NSS and Syslog information

Hi All,
Long time user of Netware and audit for Netware here. We are moving to OES 2SP2 Linux and I am evaluating Sentinel Logmanager as an upgrade to the Audit starter pack. What I would like is the same functionality in NetWare in Linux, what seems to be there now is a lot of logging but not a whole lot of useful information.
Now part of this is the Sentinel Logmanager itself but part also seems to be the vigil interaction with the Logmanager/syslog server.
What I am finding is that NSS/vigil reports a whole lot of information for every file transaction, viewing a raw data feed for one file event there are something like 4-6 vigil log entries. What it looks like is happening is everything NSS does for verification is being reported to Vigil, including background processes that probably should not be. For instance, I created a directory as a test and it generated nss logs for opening and closing and creating a tmp file in the directory then deleting it, I assume many of these are NSS procedures to ensure the directory was in fact created and that a file was able to be saved in it. For logging though what needs to be known is that a directory was created and who created it, so it seems to be way too much information.
The second issue I am seeing is that most of the packets being sent by Vigil are coming with an initiate user as root. I was able to find some packets in the raw data tap that mention the username but all other log entries that are in relation to that event reference root. Now I figure this is accurate if a lot of these entries are really lower level system verifications (which as I mention above should not show up) but it would be helpful to extend (if you do not have a pre-existing field) the schema of the log packets to include the original event and the originating user of that event.
Right now in log manager I see a ton of events and not one NSS event referencing a username or IP address, so I can tell you when a file was modified, opened, deleted etc., etc., etc., but I cannot tell you by who or by what address. Now part of this is logmanager, obviously if I am receiving some packets with the username in the event from the raw data tap the vigil is sending but log manager is not retaining it, but the other side is that for every single event I am receiving 4-6 event packets and not one of those packets reference the initiating IP address or username, only one packet for every event is referencing a username and IP address.
Is there a roadmap to address this?
Thanks

What I am finding is that NSS/vigil reports a whole lot of information for every file transaction, viewing a raw data feed for one file event there are something like 4-6 vigil log entries. What it looks like is happening is everything NSS does for verification is being reported to Vigil, including background processes that probably should not be. For instance, I created a directory as a test and it generated nss logs for opening and closing and creating a tmp file in the directory then deleting it, I assume many of these are NSS procedures to ensure the directory was in fact created and that a file was able to be saved in it. For logging though what needs to be known is that a directory was created and who created it, so it seems to be way too much information.
[DGC] From your discussion it sounds like the old Netware auditing did a better job of reporting only what is actually relevant.
To some extent, this is working as designed - we get raw records from Vigil, convert them to Sentinel events, and send them. On the other hand, we understand that ultimately you want to be able to ask the simple questions like "which directories were created by Joe?", and get a useful answer.
The Vigil auditing piece is brand new, so we're still getting a handle on the exact information that is produced and how it maps to actual user behavior. Internally, NSS is a complex beast that does shared filehandles and all sorts of fun stuff, so it's quite difficult to do this exactly right the first time. What we need is feedback like yours so that we can go in and refine how we process the inbound events.
The second issue I am seeing is that most of the packets being sent by Vigil are coming with an initiate user as root. I was able to find some packets in the raw data tap that mention the username but all other log entries that are in relation to that event reference root. Now I figure this is accurate if a lot of these entries are really lower level system verifications (which as I mention above should not show up) but it would be helpful to extend (if you do not have a pre-existing field) the schema of the log packets to include the original event and the originating user of that event.
[DGC] This problem has several root causes, but fundamentally the issue is that NSS itself rarely does anything as a user other than root/SUPERVISOR. It's the client (NCP/CIFS/AFP) that "knows" who the real end user is. There were also some bugs in the Vigil framework that prevented this information from passing through.
Some time in the next few months the OES team will be releasing some patches and a new version of the Vigil client that will address several of these issues. At the same time we'll be updating the Collector to do pretty much what you describe. Likely the solution won't be perfect quite yet, as there's still a lot to learn, but we should be a lot closer to the solution you're looking for. If you still see significant issues, simply file SRs with NTS and we will take care of them.
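
An added illustration of the correlation discussed in this thread, not code from the Sentinel Collector or from either poster: it folds the several records one file action produces into a single event and takes the user and IP address from the one record that carries them. The record fields, the two-second window and the sample paths are assumptions constructed for this example; the thread does not show Vigil's actual schema.

```python
"""Fold a burst of per-file audit records into one attributed event."""
from dataclasses import dataclass
from typing import List, Optional

WINDOW = 2.0  # assumed: max gap in seconds between records of one user action
PRIORITY = ["create", "delete", "modify", "open", "close"]  # most telling first


@dataclass
class Record:  # hypothetical normalized record, not Vigil's actual schema
    ts: float
    op: str
    path: str
    user: str
    ip: Optional[str] = None


@dataclass
class Event:
    ts: float
    op: str
    path: str
    user: Optional[str]  # None = no record in the burst named a real user
    ip: Optional[str]
    raw_count: int


def _target(burst: List[Record]) -> str:
    """Outermost object touched in the burst (shortest path)."""
    return min((r.path for r in burst), key=len)


def _related(a: str, b: str) -> bool:
    """True when the paths are equal or one is an ancestor of the other."""
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")


def _rank(op: str) -> int:
    return PRIORITY.index(op) if op in PRIORITY else len(PRIORITY)


def _summarize(burst: List[Record]) -> Event:
    target = _target(burst)
    op = min((r.op for r in burst if r.path == target), key=_rank)
    # Identity comes from whichever record names a non-root user, if any.
    who = next((r for r in burst if r.user != "root"), None)
    return Event(burst[0].ts, op, target, who.user if who else None,
                 who.ip if who else None, len(burst))


def correlate(records: List[Record]) -> List[Event]:
    bursts: List[List[Record]] = []
    for rec in sorted(records, key=lambda r: r.ts):
        for burst in reversed(bursts):  # newest open burst first
            if (rec.ts - burst[-1].ts <= WINDOW
                    and _related(rec.path, _target(burst))):
                burst.append(rec)
                break
        else:
            bursts.append([rec])
    return [_summarize(b) for b in bursts]


# Constructed sample: one directory creation plus interleaved unattributed I/O.
D = "/media/nss/DATA"
SAMPLE = [
    Record(100.00, "create", D + "/test", "root"),
    Record(100.01, "open", D + "/test", "joe", "192.0.2.10"),
    Record(100.02, "create", D + "/test/tmp0001", "root"),
    Record(100.03, "close", D + "/test/tmp0001", "root"),
    Record(100.03, "open", D + "/report.doc", "root"),
    Record(100.04, "delete", D + "/test/tmp0001", "root"),
    Record(100.05, "close", D + "/test", "root"),
    Record(100.06, "close", D + "/report.doc", "root"),
]

if __name__ == "__main__":
    for ev in correlate(SAMPLE):
        print(ev)
```

A burst in which no record names a non-root user comes out with `user=None`, so it can be reported as unattributed instead of being logged as an action by root.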

Similar Messages

  • NSS and DRBD

    Hi,
    I have customer with a limited budget, but wanting to use OES and NSS in a cluster. I've used DRBD quite a lot before and have always been very happy with it, so I'd like to combine it with NSS (and possibly other Novell services).
    Has anyone ever installed NSS on top of DRBD and Heartbeat?
    In the past I clustered NSS volumes with NCS and remember that shared storage was absolutely needed. Can NSS be clustered with Heartbeat? Can an NSS volume be swapped in between servers by stopping and starting an init.d-script (as is required for Heartbeat)?
    Thank you,
    Bart

    Originally Posted by brunold
    Bart,
    a few things on this ....
    We have a bunch of xen server running where we mirror the xen guests with drbd and control them with heartbeat.
    The problem with nss and heartbeat might be that nss cannot be stopped. The runlevel script supports just the start option and I'm not aware that the nss system supports 'hotplug' for whole disks. Hotplug in case the heartbeat will deactivate the mirror and activate it on the second node. I guess there might be some risk of data loss ....
    Another idea for you could be not to use nss volumes, but to simply use reiser or ext3 filesystems and provide them to the clients via a ncp volume. So you can use drbd to mirror the devices, heartbeat mount / dismount the filesystems and then you would need to create the ncp share.
    Please see "man ncpcon" - section Managing NCP Volumes for more information.
    Rainer
    nss supports activation and deactivation of pools - this can be used "turn off" nss on the shared disk.
    try nss /poolact=POOL1 and nss /pooldeact=POOL1 commands

  • Updated to firefox 4.0. since then my computer is very slow accessing the internet, websites and getting information from within a website.

    Over a week ago I updated my computer to Firefox 4.0. Since then my computer is very slow accessing the internet, websites and getting information from within a website. Also, a tool bar has shown up for YAHOO which I did not request. The old detailed tool bar for Firefox has disappeared. All that now shows for Firefox is the area to enter website urls and an area to enter topic for a Google Search.
    Many times I have to exit Firefox and re-enter it later to access the internet.
    Please advise what I need to do to get back to the speed I had with the older version of Firefox.
    Thank You,
    Dennis


  • I am trying to open PDF files from safari, but when I click on them they open in a separate window and the information is encrypted. Any ideas on how to get them to open them in Adobe? Any help please!

    I am trying to open PDF files from safari, but when I click on them they open in a separate window and the information is encrypted. Any ideas on how to get them to open them in Adobe? Any help please!

    The pdf is loading as html code. If you save it, it will download as :
    605124.pdf.html
    Change the extension to .pdf
    And it opens and works perfectly, I just tested it:
    Use this link to download it automatically:
    http://saladeaula.estacio.br/arquivo.asp?dir=00/1020624/605124.pdf&num_seq=59828 4

  • How to get Apple ID and password that is different to iTunes store account which I have already activated and completed contracts, tax information and bank information I want to create a Paid Books Account use apple ID

    I was given this address from the Apple customer support team.
    I have an active existing iTunes store account and use the same Apple ID for signing into my iTunes Connect Account that distributes Apps.
    I have created some books using the iBook author and in order to distribute content on the iBookstore I have been told electronically that I need a new Apple ID and password that is different to iTunes store account which I have already activated and completed contracts, tax information and bank information valid until 2013?
    I want to create a Paid Books Account using the same email address, tax information and bank information. This has been most frustrating, as I cannot get passed the sign in section and there is no contact person I can speak to. I was of the understanding the iTunes connect account and the Developer programs which I paid good money for is all what I needed to be paid for selling iBooks on the iBookstore???
    I only have one email address and wish to also use it for the Paid Books Account. I have books ready to be exported and published.
    I am also having trouble locating and downloading iTunes Producer. I understand I need to have the Paid Books Account active to access the iTunes Producer program. Please help.
    See additional information below:
    What device did you use to connect to the store?  Mac computer
    Which operating system is installed?  Mac OS X v10.7.x
    What version of iTunes is installed on your computer?  iTunes 10.6
    Choose the iTunes Store or App Store for your country:  Other
    Please select your country:  Australia

    Hi Lrwill,
    If the apps that are on your son's iPad were purchased under his Dad's Apple ID, then signing your Apple ID onto the iPad will not help you with updating those apps.
    Also, if the iPad was sync'd with his Dad's iTunes library, then hooking it up to your computer/iTunes library, will require you to reset the iPad, and everything that was loaded under the other Library and Apple ID will be wiped out.
    Can you provide a little more info about what was set up under which Apple ID and what iTunes library the iPad was sync'd with?
    Cheers,
    GB

  • I received an email this am telling me I was charged for a purchase I made of .99 this am.  I did not purchase anything. I contacted PayPal and was informed it was for a recurring monthly .99 fee..I don't know what that is and don't want it. What is it?

    I received an email this am telling me I was charged for a purchase I made of .99 this am.  I did not purchase anything. I contacted PayPal and was informed it was for a recurring monthly .99 fee..I don't know what that is and don't want it. What is it?  PayPal cancelled any further payments for this. I was informed I needed to request refund from iTunes. I did that. Why was I charged a .99 recurring fee? I purchased, or thought I did, an app called "Appzilla2" on Jan 10 for .99 cents.  Does this mean I must pay .99/monthly to use it?  If so, please cancel the appzilla.

    We are itunes users just like you.  We cannot cancel anything.
    Look at your purchase history and see what the charge is for.  Contact itunes support if need be.

  • HT2731 my wife and I share an iTunes account. we both have our own iphone and ipad. how do i share my contacts and calendar information between my iphone and ipad but not on her devices

    my wife and I share an iTunes account. we both have our own iphone and ipad. how do i share my contacts and calendar information between my iphone and ipad but not on her devices

    Have her get her own Apple ID and then set up Family Sharing: Start or join a family group using Family Sharing - Apple Support

  • Is there a way to place an encrypted document on the iPhone, a document that contains passwords and private information, really well protected from hackers?

    Is there a way to place an encrypted document on the iPhone, a document that contains passwords and private information, really well protected from hackers?
    Can such a document be exempted from the cloud feature, a feature that I use for the rest of my stuff?
    If so, how can I do this?

    Yeah, but 1Password charges for both the iPhone client AND the Mac/Windows client, and it ain't cheap! Plus, it only syncs via Dropbox, and where I work Dropbox is banned due to security concerns.
    Sure, there is Secure Notes, a free form entry part of 1Password, but a bug in the program will not let you view all the text you can put in the field!! You have to EDIT the text to see the whole list! What if you accidentally delete or change an entry while scrolling through your entries??
    Plus NONE of the programs I have tried, and I have tried a lot, can find text IN the file - do a search and it will tell you what file/folder the text is in, but YOU have to scroll down through 400 entries one at a time looking for the entry.
    I use a program called Secure Text - I have many admin passwords, and DO not need a field based program. Secure Text is totally freeform entry. However, it suffers from the same search issue.
    If someone knows of a secure text program that uses a file/folder type of layout, free form entry, AND can actually tell you where in the file/folder the text you searched for is, PLEASE let me know! Plus syncing via some method other than Dropbox would be a plus.
    Before I got my iPhone, I used a program called Tombo for my WinCE based system AND my Windows workstation, and they synced up fine without iTunes, internet, DropBox type functionality or any of that horse collar stuff Apple likes to throw on your neck.

  • My files, photos, email files, software programs, and all information did NOT transfer over to Mavericks (from Mt. Lion).  How do I get all my stuff to appear when using Mavericks?

    Will someone please help me?
    My files, photos, email files, software programs, calendar info, and all information did NOT transfer over to Mavericks (from Mt Lion).  How do I get all my stuff to appear when using Mavericks?
    My email did transfer over.
    Thank you.

    First click on the Apple > Logout and Log back in or restart the unit see if that solves it.  If it doesn't do you have a backup of your system prior to upgrade?  Check Disk Utility and see how much space is being used to make sure the drive wasn't somehow erased.

  • Within redbox I can not click on a movie and get information about it, instead I get an error message that says that the situation may be temporary. yet i keep having the same problem. Do you have any idea how to fix the problem?

    Within redbox I can not click on a movie and get information about it, instead I get an error message that says that the situation may be temporary. yet i keep having the same problem. Do you have any idea how to fix the problem?

    Did you delete all receipts with iDVD in the file name  with either a .PKG or .BOM extension that reside in the HD/Library/Receipts folder and from the /var/db/receipts/  folder before installing the new copy?  If not then do so and delete the new application also.
    Then install iPhoto from the disk it came on originally and apply all necessary updaters: Apple - Support - Downloads
    OT

  • I can no longer buy, download, or update apps/iTunes without being asked for apple ID and billing information to be declined

    I can no longer buy, download, or update apps/iTunes without being asked for apple ID and billing information. Even if apps are free or updating I'm asked for billing information. It's been like this for a couple of weeks after the purchase of a movie off iTunes and the purchase was successful but afterwards my App Store and iTunes stopped working properly. Help me please, thanks.

    Go here:
    https://expresslane.apple.com/Issues.action
    Ask for assistance.

  • I brought my first generation Ipod to an apple store today and was informed that the batteries are no longer available??

    I brought my 1st Gen Ipod to an Apple Store today and was informed that batteries for this unit are no longer available. I find this totally unacceptable.
    Is there anyway that I can have the battery for this unit replaced?
    Please advise
    A.Lauro

    There are still several third party service centers out there who offer replacement services for the battery.  Google for "iPod battery replacement."
    Better yet, see if your 1G iPod Nano qualifies under Apple's 1G Nano recall regarding a batch of nanos shipped with bad batteries.  See this article for more details.
    http://www.apple.com/support/ipodnano_replacement/
    B-rock

  • RME 4.3.1 on new server - 2 issues with Inventory and syslog

    Hi,
    I recently installed a new Server 2003 with LMS3.2, and after the problems with DevicePackages I resubmitted all devices and the device center tasks that were missing have now reappeared.
    So I went on and added my two VPN3030 VPN Concentrators.
    This device is supported for RME inventory and syslog.
    I got the config-archive running (!) so that's fine (runs via HTTPS login).
    I have two issues:
    1. I cannot get inventory to work.
    I have communication going, and a packet trace/sniff shows I have syslog going into RME and I see SNMP GETs and responses to/from the device.
    I see some Java error logs in the ic_server.log file.
    I have tried with two different LMS32 servers.
    I have increased the SNMP timeout etc.
    I tried deleting the device and rediscovering it.
    The logs are like this:
    [ Thu Aug 19  10:12:30 CEST 2010 ],ERROR,[Thread-14],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,761, Collection failed for the device : 3748
    com.cisco.nm.xms.xdi.ags.system.CollectionFailed: com.cisco.nm.lib.snmp.lib.SnmpException: SnmpResponseNoSuchName on 10.3.6.2 while performing SnmpWalk(*) at index = 10
        at com.cisco.nm.xms.xdi.pkgs.LibInventory.PortInterfaceAGI_RFC1213_HelperMethods.getIfTableEntriesFromDevice(PortInterfaceAGI_RFC1213_HelperMethods.java:639)
        at com.cisco.nm.xms.xdi.pkgs.SharedInventoryVPN3000.PortInterfaceAGI_RFC1213_Mib.g$eval(PortInterfaceAGI_RFC1213_Mib.java:77)
        at com.cisco.nm.xms.xdi.ags.PortInterfaceAGI.g$eval(PortInterfaceAGI.java:21)
        at com.cisco.nm.xms.xdi.SdiEngine.initAndEvalAGIs(SdiEngine.java:383)
        at com.cisco.nm.xms.xdi.SdiEngine.request(SdiEngine.java:309)
        at com.cisco.nm.xms.xdi.SdiEngine.getDevRepr(SdiEngine.java:302)
        at com.cisco.nm.rmeng.inventory.ics.core.CollectionController.run(CollectionController.java:539)
        at java.lang.Thread.run(Thread.java:595)
    [ Thu Aug 19  10:12:30 CEST 2010 ],INFO ,[Thread-14],com.cisco.nm.rmeng.inventory.ics.core.CollectionController,841,Device collection failed for 10.3.6.2
    2. I cannot get syslog into the device's syslog reports.
    This is weirder than issue 1: I have two VPN3030s, one actually does syslog fine, but one VPN 3030 does not.
    I haven't done anything different for the two devices ...
    one simply works, one doesn't ...
    I get no syslog msg in device center for one of the devices.
    The syslogs ARE in fact in the syslog.log.
    The syslog msgs DO show up, but in the Unexpected device report ...
    The same VPN device does work with my second server so I think this is related to the RME database on one specific server.
    But I have tried deleting the device and rediscovering it etc ...
    please help ...

    ok - looks like I need TAC again ...
    As for the syslog issue - this happens only for one device on one of my servers ...
    That is what is strange ... So the IP is correct and ok - (they do get syslogs into DevCenter on one server and on the other device)
    Thank you for your reply - really nice that you take your time in this forum!

  • SC - Contract and vendor information disappear after change plant

    Dear friends,
        I'm using SRM 5.5 and I have the following problem:
        I create a SC using an item registered in MDM 2.0. The item has contract information and vendor information, but there is no information about the plant.
        The SC gets the contract and vendor information, but sometimes I need to change the plant, and when I change the plant the information about catalog and vendor disappears.
        I tried to use the BADI BBP_SOS_BADI to recover the contract and vendor information, but at this moment I have no way to get the contract information because the catalog information disappears.
        I'm using the classic scenario so I don't create contracts in SRM, just in the backend system.
    Thanks.
    Roberto Aran.

    Hi
    Could see the plant data in the SC( Ship to address/ Performance location)
    BR
    Muthu

  • In iPhoto, how can I export images with the metadata - including the title and caption information - intact as part of the image?

    In iPhoto, how can I export images with the metadata — including the title and caption information — intact as part of the image?

    Check those boxes in the export dialogue - Exporting From iPhoto
    LN
