Novell Audit 2.0.2 Platform Agent
Sentinel 6.0.xx Sentinel Control Center
Sentinel 6.0.xx Sentinel Event Source Management
The Novell Audit platform agent is installed on the Red Hat Linux server.
The LogHost= parameter in the /etc/logevent.conf file points to the Sentinel connector on the Sentinel Collector Manager hosting the NAudit collector.
In Sentinel Event Source Management, you see the platform agent connect, but no data is received.
Some versions of Linux, particularly Red Hat Linux, create a single entry in the /etc/hosts file on the loopback address 127.0.0.1. Because the DNS name and localhost are both on the loopback address, the Novell Audit platform agent will connect to the Sentinel Collector Manager server hosting the NAudit collector, but no events will be saved. Here is an example of a problematic /etc/hosts file:
127.0.0.1 tblarsen1.provo.novell.com tblarsen1 localhost.localdomain localhost
To fix it, please do the following within the /etc/hosts file:
# 127.0.0.1 tblarsen1.provo.novell.com tblarsen1 localhost.localdomain localhost
10.1.2.3 tblarsen1.provo.novell.com tblarsen1
(NOTE: Please replace the IP address 10.1.2.3 with your own statically assigned IP address.)
You may need to stop and start the Novell Audit instrumentation for these changes to take effect. Please log in as root before performing the commands below:
ndstrace -c "unload auditds"
ndstrace -c "load auditds"
If the problem persists, you may need to stop and start eDirectory on that server. Please log in as root before performing the commands below:
NOTE: Stopping ndsd on your Linux system will result in eDirectory services not being available on your Linux server. Please make sure that you stop and start eDirectory at a time that will least impact your production eDirectory environment.
This issue is similar to the issue found in KB 3951877.
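The /etc/hosts condition described above can be checked before and after the edit with a short script. This is an added example, not part of the original Novell document; the function names and the sample file names hosts.bad and hosts.fixed are assumptions made here, and the sample entries are the ones shown above.

```shell
#!/bin/sh
# Added example: flag a host name that a hosts file maps to the loopback address.

# hosts_addrs FILE NAME: print the address of every active entry that lists NAME.
hosts_addrs() {
    awk -v name="$2" '
        { sub(/#.*/, "") }      # strip comments, so commented-out entries are ignored
        NF < 2 { next }         # skip blank lines and lines with no host name
        {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; break }
        }' "$1"
}

# check_hosts FILE NAME: return 0 if NAME maps only to non-loopback addresses,
# 1 if any entry puts NAME on loopback, 2 if NAME has no active entry.
check_hosts() {
    addrs=$(hosts_addrs "$1" "$2")
    [ -n "$addrs" ] || { echo "NO ENTRY: $2 is not listed in $1"; return 2; }
    for a in $addrs; do
        case "$a" in
            127.*|::1) echo "LOOPBACK: $2 -> $a in $1"; return 1 ;;
        esac
    done
    echo "OK: $2 ->" $addrs
    return 0
}

# write_samples DIR: write the two /etc/hosts variants shown above into DIR.
write_samples() {
    printf '%s\n' \
        '127.0.0.1 tblarsen1.provo.novell.com tblarsen1 localhost.localdomain localhost' \
        > "$1/hosts.bad"
    printf '%s\n' \
        '# 127.0.0.1 tblarsen1.provo.novell.com tblarsen1 localhost.localdomain localhost' \
        '10.1.2.3 tblarsen1.provo.novell.com tblarsen1' \
        > "$1/hosts.fixed"
}

# Usage on the server: sh check_hosts.sh /etc/hosts "$(hostname -f)"
if [ $# -eq 2 ]; then check_hosts "$1" "$2"; fi
```

A return code of 1 for the server's own DNS name indicates the problematic entry; after the fix the same check returns 0.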