Every LDAP server in your environment must be configured to forward eDirectory audit logs. Missing even one server will result in gaps in your audit data that may affect compliance reporting and incident investigation.

Understanding CEF audit log forwarding:

eDirectory generates audit log data in CEF format and forwards it via syslog to a configured destination — in this case, the LT Auditor ^MP server. There are two ways to configure this forwarding depending on your environment:

Both methods produce the same result — CEF audit events forwarded to LT Auditor ^MP on port 5014 (or your configured port).

Before you begin:

Confirm the following on each eDirectory server before proceeding:

• The LT Auditor ^MP transformation rule for eDirectory is configured and the server is listening on port 5014 (or your configured port) — see the Modifying Receiver Settings in LT Auditor ^MP article
• The firewall allows outbound syslog traffic from the eDirectory server to the LT Auditor ^MP server on the configured port
• You have administrative access to each eDirectory server — either via iManager or direct server access for configuration file editing

Option A — Configure via iManager (GUI):

Use this method if you prefer a graphical interface or are configuring a small number of eDirectory servers.

1. Open a browser and log in to iManager for the eDirectory server you are configuring
2. Navigate to eDirectory Auditing
3. Select your LDAP NCP server from the server list
4. Select CEF as the audit output format
5. Configure the syslog destination:
   • Host — the IP address or hostname of the LT Auditor ^MP server
   • Port — 5014 (or your configured port)
   • Protocol — TCP, UDP, or TLS to match your LT Auditor ^MP transformation rule setting
6. Enable the following event categories and save:

7. Click Save
8. Verify the configuration is active and eDirectory begins forwarding logs

[Your administrator should add screenshots of each iManager screen here to guide administrators who are less familiar with the iManager interface.]

Option B — Configure via configuration file (SLES LDAP Server):

Use this method for SLES Linux LDAP servers, large deployments, or where iManager access is not available.

Step 1 — Edit the audit log configuration file:

Open the audit configuration file on the eDirectory server:

sudo nano /etc/opt/novell/eDirectory/conf/auditlogconfig.properties

Uncomment and update the following lines. The example below uses TCP — replace TCP with UDP or TLS if required by your environment:

log4j.rootLogger=debug, S

log4j.appender.S=org.apache.log4j.net.SyslogAppender

log4j.appender.S.Host=<IP Address of LT Auditor MP>

log4j.appender.S.Port=5014

log4j.appender.S.Protocol=TCP

log4j.appender.S.Threshold=INFO

log4j.appender.S.CacheEnabled=no

log4j.appender.S.layout=org.apache.log4j.PatternLayout

log4j.appender.S.layout.ConversionPattern=%c: %m%n

Replace <IP Address of LT Auditor MP> with the actual IP address or hostname of your LT Auditor ^MP server.

Protocol options:

Save the file after making your changes.

Step 2 — Update the modules configuration file:

To ensure the CEF audit daemon restarts automatically when eDirectory is restarted or the server reboots, add the following line to the modules configuration file:

Open the file:

sudo nano /etc/opt/novell/eDirectory/conf/ndsmodules.conf

Add the following line:

cefauditds   auto     #cefauditds

Save the file.

Step 3 — Restart the CEF audit daemon:

Apply the configuration changes by restarting the CEF audit daemon:

ndstrace –c “unload cefauditds”

ndstrace –c “load cefauditds”

The daemon will restart and begin forwarding eDirectory CEF audit events to the LT Auditor ^MP server on the configured port.

Verifying eDirectory log forwarding:

After configuring syslog forwarding on the eDirectory server, verify that LT Auditor ^MP is receiving the data:

1. Log in to the LT Auditor ^MP Web UI
2. Navigate to View
3. Select the eDirectory environment and category
4. Set the date range to Last 15–30 minutes
5. Confirm that eDirectory events are appearing in the event list

If no events appear:

Confirm the CEF audit daemon is running on the eDirectory server:
ndstrace –c “modules” | grep cefauditds

• Confirm no firewall is blocking outbound syslog traffic from the eDirectory server to the LT Auditor ^MP server on port 5014
• Confirm the IP address and port in the configuration file match the LT Auditor ^MP transformation rule settings
• Review the eDirectory server logs for any errors related to the CEF audit module

Repeating configuration across all eDirectory servers:

Repeat the configuration steps above — using either Option A or Option B — for every eDirectory LDAP server in your environment. Each server must be individually configured to forward its audit logs to LT Auditor ^MP.

To confirm all servers are forwarding:

1. Navigate to View in the LT Auditor ^MP Web UI
2. Filter by Source or Host and confirm events are appearing from each eDirectory server
3. If any server is not appearing as a source, revisit the configuration on that server

[Your administrator should maintain a list of all eDirectory servers in the environment and confirm each one has been configured and verified before considering the deployment complete.]

Caching behavior during LT Auditor ^MP outages:

The eDirectory CEF audit configuration supports log caching to prevent data loss during temporary connectivity interruptions:

• When CacheEnabled=no is set (as in the configuration above), events are not cached locally — if the LT Auditor ^MP server is temporarily unavailable, events generated during that period will be lost

To enable caching and ensure no audit events are lost during outages, change the setting:
log4j.appender.S.CacheEnabled=yes

• When caching is enabled, events are stored locally on the eDirectory server and automatically forwarded to LT Auditor ^MP once connectivity is restored

[Your administrator should determine whether caching is required based on your organization’s audit data retention and compliance requirements. For compliance-critical environments, enabling caching is recommended.]

Best practices:

• Configure all eDirectory servers before considering the deployment complete — a single unconfigured server represents a monitoring gap
• Use TCP or TLS in production environments for reliable log delivery
• Enable caching if your compliance requirements mandate that no audit events are lost during connectivity interruptions
• Test log forwarding from each server individually after configuration rather than assuming all servers are working correctly
• Document which eDirectory servers have been configured, the protocol and port used, and the date of configuration
• Coordinate with your network team to confirm firewall rules are in place for all eDirectory servers — not just the first one you configure
• Add screenshots of the iManager configuration screens to the Option A section of this article to assist administrators less familiar with iManager

[Your administrator should revisit this configuration whenever new eDirectory servers are added to the environment, or when the LT Auditor ^MP server IP address or syslog port changes.]