Howto map syslog level error messages with Access Manager error level messages

  • 7004876
  • 18-Nov-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Access Gateway

Situation

Access Manager writes log files to multiple locations, all referenced via the Admin Console -> Auditing -> General Logging tab. For example, the Linux Access Gateway (LAG) writes proxy-specific logs to /var/log/ics_dyn.log. Looking at the /etc/sysconfig configuration on the LAG, one can see the local0.* statement describing what is logged.

The events are well defined in the Access Manager documentation (for example, the first digit of the event ID is the severity) at the following locations:
 
The administrator wants to configure syslog so that the events are sent to another, remote syslog server. The goal is to filter which events are sent based on severity. To do this, one has to understand the mapping between Access Manager severity and syslog level. Currently, the various levels are:
 
Access Manager Severity
1 = severe
2 = error
3 = warn
4 = config
5 = info
6 = debug
9 = internal
 
syslog-level
- emerg
- alert
- crit
- err
- warning
- notice
- info
- debug

Resolution

There are a few overlaps in the mapping: the 8 Access Gateway log levels collapse onto 6 distinct syslog levels, because the three most severe Access Gateway levels all map to crit. The mapping is done based on the following table:
 
AG_LOG_EMERGENCY <-> SYSLOG_LOG_CRIT
AG_LOG_ALERT     <-> SYSLOG_LOG_CRIT
AG_LOG_CRITICAL  <-> SYSLOG_LOG_CRIT
AG_LOG_ERROR     <-> SYSLOG_LOG_ERR
AG_LOG_WARNING   <-> SYSLOG_LOG_WARNING
AG_LOG_NOTICE    <-> SYSLOG_LOG_NOTICE
AG_LOG_INFO      <-> SYSLOG_LOG_INFO
AG_LOG_DEBUG     <-> SYSLOG_LOG_DEBUG

For example, after modifying the /etc/syslog.conf configuration to include

"local0.info   -/tmp/logtest.out"

and restarting syslog, the following entry appears in the /tmp/logtest.out file:

"Nov 14 23:19:04 agcluster : AM#504513000: AMDEVICEID#ag-769DF08E988EFAA: AMAUTHID#0: AMEVENTID#0: VccHealth::HealthGET"

When I set "local0.notice  -/tmp/logtest.out" instead, there is no corresponding message. This is because the two selectors map to two different severity levels: a syslog.conf selector such as local0.notice matches messages at notice and above only, and this message is logged at info (the first digit of AM#504513000 is 5 = info), so it falls below the threshold.
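As an added illustration (not part of the TID, nor Novell's code), the following Python script models the behaviour described above: it extracts the severity digit from an AM# event ID, emulates the "level and above" semantics of a syslog.conf selector, and carries the AG_LOG -> SYSLOG_LOG table from the Resolution. The AM severity-name to syslog-level table in AM_TO_SYSLOG is an assumption made by matching names; the TID only confirms the 5/info case, so check your own output before filtering on it.

```python
import re

# Access Manager severity digit (first digit of the AM# event ID) -> name, from the TID.
AM_SEVERITY = {1: "severe", 2: "error", 3: "warn", 4: "config",
               5: "info", 6: "debug", 9: "internal"}

# syslog priorities from most to least severe; index order drives "level and above".
SYSLOG_LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Access Gateway log level -> syslog level, straight from the TID's mapping table.
AG_TO_SYSLOG = {
    "AG_LOG_EMERGENCY": "crit", "AG_LOG_ALERT": "crit", "AG_LOG_CRITICAL": "crit",
    "AG_LOG_ERROR": "err", "AG_LOG_WARNING": "warning", "AG_LOG_NOTICE": "notice",
    "AG_LOG_INFO": "info", "AG_LOG_DEBUG": "debug",
}

# ASSUMPTION: AM severity name -> syslog level, chosen by matching names. The TID only
# demonstrates 5/info; "config" and "internal" have no syslog counterpart, so they are
# placed at notice and debug here. Verify against your own log output before relying on it.
AM_TO_SYSLOG = {"severe": "crit", "error": "err", "warn": "warning", "config": "notice",
                "info": "info", "debug": "debug", "internal": "debug"}

EVENT_RE = re.compile(r"AM#(\d)\d*:")


def am_severity(line):
    """Return the Access Manager severity digit from an AM#<id> event, or None."""
    m = EVENT_RE.search(line)
    return int(m.group(1)) if m else None


def selector_matches(selector, facility, level):
    """Emulate a syslog.conf selector 'facility.level': it matches that level and
    everything more severe, e.g. local0.notice matches notice..emerg but not info."""
    sel_fac, sel_level = selector.split(".")
    if sel_fac not in (facility, "*"):
        return False
    return SYSLOG_LEVELS.index(level) <= SYSLOG_LEVELS.index(sel_level)


def line_written_by(selector, line, facility="local0"):
    """Would an Access Manager line logged on 'facility' reach a file behind 'selector'?"""
    sev = am_severity(line)
    if sev is None:
        return False
    return selector_matches(selector, facility, AM_TO_SYSLOG[AM_SEVERITY[sev]])


# The line the TID shows landing in /tmp/logtest.out under local0.info.
SAMPLE = ("Nov 14 23:19:04 agcluster : AM#504513000: AMDEVICEID#ag-769DF08E988EFAA: "
          "AMAUTHID#0: AMEVENTID#0: VccHealth::HealthGET")

if __name__ == "__main__":
    for sel in ("local0.info", "local0.notice"):
        print(sel, "->", line_written_by(sel, SAMPLE))
```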