HTTP Proxy Logging to Nsure™ Audit in Novell BorderManager 3.8
Posted: 2 Mar 2005
The ability to create accurate log information is an important operational
aspect of any software. This AppNote provides an overview of Nsure Audit, an
efficient logging method used to capture the log events reported by
BorderManager. The configuration steps to make event logging effective are
detailed. The AppNote also explains how to query Nsure Audit to get and analyze
the log report. MySQL commands for querying the log report are also provided.
Introduction
The ability to create accurate log information is an important operational
aspect of any software. The Novell BorderManager HTTP Proxy maintains Common
Logs, Extended Logs, and Indexed Logs. In general, the Common Log format
provides sufficient information for analysis of outgoing proxy activity. In
certain circumstances, for instance, while using specialized log analyzers, it
may be appropriate to use the Extended Log.
With Nsure Audit, you can capture log information in a centralized manner,
based on the server-client model. Here the common and extended log information
are reported to Nsure Audit. You can later query and get the log reports.
This AppNote details the steps for configuring NBM and Nsure Audit so that
Nsure Audit can successfully capture the log information reported by NBM.
What is Nsure Audit?
Nsure Audit provides secure logging, reporting, monitoring, and notification
capabilities. Through integration with Nsure Audit, the BorderManager 3.8 HTTP
proxy supports logging of all events previously reported in the Common and
Extended log formats. It also categorizes each Web request provided by
third-party URL database products, from partners such as SurfControl* and
N2H2*.
An Additional Logging Method
Nsure Audit is an additional logging method. The legacy Common, Extended, and
Indexed Logging still exist in BorderManager 3.8. However, Nsure Audit has
several key advantages over other logging methods:
- Security - Nsure Audit events are signed and chained. This means that you
have forensically viable evidence of all HTTP proxy activity. Nsure Audit
guarantees that no log data has been deleted or modified.
- Log Data Aggregation - The Nsure Audit Secure Logging Server allows you to
collect log data from multiple BorderManager 3.8 proxy servers into one data
store. Reports may then be generated that reflect Web activity for an entire
organization, not just for one server.
- Performance - Nsure Audit is very fast and scalable. It allows you to do
comprehensive logging with minimal impact on proxy performance.
Note: For maximum performance while using Nsure Audit, you should
disable legacy proxy logging methods in NetWare® Administrator.
Nsure Audit Architecture Overview
Nsure Audit is a centralized, cross-platform logging service that can log
data from multiple applications to a centralized data store. After event data is
logged, you can run detailed reports, do custom queries, and trigger
notifications based on logged events.
Components
Nsure Audit consists of two primary components:
- Platform Agent
- Secure Logging Server
The following figure illustrates the high-level architecture of Nsure
Audit:
Figure 1: Nsure Audit High Level Architecture
In this illustration, BorderManager 3.8 is one of the applications which uses
the Platform Agent to report events to the Nsure Audit Secure Logging
Server.
Platform Agent (logevent)
The Platform Agent is the client portion of the Nsure auditing system. The
Platform Agent receives logging information and system requests from
authenticated applications and transmits the information to the Secure Logging
Server.
Figure 2: Platform Agent Architecture
If the connection between the Platform Agent and the Secure Logging Server
fails, applications continue to log events to the local Platform Agent, just as
they always do. The Platform Agent simply switches into Disconnected Cache Mode,
and the Cache Module writes all logged events to the local cache until the
connection is restored. Switching into Disconnected Cache Mode is completely
transparent to the logging applications.
The Platform Agent supports following applications:
- Novell eDirectory™ 6.0 and higher
- DirXML® 2.0
- NetMail™ 3.5 and higher
- iChain® 2.2 SP1
- BorderManager® 3.8
- NetWare® NSS File System
- NetWare Traditional File System
Platform Agent Configuration
The Platform Agent is not configured
through eDirectory. Instead, the configuration settings are stored in a simple,
text-based configuration file (logevent). This makes the Platform Agent small,
unobtrusive, and self-contained. In other words, it has no external dependencies
and therefore is always available to receive logged events. Storing the Platform
Agent configuration in a text-based file also allows the Platform Agent to
eventually run on platforms that do not have eDirectory support. The logevent
file stores the host name or IP address of the logging server, the Disconnected
Mode Cache directory, port assignments, and other related information.
Secure Logging Server
The Secure Logging Server is the server component of the Nsure auditing
system. The Secure Logging Server manages the flow of information to and from
the Nsure auditing system. It receives incoming events and requests from the
Platform Agents, logs information to the data store, monitors designated events,
and provides filtering and notification services. It can also be configured to
automatically reset critical system attributes according to a specified policy.
Figure 3: Secure Logging Server Architecture
The Secure Logging Server supports the following platforms:
- NetWare 6.5
- NetWare 6.0 SP3 or later
- NetWare 5.1 SP6 or later
- Windows 2003 Server
- Windows 2000 Server SP4 or later
- Solaris 8 and 9
- SUSE Linux Enterprise Server 8
- Red Hat Linux AS and ES 2.1
The Secure Logging Server is configured through eDirectory. The Logging
Server object contains all the configuration settings for the Secure Logging
Server. Consequently, the logging server must have access to eDirectory and the
Logging Server object before it can launch the Secure Logging Server.
The Secure Logging Server provides the following services:
- Event Management
- Logging and Notification Channels
- Logging Service
- Notification Service
Before an application can log events to Novell Nsure Audit, it must be able
to authenticate with the auditing system and be registered to report events in it.
The Secure Logging Server can log events to MySQL*, Oracle*, Java*
applications, and several other data stores, including a flat file. Nsure Audit
features a tool called Nsure Audit Report, designed to query the data store for
event data. A data store with an ODBC connector is required to use this advanced
reporting tool.
Installing Nsure Audit
Nsure Audit is packaged with NetWare 6.5 and can be installed during the
NetWare 6.5 server installation. If NetWare 6.5 is already installed, you can
return to the NetWare Install and add the Nsure Audit Starter Pack
component.
For other platforms, the Nsure Audit Starter Pack can be downloaded from http://download.novell.com/. A Quick
Start Card for each platform is provided in the download files.
Configuring Novell BorderManager 3.8 for Nsure Audit
Novell BorderManager 3.8 is not enabled for Nsure Audit by default. To enable
Nsure Audit for BorderManager 3.8, do the following:
1. Ensure that Nsure Audit is properly installed and configured as per the
Nsure Audit Quick Start Card available with the download. This includes
installing a Secure Logging Server and installing the NetWare Platform Agent on
each BorderManager 3.8 proxy server that reports events to Nsure Audit.
2. Ensure that the Platform Agents are correctly configured to communicate
with the Secure Logging Server. On each BorderManager 3.8 proxy server that
reports events to Nsure Audit, check for the file sys:\etc\logevent.cfg. In this
file, change the value of the LogHost parameter to the IP address or DNS name of
your Secure Logging Server.
Figure 4: logevent.cfg file
3. Prepare the Secure Logging Server to receive data from BorderManager 3.8. You
need do this only once, no matter how many BorderManager 3.8 proxy servers
report events to Nsure Audit. To simplify setup, a .ncf file that prepares Nsure
Audit to receive BorderManager 3.8 events is provided. This file is located at
sys:\etc\proxy\naudit\runaud.ncf on any server where BorderManager 3.8 is
installed. Open this file in a text editor and enter a valid user name and
password with Administrator rights to the Secure Logging Server. Follow the
format shown in the figure below.
Figure 5: runaud.ncf file
Setup Scenarios
a) Secure Logging Server on the same machine: If the Secure Logging
Server is set up on the same machine where the edited version of runaud.ncf
exists, go to the server system console, type sys:\etc\proxy\naudit\runaud.ncf,
and press Enter.
b) Secure Logging Server on another NetWare server: Copy
sys:\etc\proxy\naudit\runaud.ncf to the NetWare server where the Secure Logging
Server is installed and run the .ncf file from the System Console.
c) Secure Logging Server on Windows: Copy
sys:\etc\proxy\naudit\runaud.ncf to the Windows server where the Secure Logging
Server is installed. Rename the file to runaud.bat and run it.
d) Secure Logging Server on Other Platforms: See the Nsure Audit
product documentation for instructions to set up new applications on other
platforms supported by the Secure Logging Server.
4. Restart the Secure Logging Server by entering the following commands:
unload lengine
load lengine
Configuring the BorderManager Proxy Server
1. On each BorderManager 3.8 proxy server (that reports events to Nsure
Audit), add the following to the sys:\etc\proxy\proxy.cfg file, using a text
editor:
[Extra Configuration]
EnableNsureAuditLogging=1
2. Restart the BorderManager 3.8 server(s) by entering the following
commands:
stopbrd
startbrd
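A pre-flight check for the two settings the steps above require, added here as an example (it is not code from the AppNote or from Novell): it parses a logevent.cfg and a proxy.cfg and reports whether LogHost points at a usable Secure Logging Server address and whether EnableNsureAuditLogging=1 is present under [Extra Configuration]. The one-Key=Value-per-line layout assumed for logevent.cfg is an assumption, since Figure 4 is not reproduced on the page; the sample files are constructed.

```python
"""Pre-flight check for the two settings this AppNote requires: LogHost in
logevent.cfg and EnableNsureAuditLogging=1 under [Extra Configuration]."""
import configparser
import io
import ipaddress


def parse_logevent(text):
    """Parse logevent.cfg (assumed 'Key=Value' per line; '#' lines skipped)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()  # keys looked up case-insensitively
    return settings


def check_loghost(logevent_text):
    """Return (ok, message); LogHost must be set and not loopback/unspecified."""
    host = parse_logevent(logevent_text).get("loghost", "")
    if not host:
        return False, "LogHost is missing from logevent.cfg"
    try:
        addr = ipaddress.ip_address(host)
        if addr.is_loopback or addr.is_unspecified:
            return False, f"LogHost={host} cannot reach a remote Secure Logging Server"
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name (allowed by the AppNote)
    return True, f"LogHost={host}"


def check_proxy_cfg(proxy_text):
    """Return (ok, message); proxy.cfg is INI-style, section name is case-sensitive."""
    cfg = configparser.ConfigParser()
    cfg.read_file(io.StringIO(proxy_text))
    if not cfg.has_section("Extra Configuration"):
        return False, "[Extra Configuration] section is missing from proxy.cfg"
    value = cfg.get("Extra Configuration", "EnableNsureAuditLogging", fallback="0")
    if value.strip() != "1":
        return False, f"EnableNsureAuditLogging={value!r}; expected 1"
    return True, "EnableNsureAuditLogging=1"


# Constructed sample files (192.0.2.10 is a documentation address, not a real SLS).
SAMPLE_LOGEVENT = "# constructed sample\nLogHost=192.0.2.10\n"
SAMPLE_PROXY_CFG = "[Extra Configuration]\nEnableNsureAuditLogging=1\n"
```

Run check_loghost and check_proxy_cfg against the real files from each proxy server before restarting it; a LogHost left at a loopback address is reported as a failure because the Platform Agent would never reach a remote Secure Logging Server.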
Validating the Configuration
To confirm that the configuration steps are correct,
- Log in to iManager (https:///nps/imanager.html).
- In the left panel, select Roles and Tasks > Auditing and Logging >
Logging Server Options. The Logging Server Options page is displayed.
- Browse and select the appropriate SLS object and click OK. All
applications registered with Nsure Audit are listed.
- Click Log Applications.
Among the Application listed, you should see Novell BorderManager as in the
figure below:
Figure 6: NBM Registered with Nsure
If it is not listed, that means the configuration was not successful.
Possible Cause: sys:\etc\proxy\naudit\runaud.ncf may be invalid.
Solution: Make sure that the fully distinguished name (FDN) is in
dotted format, and ensure that the password is correct.
Creating the Nsure Audit Database through iManager
1. In the left panel, select Roles and Tasks > Auditing and Logging >
Query Options. The Query Options page is displayed.
2. In the Database tab, click New. The New Database page is displayed.
3. Enter all the fields for the new database.
Note: Refer to the online help. Default parameters for the database that you can
use are given in the table below:
Parameter | Value
Name | db
JDBC Class | com.mysql.jdbc.Driver (the driver name is case-sensitive)
Host | jdbc:mysql://ip_address (replace ip_address with the IP address of the server where MySQL is running)
Port | 3306
Database | naudit
Table | log
Username | auditusr
Password | auditpwd
4. Click OK. The new database is created.
Creating Queries through iManager
- In the left panel, select Roles and Tasks > Auditing and Logging >
Query Options. The Query Options page is displayed.
- Click the Query task under Nsure Audit role in the left panel.
- Select the appropriate database from the drop-down list. Note: Select the
database created using the steps in the previous section.
- Click New in the Queries section. The New Query window is displayed.
- Enter the Name and the Query SQL Statement. For the Common Log query
statement in BorderManager, use: select * from log where EventID=0x00040001. For
the Extended Log query statement, use: select * from log where EventID=0x00040002.
- Click OK to save the query.
Using Queries through iManager
- In the left panel, select Roles and Tasks > Auditing and Logging >
Query Options. The Query Options page is displayed.
- Click Query task under Nsure Audit role in the left panel. All the saved
queries are listed.
- In the Queries section, select the Query you want to run.
- Click Run Query. The audit log results of the query are displayed.
Getting an Nsure Audit Log Report using MySQL Commands
Some basic MySQL commands that can be used on the NetWare console to query the
database are given below.
1. On the NetWare console, enter the following command:
mysql -h <ipaddress> -u auditusr -p naudit
2. Enter the password when prompted. Note: By default the password is
auditpwd.
3. At the MySQL prompt, enter the following command:
use naudit;
4. To delete all previous records, enter the following command:
truncate log;
5. To view all logs, enter the following command:
select * from log;
6. To query for all common logs of NBM, enter the following command:
select * from log where EventID=0x00040001;
7. To query for all extended logs of NBM, enter the following command:
select * from log where EventID=0x00040002;
Novell BorderManager 3.8 Event Data
Before running queries or building reports that display proxy log data in a
useful manner, you should understand the nature of the data that the Novell
BorderManager 3.8 HTTP proxy reports.
Nsure Audit Event Information
For the purposes of Nsure Audit, each URL request through the BorderManager
3.8 HTTP proxy generates three events. The Nsure Audit event information for
BorderManager 3.8 is detailed in the following table.
Event ID | Description | Data Fields
00040001 | Proxy Common Log Data | IP Address, Authenticated User Name, Date, Time, Time Zone, HTTP Request, URL, HTTP Version, Status Code, and File Size
00040002 | Proxy Extended Log Data | cached, [date-time], c-ip, cs-method, and cs-uri
00040005 | 3rd Party Categorization | url, username, url-category, and vendor-ID
For descriptions of the data fields in the Common and Extended Log Data
events, see "Understanding Novell BorderManager's HTTP Proxy Logs" by Marcus
Williamson in the January, 2002, Novell AppNotes (http://developer.novell.com/research/appnotes/2002/january/02/a020102.htm).
Third-party Categorization Data
The logging syntax for Third Party categorization is unique with respect to
BorderManager 3.8 configuration for Nsure Audit. The Third Party Categorization
data fields are described below:
Data Field | Description
url | The URL of the Web content being requested
username | The name of the user requesting that URL
url-category | The categorization of the URL, based on the 3rd party categorization product being used on the proxy server that handled the request
vendor-ID | 1 - CyberPatrol* (Note: This is not officially supported on BorderManager 3.8.); 3 - SurfControl Content Database; 4 - N2H2 Category Server; 7 - Connectotel LinkWALL*
The IP address of the BorderManager 3.8 proxy server that reported the event
is also included in each event record.
Other Nsure Audit Capabilities
For information on how to use Nsure Audit to create reports, generate alerts,
monitor Internet activity in real time, or output data to various formats for
processing by other applications, refer to the Nsure Audit product documentation
at: http://www.novell.com/documentation/nsureaudit/index.html.
Conclusion
As can be seen from this AppNote, Novell BorderManager provides a variety of
options for logging the use of the HTTP Proxy component and is capable of
registering its Platform Agent with the Nsure Audit server and reporting the log
information to it. Further, by querying Nsure Audit, user-friendly log reports
of common and extended log information can be obtained for analysis.