Auditing Filesystem events on a clustered resource

It is not possible to load or configure Novell Audit to be a clustered resource. What this means is that it is not possible to load LENGINE.NLM in a virtual NCP server. Nor is it possible to load the other audit modules (AUDITDS.NLM, AUDITNW.NLM, LOGEVENT.NLM, LCACHE.NLM) as a clustered resource.

However, it is possible to audit clustered resources. If you have a clustered resource (volume) that fails over from one node to another and you need to audit certain files on that clustered resource, then you are able to audit those directories and files. In order to audit those file system events, you will need to do the following items:

1.) Install the platform agent (PA) and instrumentation (ie. AUDITNW.NLM, AUDITDS.NLM) on to every node in the cluster. The platform agent and instrumentation will need to be running as well.

2.) Go into the NCP server object of each node in the cluster and select the file system events you wish to audit. Again, you will need to do this on every node in the cluster in which this resource/volume will fail over to.

3.) You will need to stop and start the instrumentation (AUDITSTP.NCF / AUDITAGT.NCF) and platform agents on each server in the cluster for the changes in #2 above to take effect immediately.

If you need to have fault tolerance for your Secure Logging Server (SLS), it is recommended that you install and configure multiple SLSes. Then in the SYS:ETC/LOGEVENT.CFG file you add the following syntax:

LogHost=,,,....,

Example:

LogHost=10.1.1.1,10.2.1.1,10.1.3.1,10.1.1.4

By having multiple SLSes available to the platform agents, you have your fault tolerance. If the SLS on ip_address1 goes down, then the platform agent will connect to the SLS on ip_address2. If the SLS is down on the first two IP addresses, then the platform agent will move to the third IP address up to ip_addressN.