Understanding and Configuring Sentinel Agent and event source plug-in for VLOG and vigil

  • 7008434
  • 22-Apr-2011
  • 27-Apr-2012

Environment

Novell Log Manager 1.1
Novell Log Manager 1.2
Novell Sentinel 6.1
Novell Sentinel RD

Situation

This document provides a basic overview of the Sentinel Agent and the related event source plug-in for VLOG and vigil, in order to better understand, configure and troubleshoot NSS Auditing for Novell Open Enterprise Server 2 using Sentinel or Sentinel Log Manager.

The procedure explained below must be completed after the NSS Audit Engine and NSS Audit Client Logger components of OES2 have been properly configured. Before going through the current document, please see also KB 7008421.

Resolution

Sentinel Agent

Novell Sentinel Log Manager can be used to collect and report on event logs from the NSS Auditing Client Logger utility. The Sentinel Agent is a general-purpose event-forwarding agent that Novell Open Enterprise Server 2 uses to deliver audit events to Sentinel.

The Sentinel Agent needs to be downloaded from the Utilities tab of the Sentinel plug-ins website at the link https://support.novell.com/products/sentinel/secure/sentinel61.html

The Sentinel Agent will be installed as a service; you may want to set the service to automatically start on boot.

Once the Sentinel Agent has been downloaded and unzipped, the following files should be available:

- Sentinel-Agent_6.1r1.pdf - Agent documentation
- SentinelMasterAgent.msi - Windows installer
- sentagentsetup_32 - Linux 32 bit installer
- sentagentsetup_64 - Linux 64 bit installer

Pick the sentagentsetup script that matches your architecture (32 or 64 bit) and execute it to complete the Sentinel Agent setup. Remember that the script either needs the execute permission set or must be executed with the command "sh".

During the installation you will first be asked for the hostname or IP address of the Sentinel server or Collector Manager (if it is not located on the SLM server) and the port number on which Sentinel's Syslog event source server is listening (1468 by default); the script will then install the following files:

- monitor script (/usr/local/sbin/sentagent)
- sentagent init script (/etc/init.d/sentagent)
- configuration properties for sentagent for additional tuning of file and cache size parameters (/usr/local/sbin/sentagent.properties)

Once the installation is finished, start the agent and enable it to start automatically on boot with the following commands (as the root user):

/etc/init.d/sentagent start

chkconfig sentagent on

Novell Open Enterprise Server Collector Pack

At this point one piece is still missing: the event source agent plug-in for the Sentinel Agent.

From the same Sentinel plug-ins website from which you downloaded the Sentinel Agent, download the Novell Open Enterprise Server Collector Pack from the Collectors tab. It contains a set of content supporting the use of this Collector, including an additional event source agent plug-in for the Sentinel Agent.

Once the Collector Pack has been downloaded, extract the event source agent plug-in from it:
  • Sentinel 6.1/6.1 RD:
    1. Import the Collector Pack into Sentinel's Solution Manager and export the vlog-v2sent script under the Event Source Setup control.
  • Sentinel Log Manager: Sentinel Log Manager does not provide direct support for Sentinel Solution/Collector Packs, so a separate Collector Pack Extractor tool must be used to extract the installation script.
    1. Download the Collector Pack Extractor and the associated documentation from the Utilities tab of the Sentinel plug-ins website.
    2. Follow the included instructions to extract the content from the Collector Pack; you should find the vlog-v2sent script in the resulting set of extracted files.
Once you have extracted the vlog-v2sent script from the Collector Pack, copy it onto the Novell Open Enterprise Server 2 system and execute it as root. The script performs several checks on the current environment to verify that the requirements (vigil, VLOG and Sentinel Agent) are satisfied, and then installs a small event source agent plug-in script (/usr/local/sbin/sentsubagent.conf) with the following content:

vlog /opt/novell/vigil/bin/vlog --v2sent -F /usr/local/sbin/vlogfilters

This will be executed by the Sentinel Agent and will invoke the VLOG utility to receive NSS audit events. It will also enable the NSS Auditing service and configure the VLOG utility with an empty filter set (/usr/local/sbin/vlogfilters).

The --v2sent option is not covered in the VLOG documentation, as it was written specifically for the Sentinel environment. Currently, the vlog "--v2sent" option is equivalent to: "-C SENTINEL -c SENTINEL_KEY -f SENT -kKSq"

For further information on the meaning of the options above please see the VLOG documentation at the link https://www.novell.com/documentation/oes2/mgmt_nss_vlog_lx/?page=/documentation/oes2/mgmt_nss_vlog_lx/data/bo299y5.html
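After working through the steps above, it is useful to confirm on the OES2 host that everything the installer and the vlog-v2sent script are supposed to leave behind is actually in place before expecting events in Sentinel. The following POSIX shell script is an added example and not part of this TID or of the Sentinel Agent or Collector Pack; it checks the files listed above, parses the plug-in line in sentsubagent.conf (name, vlog path, --v2sent, and the -F filter file), and optionally verifies that the service is enabled, the process is running and the collector's syslog port (1468 by default) is reachable. The ROOT prefix, the function names and the use of nc for the port probe are assumptions introduced here; the file paths and the plug-in line are the ones the TID documents.

```shell
#!/bin/sh
# Post-install verification for the Sentinel Agent and the vlog-v2sent plug-in.
# Added example, not part of the TID. ROOT (assumed) lets the file checks run
# against a staged copy of the tree; leave it empty on the OES2 host itself.
ROOT="${ROOT:-}"

# Return 0 if every file the agent installer and vlog-v2sent lay down exists.
check_agent_files() {
    for f in /usr/local/sbin/sentagent /etc/init.d/sentagent \
             /usr/local/sbin/sentagent.properties \
             /usr/local/sbin/sentsubagent.conf /usr/local/sbin/vlogfilters; do
        [ -e "${ROOT}$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    return 0
}

# Return 0 if sentsubagent.conf carries the plug-in line the TID describes:
# entry name "vlog", the vlog binary, --v2sent and -F pointing at an existing
# filter file. Anything else means the agent will not be pulling NSS events.
check_plugin_line() {
    conf="${ROOT}/usr/local/sbin/sentsubagent.conf"
    line=$(grep '^vlog[[:space:]]' "$conf" 2>/dev/null | head -n 1)
    [ -n "$line" ] || { echo "no vlog entry in $conf" >&2; return 1; }
    set -- $line                      # split the entry into its words
    [ "$2" = "/opt/novell/vigil/bin/vlog" ] || {
        echo "unexpected vlog path: $2" >&2; return 1; }
    case "$line" in
        *--v2sent*) ;;
        *) echo "--v2sent option missing" >&2; return 1 ;;
    esac
    filter=""
    while [ $# -gt 0 ]; do            # locate "-F <filterfile>"
        if [ "$1" = "-F" ]; then filter="$2"; break; fi
        shift
    done
    [ -n "$filter" ] || { echo "-F <filterfile> missing" >&2; return 1; }
    [ -e "${ROOT}$filter" ] || { echo "filter file $filter not found" >&2; return 1; }
    return 0
}

# Runtime checks, only meaningful on the OES2 host: service enabled at boot,
# agent process up, and the collector's syslog port reachable (1468 default).
check_runtime() {
    host="$1"; port="${2:-1468}"
    chkconfig --list sentagent 2>/dev/null | grep -q ':on' || {
        echo "sentagent is not enabled at boot (chkconfig sentagent on)" >&2; return 1; }
    pgrep -f /usr/local/sbin/sentagent >/dev/null || {
        echo "sentagent is not running (/etc/init.d/sentagent start)" >&2; return 1; }
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 3 "$host" "$port" || { echo "cannot reach $host:$port" >&2; return 1; }
    fi
    return 0
}

# Usage: sh sentcheck.sh <sentinel-or-collector-manager-host> [port]
if [ "$#" -gt 0 ]; then
    check_agent_files && check_plugin_line && check_runtime "$@" && echo "all checks passed"
fi
```

Run it as root on the OES2 system with the Sentinel or Collector Manager host you entered during the agent installation; a non-zero exit and a one-line reason on stderr point at the step of the procedure that needs to be repeated.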

Additional Information

See also TID 7008421