Environment
Novell Log Manager 1.1
Novell Log Manager 1.2
Novell Sentinel 6.1
Novell Sentinel RD
Situation
This document provides a basic overview of the Sentinel Agent and the related event source plug-in for VLOG and vigil, in order to better understand, configure and troubleshoot NSS Auditing for Novell Open Enterprise Server 2 using Sentinel or Sentinel Log Manager.
The procedure explained below must be completed after the NSS Audit Engine and NSS Audit Client Logger components of OES2 have been properly configured. Before going through this document, please also see KB 7008421.
Resolution
Sentinel Agent
Novell Sentinel Log Manager can be used to collect and report on event logs from the NSS Auditing Client Logger utility. Sentinel Agent is a general-purpose event-forwarding agent that Novell Open Enterprise Server 2 uses to deliver audit events to Sentinel.
The Sentinel Agent must be downloaded from the Utilities tab of the Sentinel plug-ins website at the link https://support.novell.com/products/sentinel/secure/sentinel61.html
The Sentinel Agent is installed as a service; you will normally want to set the service to start automatically on boot.
Once the Sentinel Agent has been downloaded and unzipped, the following files should be available:
- Sentinel-Agent_6.1r1.pdf - Agent documentation
- SentinelMasterAgent.msi - Windows installer
- sentagentsetup_32 - Linux 32 bit installer
- sentagentsetup_64 - Linux 64 bit installer
Pick the sentagentsetup script that matches your architecture (32 or 64 bit) and execute it to complete the Sentinel Agent setup. The script must either have the execute permission set or be run with the command "sh".
During the installation you will first be asked for the hostname or IP address of the Sentinel Server or Collector Manager (if it is not located on the SLM server) and the port number on which Sentinel's Syslog event source server is listening (1468 by default). The script then installs the following files:
- monitor script (/usr/local/sbin/sentagent)
- sentagent init script (/etc/init.d/sentagent)
- configuration properties for sentagent for additional tuning of file and cache size parameters (/usr/local/sbin/sentagent.properties)
Once the installation is finished, start the agent and enable it to start automatically on boot with the following commands (as the root user):
/etc/init.d/sentagent start
chkconfig sentagent on
Novell Open Enterprise Server Collector Pack
At this point one piece is still missing: the event source agent plug-in for the Sentinel Agent.
From the same Sentinel plug-ins website from which you downloaded the Sentinel Agent, download the Novell Open Enterprise Server Collector Pack from the Collectors tab. It contains a set of content to support the use of this Collector, including an additional event source agent plug-in for the Sentinel Agent.
Once the Collector Pack is downloaded, extract the event source agent plug-in from it:
- Sentinel 6.1/6.1 RD: Import the Collector Pack into Sentinel's Solution Manager and export the vlog-v2sent script under the Event Source Setup control.
- Sentinel Log Manager: Sentinel Log Manager does not provide direct support for Sentinel Solution/Collector Packs, so a separate Collector Pack Extractor tool must be used to extract the installation script.
  - Download the Collector Pack Extractor and associated documentation from the Utilities tab of the Sentinel plug-ins website.
  - Follow the included instructions to extract content from the Collector Pack; you should find the vlog-v2sent script in the resulting set of extracted files.
vlog /opt/novell/vigil/bin/vlog --v2sent -F /usr/local/sbin/vlogfilters
This is executed by the Sentinel Agent and invokes the VLOG utility to receive NSS audit events. It also enables the NSS Auditing service and configures the VLOG utility with an empty filter set (/usr/local/sbin/vlogfilters).
The --v2sent option is not covered in the VLOG documentation, as it was written specifically for Sentinel environments. Currently, the vlog "--v2sent" option is equivalent to: "-C SENTINEL -c SENTINEL_KEY -f SENT -kKSq"
For further information on the meaning of the options above please see the VLOG documentation at the link https://www.novell.com/documentation/oes2/mgmt_nss_vlog_lx/?page=/documentation/oes2/mgmt_nss_vlog_lx/data/bo299y5.html
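The steps above leave three things that must all be true before NSS audit events show up in Sentinel: the agent files exist and the service is enabled, the plug-in's monitor line points at a filter file that is present and still empty, and the OES2 host can actually reach the Sentinel Syslog event source port. The script below is an added example for checking that chain from the OES2 side; it is not part of this TID or of the Sentinel Agent package. The file name check_nss_audit_forwarding.sh, the nc/bash fallback for the TCP test and the SENTINEL_HOST argument are assumptions; the paths, the monitor line and the default port 1468 are the ones given above.

```shell
#!/bin/sh
# check_nss_audit_forwarding.sh (hypothetical name) - read-only post-install
# check for the NSS audit -> Sentinel Agent -> Sentinel chain. Added example,
# not Novell's code. Paths and port come from the TID; the Sentinel host is
# passed on the command line.

AGENT_BIN=/usr/local/sbin/sentagent
AGENT_PROPS=/usr/local/sbin/sentagent.properties
AGENT_INIT=/etc/init.d/sentagent
VLOG_BIN=/opt/novell/vigil/bin/vlog
# Monitor line the OES Collector Pack plug-in hands to the Sentinel Agent.
MONITOR_LINE="vlog /opt/novell/vigil/bin/vlog --v2sent -F /usr/local/sbin/vlogfilters"

# check_agent_files BIN PROPS INIT: 0 if the three files the installer drops
# are present and the monitor script and init script are executable.
check_agent_files() {
    [ -x "$1" ] && [ -f "$2" ] && [ -x "$3" ]
}

# parse_filter_path LINE: print the argument that follows -F in a vlog
# monitor line; status 1 (and no output) if there is no -F option.
parse_filter_path() {
    set -- $1                      # word-split the line into $1, $2, ...
    while [ $# -gt 0 ]; do
        if [ "$1" = "-F" ] && [ -n "${2:-}" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# check_filter_file FILE: the plug-in is supposed to leave an empty filter
# set. 0 = present and empty, 1 = missing, 2 = present but not empty (someone
# added filters; events may be dropped before they ever reach the agent).
check_filter_file() {
    [ -f "$1" ] || return 1
    [ -s "$1" ] && return 2
    return 0
}

# check_boot_enabled: chkconfig lists the runlevels sentagent starts in.
check_boot_enabled() {
    chkconfig --list sentagent 2>/dev/null | grep -q ':on'
}

# check_agent_running: the init script's status target (0 when running).
check_agent_running() {
    "$AGENT_INIT" status >/dev/null 2>&1
}

# check_sentinel_port HOST PORT: TCP reachability of the Syslog event source.
# Uses nc when installed, otherwise bash's /dev/tcp (assumption: one exists).
check_sentinel_port() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$1" "$2" >/dev/null 2>&1
    else
        bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
    fi
}

# main SENTINEL_HOST [PORT]: run every check and print one line per result.
main() {
    host=$1; port=${2:-1468}; rc=0
    say() { if [ "$1" -eq 0 ]; then echo "ok    $2"; else echo "FAIL  $2"; rc=1; fi; }
    check_agent_files "$AGENT_BIN" "$AGENT_PROPS" "$AGENT_INIT"; say $? "sentagent files installed"
    [ -x "$VLOG_BIN" ]; say $? "vlog binary present at $VLOG_BIN"
    filters=$(parse_filter_path "$MONITOR_LINE"); say $? "monitor line carries a -F filter file"
    check_filter_file "$filters"; st=$?
    case $st in
        0) say 0 "filter set $filters present and empty" ;;
        2) say 1 "filter set $filters is NOT empty (filters will be applied)" ;;
        *) say 1 "filter set $filters missing (plug-in not installed?)" ;;
    esac
    check_boot_enabled; say $? "sentagent enabled at boot (chkconfig)"
    check_agent_running; say $? "sentagent service running"
    check_sentinel_port "$host" "$port"; say $? "TCP $host:$port (Sentinel Syslog event source) reachable"
    return $rc
}

# Only run the checks when a Sentinel host is given; sourcing the file just
# defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it on the OES2 host as root (the status target and chkconfig need it), e.g. sh check_nss_audit_forwarding.sh sentinel.example.com, or with a second argument if the Syslog event source was moved off port 1468. A FAIL on the last line with everything else ok usually means a firewall between the OES2 host and the Collector Manager, not a problem with the agent.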
Additional Information
See also TID 7008421