9.1 Using iManager to Generate Queries

Novell iManager is a Web-based application that is used to manage, maintain, and monitor Novell eDirectory™ through wired and wireless devices. With the Nsure Audit plug-in module, iManager can be used to manage Nsure Audit objects in eDirectory.

In addition to managing Nsure Audit objects, the Nsure Audit plug-in module allows you to create and run queries in iManager. Using the Query Options and Queries tasks under the Auditing and Logging Role, you can perform the following tasks:

9.1.1 Defining Your Query Databases in iManager

Before you can query a database, iManager needs to know where to find the data store and how to communicate with the database. This information is stored in the database definition. Every database you want to query must have its own database definition in iManager.

IMPORTANT:The database definitions you create in iManager are stored in the User object you use to log in to iManager. Consequently, they are not available to other users on the system.

To create a database definition in iManager:

  1. Open the Query Options task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Query Options task.

  2. In the Query Options page, click Databases > New.

  3. In the New Database Definition menu, specify the database information.

    The following table provides a description of each field in the Database menu.

  4. When finished, click OK.

The new database definition now appears in the Database Name list.

The following table provides a description of each field in the database definition.

Table 9-1 Database Definition Menu Fields

Field

Description

Name

The name you want to use to refer to this database.

This name appears in the Database Name list.

JDBC Class

Package and name of the Java Class providing JDBC connectivity.

The JDBC drivers for the Nsure Audit supported data stores are available at the following sites:

  • MySQL: MySQL Connector/J The MySQL JDBC .jar file can be downloaded from the MySQL Development site.
  • Oracle: Oracle Instant Client The Oracle JDBC .jar file can be downloaded from the Oracle Web site.
  • Microsoft SQL Server: Microsoft SQL Server Driver for JDBC The SQL Server JDBC .jar file can be downloaded from the Microsoft Download Center.
  • QL Server and Sybase JDBC Driver: jTDS (S) The QL Server and Sybase JDBC .jar file can be downloaded from SourceForge.net site.

JDBC Class

continued

You must copy the JDBC drivers for your data store to the following Nsure Audit Java classpath or a subdirectory thereof:

  • Windows, Linux, and Solaris: Novell_Audit_install_ directory\java\logdriver\

  • NetWare: Novell_Audit_install_directory\

Additionally, if you are going to query a JDBC data store in iManager, copy all required JDBC drivers (*.jar) to the following iManager classpaths on your iManager server:

  • NetWare: sys:\tomcat\4\common\lib

  • Linux and Solaris: /var/opt/novell/tomcat4/common/lib

  • Windows: \program files\novell\tomcat\common\lib

JDBC URL

A valid JDBC URL, including the database name, that iManager uses to communicate with the database. Any JDBC-compliant driver can be used.The driver name is case sensitive.

Consult the documentation provided by your database vendor for specifics on constructing JDBC URLs. The following are JDBC URL examples for the most common databases using the default port. This database name must be replaced with the name of your Nsure Audit database, the default Nsure Audit database name is naudit.

  • MySQL: jdbc:mysql://ip_address:port / database_name

  • Oracle: jdbc:oracle:thin:@ip_address:port:sid

  • Microsoft SQL Server: jdbc:microsoft:sqlserver://ip_address:port; DatabaseName=database_name

Table

The name of the table iManager queries.

In Nsure Audit, table names are defined in MySQL and Oracle Channel objects. The default table name is log.

If you have multiple MySQL or Oracle Channel objects, you must create a separate database definition for each data store.

Username

The user name iManager uses to authenticate with the database.

The default username for the NetWare 6.5 data store is auditusr. (This default can be changed during the installation of Nsure Audit.) This account has all privileges to the default database (naudit) and can log in from any IP address.

By default, MySQL installs in Secure Mode on NetWare 6.5. In Secure Mode, the default MySQL administrative account, Root, has rights to log in only at the database server. Therefore, if MySQL is running in Secure Mode and you want iManager to use the Root account to log in to the database, MySQL and the iManager Web server must be located on the same server and you must specify a loopback address (127.0.0.1 or localhost) in the Host field.

Password

The password the logging server uses to authenticate with the database.

The default password for the NetWare 6.5 data store is auditpwd. (This default can be changed during the installation of Nsure Audit.)

IMPORTANT:If you do not specify a different default password during the installation, new databases can be created and accessed using the default username and password. To prevent this, specify a different default password during the install.

Store Password

Stores the password the logging server uses to authenticate with the database. This enables iManager to automatically log in to the database.

If you do not select the Store Password option, you must specify the password each time you run a query on the current database.

Editing and Deleting Database Definitions

After you have created a database definition, you can edit or delete the definition by selecting the database, then clicking Edit or Delete.

NOTE:Deleting a database definition does not affect the actual database. It only removes the database from the Query Options task’s Database list, which means that iManager can no longer query the database.

9.1.2 Managing Product Events in iManager

The Product Events page displays the events associated with each logging application’s log schema (LSC) file.

NOTE:The log schema (LSC) file catalogs the events that can be logged for a given application. It also provides the event descriptions and field labels that iManager uses in its query results. For more information, see Section A.4, Log Schema Files.

From the Product Events page, you can import new or custom LSC files. You can also view, add, modify, or delete events within existing LSC files. The following sections review these processes in more detail:

Importing Log Schemas

The LSC files for the logging application instrumentations installed with Nsure Audit (such as NetWare, eDirectory, and Identity Manager) automatically display in the Product Events page. However, if you add a new logging application to Nsure Audit or localize an existing application’s LSC file, you can import those log schemas into iManager. When you import an LSC file into iManager, you can then view or modify the events defined in the LSC file, add new events, or use the events to define queries, Notification filters, or Heartbeat Notifications.

NOTE:For more information on defining queries in iManager, see Section 9.1.4, Defining Queries in iManager. For information on defining Notification Filters, see Section 8.3, Notification Filters. For information on defining Heartbeat Notifications, see Section 8.4, Heartbeat Objects .

To import a logging application’s log schema in iManager:

  1. Open the Query Options task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Query Options task.

  2. In the Query Options page, click Product Events.

  3. Provide the distinguished name (DN) of the Secure Logging Server.

    If you have multiple logging servers, specify the distinguished name of the logging server that loads the Application object configuration at startup. For an explanation, see Section 6.0, Managing Applications that Log to Nsure Audit.

    1. Click the Object Selector button iManager Object Selector button to locate the object in the directory tree.

      To move up or down in the tree, click the navigation arrows. You can also search the tree by specifying the object name and context in the Search tab.

      NOTE:iManager only links valid entries.

    2. Click the Object History button iManager Object History button to see a list of Logging Server objects that have been selected during this iManager session.

  4. From the Select Language drop-down list, select which language version of the log schema you want to import.

    If an application does not have a log schema for the selected language, iManager imports nothing.

  5. Click Update.

    When you click Update, iManager locates the Logging Server object in eDirectory, scans the logging server’s supported Application containers, and imports the log schemas from the Application objects in those containers. For more information, see Section 6.3, Application Objects.

The logging applications and their associated events now appear in the Product Name list.

Viewing Product Events

From the Product Events page, you can view the events defined in each logging application’s log schema.

To view a logging application’s associated events:

  1. Open the Query Options task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Query Options task.

  2. In the Query Options page, click Product Events.

  3. In the Product Events page, click the plus icon iManager Expand icon next to the product name to display the application’s log events.

    NOTE:Only those events defined in the application’s LSC file appear in the Product Events page.

  4. Select an event to view the Event ID, description, and field definitions.

For more information on event fields, see Section A.1, Event Structure.

Adding Product Events

To add an event to an application’s log schema:

  1. Open the Query Options task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Query Options task.

  2. In the Query Options page, click Product Events.

  3. In the Product Events page, select the logging application to which you want to add an event, then click New.

  4. Click OK to confirm you want to create a new event.

  5. In the New Event menu, specify the information for each event field.

    IMPORTANT:The Event ID and Description fields are required.

    The Description field can contain any text string up to 255 characters. The event description is stored in eDirectory in the NAuditSchemalanguage attribute is the logging application’s associated Application object.

    The EventID is comprised of two elements: the HiWord and the LoWord.

    • The HiWord is the four-digit hex value assigned to the current application. All Application IDs are assigned through Novell Developer Support and are maintained in the Nsure Audit central registry. Before instrumenting a new application, developers should obtain an AppID through Novell Developer Support.
    • The LoWord is the AppEventID assigned by the person instrumenting the application. Typically, these values are assigned in ascending order.

    For more information, see the Nsure Audit SDK.

    For an explanation of all the event fields, see Section A.1, Event Structure.

  6. To define the event schema, click the Argument Builder button Argument Builder button.

    The event schema determines what event fields are reported and how the event field data is displayed when logging to the File or Syslog channel in Translated Mode.

    For information on using the Argument Builder to define the event schema, see Using the Argument Builder to Define Event Schema.

Modifying Product Events

To modify an existing event in an application’s log schema:

  1. Open the Query Options task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Query Options task.

  2. In the Query Options page, click Product Events.

  3. In the Product Events page, click the plus icon iManager Expand icon next to the product name to display the application’s log events.

    NOTE:Only those events defined in the application’s LSC file appear in the Product Events page.

  4. Select the event you want to modify, then click Edit.

  5. In the Edit Event menu, modify the event fields.

    For an explanation of event fields, see Event Structure.

  6. To modify the event schema, click the Argument Builder button Argument Builder button.

    The event schema determines what event fields are reported and how the event field data is displayed when logging to the File or Syslog channel in Translated Mode.

    For information on using the Argument Builder to modify the event schema, see Using the Argument Builder to Define Event Schema.

Using the Argument Builder to Define Event Schema

The Argument Builder is a tool that simplifies the process of defining the event schema. The event schema determines what event fields are reported and how the event field data is displayed when logging to the File or Syslog channel in Translated Mode.

The Argument Builder provides a graphical interface from which you can select which event fields you want to display in the translated log file and how you want the field data to display. Based on your selections, the Argument Builder defines the event schema using a series of event field and format variables. For information on the event schema syntax, see Section A.3, Managing Event Data.

To define an event’s schema:

  1. Open the Query Options task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Query Options task.

  2. In the Query Options page, click Product Events.

  3. Open the event menu:

    • In the Product Events page, select the logging application to which you want to add an event, click New, then click OK to confirm you want to create a new event.
    • Click the plus icon iManager Expand icon next to the product name to display the application’s log events, select the event you want to modify, then click Edit.

  4. In the event menu, click the Argument Builder button Argument Builder button to open the Argument Builder.

  5. To add a text field to the event schema:

    1. In the Noun frame, select Text, then click Add.

    2. In the Editor frame, specify the text string in the Text field.

    3. In the Noun frame, click Add.

      The new text field appears in the Expression frame.

  6. To add an event field to the event schema:

    1. In the Noun frame, select Event Field, then click Add.

    2. In the Editor frame, select an event field from the Field Name drop-down list.

    3. Select the event field’s associated format from the Field Format drop-down list.

    4. In the Noun frame, click Add.

      The new event field appears in the Expression frame.

  7. To remove an item from the event schema:

    1. In the Expression frame, select the text or event field you want to remove.

    2. Click the Remove Token button Remove Token button in the Expression frame.

      The text or event field is removed from the Expression frame.

  8. To modify the item order in the event schema:

    1. In the Expression frame, select the text or event field you want to move.

    2. Click the Up Move Up button or Down Move Up button buttons in the Expression frame to modify the item order.

  9. When you have completed the event schema definition, click OK to save your changes.

    iManager returns you to the event menu.

    The defined event schema appears in the Schema field as a series of event field and format variables. For information on the event schema syntax, see Section A.3, Managing Event Data.

Deleting Product Events

To delete an event from an application’s log schema:

  1. Open the Query Options task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Query Options task.

  2. In the Query Options page, click Product Events.

  3. In the Product Events page, click the plus icon iManager Expand icon next to the product name to display the application’s log events.

    NOTE:Only those events defined in the application’s LSC file appear in the Product Events page.

  4. Select the event you want to modify, then click Delete.

  5. Click OK to confirm you want to delete the event.

The event is removed from the LSC file.

9.1.3 Setting Your Global Options in iManager

The Global Options page allows you to set a default limit on the number of rows returned in the query results.

To set a default query limit in iManager:

  1. Open the Query Options task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Query Options task.

  2. In the Query Options page, click Global Options.

  3. In the Global Options page, specify your default query limit.

  4. When finished, click OK.

The Global Options page also includes the default sort order and date time format; however, these options cannot be modified in the current release.

The following table provides an explanation of each option in the Global Options page.

IMPORTANT:These are global settings. This means that iManager automatically adds these parameters to all database queries unless the parameter is expressly defined in the query statement.

Table 9-2 Query Global Options

Option

Description

Limit Query Result To

This option limits the number of rows (that is, records) that are returned from a database query.

Default Sort Order

iManager does not have a default sort order. Consequently, This option cannot be modified in the current release.

You can sort the records in the query results page by clicking a column heading.

Date/Time Format

iManager formats all time and date information in RFC-822 UTC format. RFC-822 is the Internet standard format for electronic mail message headers. All time and date values are expressed in UTC rather than local time.

This option cannot be modified in the current release.

Import existing reporting configuration

This option allows you to import queries from other iManager servers. The queries must be defined in XML format.

Export current reporting configuration and save

This option exports the queries defined on the current imanager server. The queries are exported in XML format.

9.1.4 Defining Queries in iManager

iManager uses queries to request information from MySQL and Oracle databases. All queries are defined in SQL. Although you must be familiar with the SQL language to create SQL query statements, this is the most powerful and flexible query method.

iManager includes several predefined queries and it includes a Query Builder to help you define basic query statements. Of course, you can also build your own query statements.

You can create two kinds of queries in iManager: manual queries and saved queries. Manual queries are simply queries that are not saved; they only run one time. Saved queries are saved in the Query list and can be run again and again against different databases.

IMPORTANT:Saved queries are stored in the User object you use to log in to iManager. Therefore, they are not available to other users on the system.

The following sections provide the information you need to perform the following tasks:

Using Predefined Queries

iManager includes several predefined queries. You can modify these queries or run them “as is.”

  1. Open the Queries task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Queries task.

  2. Select the predefined queries from the Query list.

The following table lists the queries that ship with iManager and their functions.

Table 9-3 iManager Predefined Queries

Query

Function

All

Returns all events in the current data store.

All last hour

Returns all events that occurred within the last hour.

Count

Returns the total number of events logged to the current data store.

Distribution

Returns the number of times each Event ID has occurred in the current data store.

Creating Manual Queries

Manual queries are simply queries that are not saved; they only run one time.

To create a manual query in iManager:

  1. Open the Queries task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Queries task.

  2. In the Database drop-down list, select the database you want to query.

  3. Click Manual.

  4. In the Name field, specify the name you want to appear as the title in the query results.

  5. Define the query statement in the Query box.

    For basic information on building SQL queries, see the MySQL Reference Manual.

    You do not need to include a FROM clause in your query statement. iManager dynamically builds the FROM clause using the table specified in the database definition you select when you run the query. However, if the query statement does include a FROM clause, iManager queries the table defined in the query statement.

  6. Click Run Query to run the query.

iManager Query Macros

The following table contains macros that can be used when creating iManager queries:

Table 9-4 iManager Query Macros

Macro

Description

[TIME]= [LAST_HOUR] [TODAY] [YESTERDAY] [LAST_24_HOURS] [LAST_7_DAYS] [THIS_MONTH]

Limits results to those occurring in a specific time frame.

HexToDec[hex#]

Converts a number from hexidecimal to decimal.

IP[192.168.0.5]

Enables you to use an IP address in a query.

[TABLE]

Replaced with the actual table name during the query.

Creating Saved Queries

Saved queries are saved in the Query list and can be run again and again against different databases.

To create a saved query in iManager:

  1. Open the Queries task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Queries task.

  2. Click New.

  3. In the Name field, specify the name you want to use to refer to this query.

    The query name appears in the Query list and in the query results’ title.

  4. In the Select Field drop-down list, select the field information (columns) you want to return in the query.

    Use Shift+click or Ctrl+click to select multiple fields.

  5. Define the query statement.

    • Create the query using the Query Builder.

      For specific information on the Query Builder, see Creating Saved Queries Using the Query Builder.

      or

    • Write the query statement in the Query SQL Statement window.

      For basic information on SQL query statements, see the MySQL Reference Manual.

      You do not need to include a FROM clause in your query statement. iManager dynamically builds the FROM clause using the table specified in the database definition you select when you run the query. However, if the query statement does include a FROM clause, iManager queries the table defined in the query statement.

  6. Select Translate Column Titles if you want to label the column headings in the query results page with the field titles defined in the log schema.

    Select this option only for queries that return one type of event. If you select this option for queries that return multiple types of events, Nsure Audit Report labels the column headings with the field titles from the last event returned in the query.

    IMPORTANT:For this option to work, you must import each application’s log schema. For information, see Importing Log Schemas.

  7. When finished, click OK.

The query now appears in the Query list.

Creating Saved Queries Using the Query Builder

If you are unfamiliar with the SQL query language, you can use the Query Builder to help you define basic saved queries. The Query Builder simplifies the process of creating a query by allowing you to choose from lists of predefined parameters. The Query Builder then constructs the query statement from the parameters you select.

To open the Query Builder fields, select And in the initial drop-down list.

Figure 9-1 Query Builder in iManager

Because the Query Builder can provide only a limited set of parameters, the queries it creates are very simple. However, it is the easiest way to create saved queries and it is capable of creating most base-level queries.

The following table reviews the options in the Query Builder.

Table 9-5 Query Builder Options

Parameter

Description

Event Field

The event field you want to query. You can select the following options from the drop-down list:

  • Event ID
  • Time Frame
  • Component
  • Originator
  • Originator Type
  • Target
  • Target Type
  • Sub Target
  • Text1
  • Text2
  • Text3
  • Source IP
  • Severity
  • Value1
  • Value2
  • Value3

For more information on event fields, see Section A.1, Event Structure.

Condition

The condition under which the logging server applies the Value to the Event Field.

Depending on the Event Field, you can select the following conditions from the drop-down list box:

  • matches
  • less than
  • greater than
  • begins with
  • contains
  • is between _________ and __________

Product

Limits the query results to a specific logging application.

This option is available only if you select the Event ID field.

Value

The value for the designated event field.

The query statement applies the Value to the designated Event Field under the defined conditions. If an event matches the criteria, it is returned in the query results.

If you select Event ID in the Event field and if the designated product’s log schema provides event descriptions, iManager displays the event descriptions rather than the Event IDs; however, the events are still sorted by their numeric Event ID. Therefore, the event descriptions are not listed in alphabetical order, but related events are grouped together.

Operator

To narrow the query results, you can define values for multiple event fields. Using standard and/or operators, you can define multiple event conditions. The done operator indicates the end of the query statement.

The conditions are accumulative; that is, the logging server applies the first condition, then the second, then the third, etc., to progressively narrow the results.

Arrows

The down-arrow moves the query down into the Query SQL Statement box. iManager builds an SQL query statement from the parameters you define in the Query Builder.

The up-arrow moves an SQL query statement from the Query SQL Statement box to the Query Builder. If the query statement includes clauses that are outside the scope of the Query Builder, iManager returns the error SQL statement is too complex to use builder.

Modifying and Deleting Saved Queries

After you have created a saved query, you can edit or delete the query by selecting the query name and clicking Edit or Delete.

9.1.5 Running Queries in iManager

  1. Open the Queries task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Queries task.

  2. In the Database drop-down list, select the database you want to query.

    For information on creating Database definitions, see Defining Your Query Databases in iManager.

  3. In the Queries list, select the query you want to run.

  4. Click Run Query.

iManager returns the query results in a data table; rows represent individual records and columns represent fields within those records. You can click any of the column headings to sort the results by that field.

Figure 9-2 iManager Query Results

If you selected the Translate Column Titles option when you defined the query, iManager labels the query results with the field titles defined in the log schema. iManager also displays each event’s field titles as you mouse over the event fields.

NOTE:It is recommended that you only select the Translate Column Titles option for queries that return one type of event. If you select this option for queries that return multiple types of events, Nsure Audit Report labels the column headings with the field titles from the last event returned in the query. For more information on the Translate Column Titles option, see Creating Saved Queries .

9.1.6 Verifying Event Authenticity in iManager

To provide non-repudiable logs, Nsure Audit can digitally sign each event that is logged to the data store. To sign an event, the logging application or the Platform Agent hashes the event data and signs the hash with the Logging Application’s private key. The signature is then stored as part of the event. This signature allows the auditor or investigator to determine if an event has been changed.

To allow auditors to determine if an event has been deleted or the sequence of events has been changed, Nsure Audit can also chain its event signatures. That is, if event chaining is enabled, each event’s signature includes its own data as well as the signature from the previous event.

Event chaining is enabled in the Platform Agent’s configuration file, logevent. For information on configuring this option, see Logevent. It can also be configured through the Secure Logging Server object’s Sign Event attribute. For more information, see Section 4.2.2, Logging Server Objects .

If event chaining is enabled, iManager can verify that all the events logged to the data store for each logging application are authentic; that is, it can validate the event signatures to determine if an application’s events have been tampered with, deleted, or if the sequence of events has been changed.

The following sections review how to define a verification query and how to verify logged events:

Verifying Logged Events

To verify that an application’s logged events are authentic:

  1. Open the Queries task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Verification task.

  2. In the Database drop-down list, select the database where the events you want to verify are logged.

  3. Select the Logging Application for which you want to verify events.

    NOTE:Nsure Audit provides a pre-defined verification query for Nsure Audit events. For all other logging applications, you must define your own verification query. For more information, see Defining Verification Queries.

  4. Click Verify.

After Nsure Audit Report verifies the application’s events, it returns the verification results.

If the event chain is authentic, iManager returns a message that the table’s events have been verified as authentic.If the event chain is not authentic, iManager lists each problem and its associated event.

There following table provides an explanation for each signature error.

Table 9-6 Signature Errors

Signature Error

Explanation

Logging application restarted. This is the first event after the restart, but it cannot be verified if events have been removed at the end of the previous chain.

The logging application shut down and restarted, so the event count field (ClientMS) started again at 0; therefore, the event chain was broken.

You can determine if the application restart was malicious or not by looking at the last event in the previous event chain. Logging applications send an event when they are unloaded, so if the last event in the previous event chain is an application unload event, you know that no events have been deleted.

This is the first event in the database, but not the first event in the chain. Earlier events are missing.

The current event is the first event in the database, however, the event count field (ClientMS) indicates this is not the first event in the chain.

This message occurs if you have rolled or expired your data store. You can use the following methods to determine if any events are missing:

  • If you expired your data store, you can look at the current event’s time stamp to see if it occurred at the time you expired the data store.
  • If you rolled the data store, you can look at the event count field for the last event in the archived data store to determine if it preceded the current event.

The previous event is missing.

The current event’s signature does not include the signature from the previous event.

Using the event count field (ClientMS), Nsure Audit Report can determine that only the previous event is missing.

x previous events are missing.

The current event’s signature does not include the signature from the previous event.

Using the event count field (ClientMS), Nsure Audit Report can determine approximately how many previous events are missing.

Event has been tampered with.

The current event’s signature is not valid.

Although it includes the signature from the previous event, the event data in the signature does not match the current data.

Defining Verification Queries

To define a verification query:

  1. Open the Queries task.

    1. Click the Roles and Tasks button iManager Roles and Tasks button on the iManager toolbar.

    2. In the Roles and Tasks view, expand the Auditing and Logging Role.

    3. Click the Verification task.

  2. In the Database drop-down list, select the database where the events you want to verify are logged.

  3. Click New to define the verification query.

    The New Verification menu appears.

  4. In the Name field, specify the name you want to use to refer to this query.

    The query name appears in the Query list and in the query results’ title.

  5. In the Product drop-down list, select the logging application for the events you want to verify.

  6. To narrow the query, select And or Or in the Optional Filter drop-down list.

    This expands the filter options so you can narrow the verification query to a specific time frame or IP address range.

    Using standard and/or operators, you can define multiple event conditions. The done operator indicates the end of the query statement.

    The conditions are accumulative; that is, the logging server applies the first condition, then the second, then the third, etc., to progressively narrow the results.

  7. Include the Logging Application Certificate in the Product Certificate window.

    Click Browse to locate the Logging Application Certificate in the directory tree.

    By default, the Logging Application Certificates are available in the following directories:

    • sys:\system\naudit (NetWare)
    • \program files\novell\nsure audit\logschema\ (Windows)
    • /opt/novell/naudit//logschema/ (Linux)
    • /opt/NOVLnaudit/logschema/ (Solaris)
  8. Click OK.

The query now appears in the Query list.

9.1.7 Exporting Query Results in iManager

iManager can export query results in the following formats:

  • HTML file (*.htm)
  • Comma-Separated Text file (*.csv)
  • Tab Delimited Text file (*.txt)

To export query results in iManager:

  1. Run a query.

    For step-by-step instructions, see Running Queries in iManager.

  2. Within the query results page, click Export Results.

  3. Select the export format, then click OK.

    iManager brings up a Save As dialog box.

  4. Select the directory location and specify the filename.

  5. Click Save.

9.1.8 Printing Query Results in iManager

  1. Run a query.

    For step-by-step instructions, see Running Queries in iManager.

  2. Within the query results page, click Printer Friendly.

    iManager opens another page with the query results formatted in an HTML table.

  3. Click File > Print.

The query results are printed to your default printer.