Viewing the Audit Trail

To view the audit trail, the user should be set as the Auditor and granted rights to view the audit trail. See the steps below for more information.


Setting the User As Auditor

  1. Create one or more Auditor domains (see Auditor Query Domains for more information).

    In ConsoleOne, right-click the desired container > click New > Object > NAASAuditorQueryDomain.

  2. Right-click the User object.

  3. Select Extensions > Add Extension > NAASAuditor.

  4. Add one or more Auditor query domains.

  5. Set one of the configured Auditor query domains as the preferred domain.

    This step is mandatory. This setting can be modified later in the Properties page of the Auditor.

  6. Configure one or more Audit servers that the auditor can contact.

    The servers configured here must have Read rights to the NaasRamdomNance and NaasSelectedDomain attributes of this user. Also, the servers must have Read rights for the Auditor query domains configured in step 4.

  7. Grant the Auditor Read rights to the naasPortNumber and HostDevice attributes of the Audit server objects to be contacted.

  8. Grant the Auditor Read rights to the NetworkAddress attribute of the NetWare server objects hosting the audit servers to be contacted.


Granting Rights for Viewing the Audit Trail

The Audit server supports fine-grained access control to the Audit data based on eDirectory rights. Every audit record contains a Target Object Name that corresponds to the name of the eDirectory object on which the audited event was generated. To view the audit records, a user must have Audit rights to the eDirectory object that is set as the target object. Having Audit rights to an object means having Read rights to the naasTrail attribute on that object.

The normal eDirectory Rights granting mechanism can be used for this purpose. All the normal rules of rights flowing down the tree are applicable here.

Also, to connect to the Audit server, the Auditor should have Read rights to the LDAP Server attribute and the LDAP:keyMaterialName attribute for the entire partition.


Auditor Query Domains

A domain is essentially a subset of the eDirectory tree. When the Auditor connects to an Audit server, the server queries all objects in the Auditor's domain and builds a list of objects to which the Auditor has Audit rights. An Auditor Query domain specifies the boundaries within which the Audit server should query objects.

IMPORTANT:  Only those Audit reports that belong to the object in the preferred domain will be displayed to the Auditor. To retrieve reports of objects that are outside the preferred domain, the Auditor must reset the preference to the domain to be queried.
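
The visibility rule described in the two sections above, sketched as an added illustration (not Novell code): a record is shown only if its target object lies inside the preferred query domain and the Auditor holds Read on naasTrail for it, either directly or inherited from a container above. The object names, grants and records are constructed, and the model assumes typeless dot-separated names and ignores Inherited Rights Filters and security equivalence.

```python
# Simplified model of NAAS audit-record visibility (assumption, not NAAS code).
# Names are typeless, dot-separated, leaf first: "alice.sales.acme".

def in_subtree(obj, container):
    """True if obj is the container itself or lies beneath it in the tree."""
    obj, container = obj.lower(), container.lower()
    # The leading dot keeps "presales.acme" from matching "sales.acme".
    return obj == container or obj.endswith("." + container)

def has_audit_right(auditor, obj, grants):
    """Audit right = Read on naasTrail, assigned on obj or on a container above it.

    grants is a set of (trustee, object_where_assigned) pairs.
    """
    return any(trustee.lower() == auditor.lower() and in_subtree(obj, where)
               for trustee, where in grants)

def visible_records(auditor, preferred_domain, grants, records):
    """Records inside the preferred domain whose target the auditor may audit."""
    return [r for r in records
            if in_subtree(r["target"], preferred_domain)
            and has_audit_right(auditor, r["target"], grants)]

def visible_ids(auditor, preferred_domain, grants, records):
    return [r["id"] for r in visible_records(auditor, preferred_domain, grants, records)]

# Constructed sample data: one grant on a container (flows down to its
# children) and one grant on a single leaf object.
GRANTS = {("aud1.acme", "sales.acme"), ("aud1.acme", "srv1.it.acme")}
RECORDS = [
    {"id": 1, "target": "alice.sales.acme"},   # inherits the sales.acme grant
    {"id": 2, "target": "bob.hr.acme"},        # no grant anywhere above
    {"id": 3, "target": "srv1.it.acme"},       # direct grant on the object
    {"id": 4, "target": "sales.acme"},         # the container itself
    {"id": 5, "target": "carol.presales.acme"},  # sibling container, no grant
]

if __name__ == "__main__":
    for domain in ("acme", "sales.acme", "it.acme", "hr.acme"):
        print(domain, "->", visible_ids("aud1.acme", domain, GRANTS, RECORDS))
```

Switching the preferred domain from sales.acme to it.acme changes the result from records 1 and 4 to record 3, even though the Auditor's rights are unchanged.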


