22.1 Setting Up Logging Server and Console Events

Secure Logging Server manages the information flow with the auditing system. It performs the following actions:

  • Receives incoming events and requests.

  • Logs information to the data store.

  • Monitors designated events.

  • Provides filtering and notification services.

  • Automatically resets critical system attributes according to a specified policy.

Specifying the logging server details:

  1. Click Auditing.

  2. Specify the following details:

    Audit Messages Using

    Select one of the following options:

    Log File (Not Recommended For Production): Audit events are sent to a local log file.

    • Identity Server and ESP: /var/opt/novell/syslog/audit_common.log

    • Access Gateway: /var/opt/novell/syslog/audit_ag.log

    Syslog: Audit events are sent to the audit server. See Important Points to Consider When Using Syslog.

    Stop Service on Audit Server Failure

    Select this option to stop the Apache services when the audit server is offline or not reachable and audit events cannot be cached.

    Server Listening Address

    Specify the IP address or DNS name of the Syslog server you want to use. You can send the audit events to a maximum of two audit servers at a time.

    If your auditing server is in a private network, you can specify the public NAT IP address of the auditing server instead of the IP address or DNS name of the auditing server. Using this address, devices can contact the auditing server.

    Port

    Specify the port that syslog uses to connect to the Secure Logging Server.

    • For Sentinel server, the default port is 1468.

    • For third-party syslog servers, specify the configured port of that server.

    • For Analytics Server, specify 1468.

    Format

    You can choose to send the audit events in CSV or JSON format.

    Server Public NAT Address

    If your auditing server is in a private network, specify the public NAT IP address of the auditing server. Using this address, devices can contact the auditing server.

    To use Sentinel server or Sentinel Log Manager, specify the IP address or DNS name of the Sentinel server.

    Send Audit Events to Interset Behavioral Analytics Server

    This is a read-only field. It indicates whether sending audit events to Interset for behavioral analytics has been configured. For more information, see Section 5.8.6, Configuring Behavioral Analytics.

    IMPORTANT: If you select Sentinel server for auditing through syslog, you must use the latest Access Manager Collector for Sentinel.

    Management Console Audit Events

    Select the system-wide events that you want to audit.

    • Select All: Selects all audit events.

    • Health Changes: Generated when the health of a server changes.

    • Server Imports: Generated when a server is imported into Administration Console.

    • Server Deletes: Generated when a server is deleted from Administration Console.

    • Server Statistics: Generated periodically when statistics are generated for the server.

    • Configuration Changes: Generated when you change a server configuration.

  3. Click OK.

    It might take up to 15 minutes for the events you selected to start appearing in the audit files.

  4. (Conditional) To change the IP address of Analytics Server, you must change the IP address of the primary Analytics Server. For more information, see Managing Details of a Cluster.

  5. (Conditional) If Administration Console is the only Access Manager component installed on the machine and you have changed the address or port of the Secure Logging Server, complete the following steps:

    For security reasons, the Novell Audit Configuration file cannot be modified using Administration Console when it is the only Access Manager component on the machine. Only a system administrator can edit this file.

Perform the following configurations:

  1. Modify the nam.conf file and specify the following parameters:

    Sample nam.conf file:

    # TLS settings for the local TCP input (commented out in this sample)
    #$InputTCPServerStreamDriverMode 1
    #$InputTCPServerStreamDriverAuthMode x509/name
    # Listen on local TCP port 1290 for audit messages from the Access Manager agent
    $InputTCPServerRun 1290
    $template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
    # Forward local0 messages over TCP (@@) to the remote audit server, then discard them (& ~)
    local0.*   @@1.1.1.1:1468;ForwardFormat
    & ~

    Sample namMultiTarget.conf file:

    # TLS settings for the local TCP input (commented out in this sample)
    #$InputTCPServerStreamDriverMode 1
    #$InputTCPServerStreamDriverAuthMode x509/name
    # Listen on local TCP port 1292 for the additional auditing server
    $InputTCPServerRun 1292
    $template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
    # Forward local1 messages over TCP (@@) to the second audit server, then discard them (& ~)
    local1.*   @@2.2.2.2:1290;ForwardFormat
    & ~

    This configures the local rsyslog agent to listen on local TCP port 1290 (nam.conf) or 1292 (namMultiTarget.conf) and to forward the audit messages to the remote audit server on port 1468.

    NOTE: You have to create the namMultiTarget.conf file manually when adding an Additional Auditing Server from within iManager.

  2. Modify the Auditlogging.cfg file, set the audit message format to JSON, and set the audit server type to syslog.

    For information about how to modify a file, see Modifying Configurations.

    Sample Auditlogging.cfg file:

    LOGDEST=syslog
    FORMAT=JSON
    SERVERIP=
    SERVERPORT=

  3. Restart each device imported into Administration Console.

    The devices (Identity Server and Access Gateway) do not start reporting events until they have been restarted.
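The rsyslog forwarding chain and the Auditlogging.cfg settings above are easy to get subtly wrong (events left on the local host, UDP instead of TCP, a missing discard rule). The following checker is an added example, not part of the Access Manager product or this guide; it parses constructed samples in the shape shown above and reports the weaknesses a reviewer would look for. The sample IP addresses and ports are assumed values.

```python
import re
# Constructed sample inputs in the shape shown in this section (assumed values, not a live system).
SAMPLE_NAM_CONF = r"""#$InputTCPServerStreamDriverMode 1
#$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerRun 1290
$template ForwardFormat,"<%PRI%>%TIMESTAMP:::date-rfc3164% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n"
local0.*   @@1.1.1.1:1468;ForwardFormat
& ~
"""
SAMPLE_CFG = "LOGDEST=syslog\nFORMAT=JSON\nSERVERIP=1.1.1.1\nSERVERPORT=1468\n"

# rsyslog forward action: selector, @ (UDP) or @@ (TCP), host, port, optional ;template
FORWARD_RE = re.compile(r"^(\S+)\s+(@@?)([^:\s]+):(\d+)(?:;(\S+))?$")

def parse_auditlogging(text):
    # KEY=VALUE lines of Auditlogging.cfg; keys upper-cased, blank and '#' lines ignored
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    return {k.strip().upper(): v.strip() for k, v in pairs}

def parse_rsyslog(text):
    # Listen port, forwarding rules, whether '& ~' discards after forwarding, TLS directive state
    info = {"listen_port": None, "tls_commented": False, "forwards": [], "discard": False}
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("#$InputTCPServerStreamDriver"):
            info["tls_commented"] = True      # directive present but disabled by the leading '#'
        elif line.startswith("$InputTCPServerRun"):
            info["listen_port"] = int(line.split()[1])
        m = FORWARD_RE.match(line)
        if m:
            sel, proto, host, port, tmpl = m.groups()
            info["forwards"].append({"selector": sel, "tcp": proto == "@@", "host": host,
                                     "port": int(port), "template": tmpl})
            info["discard"] = i + 1 < len(lines) and lines[i + 1] == "& ~"
    return info

def audit_findings(cfg_text, rsyslog_text):
    # Empty list means the forwarding chain described in this section is complete
    cfg, rs = parse_auditlogging(cfg_text), parse_rsyslog(rsyslog_text)
    checks = [
        (cfg.get("LOGDEST", "").lower() != "syslog", "LOGDEST is not syslog: local log file is not recommended for production"),
        (cfg.get("FORMAT", "").upper() not in ("JSON", "CSV"), "FORMAT must be JSON or CSV"),
        (not cfg.get("SERVERIP") or not cfg.get("SERVERPORT"), "SERVERIP/SERVERPORT empty: no audit server configured"),
        (rs["listen_port"] is None, "no $InputTCPServerRun: local rsyslog agent has no TCP listener"),
        (not rs["forwards"], "no forwarding rule: audit events stay on the local host"),
        (any(not f["tcp"] for f in rs["forwards"]), "forward uses UDP (single @); delivery is unreliable"),
        (bool(rs["forwards"]) and not rs["discard"], "forward not followed by '& ~': events also fall through to later local rules"),
        (rs["tls_commented"], "TLS stream driver directives are commented out: local TCP input is plaintext"),
    ]
    return [msg for failed, msg in checks if failed]
```

Run against the sample above, the only finding is the commented-out TLS directives; pointing it at a real /etc/rsyslog.d/nam.conf and Auditlogging.cfg pair is a quick post-change sanity check.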

NOTE: The eDirectory audit configuration remains unchanged even after you upgrade to the latest version of Access Manager. To fetch eDirectory audit events, manually unload and re-load the audit modules. Perform this activity each time you start eDirectory.

To install and enable eDirectory packages, see Installing Novell Audit Packages in the eDirectory Administration Guide.

From Access Manager 5.0 Service Pack 3 onwards, the timestamp format in the Access Gateway audit log is updated to match the timestamp format of the Identity Provider and Administration Console audit logs. To revert to the older timestamp format, perform the following:

  1. Open the Auditlogging.cfg file at /opt/novell/syslog/Auditlogging.cfg.

  2. Set AGLEGACY to true.

    Sample Auditlogging.cfg file:

    AGLEGACY=true