How does event filtering in Novell Audit 2.0 work?

  • 3003973
  • 16-Jun-2006
  • 26-Apr-2012

Environment

Novell Audit 2.0.x

Situation

How does event filtering in Novell Audit 2.0 work?
If my servers are configured to log all eDirectory events, but I only want to see certain eDirectory events, does this filtering occur at the Platform Agent, or does the Secure Logging Server filter those events?
Do the events that I want to filter out ever hit the wire?

Resolution

The information in this TID comes from the documentation.  To view the source, please go to https://www.novell.com/documentation/novellaudit20/index.html?page=/documentation/novellaudit20/novellaudit20/data/b27qg60.html#b27qmvh and search for "Configuring eDirectory Events".  Here is what the documentation says:
"Novell Audit 2.0 now allows administrators to create a global filter in the eDirectory Instrumentation object that determines which eDirectory events the Platform Agents send to the Secure Logging Server. However, administrators must still enable the eDirectory events on the NCP Server object."
What exactly does this mean?
The instrumentation is the piece that audits or monitors the application from which you want to receive data.  For example, if you want to audit eDirectory events, in iManager you go to "eDirectory Administration" | Modify Object | select the NCP server object in question | click on the "Novell Audit" tab | click on the "eDirectory" link.  In this location, you choose which events the eDirectory instrumentation will audit.  If you turn all of them on, the eDirectory instrumentation (AUDITDS.NLM on NetWare, NAUDITDS.DLM on Windows) will register callbacks with eDirectory to receive notification when these events occur.
The platform agent (LOGEVENT.NLM on NetWare, logevent.dll on Windows) will normally accept all of these events.  However, if you go into the attributes of the log application, you can tell the Platform Agent (PA) which events to send to the Secure Logging Server (SLS).  To modify which events you want to see, do the following from within iManager:
1.)  Click on "Auditing and Logging".
2.)  Click on "Logging Server Options".
3.)  Browse out and select your SLS.
4.)  Click on the "General" tab and click on the "Summary" link.
5.)  Scroll down to the "eDirectory Instrumentation" entry in the "Log Applications" section.
6.)  On the "Configuration" tab, click on the "Events" link.
7.)  Put a check mark in the box that says, "Enable filtering for selected events".  Then scroll through the various events and put a check mark next to those events that you want to audit.
8.)  Click on the "OK" or "Apply" button.
9.)  You will need to shutdown and restart your PA for the changes to take effect.
10.)  To turn off the event filtering, simply uncheck "Enable filtering for selected events" and restart your PA.
QUESTIONS:
Q1:  Are there any processor costs associated with enabling all of the eDirectory events at the instrumentation level, but having the PA filter out the events I actually want?
A1:  The eDirectory instrumentation will continue to register for the events that you selected on the server's NCP object.  It will collect the data as it is configured to do.  If you do not actually want all of those events, collecting them still adds overhead on the server, because the instrumentation gathers the data before the PA discards it.
Q2:  What happens to the events that are collected and discarded?  Are they sent on the wire?
A2:  The events that are filtered out at the PA are discarded.  The discarded events are never sent on the wire.
Q3:  How does filtering affect signing and chaining (non-repudiation of data)?
A3:  The PA is responsible for event signing and chaining, not the instrumentation.  Because filtering happens in the PA before the events are signed and chained, the signing and chaining will remain intact.
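As an added illustration (a model written for this article, not Novell Audit code), the Python sketch below shows the order A2 and A3 describe: the PA discards unselected events before it signs and chains, so discarded events never reach the wire and the chain the SLS verifies stays intact, whereas dropping a record after signing breaks the chain. The event IDs, the key and the HMAC-based chain are constructed assumptions; the real PA's signing format is not documented here.

```python
import hmac
import hashlib
import json

# Constructed sample events, as the instrumentation would hand them to the PA.
# The IDs are hypothetical placeholders, not real eDirectory event numbers.
INSTRUMENTED_EVENTS = [
    {"id": "EDIR_LOGIN", "obj": "cn=admin,o=acme"},
    {"id": "EDIR_ATTR_READ", "obj": "cn=jdoe,o=acme"},
    {"id": "EDIR_ATTR_MOD", "obj": "cn=jdoe,o=acme"},
    {"id": "EDIR_ATTR_READ", "obj": "cn=svc,o=acme"},
]
PA_KEY = b"constructed-demo-key"  # stands in for the PA's signing key (assumption)


def pa_send(events, filtering_enabled, selected_ids, key=PA_KEY):
    """Platform Agent model: drop unselected events (when filtering is on),
    then sign and chain whatever remains. Returns the records that go on the wire."""
    wire, prev_sig = [], b""
    for ev in events:
        if filtering_enabled and ev["id"] not in selected_ids:
            continue  # discarded here: never serialised, signed or sent
        body = json.dumps(ev, sort_keys=True).encode()
        # Each signature covers the previous signature, which forms the chain.
        sig = hmac.new(key, prev_sig + body, hashlib.sha256).hexdigest()
        wire.append({"event": ev, "sig": sig})
        prev_sig = bytes.fromhex(sig)
    return wire


def sls_verify(wire, key=PA_KEY):
    """Secure Logging Server model: walk the chain; True only if every link matches."""
    prev_sig = b""
    for rec in wire:
        body = json.dumps(rec["event"], sort_keys=True).encode()
        expected = hmac.new(key, prev_sig + body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):
            return False
        prev_sig = bytes.fromhex(rec["sig"])
    return True


def wire_ids(wire):
    """Event IDs in wire order, for inspecting what actually left the PA."""
    return [rec["event"]["id"] for rec in wire]
```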
Q4:  I have several PAs in different trees.  I want those PAs to send their data to a single SLS.  How can I use event filtering in this scenario?
A4:  Event filtering is configured on a per-SLS basis.  In order for this to work, you need to create an SLS object in each tree and configure the events you want to filter out in each tree.  Then you modify the logevent.cfg/logevent.conf file and set LogHost= to the SLS in the other tree.  When logevent loads, it will read the configuration and then send the data on to the appropriate location.
Q5:  Is it a mandatory requirement for me to go into the Log Application and configure which events I want to filter out and keep?
A5:  No, it is not required.  If you made your choices on the instrumentation for each NCP server object, and those are the events you want to receive, then you do not need to make any other changes.  It is only necessary if the NCP server object has more events than you care to receive and you want to make a tree wide change without touching any of the file servers.