21 pre-defined fields with data types and baseline semantic definitions
• LSC file defines additional semantics for each event
7. Configuration
Event Source
• Each application has its own instrumentation
  – Event Selection varies as a result
• Simple configuration file for Platform Agent
  – LogHost=<Sentinel Collector Manager IP>
  – LogEnginePort=1289 <Event Source Server port>
Novell Sentinel®
• If Connector/Event Source Server/Collector is properly deployed, Event Sources will automatically deploy
8. Configuration Examples
Novell Access Manager
Novell Identity Manager
Novell eDirectory
10. Architecture
[Diagram: Source Application with Syslog Daemon → TCP → Sentinel Syslog Connector]
11. Event Structure
• Defined header with date/time and host ID
  – Jan 12 10:12:03 myhost …
• Pseudo-standard that application ID follows host ID
  – Jan 12 10:12:03 myhost sshd: ...
• Rest of message is free-form; some Novell applications use a structured JSON string to carry data
• Simple, lightweight format but requires more complex parsing on the backend
12. Configuration
Event Source
• Each application has its own configuration procedure
  – Event Selection varies as a result
Novell Sentinel®
• If Event Source Server is properly deployed and Collector is in ESM Library, Collector/Connector/Event Sources will automatically deploy
13. Configuration Examples
Privileged User Manager
SUSE® Linux (syslog-ng)
# select the facilities to forward and send them over TCP to the Sentinel Syslog Connector
filter f_sentinel { facility(authpriv,auth,ftp,kern,mail,local0); };
destination d_sentinel { tcp("130.57.171.51" port(1468)); };
log { source(src); filter(f_sentinel); destination(d_sentinel); };
SecureLogin
Novell SecureLogin 7.0 SP1 will include a syslog forwarder which will forward NSL events (sent to the Windows EventLog) to Sentinel. Instructions TBD.
15. Architecture
[Diagram: Open Enterprise Server (NCP, AFP, CIFS on NSS) → Vigil Engine → Vigil Client → Sentinel Agent → TCP → Sentinel Connector]
16. Event Structure
• Vigil Engine exposes C API for clients to connect and receive events
• Client can output in common formats like XML, NVP
• Fields are named and have pre-defined, fixed meanings
• Sentinel Agent reads STDOUT from Vigil Client
• Sentinel Agent forwards data over Syslog to Sentinel
Sample Vigil Client (NVP) output:
NSS CREATE TaskID[0] Zid[98] ParentZid[7F] FileType[3] FileAttributes[20] OpRetCode[0] VolID[6E584A8B8170DE01800112DF59F86F0C] UserID[03000000000000000000000000000000] UserName[Supervisor] uid[0] uname[root] euid[0] euname[root] suid[0] suname[root] fsuid[0] fsuname[root] gid[0] guname[root] egid[0] eguname[root] sgid[0] sguname[root] fsgid[0] fsguname[root] comm[vi] target[VOL1:/.myfile.txt.swx] key[0x0] requestedRights[0x00000002] createFlags[0x00000100] createAndOpen[0x00000000] retOpenCreateAction[0x00000002] accessed[2009-07-28 11:47:16] created[2009-07-28 11:47:16] modified[2009-07-28 11:47:16] metaDataModified[2009-07-28 11:47:16] targethost[OESVigil]
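As an added example (not from the slides or from Novell), here is a small Python decoder for the syslog header format shown on slide 11 and the Vigil NAME[value] record shown above on slide 16, the kind of backend parsing the syslog slide says this format requires. The hostnames, syslog app tags and the JSON payload are assumptions constructed for the example; the Vigil field names are taken from the sample event.

```python
import json
import re

# Added example, not Novell code: decode a BSD-syslog line (Event Structure
# slide 11), then parse the message as JSON or as the Vigil NAME[value]
# record the Sentinel Agent forwards (slide 16). Hostnames, app tags and the
# JSON payload are constructed; Vigil field names come from the slide.

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\s]+):\s*(?P<msg>.*)$"
)
# Vigil values may contain spaces (timestamps), so match up to the closing ']'.
NVP_RE = re.compile(r"(\w+)\[([^\]]*)\]")

def parse_syslog(line):
    """Split 'Mon DD hh:mm:ss host app: msg' into its header fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    return m.groupdict()

def parse_vigil(msg):
    """Decode 'NSS CREATE TaskID[0] ...' into subsystem, operation and fields."""
    head = msg.split("[", 1)[0].split()  # e.g. ['NSS', 'CREATE', 'TaskID']
    fields = dict(NVP_RE.findall(msg))
    if len(head) < 3 or not fields:
        raise ValueError("unexpected Vigil record: %r" % msg)
    return {"subsystem": head[0], "operation": head[1], "fields": fields}

def decode_event(line):
    """Return the syslog header plus the decoded body and its format name."""
    ev = parse_syslog(line)
    if ev["msg"].startswith("{"):
        ev["format"], ev["body"] = "json", json.loads(ev["msg"])
    else:
        ev["format"], ev["body"] = "nvp", parse_vigil(ev["msg"])
    return ev

# Constructed inputs; the Vigil body is abridged from the slide's sample event.
SAMPLE_VIGIL = (
    "Jul 28 11:47:16 oesvigil vigil: NSS CREATE TaskID[0] Zid[98] ParentZid[7F] "
    "FileType[3] OpRetCode[0] UserName[Supervisor] uname[root] comm[vi] "
    "target[VOL1:/.myfile.txt.swx] requestedRights[0x00000002] "
    "accessed[2009-07-28 11:47:16] targethost[OESVigil]"
)
SAMPLE_JSON = ('Jan 12 10:12:03 myhost pum: '
               '{"user": "jdoe", "action": "login", "result": "ok"}')
```

Call decode_event() on each forwarded line; a record that is neither a syslog line nor a well-formed Vigil record raises ValueError so malformed input is not silently normalised.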
17. Configuration
Event Source
• Client must be configured to connect to Engine
• Sentinel Agent must be configured to invoke Client
• Agent must be configured to send to Sentinel
  – Scripts are provided to accomplish all of the above
Novell Sentinel®
• If Event Source Server is properly deployed and Collector is in ESM Library, Collector/Connector/Event Sources will automatically deploy
20. Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.