[logs] Novell logs

From: Daniele Muscetta (danieleat_private)
Date: Wed Jan 29 2003 - 14:11:25 PST


    >> We're continuing to struggle with what we're going to do about
    >> collecting logs from Novell servers, despite the great suggestions
    >> from this list.
    
    >> There are a bunch of add-on syslog daemons for NetWare
    >> (including one from Novell as part of their NIMS product); as far as I
    >> know, however, there are no syslog client NLMs--the easiest way I know
    >> of to get conlog messages to a remote syslog box is to use Perl for NW.
    
    >> There have been a couple of questions about how to monitor
    >> Novell.  I haven't found anything about syslog yet, but it
    >> appears that Novell has SNMP capabilities.  Check out:
    >> http://lanweb.cit.buffalo.edu/doc/Online/inst-87.html
    >> if SNMP is an option for you.
    >> cheers -- tbird
    
    
    Hi list, I am new here, so I apologize, should I repeat something
    already resolved...
    But the quotes above are precisely ALL I found in the entire archive of
    the list and in general... Searching elsewhere on the web, one doesn't
    get much more info...
    
    But I am now in the same situation of wanting/needing/having to collect
    Novell logs as well...
    I reached the following conclusions:
    
    1) no syslog client available (that I am aware of)...
    
    2) wanting to support applications other than the OS, even when running
    modern ports such as Apache, it does not have syslog capabilities like
    its UX brother... Because Apache writes to the local syslog daemon, as
    far as I know, it doesn't let you tell it a remote box to log to, but
    just the facility, that's it... The documentation says: "Using syslog
    instead of a filename enables logging via syslogd(8) if the system
    supports it. The default is to use syslog facility local7, but you can
    override this by using the syslog:facility syntax where facility can be
    one of the names usually documented in syslog(1). Example:  ErrorLog
    syslog:user" - and also in something written by tbird that I found
    around, she was suggesting this approach... Clean, but on Novell it is
    not an option, unfortunately.
    
    3) someone said PERL: any help available, apart from just the language
    used... Code examples, or such? Anybody know where to find them? Am I
    too lame, not being able to write them? Most likely. I apologize.
    
    
    These are the questions.
    So far the only thing I found is NetIQ Security Manager / Microsoft
    Operations Manager.
    The product (as it is most likely known) is the same codebase. What
    changes are the "rules", grouped in "active knowledge modules"... That
    would be, simply speaking, the pre-made filters, processing, correlating
    and alerting rules (that are "physically" queries, stored procedures and
    scripts in MS SQL Server...): The difference is that the Microsoft
    version is oriented more to system management/availability of
    applications (like all the possible error conditions of Exchange that
    ever existed, and this sort of thing to "detect" from the event logs...),
    while NetIQ has a "Security" version, that focuses mainly on Windows
    Security, but they also added capabilities to read Firewall-1 and Cisco
    PIX logs and configurations, using the pre-existing syslog server
    embedded in the products. The feature has always been there - normally
    the product collects the logs using its own proprietary agent
    technology - but since the early versions (3.1x if I am not wrong), when
    the product was still produced by Mission Critical Software, a company
    that later merged into the new NetIQ, it was ALSO able to collect
    syslogs. The new product has Unix management/auditing (limited), and it
    also alerts from ISS RealSecure.
    It is a cool "manager of managers".
    NetIQ also produces additional sets of rules (based on its own "Security
    Manager") that you can install on the Microsoft counterpart (MOM).
    A couple of days ago I found that... they now have one of these
    "modules" for Novell, too! Freshly added.
    But at the moment in which I am writing, the module for Novell (which,
    by the way, uses SNMP with some extension: Microsoft WBEM SNMP Provider)
    is ONLY available for MOM, and NOT for Security Manager.
    On the other side, the module for the Cisco PIX is ONLY available for
    Security Manager and NOT for MOM.
    It looks like it is something related to licensing issues.
    
    So far, I still don't manage to integrate Novell in my logging
    infrastructure... With all the rest, I mean! ;)
    Any idea?
    
    Best regards to everybody,
    
    Daniele Muscetta
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
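The forwarding step the thread keeps coming back to (a script that pushes console-log lines to a remote syslog box, and the facility names such as local7 and user from the quoted Apache documentation), as an added example that is not part of the original post, is not the Perl-for-NetWare script it asks about, and is not Novell's, Apache's or NetIQ's code. It is written in Python rather than Perl; the host name NW-SERVER1, the sample console lines and the fixed timestamp are constructed for reproducible output:

```python
"""Forward console-log lines to a remote syslog collector over UDP.

Added example (not the Perl-for-NetWare script discussed on the list): it
shows the wire format any such forwarder has to produce, the BSD syslog
line "<PRI>Mmm dd hh:mm:ss HOST TAG: MSG" (later written down in RFC 3164),
and how facility/severity names map to the PRI number in front of it.
"""
import socket
from datetime import datetime

# Facility and severity names as used by syslog(3) and by Apache's
# "ErrorLog syslog:facility" directive.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
MAX_DATAGRAM = 1024  # upper bound on a BSD syslog packet

# Fixed timestamp (the date of the post) so the output is reproducible.
SAMPLE_TIME = datetime(2003, 1, 29, 14, 11, 25)


def priority(facility, severity):
    """PRI = facility * 8 + severity; e.g. local7/err -> 23*8+3 = 187."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_priority(pri):
    """Inverse of priority(): (facility_name, severity_name) for a PRI value."""
    fac = {v: k for k, v in FACILITIES.items()}.get(pri // 8)
    if fac is None:
        raise ValueError(f"unassigned facility code {pri // 8}")
    return fac, {v: k for k, v in SEVERITIES.items()}[pri % 8]


def sanitize(text):
    """Replace control and non-ASCII characters with spaces. A CR/LF embedded
    in one console line would otherwise let that line smuggle a second,
    forged record into the collector's log file."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else " " for c in text)


def format_message(facility, severity, hostname, tag, text, when=None):
    """Build one BSD syslog datagram as a str (pure ASCII after sanitize())."""
    when = when or datetime.now()
    # The BSD timestamp space-pads the day ("Jan  9"), unlike strftime's %d.
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    line = f"<{priority(facility, severity)}>{stamp} {hostname} {tag}: {sanitize(text)}"
    return line[:MAX_DATAGRAM]


def forward_lines(lines, dest, facility="local7", severity="notice",
                  hostname="NW-SERVER1", tag="conlog", sendto=None):
    """Emit one datagram per line to dest=(host, port); returns the count sent.

    `sendto` may be any callable taking (bytes, dest); it defaults to a fresh
    UDP socket's sendto so the function also works against a real collector.
    The hostname default is a constructed placeholder, not a real server.
    """
    sock = None
    if sendto is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sendto = sock.sendto
    sent = 0
    try:
        for line in lines:
            msg = format_message(facility, severity, hostname, tag, line.rstrip("\r\n"))
            sendto(msg.encode("ascii"), dest)
            sent += 1
    finally:
        if sock is not None:
            sock.close()
    return sent


# Constructed sample lines in the spirit of a NetWare console log; not real
# server output. The third one carries an embedded newline and a fake record.
SAMPLE_CONLOG = [
    "1-29-2003 2:11:25 pm: SERVER-5.0-2187  Module APACHE.NLM loaded",
    "1-29-2003 2:12:01 pm: DS-8.6-1  Directory Services is open",
    "1-29-2003 2:12:40 pm: Login denied\n<13>Jan 29 14:12:40 OTHERHOST su: ok",
]


def demo():
    """Loop the forwarder back to a local UDP socket; returns the received lines."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2)
    try:
        n = forward_lines(SAMPLE_CONLOG, rx.getsockname())
        return [rx.recv(MAX_DATAGRAM).decode("ascii") for _ in range(n)]
    finally:
        rx.close()


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Running the file sends the three constructed lines to a loopback UDP socket and prints them back as `<189>Jan 29 ... NW-SERVER1 conlog: ...` records (local7/notice = 23*8+5). The sanitize() step is the part worth keeping whatever language the forwarder ends up in: the collector trusts whatever arrives in the datagram, so an unfiltered newline in a console line becomes a second, apparently separate entry on the remote box. Plain UDP syslog also gives no delivery guarantee or sender authentication, so a receiver that can take the same lines over TCP is preferable where available.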
    



    This archive was generated by hypermail 2b30 : Wed Jan 29 2003 - 23:11:55 PST