Hi All,

We recently began to experience issues where the identity providers
would stop reporting information to the logging server, and only a
restart of the identity providers would resolve the issue.

As per article http://www.novell.com/support/kb/doc.php?id=7010978, we
followed these steps and all seemed to be working fine until we needed
to restart the identity providers to troubleshoot an unrelated issue.
I'm unsure if the idp's were restarted as part of the logevent changes,
and this may have been the first restart since the script & init script
changes.

Since that time, the nam_audit.log file appears to be getting updated
infrequently (could be hours since last update), whereas before, the
nam_audit.log would be getting updated almost instantly. It does not
appear that events are being lost, but are being cached at the identity
providers.

The logevent.conf from the identity providers is listed below;

LogHost=xxx.xxx.xxx.xxx
LogCachePort=1288
LogEnginePort=289
LogCacheDir=/var/opt/novell/naudit/cache
LogForceCaching=Y
LogCacheLimitAction=roll cache

I have noticed on the identity providers, the following log files;

/var/opt/novell/naudit/nproduct.log
/var/opt/novell/novlwww/nproduct.log

The entries in the /var/opt/novell/naudit/nproduct.log are as follows;

Mon Apr 14 07:03:20 2014 [Novell Audit Cache]: Connection seems
terminated, Checking any orphan cache file...
Mon Apr 14 07:03:20 2014 [Novell Audit Cache]: Going to backup the
current cache file.
Mon Apr 14 07:03:23 2014 [Novell Audit Cache]: [UploadBackupCache] -
Found cache file for application Novell Access Manager.
Mon Apr 14 07:03:28 2014 [Novell Audit Cache]: [UploadBackupCache] -
Found cache file for application Novell Access Manager.
Mon Apr 14 07:03:28 2014 [Novell Audit Cache]: [UploadBackupCache]Going
to connect to the SLS/Sentinel
Mon Apr 14 07:03:28 2014 [Novell Audit Cache]: [UploadBackupCache] -
Removed application Novell Access Manager cache file
/var/opt/novell/naudit/cache/backup/lc49018cec
1d043f1f709e2550ad28a0d6.1397423000.

The entries in the /var/opt/novell/novlwww/nproduct.log are as follows;

Mon Apr 14 06:32:49 2014 [Novell Audit Platform Agent]: LCache could not
process event for the application Novell Access Manager. Reconnecting
LCache Again.
Mon Apr 14 06:32:49 2014 [Novell Audit Platform Agent]: ACK Failure for
nidp
Mon Apr 14 06:32:49 2014 [Novell Audit Platform Agent]: LCache could not
process, Going to restart/connect again
Mon Apr 14 06:46:39 2014 [Novell Audit Platform Agent]: This is from
EndClientConnection
Mon Apr 14 06:46:39 2014 [Novell Audit Platform Agent]: LCache could not
process event for the application Novell Access Manager. Reconnecting
LCache Again.

Can anybody advise if the delay in reporting the events back to the
administration console is expected behavior? Is there any option
available to cache but also report events in real (or near real) time to
the nam_audit.log file? Restarting the idp's appears to push through any
events not yet sent to the audit server.

Thanks All,
G


--
gbatty1
------------------------------------------------------------------------
gbatty1's Profile: https://forums.netiq.com/member.php?userid=2072
View this thread: https://forums.netiq.com/showthread.php?t=50536