Novell Audit Platform Agent has errors, drops events in certain configurations.

  • 7008362
  • 12-Apr-2011
  • 11-Jun-2013

Environment

Novell Audit Platform Agent 2.0.2

Situation

The Novell Audit Platform Agent (PA) is configured via the /etc/logevent.conf file, and this single file configures every use of the PA libraries on a system. Each time the PA libraries are loaded they attempt to spawn an instance of the lcache process, which caches events locally should the connection to Sentinel, Log Manager, or another auditing server cease to function for any reason. In many environments this works properly, but because of the system-wide configuration file and the potential for multiple Novell Audit-enabled services on a single system, conflicts between those instances can arise, leading to intermittent functionality and potentially lost audit data.

Resolution

A best practice when using any instance of the PA is to have only one instance loaded per system. Audit-enabled applications should, where possible, each be placed on their own system, with a few exceptions. Within eDirectory it is possible to audit eDirectory itself, the Identity Manager engine, Novell Modular Authentication Services (NMAS), and SecretStore. All of these run within the ndsd process and therefore may be on a single system together. Whenever auditing is not enabled for an application, the limit of one application per system does not apply to it.

The Identity Manager User Application, iManager, Password Management Framework (PMF), and some pieces of Novell Access Manager (NAM) use the Java-based Platform Agent. Because each of these services will likely run as a different user, each must be on its own system for auditing to work properly. When non-root instances are in use, additional configuration options must be applied to ensure that non-privileged ports are used for lcache operation, and that the directory structures lcache uses are ones the non-root users can access and modify.