HTTP Proxy Logging to Nsure™ Audit in Novell BorderManager 3.8

Posted: 2 Mar 2005

HTTP Proxy Logging to Nsure™ Audit in Novell BorderManager® 3.8

The ability to create accurate log information is an important operational aspect of any software. This AppNote provides an overview of Nsure Audit, an efficient logging method used to capture the log events reported by BorderManager. The configuration steps to make event logging effective are detailed. The AppNote also explains how to query Nsure Audit to get and analyze the log report. Also provided is the MySQL commands to query log report.


The ability to create accurate log information is an important operational aspect of any software. The Novell BorderManager HTTP Proxy maintains Common Logs, Extended Logs, and Indexed Logs. In general, the Common Log format provides sufficient information for analysis of outgoing proxy activity. In certain circumstances, for instance, while using specialized log analyzers, it may be appropriate to use the Extended Log.

With Nsure Audit, you can capture log information in a centralized manner, based on the server-client model. Here the common and extended log information are reported to Nsure Audit. You can later query and get the log reports.

This appnote provides the detailed information regarding the steps to be followed to configure NBM and Nsure Audit so that Nsure Audit can successfully capture the log information reported by NBM.

What is Nsure Audit?

Nsure Audit provides secure logging, reporting, monitoring, and notification capabilities. Through integration with Nsure Audit, the BorderManager 3.8 HTTP proxy supports logging of all events previously reported in the Common and Extended log formats. It also categorizes each Web request provided by third-party URL database products, from partners such as SurfControl* and N2H2*.

An Additional Logging Method

Nsure Audit is an additional logging method. The legacy Common, Extended and Indexed Logging still exist in BorderManager 3.8. However, Nsure Audit has several key advantages over other logging methods:
  1. Security - Nsure Audit events are signed and chained. This means that you have forensically viable evidence of all HTTP proxy activity. Nsure Audit guarantees that no log data has been deleted or modified.
  2. Log Data Aggregation - The Nsure Audit Secure Logging Server allows you to collect log data from multiple BorderManager 3.8 proxy servers into one data store. Reports may then be generated that reflect Web activity for an entire organization, not just for one server.
  3. Performance - Nsure Audit is very fast and scalable. It allows you to do comprehensive logging with minimal impact on proxy performance.

Note: For maximum performance while using Nsure Audit, you should disable legacy proxy logging methods in NetWare® Administrator.

Nsure Audit Architecture Overview

Nsure Audit is a centralized, cross-platform logging service that can log data from multiple applications to a centralized data store. After event data is logged, you can run detailed reports, do custom queries, and trigger notifications based on logged events.


Nsure Audit consists of two primary components:

  • Platform Agent
  • Secure Logging Server

The following figure illustrates the high-level architecture of Nsure Audit:

Figure 1: Nsure Audit High Level Architecture

In this illustration, BorderManager 3.8 is one of the applications which uses the Platform Agent to report events to the Nsure Audit Secure Logging Server.

Platform Agent (logevent)

The Platform Agent is the client portion of the Nsure auditing system. The Platform Agent receives logging information and system requests from authenticated applications and transmits the information to the Secure Logging Server.

Figure 2: Platform Agent Architecture

If the connection between the Platform Agent and the Secure Logging Server fails, applications continue to log events to the local Platform Agent, just as they always do. The Platform Agent simply switches into Disconnected Cache Mode, and the Cache Module writes all logged events to the local cache until the connection is restored. Switching into Disconnected Cache Mode is completely transparent to the logging applications.

The Platform Agent supports following applications:

  • Novell eDirectoryTM 6.0 and higher
  • DirXML® 2.0
  • NetMailTM 3.5 and higher
  • iChain® 2.2 SP1
  • BorderManager® 3.8
  • NetWare® NSS File System
  • NetWare Traditional File System

Platform Agent Configuration

The Platform Agent is not configured through eDirectory. Instead, the configuration settings are stored in a simple, text-based configuration file (logevent). This makes the Platform Agent small, unobtrusive, and self-contained. In other words, it has no external dependencies and therefore is always available to receive logged events. Storing the Platform Agent configuration in a text-based file also allows the Platform Agent to eventually run on platforms that do not have eDirectory support. The logevent file stores the host name or IP address of the logging server, the Disconnected Mode Cache directory, port assignments, and other related information.

Secure Logging Server

The Secure Logging Server is the server component of the Nsure auditing system. The Secure Logging Server manages the flow of information to and from the Nsure auditing system. It receives incoming events and requests from the Platform Agents, logs information to the data store, monitors designated events, and provides filtering and notification services. It can also be configured to automatically reset critical system attributes according to a specified policy.

Figure 3: Secure Logging Server Architecture

The Secure Logging Server supports the following platforms:
  • NetWare 6.5
  • NetWare 6.0 SP3 or later
  • NetWare 5.1 SP6 or later
  • Windows 2003 Server
  • Windows 2000 Server SP4 or later
  • Solaris 8 and 9
  • SUSE Linux Enterprise Server 8
  • Red Hat Linux AS and ES 2.1

The Secure Logging Server is configured through eDirectory. The Logging Server object contains all the configuration settings for the Secure Logging Server. Consequently, the logging server must have access to eDirectory and the Logging Server object before it can launch the Secure Logging Server.

The Secure Logging Server provides the following services:

  • Event Management
  • Logging and Notification Channels
  • Logging Service
  • Notification Service

Before an application can log events to Novell Nsure Audit, it must be able to authenticate with the system and report events in the auditing system.

The Secure Logging Server can log events to MySQL*, Oracle*, Java* applications, and several other data stores, including a flat file. Nsure Audit features a tool called Nsure Audit Report, designed to query the data store for event data. A data store with an ODBC connector is required to use this advanced reporting tool.

Installing Nsure Audit

Nsure Audit is packaged with NetWare 6.5 and can be installed during the NetWare 6.5 server installation. If NetWare 6.5 is already installed, you can return to the NetWare Install and add the Nsure Audit Starter Pack component.

For other platforms, the Nsure Audit Starter Pack can be downloaded from A Quick Start Card for each platform is provided in the download files.

Configuring Novell BorderManager 3.8 for Nsure Audit

Novell BorderManager 3.8 is not enabled for Nsure Audit by default. To enable Nsure Audit for BorderManager 3.8, do the following:

1. Ensure that Nsure Audit is properly installed and configured as per the Nsure Audit Quick Start Card available with the download. This includes installing a Secure Logging Server and installing the NetWare Platform Agent on each BorderManager 3.8 proxy server that reports events to Nsure Audit.

2. Ensure that the Platform Agents are correctly configured to communicate with the Secure Logging Server. On each BorderManager 3.8 proxy server that reports events to Nsure Audit, check for the file sys:etclogevent.cfg. In this file, change the value of the LogHost parameter to the IP address or DNS name of your Secure Logging Server.

Figure 4: logevent.cfg file

Prepare the Secure Logging Server to receive data from BorderManager 3.8. You need do this only once, no matter how many BorderManager 3.8 proxy servers report events to Nsure Audit. To simplify setup, a .ncf file that prepares Nsure Audit to receive BorderManager 3.8 events is provided. This file is located at sys:etcproxy audit unaud.ncf on any server where BorderManager 3.8 is installed. Open this file in a text editor and enter a valid user name and password with Administrator rights to the Secure Logging Server. Follow the format shown in the figure below.

Figure 5: runaud.ncf file

Setup Scenarios

a) Secure Logging Server on the same machine: If the Secure Logging Server is set up on the same machine where the edited version of runaud.ncf exists, go to the server system console, type sys:etcproxy audit unaud.ncf, and press Enter.

b) Secure Logging Server on Another NetWare server: Copy sys:etcproxy audit unaud.ncf to the NetWare server where the Secure Logging Server is installed and run the .ncf file from the System Console.

c) Secure Logging Server on Windows: Copy sys:etcproxy audit unaud.ncf to the Windows server where the Secure Logging Server is installed. Rename the file to runaud.bat and run it.

d) Secure Logging Server on Other Platforms: See the Nsure Audit product documentation for instructions to set up new applications on other platforms supported by the Secure Logging Server.

4. Restart the Secure Logging Server by entering the following commands:

unload lengine
load lengine

Configuring the BorderManager Proxy Server

1. On each BorderManager 3.8 proxy server (that reports events to Nsure Audit), add the following in the sys:etcproxyproxy.cfg file, using a text editor:

[Extra Configuration]

2. Restart the BorderManager 3.8 server(s) by entering the following commands:


Validating the Configuration

To confirm that the configuration steps are correct,

  1. Log in to iManager (https:///nps/imanager.html).
  2. In the left panel, select Roles and Tasks > Auditing and Logging > Logging Server Options. The Logging Server Options page is displayed.
  3. Browse and select the appropriate SLS object and click OK. All applications registered with Nsure Audit are listed.
  4. Click the Log Applications.

Among the Application listed, you should see Novell BorderManager as in the figure below:

Figure 6: NBM Registered with Nsure

If it is not listed, that means the configuration was not successful.

Possible Cause: sys:etcproxyNaudit unaud.ncf may be invalid.

Solution: Make sure that the fully distinguished name (fdn) is in dotted format, and ensure that the password is correct.

Creating Nsure Aduit Data Base through iManager

1. In the left panel, select Roles and Tasks > Auditing and Logging > Query Options. The Query Options page is displayed.

2. In the Database tab, click New. The New Database page is displayed.

3. Enter all the fields of the new data base.

Note: Refer the online help. Default parameters of the DataBase that you can use are given in the table below:

Parameter Value
Name db
JDBC Class com.mysql.jdbc.Driver (the driver name is case-sensitive)
Host jdbc:mysql://ip_address (replace the ip_address by the server ip_address where mysql is running)
Port 3306
Database naudit
Table log
Username auditusr
Password auditpwd

4. Click OK. The new database is created.

Creating Queries through iManager

  1. In the left panel, select Roles and Tasks > Auditing and Logging > Query Options. The Query Options page is displayed.
  2. Click the Query task under Nsure Audit role in the left panel.
  3. Select the appropriate database from the drop-down list. Note: Select the data base created using the steps in the previous section.
  4. Click New in the Queries section. The New Query window is displayed.
  5. Enter the Name and the Query SQL Statement. For the Common Log query statement in BorderManager, select * from log, where EventID=0x00040001. For the Extended Log query statement, select * from log, where EventID=0x00040002.
  6. Click OK to save the query.

Using Queries through iManager

  1. In the left panel, select Roles and Tasks > Auditing and Logging > Query Options. The Query Options page is displayed.
  2. Click Query task under Nsure Audit role in the left panel. All the saved queries are listed.
  3. In the Queries section, select the Query you want to run.
  4. Click Run Query. The audit log results of the query are displayed.

Getting an Nsure Audit Log Report using MySQL Commands

Some basic MySQL commands that can be used on Netware console to query the data base are given below.

1. On the Netware console enter the following command:

mysql -h <ipaddress> -u auditusr -p naudit

2. Enter the password when prompted. Note: By default the password is auditpwd.

3. On MySQL prompt, enter the following command:

use naudit;

4. To delete all previous records, enter the following command:

truncate log;

5. To view all logs, enter the following command:

select * from log; 

6. To query for all common logs of NBM, enter the following command:

select * from log where EventID=0x00040001;

7. To query for all extended logs of NBM, enter the following command:

select * from log where EventID=0x00040002;

Novell BorderManager 3.8 Event Data

Before running queries or building reports that display proxy log data in a useful manner, you should understand the nature of the data that the Novell BorderManager 3.8 HTTP proxy reports.

Nsure Audit Event Information

For the purposes of Nsure Audit, each URL request through the BorderManager 3.8 HTTP proxy generates three events. The Nsure Audit event information for BorderManager 3.8 is detailed in the following table.

Event ID Description Data Fields
00040001 Proxy Common Log Data IP Address, Authenticated User Name, Date, Time, Time Zone, HTTP Request, URL, HTTP Version, Status Code, and File Size
00040002 Proxy Extended Log Data cached, [date-time], c-ip, cs-method, and cs-uri
00040005 3rd Party Categorization url, username, url-category, and vendor-ID

For descriptions of the data fields in the Common and Extended Log Data events, see "Understanding Novell BorderManager's HTTP Proxy Logs" by Marcus Williamson in the January, 2002, Novell AppNotes (

Third-party Categorization Data

The logging syntax for Third Party categorization is unique with respect to BorderManager 3.8 configuration for Nsure Audit. The Third Party Categorization data fields are described below:

Data Field Description
url The URL of the Web content being requested
username The name of the user requesting that URL
url-category The categorization of the URL, based on the 3rd party categorization product being used on the proxy server that handled the request
vendor-ID 1 - CyberPatrol* (Note: This is not officially supported on BorderManager 3.8.)
3 - SurfControl Content Database
4 - N2H2 Category Server
7 - Connectotel LinkWALL*

The IP address of the BorderManager 3.8 proxy server that reported the event is also included in each event record.

Other Nsure Audit Capabilities

For information on how to use Nsure Audit to create reports, generate alerts, monitor Internet activity in real time, or output data to various formats for processing by other applications, refer to the Nsure Audit product documentation at:


As can be seen from this AppNote, Novell BorderManager provides a variety of options for logging the use of the HTTP Proxy component and is capable of registering its platform agent to the Nsure Audit Server and report the log information to it. Further, by querying Nsure audit, user-friendly log reports of common and extended log information can be obtained for analysis.

Informacja z serwisu