Environment
Novell Audit 2.0.2 Platform Agent
Novell NetWare 6.5 Support Pack 5
Situation
When DSREPAIR is run on a server with Novell Audit installed, the
server ABENDs in LOGEVENT.NLM as the eDirectory database opens.
The server does not ABEND under normal operating conditions.
Identity Manager (DirXML) is also installed on the server and
is being audited.
Resolution
A coredump of the ABEND was taken and analyzed. A copy
of the stack walk (without symbols) is provided in the "Additional
Information" section below. The problem is that the Identity Manager
(IDM, formerly known as DirXML) has a corrupt NAuditConfiguration
attribute. Below is a copy of the contents of that
attribute:
As you can see above, the EventConfiguration enabled is set to "true" and "false" simultaneously. This is causing the
ABEND.
FIX:
Please read through all of the steps prior to performing them
to understand what will happen. To fix the problem, please do
the following steps:
1.) Log in to iManager. iManager is located at http:///nps/iManager.html.
2.) Go to "Auditing and Logging" and click on "Logging
Server Options". Search for your Secure Logging Server
(SLS) object. Typically the SLS is located in the "Logging Services" container that is located at the top of your
tree. If you have installed your SLS in a different area of
the tree, then browse to the appropriate location and select the
SLS object.
3.) Click on the "General" tab and click on the "Summary" link. In the "Summary" section you should see three
different categories. Those categories are Channels,
Notifications, and Log Applications. Scroll down to the "Log
Applications" category. There you will see "Identity Manager"
hyperlinked. Click on "Identity Manager".
4.) A new window should pop up when you click on "Identity Manager". On the "Configuration" tab you should
have an "Events" link. Click on "Events". Take a look
at how this section is configured. If "Enable filtering for
selected events" is unchecked, then you can ignore this step.
If there is a check next to "Enable filtering for selected events",
then take note of which events are being audited/logged. Now
close the "Modify Object" pop up for the Identity Manager log
application.
5.) Map a drive to SYS:/PUBLIC on the file server that
has a copy of ConsoleOne on it. Start ConsoleOne.
Typically ConsoleOne is located at
SYS:/PUBLIC/MGMT/CONSOLEONE/1.2/BIN and is called ConsoleOne.exe in
the BIN directory.
6.) Once ConsoleOne is loaded, go to the location in the
tree where the IDM log application is located. In a default
install of Novell Audit, this is located in the
.Applications.Logging Services. container.
7.) In the Applications container, locate the "Identity
Manager" object. Double-click on it. Click on the "Other" tab. One of the attributes that you see is the "NAuditConfiguration" attribute. Highlight "NAuditConfiguration" and click on the "Delete" button. You
will be prompted with "Do you really want to delete this
attribute?". Click on the "Yes" button to delete the
attribute. Now you can close ConsoleOne. (Note:
You do not need to use ConsoleOne to delete this attribute.
You can use any other tool that will allow you to delete the "NAuditConfiguration" attribute.)
8.) Return to iManager. Repeat steps 1 - 3
above. On the "Configuration" tab, click on the "Events"
link. Restore the settings that you recorded in step 4.
Then click on "OK" or "Apply" to save your changes.
9.) Restart LENGINE.NLM so the new settings can be
read.
Additional Information
Stack walk of the ABEND:
P00# sw
Current EIP:908B3407 LOGEVENT.NLM|LogEventDirectW+19D11
ESP:9D994C70 EIP:9089EC22 LOGEVENT.NLM|LogEventDirectW+552C
ESP:9D994C90 EIP:908954D1 LOGEVENT.NLM|LogGetEnabledEvents+3E5
ESP:9D994CEC EIP:90896509 LOGEVENT.NLM|LogOpen+682
ESP:9D994E74 EIP:B425A56C DXEVENT.NLM|DxSetEventID+2761
ESP:9D994EA4 EIP:B424F2FD DXEVENT.NLM|DxFreeCacheBlock+290A
ESP:9D994EE8 EIP:B42472FF DXEVENT.NLM|getDirXMLInterface+BB7
ESP:9D994EEC EIP:8FEC366F DS.NLM|InitializeEventCache+30
ESP:9D994EF8 EIP:8FE6D68F DS.NLM|DSAgentOpenLocal+3D4
ESP:9D994FC8 EIP:8F0CF149 DSLOADER.NLM|DDSOpenLocalAgent+12
ESP:9D994FCC EIP:909FD412 DSREPAIR.NLM|+2D412
ESP:9D994FE4 EIP:909EF3C2 DSREPAIR.NLM|+1F3C2
ESP:9D994FF8 EIP:909EF78A DSREPAIR.NLM|+1F78A
ESP:9D995088 EIP:90A155C5 DSREPAIR.NLM|+455C5
ESP:9D995108 EIP:909D79CE DSREPAIR.NLM|+79CE
ESP:9D99512C EIP:909D77A5 DSREPAIR.NLM|+77A5
ESP:9D995284 EIP:909D7119 DSREPAIR.NLM|+7119
ESP:9D99528C EIP:901B6646 NWSNUT.NLM|NWSMenuAction+27
ESP:9D9952A4 EIP:901B698D NWSNUT.NLM|NWSLList+1FD
ESP:9D9952F8 EIP:901B6C1D NWSNUT.NLM|NWSList+46
ESP:9D995344 EIP:901B660C NWSNUT.NLM|NWSMenu+D8
ESP:9D995394 EIP:909D7068 DSREPAIR.NLM|+7068
ESP:9D9953C4 EIP:909D68C3 DSREPAIR.NLM|+68C3
ESP:9D9953CC EIP:909D6776 DSREPAIR.NLM|+6776
ESP:9D9953E8 EIP:8F22A340 SAL.NLM|SAL_TZOffset+D0
ESP:9D9953F8 EIP:883EAD28 LIBC.NLM|ThreadStartFunc+D8
ESP:9D99540C EIP:00226E38 SERVER.NLM|TcoNewSystemThreadEntryPoint+40
(stack end)
P00#
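The stack walk above can be triaged mechanically. The following is an added example, not part of the original document or of any Novell tool: it parses the frame lines into modules and symbols and collapses them into the module call chain. The 0x1000 offset threshold used to decide whether a symbol name can be trusted in a walk taken without symbols is an assumption of this example.

```python
import re

# One frame per line: "ESP:<hex> EIP:<hex> MODULE.NLM|Symbol+Offset".
# The faulting frame starts with "Current EIP:" and carries no ESP.
FRAME_RE = re.compile(
    r"^(?:Current |ESP:[0-9A-F]{8} )EIP:[0-9A-F]{8} "
    r"(?P<module>[\w.]+)\|(?P<symbol>\w*)(?:\+(?P<offset>[0-9A-F]+))?$"
)

# Assumption: past this offset the name is only the nearest export, not the real function.
FAR_OFFSET = 0x1000

def parse_stack_walk(text):
    """Return frames innermost-first; prompts and '(stack end)' are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if not m:
            continue
        offset = int(m["offset"], 16) if m["offset"] else None
        frames.append({
            "module": m["module"],
            "symbol": m["symbol"] or None,
            "offset": offset,
            "trusted": bool(m["symbol"]) and offset is not None and offset < FAR_OFFSET,
        })
    return frames

def module_chain(frames):
    """Collapse consecutive frames of one module; call order, outermost first."""
    chain = []
    for frame in reversed(frames):
        if not chain or chain[-1] != frame["module"]:
            chain.append(frame["module"])
    return chain

# Excerpt copied from the stack walk on this page.
SAMPLE = """\
Current EIP:908B3407 LOGEVENT.NLM|LogEventDirectW+19D11
ESP:9D994C70 EIP:9089EC22 LOGEVENT.NLM|LogEventDirectW+552C
ESP:9D994C90 EIP:908954D1 LOGEVENT.NLM|LogGetEnabledEvents+3E5
ESP:9D994CEC EIP:90896509 LOGEVENT.NLM|LogOpen+682
ESP:9D994E74 EIP:B425A56C DXEVENT.NLM|DxSetEventID+2761
ESP:9D994EF8 EIP:8FE6D68F DS.NLM|DSAgentOpenLocal+3D4
ESP:9D994FC8 EIP:8F0CF149 DSLOADER.NLM|DDSOpenLocalAgent+12
ESP:9D994FCC EIP:909FD412 DSREPAIR.NLM|+2D412
(stack end)
"""
```

On this excerpt the innermost frame with a trusted name is LogGetEnabledEvents, reached from LogOpen, which is consistent with a fault while reading the enabled-events configuration.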
LOGEVENT.NLM Nsure Audit Platform Agent (Build 24)
Version 2.00.02 August 31, 2006
DXEVENT.NLM DirXML Event Handler for Novell Directory Services 3.0.1
Version 3.00.10 June 30, 2006