21.1 Setting Up Logging Server and Console Events

Secure Logging Server manages the information flow with the auditing system. It performs the following actions:

  • Receives incoming events and requests.

  • Logs information to the data store.

  • Monitors designated events.

  • Provides filtering and notification services.

  • Automatically resets critical system attributes according to a specified policy.

Specifying the logging server details:

  1. Click Auditing.

  2. Specify the following details:

    Field

    Description

    Audit Messages Using

    Select any one of the following options:

    Log File (Not Recommended For Production): Audit events are sent to a local log file.

    • Identity Server and ESP: /var/opt/novell/syslog/audit_common.log

    • Access Gateway: /var/opt/novell/syslog/audit_ag.log

    Syslog: Audit events are sent to the audit server. See Important Points to Consider When Using Syslog.

    Stop Service on Audit Server Failure

    Select this option to stop the Apache services when the audit server is offline or unreachable and audit events cannot be cached.

    Server Listening Address

    Specify the IP address or DNS name of the Syslog server you want to use. You can send the audit events to a maximum of two audit servers at a time.

    If your auditing server is in a private network, you can specify the public NAT IP address of the auditing server instead of the IP address or DNS name of the auditing server. Using this address, devices can contact the auditing server.

    Port

    Specify the port that syslog uses to connect to the Secure Logging Server.

    • For Sentinel server, the default port is 1468.

    • For third-party syslog servers, specify the configured port of that server.

    • For Analytics Server, specify 1468.

    Format

    You can choose to send the audit events in CSV or JSON format.

    Server Public NAT Address

    If your auditing server is in a private network, specify the public NAT IP address of the auditing server. Using this address, devices can contact the auditing server.

    To use Sentinel server or Sentinel Log Manager, specify the IP address or DNS name of the Sentinel.

    Send Audit Events to Interset Behavioral Analytics Server

    This is a read-only field. It indicates whether sending audit events to Interset for behavioral analytics is configured. For more information, see Section 5.8.6, Configuring Behavioral Analytics.

    IMPORTANT: If you select Sentinel server for auditing through syslog, you must use the latest Access Manager Collector for Sentinel.

    Management Console Audit Events

    Select the system-wide events that you want to audit.

    • Select All: Selects all audit events.

    • Health Changes: Generated when the health of a server changes.

    • Server Imports: Generated when a server is imported into Administration Console.

    • Server Deletes: Generated when a server is deleted from Administration Console.

    • Server Statistics: Generated periodically when statistics are generated for the server.

    • Configuration Changes: Generated when you change a server configuration.

  3. Click OK.

    It might take up to 15 minutes for the events you selected to start appearing in the audit files.

  4. (Conditional) To change the IP Address of Analytics Server, you must change the IP Address of the primary Analytics Server. For more information, see Managing Details of a Cluster.
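A pre-flight reachability check for the values entered in Server Listening Address and Port, useful before selecting Stop Service on Audit Server Failure. This is an added example, not part of the product or its documentation; it assumes the syslog listener accepts TCP connections, and the function names and sample addresses are hypothetical.

```python
import socket

DEFAULT_PORT = 1468   # default given on this page for Sentinel and Analytics Server
MAX_SERVERS = 2       # the page allows at most two audit servers at a time


def probe(host, port=DEFAULT_PORT, timeout=3.0):
    """Return (reachable, detail) for one audit server address (assumes TCP)."""
    try:
        # create_connection resolves DNS names and tries each returned address
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:
        return False, f"name resolution failed: {exc}"
    except socket.timeout:
        return False, "timed out (filtered, or wrong NAT address?)"
    except OSError as exc:
        return False, f"connection failed: {exc}"


def preflight(servers, timeout=3.0):
    """Probe each (host, port) pair; 'ok' is True only if every server answers."""
    if not 1 <= len(servers) <= MAX_SERVERS:
        raise ValueError(
            f"expected 1 to {MAX_SERVERS} audit servers, got {len(servers)}")
    results = {}
    for host, port in servers:
        results[(host, port)] = probe(host, port, timeout)
    return {"ok": all(up for up, _ in results.values()), "results": results}


if __name__ == "__main__":
    # Constructed sample addresses (documentation range); replace with your own.
    report = preflight([("192.0.2.10", DEFAULT_PORT),
                        ("192.0.2.11", DEFAULT_PORT)])
    for (host, port), (up, detail) in report["results"].items():
        print(f"{host}:{port} {'OK' if up else 'FAIL'} ({detail})")
    print("all audit servers reachable:", report["ok"])
```

Run it from each device that sends audit events, using the same address (including a public NAT address, if one is configured) that the device will use.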

Perform the following configurations:

NOTE: The eDirectory audit configuration remains unchanged even after you upgrade to the latest version of Access Manager. To fetch eDirectory audit events, manually unload and re-load the audit modules. Perform this activity each time you start eDirectory.

To install and enable eDirectory packages, see Installing Novell Audit Packages in the eDirectory Administration Guide.