OES 2 SP2: NSS Auditing Client Logger (VLOG) Utility Reference
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time,
without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims
any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc.,
reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to
notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the
trade laws of other countries. You agree to comply with all export control regulations and to obtain any required
licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on
the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws.
You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the
Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on
exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export
approvals.
This reference guide describes the syntax and options for the Novell Storage Services (NSS)
Auditing Client Logger (VLOG) utility for Novell Open Enterprise Server (OES) 2 Support Pack 2
(SP2) Linux. The VLOG utility is used with the NSS Auditing Engine, which is available in OES 2
SP2 Linux and later.
This guide includes the following sections:
Chapter 1, “Overview of the NSS Auditing Client Logger (VLOG) Utility”
Chapter 2, “VLOG Utility Man Page”
Audience
This guide is intended for system administrators or anyone who is responsible for auditing file
system events on NSS file systems on OES 2 SP2 Linux servers.
novdocx (en) 16 April 2010
Knowledge of the NSS file system is assumed. Some background knowledge of the host operating
system is also assumed.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation, or go to www.novell.com/documentation/feedback.html and enter your
comments there.
Documentation Updates
The VLOG man page, vlog(8), is available on the server. Updates to the man page are delivered
with any updates to the VLOG utility.
For the most recent version of the OES 2 SP2: NSS Auditing Client Logger (VLOG) Reference, visit
the Novell Open Enterprise Server 2 Documentation Web site
(http://www.novell.com/documentation/oes2/security.html) under Security.
Additional Documentation
Information about the NSS Auditing Engine SDK (Software Development Kit) is available on the
NSS Auditing SDK Web site (http://developer.novell.com/wiki/index.php/NSS_Auditing_SDK).
1 Overview of the NSS Auditing Client Logger (VLOG) Utility
The Novell Storage Services (NSS) Auditing Client Logger (VLOG) utility for Novell Open
Enterprise Server (OES) 2 Support Pack 2 (SP2) Linux is used with the NSS Auditing Engine
(/etc/init.d/novell-vigil). The NSS Auditing Engine is installed by default when you install
NSS on an OES 2 SP2 Linux or later server.
Section 1.1, “Using VLOG with the NSS Auditing Engine”
Section 1.2, “Using Auditing Client Applications with the NSS Auditing Engine”
1.1 Using VLOG with the NSS Auditing Engine
When VLOG is running, it intercepts, parses, filters, augments, and displays auditing records
received from the NSS Auditing Engine (vigil). For information about configuring and using the
VLOG utility, see Chapter 2, “VLOG Utility Man Page,” on page 13.
The basic functionality includes:
Section 1.1.1, “Logged Output”
Section 1.1.2, “Paths to Include or Exclude”
Section 1.1.3, “File System Events to Monitor”
Section 1.1.4, “NSS, NCP, and CIFS Event Sub-Types to Monitor”
Section 1.1.5, “VIGIL Events to Monitor”
1.1.1 Logged Output
By default, vlog sends its output to stdout in an XML record format. VLOG also supports output
in CSV (comma-separated values) format and SENT format (for Novell Sentinel/Log Manager
products). For information, see “VLOG Options” on page 15.
1.1.2 Paths to Include or Exclude
VLOG allows you to specify which files and directories are to be monitored. You can specify
patterns for the file and directory names by using a defined set of search characters. You can specify
which file paths are to be included or excluded. For information, see “Path Element Options” on
page 21. For examples of path patterns, see “Path Element Examples” on page 22.
1.1.3 File System Events to Monitor
VLOG can be configured to log various file system events on files and directories that are reported
by the NSS Auditing Engine, including:
delete
create
open
close
rename
link
metadata modified
trustee added or removed
inherited rights modified
For information, see “Event Types” on page 26 and “Event Type Examples” on page 26.
1.1.4 NSS, NCP, and CIFS Event Sub-Types to Monitor
These NSS file system events can be audited by NSS, NCP (NetWare Core Protocol), and CIFS subtypes.
For information, see “Event Sub-Types NSS, NCP, and CIFS” on page 27 and “Event Sub-Type
Examples” on page 28.
1.1.5 VIGIL Events to Monitor
VLOG can also be configured to report various events internal to the NSS Auditing Engine, referred
to as VIGIL events, such as:
Starting or stopping the vigil.ko kernel module
Starting or stopping the vigil.ncp.ko kernel module
Starting or stopping the vigil.nss.ko kernel module
Starting or stopping the vigil.cifs.ko kernel module
Starting or stopping the Auditing Client (an internal construct of the NSS Auditing Engine)
Starting or stopping the Auditing Client User (an internal construct of the NSS Auditing
Engine)
Rolling the audit record log file over to a new file when the log reaches an
administrator-specified maximum size
For information, see “Patterns for Filtering Records of Type VIGIL” on page 17 and “Examples for
Filtering VIGIL Events” on page 19.
1.2 Using Auditing Client Applications with the NSS Auditing Engine
Some auditing client applications, such as Novell Sentinel Log Manager and various third-party
products, can access audited events that are reported by the NSS Auditing Engine. Information
about the NSS Auditing Engine Software Developer Kit (SDK) is available on the NSS Auditing
SDK Web site (http://developer.novell.com/wiki/index.php/NSS_Auditing_SDK).
Section 1.2.1, “Novell Sentinel Log Manager”
Section 1.2.2, “Third-Party Partner Applications”