How to process orphaned NSS auditing files using OES Collector

  • 7008473
  • 27-Apr-2011
  • 08-Jul-2014

Environment


Novell Log Manager 1.1
Novell Log Manager 1.2
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 3
NSS Auditing Engine (vigil)
NSS Auditing Client Logger (VLOG)
OES Collector

Situation

If an orphaned NSS Auditing Client (VLOG) is not stopped properly, it keeps writing log files until they fill the Linux file system partition with auditing data. These orphaned files can be processed later using the following method.

Resolution

Detailed steps:
 
1. Use Event Source Management (ESM) to set the OES event source in question to use the Trust Event Source time option (for example: right-click the event source >>> select the General tab >>> make sure Trust Event Source time is checked).
 
 
2. Go to /var/log/audit/vlog/SENTINEL. This folder holds the current log file and the offset file.
 
   In the SENTINEL folder you should have only 2 files, which look like this:
 
-rw------- 1 root root 66000 Apr 13 16:37 SENTINEL_000000004DB7C9C3_000C46.log
-rw-r--r-- 1 root root  4368 Apr 13 16:06 vlogoffset.conf
 

 
Move the orphaned files to /var/log/audit/vlog/SENTINEL. If you look at your orphaned files, they look like this:
 
VLOG_22697-1301927936_000000004D9B7A26_00127E
VLOG_22697-1301927936_000000004D9B7A25_0769F3
 
You need to rename your "old" orphaned files to match the current naming that you see in /var/log/audit/vlog/SENTINEL.
 
VLOG_22697-1301927936_000000004D9B7A26_00127E should be changed to SENTINEL_000000004D9B7A26_00127E. That means we need to remove the VLOG_22697-1301927936 part from the file name and add the SENTINEL_ prefix to it.
 
This must be done for ALL files so they can be consumed by Sentinel. You can use a command similar to this:
 
(for example)    rename VLOG_22697-1301927936_ SENTINEL_ VLOG*.log
 
You just need to figure out the pattern, but all files should use the current log format ( SENTINEL_000000004DA61F20_0AC0D8.log ) that you see in /var/log/audit/vlog/SENTINEL.
 
3. Stop the Sentinel Agent: /etc/init.d/sentagent stop
 
4. Move vlogoffset.conf from /var/log/audit/vlog/SENTINEL to /var/log/audit/vlog/
 
5. Start the Sentinel Agent: /etc/init.d/sentagent start

6. After all orphaned files have been processed, use ESM to undo the option you set in step 1, where you enabled the Trust Event Source time option (for example: right-click the event source >>> select the General tab >>> make sure Trust Event Source time is unchecked).
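The renaming in step 2, as an added POSIX shell example that is not part of this TID and not a Novell tool. It assumes the file-name layout shown above, VLOG_<pid>-<epoch>_<16 hex>_<6 hex> with or without .log, and that the target name must end in .log like the current SENTINEL_ file; names that do not fit that layout are skipped rather than renamed.

```sh
#!/bin/sh
# Added example, not part of the TID: rename orphaned VLOG files to the
# SENTINEL_ naming the collector expects. Assumes the layout shown in the
# article, VLOG_<pid>-<epoch>_<16 hex>_<6 hex>[.log], and that the target
# must carry a .log suffix like the current SENTINEL_ file.

# Print the SENTINEL_ name for one VLOG_ file name; return 1 if the name
# does not follow the expected layout (so unknown files are never renamed).
vlog_to_sentinel_name() {
    stem=$(basename "$1")
    stem=${stem%.log}                      # accept names with or without .log
    case "$stem" in VLOG_*-*_*_*) ;; *) return 1 ;; esac
    suffix=${stem#VLOG_*_}                 # drop "VLOG_<pid>-<epoch>_"
    hi=${suffix%_*}                        # 16-hex-digit part
    lo=${suffix#*_}                        # 6-hex-digit part
    [ "${#hi}" -eq 16 ] && [ "${#lo}" -eq 6 ] || return 1
    case "$hi$lo" in *[!0-9A-Fa-f]*) return 1 ;; esac
    printf 'SENTINEL_%s_%s.log\n' "$hi" "$lo"
}

# Rename every VLOG_* file in a directory (default: the current one).
# Skips names that do not parse and never overwrites an existing SENTINEL_
# file. Set DRY_RUN=1 to only report what would be renamed. Prints the count.
rename_orphaned_vlogs() {
    dir=${1:-.}
    count=0
    for f in "$dir"/VLOG_*; do
        [ -f "$f" ] || continue
        new=$(vlog_to_sentinel_name "$f") || { echo "skip (bad name): $f" >&2; continue; }
        if [ -e "$dir/$new" ]; then
            echo "skip (target exists): $f" >&2
            continue
        fi
        if [ -n "$DRY_RUN" ]; then echo "would rename: $f -> $dir/$new" >&2
        else mv -- "$f" "$dir/$new"; fi
        count=$((count + 1))
    done
    echo "$count"
}

# Stand-alone demonstration on the two names quoted in the article
# (constructed input; nothing on disk is touched here).
for name in VLOG_22697-1301927936_000000004D9B7A26_00127E \
            VLOG_22697-1301927936_000000004D9B7A25_0769F3; do
    printf '%s -> %s\n' "$name" "$(vlog_to_sentinel_name "$name")"
done
```

Run it as `DRY_RUN=1 sh rename.sh` first and call `rename_orphaned_vlogs /var/log/audit/vlog/SENTINEL` only after the reported names match the current SENTINEL_ pattern.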