I'm attempting to build the configuration on Page 10 of the "NetIQ XDASv2
Administration Guide" for auditing eDir and IDM events to a remote syslog
server (OpenSUSE Linux / syslog-ng). I've followed the directions in this
guide, and the similar ones in the "Identity Manager 4.02 Reporting Guide
for Novell Sentinel", and I believe I've configured it correctly, except
that I'm not getting anything at the syslog receiver.

The problem isn't the receiver. It is receiving other syslog messages
from remote hosts, so it's working.

In the xdasconfig.properties file, I've configured syslog (with caching),
and rolling file appenders. Tellingly, I'm not seeing anything in
/var/opt/novell/eDirectory/log/xdas-events.log (rolling file) nor in
/var/opt/novell/eDirectory (event caching directory).

xdasauditds is loaded:


Code:
--------------------

hostname:~ # ndstrace -c modules --config-file /etc/nds-2.conf|grep xdas
xdasauditds Running
--------------------

and eDirectory has been restarted a half-dozen times so far to no effect.
Calling from policy:


Code:
--------------------

<do-generate-event id="$EventID$" level="log-info">
  <arg-string name="target">
    <token-local-variable name="object-dn"/>
  </arg-string>
  <arg-string name="target-type">
    <token-text xml:space="preserve">0</token-text>
  </arg-string>
  <arg-string name="subTarget">
    <token-join delimiter=",">
      <token-local-variable name="UniqueModifiedAttrs"/>
    </token-join>
  </arg-string>
  <arg-string name="value1">
    <token-local-variable name="Now"/>
  </arg-string>
  <arg-string name="value3">
    <token-local-variable name="EventCachedTime"/>
  </arg-string>
  <arg-string name="text1">
    <token-local-variable name="EventType"/>
  </arg-string>
  <arg-string name="text2">
    <token-class-name/>
  </arg-string>
  <arg-string name="text3">
    <token-local-variable name="dirxml.auto.treename"/>
  </arg-string>
  <arg-string name="data">
    <token-local-variable name="EventSpecificData"/>
  </arg-string>
</do-generate-event>
--------------------


I see in the trace:


Code:
--------------------

[04/22/14 13:49:27.271]:eDirDriver-Teaming ST: Evaluating selection criteria for rule 'Send Audit Message'.
[04/22/14 13:49:27.271]:eDirDriver-Teaming ST: (if-operation match "add|modify|delete|move|rename|modify-password") = TRUE.
[04/22/14 13:49:27.271]:eDirDriver-Teaming ST: Rule selected.
[04/22/14 13:49:27.271]:eDirDriver-Teaming ST: Applying rule 'Send Audit Message'.
[04/22/14 13:49:27.271]:eDirDriver-Teaming ST: Action: do-generate-event(id="$EventID$",level="log-info",token-local-variable("object-dn"),"0",token-join(",",token-local-variable("UniqueModifiedAttrs")),token-local-variable("Now"),token-local-variable("EventCachedTime"),token-local-variable("EventType"),token-class-name(),token-local-variable("dirxml.auto.treename"),token-local-variable("EventSpecificData")).
[04/22/14 13:49:27.271]:eDirDriver-Teaming ST: Expanded variable reference '$EventID$' to '1001'.
[04/22/14 13:49:27.271]:eDirDriver-Teaming ST: target(token-local-variable("object-dn"))
[04/22/14 13:49:27.271]:eDirDriver-Teaming ST: token-local-variable("object-dn")
[04/22/14 13:49:27.271]:eDirDriver-Teaming ST: Token Value: "\NIU-FLAT-DEVELOPMENT\NIU\Users\Z025853".
[04/22/14 13:49:27.271]:eDirDriver-Teaming ST: Arg Value: "\NIU-FLAT-DEVELOPMENT\NIU\Users\Z025853".
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: target-type("0")
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: token-text("0")
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: Arg Value: "0".
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: subTarget(token-join(",",token-local-variable("UniqueModifiedAttrs")))
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: token-join(",",token-local-variable("UniqueModifiedAttrs"))
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: token-join(",",token-local-variable("UniqueModifiedAttrs"))
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: token-local-variable("UniqueModifiedAttrs")
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: Token Value: {"Password Expiration Time"}.
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: Arg Value: {"Password Expiration Time"}.
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: Token Value: "Password Expiration Time".
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: Arg Value: "Password Expiration Time".
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: value1(token-local-variable("Now"))
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: token-local-variable("Now")
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: Token Value: "1398192567".
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: Arg Value: "1398192567".
[04/22/14 13:49:27.275]:eDirDriver-Teaming ST: value3(token-local-variable("EventCachedTime"))
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: token-local-variable("EventCachedTime")
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: Token Value: "1390438166".
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: Arg Value: "1390438166".
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: text1(token-local-variable("EventType"))
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: token-local-variable("EventType")
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: Token Value: "modify".
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: Arg Value: "modify".
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: text2(token-class-name())
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: token-class-name()
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: Token Value: "User".
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: text3(token-local-variable("dirxml.auto.treename"))
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: token-local-variable("dirxml.auto.treename")
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: Token Value: "".
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: Arg Value: "".
[04/22/14 13:49:27.279]:eDirDriver-Teaming ST: data(token-local-variable("EventSpecificData"))
[04/22/14 13:49:27.283]:eDirDriver-Teaming ST: token-local-variable("EventSpecificData")
[04/22/14 13:49:27.283]:eDirDriver-Teaming ST: Token Value: "Modified by: CN=sles10-cluster-2,OU=servers,O=NIU".
[04/22/14 13:49:27.283]:eDirDriver-Teaming ST: Arg Value: "Modified by: CN=sles10-cluster-2,OU=servers,O=NIU".
--------------------

but then ... nothing. The fine manuals are kinda thin on debugging
information. I'm not seeing any of the error messages listed, I'm not
seeing anything at all, anywhere. Are there any ways to see what the
xdasauditds module is or isn't doing?


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.netiq.com

Please post questions in the forums. No support provided via email.
If you find this post helpful, please click on the star below.
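
Added example, not part of the original post and not NetIQ tooling: when neither the rolling file nor the syslog cache directory receives anything, one offline check is whether every appender in xdasconfig.properties is both defined and attached to the root logger. The sketch assumes the file uses log4j-style keys (`log4j.rootLogger`, `log4j.appender.<name>`); the sample content and the address 192.0.2.10 are constructed.

```python
import re

# Constructed sample, NOT the poster's file. Key names assume log4j conventions.
SAMPLE = """\
log4j.rootLogger=debug, R
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=192.0.2.10
log4j.appender.S.Port=514
log4j.appender.R=org.apache.log4j.RollingFileAppender
#log4j.appender.R.File=/var/opt/novell/eDirectory/log/xdas-events.log
"""

# Property each appender class needs before it has anywhere to write.
REQUIRED = {
    "org.apache.log4j.net.SyslogAppender": "Host",
    "org.apache.log4j.RollingFileAppender": "File",
}

def parse_properties(text):
    """Return active key/value pairs; commented-out and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def lint(text):
    """List reasons an appender in the file would stay silent."""
    props = parse_properties(text)
    root = props.get("log4j.rootLogger")
    if root is None:
        return ["log4j.rootLogger is missing or commented out: no appender is attached"]
    attached = [n.strip() for n in root.split(",")[1:] if n.strip()]  # first item is the level
    defined = {k.split(".")[2]: v for k, v in props.items()
               if re.fullmatch(r"log4j\.appender\.[^.]+", k)}
    findings = [f"appender {n} is on rootLogger but has no active class line"
                for n in attached if n not in defined]
    for name, cls in sorted(defined.items()):
        if name not in attached:
            findings.append(f"appender {name} is defined but not listed on rootLogger")
        need = REQUIRED.get(cls)
        if need and f"log4j.appender.{name}.{need}" not in props:
            findings.append(f"appender {name} ({cls.rsplit('.', 1)[1]}) has no active {need} property")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

To check a real file, pass its contents to `lint()`; an empty list means the appender wiring is consistent, not that events are being generated.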