Hi all,

We've upgraded the IDM solution from v4.5.4 to the latest patches 4.6.2 and for some reason the platform agent of the eDirectory servers could not establish connection to the Sentinel server and so the events are not being sent.

We have the following environment:
  • eDirectory 9.0.4
  • IDM 4.6.2
  • Sentinel 8.0.0.0_3211
  • Platform agent "novell-AUDTplatformagent-2.0.2-80.x86_64"
  • eDir instrumentation "novell-AUDTedirinst-9.0.4-0.x86_64"


In nproduct.log we have the following messages:

Tue Dec 19 15:36:29 2017 [Novell Audit Platform Agent]: Attempting to re-establish connection to secure log server for application eDirInst.
Tue Dec 19 15:36:29 2017 [Novell Audit Platform Agent]: Authentication Failure
Tue Dec 19 15:39:29 2017 [eDirectory Instrumentation]: Waiting 20 seconds for ConfigMonitor thread to finish... 0
Tue Dec 19 15:39:30 2017 [CloseCache]: Closing the cache
Tue Dec 19 15:39:30 2017 [CloseCache]: Closing LCache Process, Handle->s[SOCKET_CACHE]
Tue Dec 19 15:39:51 2017 [PrepareCache]: New connection to LCache Process
Tue Dec 19 15:39:51 2017 [Novell Audit Platform Agent]: Starting the new Lcache process...
Tue Dec 19 15:39:51 2017 [Novell Audit Platform Agent]: Using default path [/opt/novell/naudit/lcache]
Tue Dec 19 15:39:51 2017 [Novell Audit Platform Agent]: Launching the LCache process from [/opt/novell/naudit/lcache]
Tue Dec 19 15:39:51 2017 [Novell Audit Cache]: Cache Size has been set to [419374l] bytes.
Tue Dec 19 15:39:51 2017 [Novell Audit Cache]: Log Cache Dir : /var/opt/novell/naudit/cache
Tue Dec 19 15:39:51 2017 [Novell Audit Cache]: Going to backup the files at startup.
Tue Dec 19 15:39:53 2017 [Novell Audit Platform Agent]: Re-connecting to LCache Process
Tue Dec 19 15:39:53 2017 [PrepareCache]: Re-connecting to LCache Process
Tue Dec 19 15:39:53 2017 [HandleConnection]: New connection on socket 58200
Tue Dec 19 15:39:53 2017 [Novell Audit Platform Agent]: Authentication Failure
Tue Dec 19 15:39:53 2017 [Novell Audit Platform Agent]: Failing primary connection for application eDirInst.
Tue Dec 19 15:39:56 2017 [EndClientConnection]: Not Exiting thread due to STATE_ENDING for socket 0
Tue Dec 19 15:39:56 2017 [EndClientConnection]: Not Exiting thread due to STATE_NO_THREADEXIT for socket 0
Tue Dec 19 15:39:56 2017 [Novell Audit Cache]: Server dropped the connection, Trying to connect again...
Tue Dec 19 15:39:56 2017 [EndClientConnection]: Not Exiting thread due to STATE_ENDING for socket 0
Tue Dec 19 15:39:56 2017 [Novell Audit Cache]: Server seems busy, wait for 5 Seconds and try again...
Tue Dec 19 15:40:00 2017 [GetClientBytes]: Closing the connection. Count is [-1] and Exiting is [0]
Tue Dec 19 15:40:00 2017 [PA-EndClientConnection]: About to close socket
Tue Dec 19 15:40:00 2017 [Novell Audit Platform Agent]: LCache could not process event for the application DirXML. Reconnecting LCache Again.
Tue Dec 19 15:40:00 2017 [PA]: ACK Failure for \Engine and connection closed
Tue Dec 19 15:40:00 2017 [PA-EndClientConnection]: About to close socket
Tue Dec 19 15:40:00 2017 [Novell Audit Platform Agent]: LCache could not process event for the application DirXML. Reconnecting LCache Again.
Tue Dec 19 15:40:00 2017 [Novell Audit Platform Agent]: LCache could not process, Going to restart/connect again
Tue Dec 19 15:40:00 2017 [PrepareCache]: New connection to LCache Process
Tue Dec 19 15:40:00 2017 [HandleConnection]: New connection on socket 58210
Tue Dec 19 15:40:00 2017 [Novell Audit Platform Agent]: Attempting to re-establish connection to secure log server for application DirXML.
Tue Dec 19 15:40:00 2017 [Novell Audit Platform Agent]: Authentication Failure

And on the Sentinel log server /server0.0.log we can see the following:


Tue Dec 19 15:21:28 ART 2017|INFO|Thread-616|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditX509TrustManager.<init>
Setting the trust level for the audit connector to OPEN
Tue Dec 19 15:24:43 ART 2017|INFO|NAudit (/10.1.23.10:47424)|esecurity.ccs.comp.audit.AuditLogger.execute
Audit High:: Action by the system via Sentinel service Server object Audit Connector method NewConnection client Unknown failed : A new application NAudit from machine 10.1.23.10 made a connection with the Audit Event Source Server: Audit Server (ID D892E9F0-3CA7-102B-B598-005056C00005).
Tue Dec 19 15:24:43 ART 2017|INFO|NAudit (/10.1.23.10:47424)|esecurity.base.db.connection.DBConnectionPool.report
ConnectionPool Stats for last 760sec: avg getCn time 0sec of 129 cns, avg use time 0.001sec over 129cns, On average 1 free and 0 active connections
Tue Dec 19 15:24:43 ART 2017|INFO|NAudit (/10.1.23.10:47424)|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditConnectorServer.alertNewConnection
Audit Server (ID D892E9F0-3CA7-102B-B598-005056C00005): Received new event source from machine 10.1.23.10:NAudit
Tue Dec 19 15:24:43 ART 2017|INFO|NAudit (/10.1.23.10:47424)|esecurity.ccs.comp.audit.AuditLogger.execute
Audit High:: Action by the system via Sentinel service Server object Audit Connector method LostConnection client Unknown failed : A Novell application NAudit from machine 10.1.23.10 has lost connection with the Audit Event Source Server: Audit Server (ID D892E9F0-3CA7-102B-B598-005056C00005).
Tue Dec 19 15:24:43 ART 2017|SEVERE|Thread-621|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.handle_LE_CMD_STARTTLS
NAudit: [Unexpected] A malformed certificate is being used by a client connection.
Tue Dec 19 15:24:43 ART 2017|INFO|Thread-622|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditX509TrustManager.<init>
Setting the trust level for the audit connector to OPEN
Tue Dec 19 15:24:43 ART 2017|INFO|NAudit (/10.1.23.10:47426)|esecurity.ccs.comp.audit.AuditLogger.execute
Audit High:: Action by the system via Sentinel service Server object Audit Connector method NewConnection client Unknown failed : A new application NAudit from machine 10.1.23.10 made a connection with the Audit Event Source Server: Audit Server (ID D892E9F0-3CA7-102B-B598-005056C00005).
Tue Dec 19 15:24:43 ART 2017|INFO|NAudit (/10.1.23.10:47426)|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditConnectorServer.alertNewConnection
Audit Server (ID D892E9F0-3CA7-102B-B598-005056C00005): Received new event source from machine 10.1.23.10:NAudit
Tue Dec 19 15:24:43 ART 2017|INFO|NAudit (/10.1.23.10:47426)|esecurity.ccs.comp.audit.AuditLogger.execute
Audit High:: Action by the system via Sentinel service Server object Audit Connector method LostConnection client Unknown failed : A Novell application NAudit from machine 10.1.23.10 has lost connection with the Audit Event Source Server: Audit Server (ID D892E9F0-3CA7-102B-B598-005056C00005).
Tue Dec 19 15:39:53 ART 2017|INFO|Thread-680|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditX509TrustManager.<init>
Setting the trust level for the audit connector to OPEN
Tue Dec 19 15:39:56 ART 2017|INFO|Thread-681|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditX509TrustManager.<init>
Setting the trust level for the audit connector to OPEN
Tue Dec 19 15:39:56 ART 2017|SEVERE|Thread-681|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.handle_LE_CMD_STARTTLS
NAudit: [Unexpected] A malformed certificate is being used by a client connection.

We already tried unloading and loading the audit services, killing the lcache, and rebooting the Sentinel server, but we still get the same issues.

Any ideas? What else can we try?
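
An added example, not part of the original post and not Novell or Sentinel code: a small Python script that parses both log formats quoted above and pairs each agent-side "Authentication Failure" with SEVERE Sentinel records logged within a few seconds of it. The function names and the 5-second window are hypothetical choices, and it assumes both hosts keep synchronized clocks in the same time zone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: lines taken from the two logs in the post (forum wrap spaces removed).
AGENT_LOG = """\
Tue Dec 19 15:36:29 2017 [Novell Audit Platform Agent]: Authentication Failure
Tue Dec 19 15:39:53 2017 [HandleConnection]: New connection on socket 58200
Tue Dec 19 15:39:53 2017 [Novell Audit Platform Agent]: Authentication Failure
Tue Dec 19 15:40:00 2017 [Novell Audit Platform Agent]: Authentication Failure
"""
SENTINEL_LOG = """\
Tue Dec 19 15:39:53 ART 2017|INFO|Thread-680|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.AuditX509TrustManager.<init>
Setting the trust level for the audit connector to OPEN
Tue Dec 19 15:39:56 ART 2017|SEVERE|Thread-681|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.handle_LE_CMD_STARTTLS
NAudit: [Unexpected] A malformed certificate is being used by a client connection.
"""
TS_FMT = "%a %b %d %H:%M:%S %Y"
AGENT_RE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}) \[(.+?)\]: (.*)$")
SENTINEL_RE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8}) [A-Z]+ (\d{4})\|(\w+)\|[^|]*\|(.*)$")

def parse_agent(text):
    """Return (timestamp, component, message) for each platform agent line."""
    out = []
    for line in text.splitlines():
        m = AGENT_RE.match(line)
        if m:
            out.append((datetime.strptime(m[1], TS_FMT), m[2], m[3]))
    return out

def parse_sentinel(text):
    """Return (timestamp, level, method, message); the message follows each header line."""
    out = []
    for line in text.splitlines():
        m = SENTINEL_RE.match(line)
        if m:  # header line; the time zone token (ART) is dropped (assumption: same zone)
            out.append([datetime.strptime(f"{m[1]} {m[2]}", TS_FMT), m[3], m[4], ""])
        elif out:
            out[-1][3] = (out[-1][3] + " " + line).strip()
    return [tuple(r) for r in out]

def correlate(agent, server, window=timedelta(seconds=5)):
    """Pair each agent 'Authentication Failure' with SEVERE server records in the window."""
    return [(ts, [s for s in server if s[1] == "SEVERE" and abs(s[0] - ts) <= window])
            for ts, _comp, msg in agent if msg == "Authentication Failure"]

if __name__ == "__main__":
    for ts, near in correlate(parse_agent(AGENT_LOG), parse_sentinel(SENTINEL_LOG)):
        print(ts, "->", [(s[2].rsplit(".", 1)[-1], s[3]) for s in near] or "no SEVERE record nearby")
```

A failure with no nearby SEVERE record only means the quoted server excerpt has no entry in that window, not that the server logged nothing.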