How do I configure or customize VigilEnt Security Agent for NetWare to look for particular threats? (NETIQKB31373)

  • 7731373
  • 02-Feb-2007
  • 08-Sep-2008

Resolution

goal
How do I configure or customize VigilEnt Security Agent for NetWare to look for particular threats?

fact
VigilEnt Security Agent for Netware 1.X

fix

VigilEnt Security Agent for NetWare (VSAN) extracts critical messages from SYS:SYSTEM\SYS$LOG.ERR and SYS:SYSTEM\BOOT$LOG.ERR using a technique called "log scrubbing". The log scrubbing mechanism compares the error log with words, phrases, or regular expressions that are listed in the log scrubber configuration files. If the log scrubber finds a match, the entry from the error log appears on a VSAN report. By default, VSAN extracts all messages from the boot log and selected messages from the system log, but the logs can be checked for any key words, phrases, or expressions that an administrator wants to view.

Follow the steps below to edit the log scrubber configuration files.

  1. Using Microsoft Windows Explorer, navigate to the VSAN\NWAgent directory.

  2. If you want to edit boot messages, locate the bootlog.pol file.
    If you want to edit system messages, locate the syslog.pol file.

  3. Open one of the above configuration files in a text editor.

  4. Scroll-down to the end of the file and select the first empty line.

  5. Enter the words, phrases, or expressions for the log scrubber to match in the log, one entry per line. For example, to see every entry in the log that contains the word "error", add the word error on the first blank line at the end of the configuration file. A single word like this matches every entry containing it, so use a longer phrase or a regular expression when you want only a particular message on the report.

  6. Save the file and exit the text editor. The error log scrubber uses the edited configuration files the next time VSAN is run.

  7. After running VSAN, view the reports from the VigilEnt Security Manager console or use the following information to locate the specific report to view:

    boot messages    VSAN\Reports\nwrbootmsg.htm
    system messages  VSAN\Reports\nwrselerr.htm
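The following is an added example, not code from VSAN or NetIQ, showing the log scrubbing mechanism the steps above configure: a scrubber configuration with one word, phrase, or regular expression per line is applied to error log entries, and every entry that matches lands on the report. The .pol contents, the SYS$LOG.ERR-style log lines, and the multi-line entry layout (timestamp header followed by indented detail lines) are all constructed for this example; the regular expression dialect is Python's, and case-insensitive matching is an assumption, since the article does not state which dialect VSAN uses or whether it ignores case. A configuration line that is not a valid regular expression is kept as a literal phrase rather than dropped, so a typo in the .pol file does not silently disable a rule.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a scrubber configuration file such as syslog.pol:
# one word, phrase or regular expression per line. The default entries that
# ship with VSAN are not reproduced here.
SCRUBBER_CONFIG = """\
error
Transaction Tracking System
Lock detected on volume (SYS|VOL1)
"""

# Constructed SYS$LOG.ERR-style entries. The record layout (a timestamp
# header line, then indented detail lines) is an assumption made for this
# example, not a format statement taken from the KB article.
SAMPLE_LOG = """\
1-14-2007  9:03:17 am:    SERVER-5.0-1000
     Severity = 0 Locus = 0 Class = 0
     NetWare server started
1-14-2007  9:05:42 am:    DS-8.99-10
     Severity = 4 Locus = 17 Class = 19
     Directory Services: could not open local database, error: -723
1-14-2007  9:07:11 am:    TTS-5.0-4
     Severity = 3 Locus = 13 Class = 19
     Transaction Tracking System was disabled
1-14-2007  9:09:00 am:    SERVER-5.0-1201
     Severity = 2 Locus = 1 Class = 0
     Lock detected on volume SYS
1-14-2007  9:10:30 am:    SERVER-5.0-1202
     Severity = 2 Locus = 1 Class = 0
     Lock detected on volume DATA
"""

# A line that starts a new entry: M-D-YYYY, a time of day, then "am:"/"pm:".
ENTRY_HEADER = re.compile(
    r"^\d{1,2}-\d{1,2}-\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+[ap]m:", re.IGNORECASE
)


def load_patterns(config_text: str) -> List[Tuple[str, re.Pattern]]:
    """Compile each non-blank config line into a pattern.

    A line is first tried as a regular expression. If it does not compile
    (unbalanced bracket, stray backslash) it is kept as a literal phrase via
    re.escape, so a mistyped rule still matches its literal text instead of
    vanishing from the scrubber. Case-insensitive matching is an assumption.
    """
    patterns = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            compiled = re.compile(line, re.IGNORECASE)
        except re.error:
            compiled = re.compile(re.escape(line), re.IGNORECASE)
        patterns.append((line, compiled))
    return patterns


def split_entries(log_text: str) -> List[str]:
    """Group raw log lines into entries, one per timestamp header line."""
    entries: List[List[str]] = []
    for line in log_text.splitlines():
        if ENTRY_HEADER.match(line) or not entries:
            entries.append([line])
        else:
            entries[-1].append(line)
    return ["\n".join(block) for block in entries]


def scrub(log_text: str, config_text: str) -> List[Tuple[str, List[str]]]:
    """Return (entry, [config lines that matched]) for each matching entry.

    An entry appears once even when several rules hit it; the list of rules
    tells the reviewer which configuration line pulled it onto the report.
    """
    patterns = load_patterns(config_text)
    report = []
    for entry in split_entries(log_text):
        hits = [src for src, rx in patterns if rx.search(entry)]
        if hits:
            report.append((entry, hits))
    return report


if __name__ == "__main__":
    for entry, hits in scrub(SAMPLE_LOG, SCRUBBER_CONFIG):
        print(f"matched by {hits}:\n{entry}\n")
```

Running the block as written reports three of the five entries: the database failure (pulled in by the bare word "error"), the TTS entry (matched by the phrase), and the lock on volume SYS; the lock on volume DATA is excluded because the regular expression's alternation only lists SYS and VOL1. That is the difference between adding a bare word and adding a targeted expression in step 5.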



Additional Information

Formerly known as NETIQKB31373