Understanding the ltaudit service:

The ltaudit service is the NSS Audit Agent daemon that runs continuously on each OES server, collecting NSS file activity and forwarding it to the LT Auditor ^MP server via syslog. It is registered with systemd during installation and can be managed using standard systemctl commands or the agent’s built-in control script located at /opt/bluelance/bin/ltaudit.rc.

Both management methods produce the same result — use whichever is more familiar or appropriate for your environment.

When you need to manage the service:

Checking service status:

Always check the service status first before taking any other management action — it tells you whether the service is running, stopped, or in an error state.

Using systemctl:

systemctl status ltaudit.service

Using the control script:

/opt/bluelance/bin/ltaudit.rc status

Interpreting the status output:

Starting the service:

If the service is stopped and needs to be started:

Using systemctl:

systemctl start ltaudit.service

Using the control script:

/opt/bluelance/bin/ltaudit.rc start

After starting, confirm the service is running:

systemctl status ltaudit.service

Stopping the service:

If the service needs to be stopped for maintenance, configuration changes, or troubleshooting:

Using systemctl:

systemctl stop ltaudit.service

Using the control script:

/opt/bluelance/bin/ltaudit.rc stop

Stopping the service suspends NSS file activity collection on that server. Any events that occur while the service is stopped will not be captured. Stop the service only when necessary and restart it as soon as possible to minimize monitoring gaps.

Restarting the service:

Restart the service to apply configuration changes or reset connections to the LT Auditor ^MP server:

Using systemctl:

systemctl restart ltaudit.service

Using the control script:

/opt/bluelance/bin/ltaudit.rc stop

/opt/bluelance/bin/ltaudit.rc start

After restarting, confirm the service returns to an active (running) state:

systemctl status ltaudit.service

Enabling automatic startup on boot:

To ensure the ltaudit service starts automatically when the OES server reboots, enable it with systemctl:

systemctl enable ltaudit.service

Confirm the service is enabled:

systemctl is-enabled ltaudit.service

The output should return enabled. If it returns disabled, run the enable command again.

Enabling automatic startup is strongly recommended for all production OES servers. Without it, NSS audit collection will not resume after a server reboot until an administrator manually starts the service — potentially leaving a significant monitoring gap.

Disabling automatic startup on boot:

If automatic startup needs to be disabled (e.g., for a server being decommissioned):

systemctl disable ltaudit.service

Reviewing service logs:

If the service fails to start or is behaving unexpectedly, review the agent logs for error details:

General application logs:

ls /opt/bluelance/logs/

NSS audit status log:

cat /opt/bluelance/log/nssstatus.log

Syslog forwarding log:

cat /opt/bluelance/log/syslog_send.log

systemd journal (for service startup errors):

journalctl -u ltaudit.service -n 50

The -n 50 flag returns the last 50 log entries. Increase this number if you need to look further back.

Common errors to look for:

• Connection refused — firewall blocking syslog port
• Certificate errors — TLS configuration issue
• Permission denied — agent lacks required access to NSS volumes
• Failed to open live vigil file — NSS audit subsystem not available

Service management after a configuration change:

Whenever the syslog forwarding configuration is updated using update_syslog_config.sh, restart the service to apply the new settings:

systemctl restart ltaudit.service

Confirm the service is running after the restart, then verify that events are appearing in LT Auditor ^MP to confirm the new configuration is working correctly.

Best practices:

• Always check the service status before investigating log collection issues — a stopped service is the most common cause of missing NSS audit data
• Enable automatic startup on boot on every production OES server to prevent monitoring gaps after reboots
• Restart rather than stop-and-start when applying configuration changes — it is faster and reduces the monitoring gap
• Review the nssstatus.log and syslog_send.log as the first step when troubleshooting collection or forwarding issues
• Include systemctl status ltaudit.service in your regular OES server health check routine alongside other service checks
• Document any planned service interruptions (maintenance windows, upgrades) so the security team is aware of expected monitoring gaps

[Your administrator should include ltaudit service status in any OES server monitoring dashboards or health check scripts used in your environment.]

Understanding the NSS Audit Agent:

Unlike eDirectory auditing which is configured directly within eDirectory itself, NSS file activity auditing requires a separate agent component — the LT Auditor ^MP OES module — to be installed on each OES server hosting NSS volumes. The agent:

• Monitors file system activity on NSS volumes in real time
• Captures file reads, writes, deletions, renames, and permission changes
• Forwards collected activity to LT Auditor ^MP via syslog
• Caches audit streams locally if the LT Auditor ^MP server is temporarily unavailable and automatically resends once connectivity is restored — no audit data is lost during outages

The agent must be installed individually on each OES server you want to monitor. Missing even one server results in a gap in your NSS file activity audit data.

Prerequisites:

Before installing the NSS Audit Agent, confirm the following on each target OES server:

[Your administrator should confirm the current version of the agent package and where to obtain it for your environment.]

Step 1 — Copy the agent package to the OES server:

Copy the agent RPM package to the target OES server. The package filename follows the format:

LTAuditorMP-OES-25.0.0.0-0.x86_64.rpm

[Your administrator should note the current package filename and version used in your environment here.]

Step 2 — Switch to root:

Open a terminal on the OES server and switch to root:

su

Enter the root password when prompted.

Step 3 — Install the agent package:

Install the RPM package using the following command:

rpm -ivh LTAuditorMP-OES-25.0.0.0-0.x86_64.rpm

The agent installs to:

/opt/bluelance/

The installation process:

• Installs the agent binaries and configuration files to /opt/bluelance/
• Registers the ltaudit service with systemd
• Does not start the service automatically — configuration must be completed first

Step 4 — Configure syslog forwarding:

Navigate to the agent bin directory and run the configuration script:

cd /opt/bluelance/bin

./update_syslog_config.sh

The script will prompt you for the following information:

Host/IP of the LT Auditor ^MP server: Enter the IP address or hostname of your LT Auditor ^MP server:

Enter LT Auditor ^MP host: <LT_AuditorMP_IP_or_Hostname>

Port: Enter the port configured in the LT Auditor ^MP NSS transformation rule (default: 5015):

Enter port [default: 5015]: 5015

Protocol: Select the communication protocol to match your LT Auditor ^MP NSS transformation rule:

Enter protocol [UDP/TCP/TLS, default: TCP]: TCP

If TLS is selected, you will be prompted for additional settings:

[Your administrator should update the TLS defaults above with the actual values used in your environment if TLS is selected.]

Once all prompts are completed, the configuration script automatically saves the settings and starts the required daemons.

Step 5 — Configure the firewall:

Ensure no firewall is blocking outbound traffic from the OES server to the LT Auditor ^MP server on the configured syslog port.

Test connectivity from the OES server:

nc -zv <LT_AuditorMP_Host> <Port>

A successful response confirms the connection is open. If the connection fails, review your firewall rules to permit outbound traffic on the configured port.

Step 6 — Verify the agent service is running:

After the configuration script completes, confirm the ltaudit service is running:

Using systemctl:

systemctl status ltaudit.service

Using the control script:

/opt/bluelance/bin/ltaudit.rc status

The service should show as active (running). If the service is not running, check the agent logs for errors before proceeding.

Step 7 — Verify audit log collection:

After confirming the service is running, verify that NSS audit data is being collected and forwarded to LT Auditor ^MP:

Check NSS audit status:

cat /opt/bluelance/log/nssstatus.log

Confirm the file contains:

Successfully opened live vigil file

This message confirms the agent has successfully connected to the NSS audit subsystem and is collecting file activity data.

Review general application logs:

ls /opt/bluelance/logs/

Check for forwarding failures:

cat /opt/bluelance/log/syslog_send.log

Review this log for any errors related to forwarding data to the LT Auditor ^MP server.

Step 8 — Verify data in LT Auditor ^MP:

Confirm that NSS file activity data is appearing in LT Auditor ^MP:

1. Log in to the LT Auditor ^MP Web UI
2. Navigate to View
3. Select the NSS environment and category
4. Set the date range to Last 15–30 minutes
5. Perform a file operation on an NSS volume on the configured server (e.g., create or modify a file)
6. Confirm the event appears in the LT Auditor ^MP event list within a short period

If no events appear:

• Confirm the ltaudit service is running on the OES server
• Confirm the nssstatus.log shows Successfully opened live vigil file
• Confirm no firewall is blocking traffic on the configured syslog port
• Confirm the port and protocol in the agent configuration match the LT Auditor ^MP NSS transformation rule settings
• Review the syslog_send.log for forwarding errors

Managing the NSS Audit Agent service:

Use the following commands to manage the ltaudit service after installation:

Using systemctl:

# Start the service

systemctl start ltaudit.service

# Stop the service

systemctl stop ltaudit.service

# Restart the service

systemctl restart ltaudit.service

# Check service status

systemctl status ltaudit.service

# Enable the service to start automatically on boot

systemctl enable ltaudit.service

Using the control script:

# Start the service

/opt/bluelance/bin/ltaudit.rc start

# Stop the service

/opt/bluelance/bin/ltaudit.rc stop

# Check service status

/opt/bluelance/bin/ltaudit.rc status

Enable the service to start automatically on boot using systemctl enable ltaudit.service to ensure NSS audit collection resumes automatically after a server reboot without manual intervention.

Caching behavior during LT Auditor ^MP outages:

If the LT Auditor ^MP server is temporarily unavailable, the NSS Audit Agent automatically caches audit streams locally on the OES server. Once connectivity to the LT Auditor ^MP server is restored, the cached data is automatically forwarded — no NSS audit events are lost during outages.

This behavior is built into the agent and requires no additional configuration.

Repeating installation across all OES servers:

Repeat all steps in this article for every OES server in your environment that hosts NSS volumes you want to monitor. Each server must have the agent installed and configured individually.

To confirm all servers are forwarding:

1. Navigate to View in the LT Auditor ^MP Web UI
2. Filter by Source or Host
3. Confirm NSS file activity events are appearing from each OES server
4. If any server is not appearing as a source, revisit the installation and configuration on that server

[Your administrator should maintain a list of all OES servers in the environment, confirm each one has been installed and verified, and document the agent version, configuration date, and protocol used for each server.]

Uninstalling the NSS Audit Agent:

If the agent needs to be removed from an OES server:

1. Stop the service:

systemctl stop ltaudit.service

2. Remove the RPM package:

rpm -e LTAuditorMP-OES

3. Confirm the package has been removed:

rpm -qa | grep LTAuditorMP

No output confirms the package has been successfully removed.

Best practices:

• Install the agent on all OES servers hosting NSS volumes before considering the deployment complete — a single unmonitored server is a gap in your audit coverage
• Always verify the nssstatus.log after installation to confirm the agent has successfully connected to the NSS audit subsystem
• Enable the ltaudit service to start automatically on boot on every OES server to prevent monitoring gaps after reboots
• Use TCP or TLS in production environments for reliable log delivery
• Test firewall connectivity before running the configuration script to catch network issues early
• Document the agent version, configuration date, port, and protocol for each OES server
• Include NSS Audit Agent installation in your OES server provisioning checklist so new servers are automatically configured for monitoring when they are deployed

[Your administrator should revisit agent installations whenever the LT Auditor ^MP server IP address or NSS syslog port changes, as the agent configuration will need to be updated on every OES server to reflect the new values.]