Auditing Novell® Applications: Event Collection with Novell Sentinel Log Manager. David Corlette, Product Line Lead, [email protected]

Using Novell Sentinel Log Manager to Monitor Novell Applications

DESCRIPTION

Novell Sentinel Log Manager is a powerful log management and reporting solution. It supports collecting and reporting on log and audit data generated by Novell Identity Manager and Novell Open Enterprise Server. This integration enhances Identity Manager and Open Enterprise Server with powerful reporting capabilities. This session will explain how Sentinel Log Manager can integrate with Identity Manager and Open Enterprise Server to collect log and audit data. It will also show how this integration can be used to provide compelling reports about Identity Manager and Open Enterprise Server activity.

Speaker: David Corlette, Product Line Lead, Novell, Inc.


Page 1: Using Novell Sentinel Log Manager to Monitor Novell Applications

Auditing Novell® Applications

Event Collection with Novell Sentinel™ Log Manager

David Corlette

Product Line Lead

[email protected]

Page 2

© Novell, Inc. All rights reserved.

Agenda

• Overview of Novell® event auditing technologies

• nAudit: Identity Manager, Novell eDirectory™, Access Manager, iManager, Modular Authentication Service, NetWare®

• Syslog: Privileged User Manager, SecureLogin

• Custom API: Open Enterprise Server

Page 3


Auditing Novell® Applications

• Several historical auditing frameworks

• Acquired products which use their own frameworks

• Minimal and weak industry event auditing standards

• Current common standards:

– nAudit

– Syslog

– Custom API

Page 4

nAudit Framework

Page 5


Architecture

Architecture diagram: Source Application (Instrumentation) → Platform Agent (Cache) → SSL → Sentinel Connector

Page 6


Event Structure

• 21 pre-defined fields with data types and baseline semantic definitions

• LSC file defines additional semantics for each event

Page 7


Configuration

Event Source

• Each application has its own instrumentation

– Event Selection varies as a result

• Simple configuration file for Platform Agent

– LogHost=<Sentinel Collector Manager IP>

– LogEnginePort=1289 <Event Source Server port>

Novell® Sentinel™

• If Connector/Event Source Server/Collector is properly deployed, Event Sources will automatically deploy

Page 8


Configuration Examples

Novell Identity Manager

Novell Access Manager

Novell eDirectory

Page 9

Syslog Framework

Page 10


Architecture

Architecture diagram: Source Application → Syslog Daemon → TCP → Sentinel Connector

Page 11


Event Structure

• Defined header with date/time and host ID

– Jan 12 10:12:03 myhost …

• Pseudo-standard that the application ID follows the host ID

– Jan 12 10:12:03 myhost sshd: ...

• Rest of message is free-form; some Novell applications use a structured JSON string to carry data

• Simple, lightweight format, but it requires more complex parsing on the back end

Page 12


Configuration

Event Source

• Each application has its own configuration procedure

– Event Selection varies as a result

Novell® Sentinel™

• If Event Source Server is properly deployed and Collector is in ESM Library, Collector/Connector/Event Sources will automatically deploy

Page 13


Configuration Examples

Privileged User Manager

SecureLogin

Novell SecureLogin 7.0 SP1 will include a syslog forwarder which will forward NSL events (sent to the Windows EventLog) to Sentinel. Instructions TBD.

SUSE® Linux (syslog-ng configuration; the host argument is a quoted string)

    filter f_sentinel { facility(authpriv,auth,ftp,kern,mail,local0); };
    destination d_sentinel { tcp("130.57.171.51" port(1468)); };
    log { source(src); filter(f_sentinel); destination(d_sentinel); };

Page 14

Custom API Example

Page 15


Architecture

Architecture diagram: Open Enterprise Server (NSS, NCP, AFP, CIFS) → Vigil Engine → Vigil Client → Sentinel Agent → TCP → Sentinel Connector

Page 16


Event Structure

• Vigil Engine exposes C API for clients to connect and receive events

• Client can output in common formats like XML, NVP

• Fields are named and have pre-defined, fixed meanings

• Sentinel™ Agent reads STDOUT from Vigil Client

• Sentinel Agent forwards data over Syslog to Sentinel

NSS CREATE TaskID[0] Zid[98] ParentZid[7F] FileType[3] FileAttributes[20] OpRetCode[0] VolID[6E584A8B8170DE01800112DF59F86F0C] UserID[03000000000000000000000000000000] UserName[Supervisor] uid[0] uname[root] euid[0] euname[root] suid[0] suname[root] fsuid[0] fsuname[root] gid[0] guname[root] egid[0] eguname[root] sgid[0] sguname[root] fsgid[0] fsguname[root] comm[vi] target[VOL1:/.myfile.txt.swx] key[0x0] requestedRights[0x00000002] createFlags[0x00000100] createAndOpen[0x00000000] retOpenCreateAction[0x00000002] accessed[2009-07-28 11:47:16] created[2009-07-28 11:47:16] modified[2009-07-28 11:47:16] metaDataModified[2009-07-28 11:47:16] targethost[OESVigil]
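As an added example (not code from the slides or from any Novell tool), the following Python parses the syslog header described on the Syslog "Event Structure" slide, then classifies the free-form body as a JSON string, as the Vigil NVP `Name[value]` format shown in the NSS CREATE record above, or as plain text. The sample lines, the application names (nsl, sentinelagent) and the hostnames are constructed, not captured from a live system.

```python
import json
import re

# BSD syslog header "<Mon> <day> <hh:mm:ss> <host> <app>[pid]: <msg>"; the
# application id is only a pseudo-standard, so that group is optional.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?:(?P<app>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: )?(?P<msg>.*)$")
# Vigil NVP body: "<subsystem> <operation> Name[value] Name[value] ..."
NVP_HEAD_RE = re.compile(r"^(\w+) (\w+) (?=\w+\[)")
NVP_FIELD_RE = re.compile(r"(\w+)\[([^\]]*)\]")

def parse_payload(msg):
    """Classify the free-form body as JSON, Vigil NVP, or plain text."""
    body = msg.strip()
    if body.startswith("{"):
        try:
            return {"format": "json", "data": json.loads(body)}
        except json.JSONDecodeError:
            pass  # malformed JSON is kept as text rather than dropped
    head = NVP_HEAD_RE.match(body)
    if head:
        return {"format": "nvp", "subsystem": head.group(1),
                "operation": head.group(2),
                "fields": dict(NVP_FIELD_RE.findall(body))}
    return {"format": "text", "data": body}

def parse_syslog(line):
    """Return one record dict, or None when the header does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {"timestamp": m["ts"], "host": m["host"], "app": m["app"],
            "pid": m["pid"], "payload": parse_payload(m["msg"])}

def parse_all(lines):
    """Parse a batch; return (records, dropped) so silent loss is visible."""
    records = [r for r in map(parse_syslog, lines) if r is not None]
    return records, len(lines) - len(records)

# Constructed sample lines (not captured from a live system); the NVP body is a
# shortened copy of the OES Vigil NSS CREATE example from the slides.
SAMPLES = [
    "Jan 12 10:12:03 myhost sshd[4242]: Accepted publickey for alice from 10.0.0.5",
    'Jan 12 10:12:04 myhost nsl: {"event": "logon", "user": "alice", "result": "ok"}',
    "Jan 12 10:12:05 oesvigil sentinelagent: NSS CREATE TaskID[0] Zid[98] OpRetCode[0] "
    "UserName[Supervisor] comm[vi] target[VOL1:/.myfile.txt.swx] targethost[OESVigil]",
    "no syslog header here",
]
```

Running `parse_all(SAMPLES)` yields three records and one dropped line; counting drops matters because a collector that silently discards unparseable events hides gaps in the audit trail.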

Page 17


Configuration

Event Source

• Client must be configured to connect to Engine

• Sentinel Agent must be configured to invoke Client

• Agent must be configured to send to Sentinel

➔ Scripts are provided to accomplish all of the above

Novell® Sentinel™

• If Event Source Server is properly deployed and Collector is in ESM Library, Collector/Connector/Event Sources will automatically deploy

Page 18

Open Enterprise Server Configuration Demonstration

Page 19

Page 20

Unpublished Work of Novell, Inc. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.