Novell iManager is a Web-based application that is used to manage, maintain, and monitor Novell eDirectory™ through wired and wireless devices. With the Nsure Audit plug-in module, iManager can be used to manage Nsure Audit objects in eDirectory.
In addition to managing Nsure Audit objects, the Nsure Audit plug-in module allows you to create and run queries in iManager. Using the Query Options and Queries tasks under the Auditing and Logging Role, you can perform the following tasks:
Before you can query a database, iManager needs to know where to find the data store and how to communicate with the database. This information is stored in the database definition. Every database you want to query must have its own database definition in iManager.
IMPORTANT:The database definitions you create in iManager are stored in the User object you use to log in to iManager. Consequently, they are not available to other users on the system.
To create a database definition in iManager:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the
page, click > .In the
menu, specify the database information.The following table provides a description of each field in the Database menu.
When finished, click
.The new database definition now appears in the
list.The following table provides a description of each field in the database definition.
Table 9-1 Database Definition Menu Fields
Field |
Description |
---|---|
|
The name you want to use to refer to this database. This name appears in the Database Name list. |
|
Package and name of the Java Class providing JDBC connectivity. The JDBC drivers for the Nsure Audit supported data stores are available at the following sites:
|
continued |
You must copy the JDBC drivers for your data store to the following Nsure Audit Java classpath or a subdirectory thereof:
Additionally, if you are going to query a JDBC data store in iManager, copy all required JDBC drivers (*.jar) to the following iManager classpaths on your iManager server:
|
|
A valid JDBC URL, including the database name, that iManager uses to communicate with the database. Any JDBC-compliant driver can be used.The driver name is case sensitive. Consult the documentation provided by your database vendor for specifics on constructing JDBC URLs. The following are JDBC URL examples for the most common databases using the default port. This database name must be replaced with the name of your Nsure Audit database, the default Nsure Audit database name is naudit.
|
|
The name of the table iManager queries. In Nsure Audit, table names are defined in MySQL and Oracle Channel objects. The default table name is log. If you have multiple MySQL or Oracle Channel objects, you must create a separate database definition for each data store. |
|
The user name iManager uses to authenticate with the database. The default username for the NetWare 6.5 data store is auditusr. (This default can be changed during the installation of Nsure Audit.) This account has all privileges to the default database (naudit) and can log in from any IP address. By default, MySQL installs in Secure Mode on NetWare 6.5. In Secure Mode, the default MySQL administrative account, Root, has rights to log in only at the database server. Therefore, if MySQL is running in Secure Mode and you want iManager to use the Root account to log in to the database, MySQL and the iManager Web server must be located on the same server and you must specify a loopback address (127.0.0.1 or localhost) in the Host field. |
|
The password the logging server uses to authenticate with the database. The default password for the NetWare 6.5 data store is auditpwd. (This default can be changed during the installation of Nsure Audit.) IMPORTANT:If you do not specify a different default password during the installation, new databases can be created and accessed using the default username and password. To prevent this, specify a different default password during the install. |
|
Stores the password the logging server uses to authenticate with the database. This enables iManager to automatically log in to the database. If you do not select the option, you must specify the password each time you run a query on the current database. |
After you have created a database definition, you can edit or delete the definition by selecting the database, then clicking
or .NOTE:Deleting a database definition does not affect the actual database. It only removes the database from the Query Options task’s
list, which means that iManager can no longer query the database.The Product Events page displays the events associated with each logging application’s log schema (LSC) file.
NOTE:The log schema (LSC) file catalogs the events that can be logged for a given application. It also provides the event descriptions and field labels that iManager uses in its query results. For more information, see Section A.4, Log Schema Files.
From the Product Events page, you can import new or custom LSC files. You can also view, add, modify, or delete events within existing LSC files. The following sections review these processes in more detail:
The LSC files for the logging application instrumentations installed with Nsure Audit (such as NetWare, eDirectory, and Identity Manager) automatically display in the Product Events page. However, if you add a new logging application to Nsure Audit or localize an existing application’s LSC file, you can import those log schemas into iManager. When you import an LSC file into iManager, you can then view or modify the events defined in the LSC file, add new events, or use the events to define queries, Notification filters, or Heartbeat Notifications.
NOTE:For more information on defining queries in iManager, see Section 9.1.4, Defining Queries in iManager. For information on defining Notification Filters, see Section 8.3, Notification Filters. For information on defining Heartbeat Notifications, see Section 8.4, Heartbeat Objects .
To import a logging application’s log schema in iManager:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the Query Options page, click
.Provide the distinguished name (DN) of the Secure Logging Server.
If you have multiple logging servers, specify the distinguished name of the logging server that loads the Application object configuration at startup. For an explanation, see Section 6.0, Managing Applications that Log to Nsure Audit.
Click the
button to locate the object in the directory tree.To move up or down in the tree, click the navigation arrows. You can also search the tree by specifying the object name and context in the Search tab.
NOTE:iManager only links valid entries.
Click the
button to see a list of Logging Server objects that have been selected during this iManager session.From the
drop-down list, select which language version of the log schema you want to import.If an application does not have a log schema for the selected language, iManager imports nothing.
Click
.When you click Section 6.3, Application Objects.
, iManager locates the Logging Server object in eDirectory, scans the logging server’s supported Application containers, and imports the log schemas from the Application objects in those containers. For more information, seeThe logging applications and their associated events now appear in the
list.From the Product Events page, you can view the events defined in each logging application’s log schema.
To view a logging application’s associated events:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the Query Options page, click
.In the Product Events page, click the plus icon next to the product name to display the application’s log events.
NOTE:Only those events defined in the application’s LSC file appear in the Product Events page.
Select an event to view the Event ID, description, and field definitions.
For more information on event fields, see Section A.1, Event Structure.
To add an event to an application’s log schema:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the Query Options page, click
.In the
page, select the logging application to which you want to add an event, then click .Click
to confirm you want to create a new event.In the
menu, specify the information for each event field.IMPORTANT:The
and fields are required.The language attribute is the logging application’s associated Application object.
field can contain any text string up to 255 characters. The event description is stored in eDirectory in the NAuditSchemaThe EventID is comprised of two elements: the HiWord and the LoWord.
For more information, see the Nsure Audit SDK.
For an explanation of all the event fields, see Section A.1, Event Structure.
To define the event schema, click the Argument Builder button .
The event schema determines what event fields are reported and how the event field data is displayed when logging to the File or Syslog channel in Translated Mode.
For information on using the Argument Builder to define the event schema, see Using the Argument Builder to Define Event Schema.
To modify an existing event in an application’s log schema:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the Query Options page, click
.In the Product Events page, click the plus icon next to the product name to display the application’s log events.
NOTE:Only those events defined in the application’s LSC file appear in the
page.Select the event you want to modify, then click
.In the
menu, modify the event fields.For an explanation of event fields, see Event Structure.
To modify the event schema, click the
button .The event schema determines what event fields are reported and how the event field data is displayed when logging to the File or Syslog channel in Translated Mode.
For information on using the Argument Builder to modify the event schema, see Using the Argument Builder to Define Event Schema.
The Argument Builder is a tool that simplifies the process of defining the event schema. The event schema determines what event fields are reported and how the event field data is displayed when logging to the File or Syslog channel in Translated Mode.
The Argument Builder provides a graphical interface from which you can select which event fields you want to display in the translated log file and how you want the field data to display. Based on your selections, the Argument Builder defines the event schema using a series of event field and format variables. For information on the event schema syntax, see Section A.3, Managing Event Data.
To define an event’s schema:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the Query Options page, click
.Open the event menu:
In the event menu, click the
button to open the Argument Builder.To add a text field to the event schema:
In the
frame, select , then click .In the
frame, specify the text string in the field.In the
frame, click .The new text field appears in the
frame.To add an event field to the event schema:
In the
frame, select , then click .In the
frame, select an event field from the drop-down list.Select the event field’s associated format from the
drop-down list.In the
frame, click .The new event field appears in the
frame.To remove an item from the event schema:
In the
frame, select the text or event field you want to remove.Click the
button in the frame.The text or event field is removed from the
frame.To modify the item order in the event schema:
In the
frame, select the text or event field you want to move.Click the
or buttons in the frame to modify the item order.When you have completed the event schema definition, click
to save your changes.iManager returns you to the event menu.
The defined event schema appears in the Section A.3, Managing Event Data.
field as a series of event field and format variables. For information on the event schema syntax, seeTo delete an event from an application’s log schema:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the Query Options page, click
.In the Product Events page, click the plus icon next to the product name to display the application’s log events.
NOTE:Only those events defined in the application’s LSC file appear in the Product Events page.
Select the event you want to modify, then click
.Click
to confirm you want to delete the event.The event is removed from the LSC file.
The Global Options page allows you to set a default limit on the number of rows returned in the query results.
To set a default query limit in iManager:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the Query Options page, click
.In the Global Options page, specify your default query limit.
When finished, click
.The Global Options page also includes the default sort order and date time format; however, these options cannot be modified in the current release.
The following table provides an explanation of each option in the Global Options page.
IMPORTANT:These are global settings. This means that iManager automatically adds these parameters to all database queries unless the parameter is expressly defined in the query statement.
Table 9-2 Query Global Options
iManager uses queries to request information from MySQL and Oracle databases. All queries are defined in SQL. Although you must be familiar with the SQL language to create SQL query statements, this is the most powerful and flexible query method.
iManager includes several predefined queries and it includes a Query Builder to help you define basic query statements. Of course, you can also build your own query statements.
You can create two kinds of queries in iManager: manual queries and saved queries. Manual queries are simply queries that are not saved; they only run one time. Saved queries are saved in the Query list and can be run again and again against different databases.
IMPORTANT:Saved queries are stored in the User object you use to log in to iManager. Therefore, they are not available to other users on the system.
The following sections provide the information you need to perform the following tasks:
iManager includes several predefined queries. You can modify these queries or run them “as is.”
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.Select the predefined queries from the
list.The following table lists the queries that ship with iManager and their functions.
Table 9-3 iManager Predefined Queries
Manual queries are simply queries that are not saved; they only run one time.
To create a manual query in iManager:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the
drop-down list, select the database you want to query.Click
.In the
field, specify the name you want to appear as the title in the query results.Define the query statement in the
box.For basic information on building SQL queries, see the MySQL Reference Manual.
You do not need to include a FROM clause in your query statement. iManager dynamically builds the FROM clause using the table specified in the database definition you select when you run the query. However, if the query statement does include a FROM clause, iManager queries the table defined in the query statement.
Click
to run the query.The following table contains macros that can be used when creating iManager queries:
Table 9-4 iManager Query Macros
Saved queries are saved in the Query list and can be run again and again against different databases.
To create a saved query in iManager:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.Click
.In the
field, specify the name you want to use to refer to this query.The query name appears in the
list and in the query results’ title.In the
drop-down list, select the field information (columns) you want to return in the query.Use Shift+click or Ctrl+click to select multiple fields.
Define the query statement.
For specific information on the Query Builder, see Creating Saved Queries Using the Query Builder.
or
For basic information on SQL query statements, see the MySQL Reference Manual.
You do not need to include a FROM clause in your query statement. iManager dynamically builds the FROM clause using the table specified in the database definition you select when you run the query. However, if the query statement does include a FROM clause, iManager queries the table defined in the query statement.
Select
if you want to label the column headings in the query results page with the field titles defined in the log schema.Select this option only for queries that return one type of event. If you select this option for queries that return multiple types of events, Nsure Audit Report labels the column headings with the field titles from the last event returned in the query.
IMPORTANT:For this option to work, you must import each application’s log schema. For information, see Importing Log Schemas.
When finished, click
.The query now appears in the
list.If you are unfamiliar with the SQL query language, you can use the Query Builder to help you define basic saved queries. The Query Builder simplifies the process of creating a query by allowing you to choose from lists of predefined parameters. The Query Builder then constructs the query statement from the parameters you select.
To open the Query Builder fields, select
in the initial drop-down list.Figure 9-1 Query Builder in iManager
Because the Query Builder can provide only a limited set of parameters, the queries it creates are very simple. However, it is the easiest way to create saved queries and it is capable of creating most base-level queries.
The following table reviews the options in the Query Builder.
Table 9-5 Query Builder Options
Parameter |
Description |
---|---|
Event Field |
The event field you want to query. You can select the following options from the drop-down list: For more information on event fields, see Section A.1, Event Structure. |
Condition |
The condition under which the logging server applies the Value to the Event Field. Depending on the , you can select the following conditions from the drop-down list box: |
Product |
Limits the query results to a specific logging application. This option is available only if you select the field. |
Value |
The value for the designated event field. The query statement applies the Value to the designated Event Field under the defined conditions. If an event matches the criteria, it is returned in the query results. If you select in the Event field and if the designated product’s log schema provides event descriptions, iManager displays the event descriptions rather than the Event IDs; however, the events are still sorted by their numeric Event ID. Therefore, the event descriptions are not listed in alphabetical order, but related events are grouped together. |
Operator |
To narrow the query results, you can define values for multiple event fields. Using standard and/or operators, you can define multiple event conditions. The done operator indicates the end of the query statement. The conditions are accumulative; that is, the logging server applies the first condition, then the second, then the third, etc., to progressively narrow the results. |
Arrows |
The down-arrow moves the query down into the Query SQL Statement box. iManager builds an SQL query statement from the parameters you define in the Query Builder. The up-arrow moves an SQL query statement from the Query SQL Statement box to the Query Builder. If the query statement includes clauses that are outside the scope of the Query Builder, iManager returns the error SQL statement is too complex to use builder. |
After you have created a saved query, you can edit or delete the query by selecting the query name and clicking
or .Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the
drop-down list, select the database you want to query.For information on creating Database definitions, see Defining Your Query Databases in iManager.
In the
list, select the query you want to run.Click
.iManager returns the query results in a data table; rows represent individual records and columns represent fields within those records. You can click any of the column headings to sort the results by that field.
Figure 9-2 iManager Query Results
If you selected the
option when you defined the query, iManager labels the query results with the field titles defined in the log schema. iManager also displays each event’s field titles as you mouse over the event fields.NOTE:It is recommended that you only select theCreating Saved Queries .
option for queries that return one type of event. If you select this option for queries that return multiple types of events, Nsure Audit Report labels the column headings with the field titles from the last event returned in the query. For more information on the option, seeTo provide non-repudiable logs, Nsure Audit can digitally sign each event that is logged to the data store. To sign an event, the logging application or the Platform Agent hashes the event data and signs the hash with the Logging Application’s private key. The signature is then stored as part of the event. This signature allows the auditor or investigator to determine if an event has been changed.
To allow auditors to determine if an event has been deleted or the sequence of events has been changed, Nsure Audit can also chain its event signatures. That is, if event chaining is enabled, each event’s signature includes its own data as well as the signature from the previous event.
Event chaining is enabled in the Platform Agent’s configuration file, logevent. For information on configuring this option, see Logevent. It can also be configured through the Secure Logging Server object’s attribute. For more information, see Section 4.2.2, Logging Server Objects .
If event chaining is enabled, iManager can verify that all the events logged to the data store for each logging application are authentic; that is, it can validate the event signatures to determine if an application’s events have been tampered with, deleted, or if the sequence of events has been changed.
The following sections review how to define a verification query and how to verify logged events:
To verify that an application’s logged events are authentic:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the
drop-down list, select the database where the events you want to verify are logged.Select the Logging Application for which you want to verify events.
NOTE:Nsure Audit provides a pre-defined verification query for Nsure Audit events. For all other logging applications, you must define your own verification query. For more information, see Defining Verification Queries.
Click
.After Nsure Audit Report verifies the application’s events, it returns the verification results.
If the event chain is authentic, iManager returns a message that the table’s events have been verified as authentic.If the event chain is not authentic, iManager lists each problem and its associated event.
There following table provides an explanation for each signature error.
Table 9-6 Signature Errors
To define a verification query:
Open the
task.Click the
button on the iManager toolbar.In the Roles and Tasks view, expand the
Role.Click the
task.In the
drop-down list, select the database where the events you want to verify are logged.Click
to define the verification query.The
menu appears.In the
field, specify the name you want to use to refer to this query.The query name appears in the
list and in the query results’ title.In the
drop-down list, select the logging application for the events you want to verify.To narrow the query, select
or in the drop-down list.This expands the filter options so you can narrow the verification query to a specific time frame or IP address range.
Using standard and/or operators, you can define multiple event conditions. The done operator indicates the end of the query statement.
The conditions are accumulative; that is, the logging server applies the first condition, then the second, then the third, etc., to progressively narrow the results.
Include the Logging Application Certificate in the
window.Click
to locate the Logging Application Certificate in the directory tree.By default, the Logging Application Certificates are available in the following directories:
Click
.The query now appears in the
list.iManager can export query results in the following formats:
To export query results in iManager:
Run a query.
For step-by-step instructions, see Running Queries in iManager.
Within the query results page, click
.Select the export format, then click
.iManager brings up a
dialog box.Select the directory location and specify the filename.
Click
.Run a query.
For step-by-step instructions, see Running Queries in iManager.
Within the query results page, click
.iManager opens another page with the query results formatted in an HTML table.
Click
> .The query results are printed to your default printer.