Blue Lance

Bluelance 2.0
Get a demo
View Categories

Forwarding eDirectory CEF Audit Logs to LT Auditor ᴹᴾ

5 min read

Once the LT Auditor MP receiver is configured and listening on the correct port, every eDirectory server in your environment must be configured to forward its audit logs to LT Auditor MP. eDirectory uses the Common Event Format (CEF) for audit log output, which LT Auditor MP ‘s transformation rules are designed to receive and process.

Every LDAP server in your environment must be configured to forward eDirectory audit logs. Missing even one server will result in gaps in your audit data that may affect compliance reporting and incident investigation.

Understanding CEF audit log forwarding:

eDirectory generates audit log data in CEF format and forwards it via syslog to a configured destination — in this case, the LT Auditor MP server. There are two ways to configure this forwarding depending on your environment:

MethodBest For
Option A — iManager (GUI)Administrators who prefer a graphical interface or are configuring a small number of servers
Option B — Configuration FileSLES Linux LDAP servers, large deployments, or environments where GUI access is not available

Both methods produce the same result — CEF audit events forwarded to LT Auditor MP on port 5014 (or your configured port).

Before you begin:

Confirm the following on each eDirectory server before proceeding:

  • The LT Auditor MP transformation rule for eDirectory is configured and the server is listening on port 5014 (or your configured port) — see the Modifying Receiver Settings in LT Auditor MP article
  • The firewall allows outbound syslog traffic from the eDirectory server to the LT Auditor MP server on the configured port
  • You have administrative access to each eDirectory server — either via iManager or direct server access for configuration file editing

Option A — Configure via iManager (GUI):

Use this method if you prefer a graphical interface or are configuring a small number of eDirectory servers.

  1. Open a browser and log in to iManager for the eDirectory server you are configuring
  2. Navigate to eDirectory Auditing
  3. Select your LDAP NCP server from the server list
  4. Select CEF as the audit output format
  5. Configure the syslog destination:
    • Host — the IP address or hostname of the LT Auditor MP server
    • Port — 5014 (or your configured port)
    • Protocol — TCP, UDP, or TLS to match your LT Auditor MP transformation rule setting
  6. Enable the following event categories and save:
Event CategoryDescription
Security EventsAuthentication attempts, password changes, account lockouts
Object EventsObject creation, modification, deletion, renaming, moving
Attribute EventsAttribute value additions, modifications, and deletions
LDAP EventsLDAP bind, search, add, modify, and delete operations
  1. Click Save
  2. Verify the configuration is active and eDirectory begins forwarding logs

[Your administrator should add screenshots of each iManager screen here to guide administrators who are less familiar with the iManager interface.]

Option B — Configure via configuration file (SLES LDAP Server):

Use this method for SLES Linux LDAP servers, large deployments, or where iManager access is not available.

Step 1 — Edit the audit log configuration file:

Open the audit configuration file on the eDirectory server:

sudo nano /etc/opt/novell/eDirectory/conf/auditlogconfig.properties

Uncomment and update the following lines. The example below uses TCP — replace TCP with UDP or TLS if required by your environment:

log4j.rootLogger=debug, S

log4j.appender.S=org.apache.log4j.net.SyslogAppender

log4j.appender.S.Host=<IP Address of LT Auditor MP>

log4j.appender.S.Port=5014

log4j.appender.S.Protocol=TCP

log4j.appender.S.Threshold=INFO

log4j.appender.S.CacheEnabled=no

log4j.appender.S.layout=org.apache.log4j.PatternLayout

log4j.appender.S.layout.ConversionPattern=%c: %m%n

Replace <IP Address of LT Auditor MP> with the actual IP address or hostname of your LT Auditor MP server.

Protocol options:

Protocol ValueDescription
TCPReliable delivery — recommended for production
UDPFast but no delivery guarantee
TLSEncrypted TCP — for environments requiring secure transport

Save the file after making your changes.

Step 2 — Update the modules configuration file:

To ensure the CEF audit daemon restarts automatically when eDirectory is restarted or the server reboots, add the following line to the modules configuration file:

Open the file:

sudo nano /etc/opt/novell/eDirectory/conf/ndsmodules.conf

Add the following line:

cefauditds   auto     #cefauditds

Save the file.

Step 3 — Restart the CEF audit daemon:

Apply the configuration changes by restarting the CEF audit daemon:

ndstrace –c “unload cefauditds”

ndstrace –c “load cefauditds”

The daemon will restart and begin forwarding eDirectory CEF audit events to the LT Auditor MP server on the configured port.

Verifying eDirectory log forwarding:

After configuring syslog forwarding on the eDirectory server, verify that LT Auditor MP is receiving the data:

  1. Log in to the LT Auditor MP Web UI
  2. Navigate to View
  3. Select the eDirectory environment and category
  4. Set the date range to Last 15–30 minutes
  5. Confirm that eDirectory events are appearing in the event list

If no events appear:

Confirm the CEF audit daemon is running on the eDirectory server:
ndstrace –c “modules” | grep cefauditds

  • Confirm no firewall is blocking outbound syslog traffic from the eDirectory server to the LT Auditor MP server on port 5014
  • Confirm the IP address and port in the configuration file match the LT Auditor MP transformation rule settings
  • Review the eDirectory server logs for any errors related to the CEF audit module

Repeating configuration across all eDirectory servers:

Repeat the configuration steps above — using either Option A or Option B — for every eDirectory LDAP server in your environment. Each server must be individually configured to forward its audit logs to LT Auditor MP.

To confirm all servers are forwarding:

  1. Navigate to View in the LT Auditor MP Web UI
  2. Filter by Source or Host and confirm events are appearing from each eDirectory server
  3. If any server is not appearing as a source, revisit the configuration on that server

[Your administrator should maintain a list of all eDirectory servers in the environment and confirm each one has been configured and verified before considering the deployment complete.]

Caching behavior during LT Auditor MP outages:

The eDirectory CEF audit configuration supports log caching to prevent data loss during temporary connectivity interruptions:

  • When CacheEnabled=no is set (as in the configuration above), events are not cached locally — if the LT Auditor MP server is temporarily unavailable, events generated during that period will be lost

To enable caching and ensure no audit events are lost during outages, change the setting:
log4j.appender.S.CacheEnabled=yes

  • When caching is enabled, events are stored locally on the eDirectory server and automatically forwarded to LT Auditor MP once connectivity is restored

[Your administrator should determine whether caching is required based on your organization’s audit data retention and compliance requirements. For compliance-critical environments, enabling caching is recommended.]

Best practices:

  • Configure all eDirectory servers before considering the deployment complete — a single unconfigured server represents a monitoring gap
  • Use TCP or TLS in production environments for reliable log delivery
  • Enable caching if your compliance requirements mandate that no audit events are lost during connectivity interruptions
  • Test log forwarding from each server individually after configuration rather than assuming all servers are working correctly
  • Document which eDirectory servers have been configured, the protocol and port used, and the date of configuration
  • Coordinate with your network team to confirm firewall rules are in place for all eDirectory servers — not just the first one you configure
  • Add screenshots of the iManager configuration screens to the Option A section of this article to assist administrators less familiar with iManager

[Your administrator should revisit this configuration whenever new eDirectory servers are added to the environment, or when the LT Auditor MP server IP address or syslog port changes.]

attribute events, audit daemon, audit forwarding, auditlogconfig, cache enabled, cef, cef audit logs, cefauditds, common event format, compliance, configuration, connectivity outage, deployment, edirectory, eDirectory configuration, firewall, getting started, imanager, ldap, ldap events, ldap server, linux, log caching, log4j, monitoring, ncp server, ndsmodules, ndstrace, nss, object events, oes, oes nss, opentext, port 5014, ports, security events, sles, syslog appender, syslog forwarding, syslogs, tls, transformation rules

Powered by BetterDocs

Newsletter

Let's get started and
enjoy the power of LT Auditor MP

© Copyright , BLUE LANCE 2.0. All Rights Reserved.

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by