NSS file activity auditing requires a dedicated agent installed on every SLES OES server that hosts NSS volumes you want to monitor. The NSS Audit Agent collects file system activity from NSS volumes and forwards it to the LT Auditor MP server via syslog on port 5015 (or your configured port). This article covers the complete installation and configuration process for the NSS Audit Agent.
Understanding the NSS Audit Agent:
Unlike eDirectory auditing, which is configured directly within eDirectory itself, NSS file activity auditing requires a separate agent component, the LT Auditor MP OES module, to be installed on each OES server hosting NSS volumes. The agent:
- Monitors file system activity on NSS volumes in real time
- Captures file reads, writes, deletions, renames, and permission changes
- Forwards collected activity to LT Auditor MP via syslog
- Caches audit streams locally if the LT Auditor MP server is temporarily unavailable and automatically resends once connectivity is restored, so no audit data is lost during outages
The agent must be installed individually on each OES server you want to monitor. Missing even one server results in a gap in your NSS file activity audit data.
Prerequisites:
Before installing the NSS Audit Agent, confirm the following on each target OES server:
| Requirement | Details |
| --- | --- |
| Operating System | SLES OES Linux |
| Privileges | Root access required |
| NSS Volumes | At least one NSS volume must be present on the server |
| Network Access | Outbound syslog traffic to the LT Auditor MP server on port 5015 must be permitted |
| LT Auditor MP | Server must be installed and running with the NSS transformation rule configured on port 5015 |
| Agent Package | LTAuditorMP-OES-xx.x.x.x-x.x86_64.rpm (obtain from your administrator or Blue Lance) |
[Your administrator should confirm the current version of the agent package and where to obtain it for your environment.]
Step 1 - Copy the agent package to the OES server:
Copy the agent RPM package to the target OES server. The package filename follows the format:
LTAuditorMP-OES-25.0.0.0-0.x86_64.rpm
[Your administrator should note the current package filename and version used in your environment here.]
Step 2 - Switch to root:
Open a terminal on the OES server and switch to root:
su
Enter the root password when prompted.
Step 3 - Install the agent package:
Install the RPM package using the following command:
rpm -ivh LTAuditorMP-OES-25.0.0.0-0.x86_64.rpm
The agent installs to:
/opt/bluelance/
The installation process:
- Installs the agent binaries and configuration files to /opt/bluelance/
- Registers the ltaudit service with systemd
- Does not start the service automatically; configuration must be completed first
Step 4 - Configure syslog forwarding:
Navigate to the agent bin directory and run the configuration script:
cd /opt/bluelance/bin
./update_syslog_config.sh
The script will prompt you for the following information:
Host/IP of the LT Auditor MP server: Enter the IP address or hostname of your LT Auditor MP server:
Enter LT Auditor MP host: <LT_AuditorMP_IP_or_Hostname>
Port: Enter the port configured in the LT Auditor MP NSS transformation rule (default: 5015):
Enter port [default: 5015]: 5015
Protocol: Select the communication protocol to match your LT Auditor MP NSS transformation rule:
Enter protocol [UDP/TCP/TLS, default: TCP]: TCP
If TLS is selected, you will be prompted for additional settings:
| Prompt | Description | Default |
| --- | --- | --- |
| CA Certificate Path | Path to the CA certificate file for server verification | None |
| Enable Mutual TLS | Require the agent to present a client certificate | No |
| Verify Server Certificate | Validate the LT Auditor MP server certificate | Yes |
| Server Name | SNI hostname for certificate validation | syslog.example.com |
[Your administrator should update the TLS defaults above with the actual values used in your environment if TLS is selected.]
Once all prompts are completed, the configuration script automatically saves the settings and starts the required daemons.
Step 5 - Configure the firewall:
Ensure no firewall is blocking outbound traffic from the OES server to the LT Auditor MP server on the configured syslog port.
Test connectivity from the OES server:
nc -zv <LT_AuditorMP_Host> <Port>
A successful response confirms the connection is open. If the connection fails, review your firewall rules to permit outbound traffic on the configured port.
Step 6 - Verify the agent service is running:
After the configuration script completes, confirm the ltaudit service is running:
Using systemctl:
systemctl status ltaudit.service
Using the control script:
/opt/bluelance/bin/ltaudit.rc status
The service should show as active (running). If the service is not running, check the agent logs for errors before proceeding.
Step 7 - Verify audit log collection:
After confirming the service is running, verify that NSS audit data is being collected and forwarded to LT Auditor MP:
Check NSS audit status:
cat /opt/bluelance/log/nssstatus.log
Confirm the file contains:
Successfully opened live vigil file
This message confirms the agent has successfully connected to the NSS audit subsystem and is collecting file activity data.
Review general application logs:
ls /opt/bluelance/logs/
Check for forwarding failures:
cat /opt/bluelance/log/syslog_send.log
Review this log for any errors related to forwarding data to the LT Auditor MP server.
Step 8 - Verify data in LT Auditor MP:
Confirm that NSS file activity data is appearing in LT Auditor MP:
- Log in to the LT Auditor MP Web UI
- Navigate to View
- Select the NSS environment and category
- Set the date range to Last 15-30 minutes
- Perform a file operation on an NSS volume on the configured server (e.g., create or modify a file)
- Confirm the event appears in the LT Auditor MP event list within a short period
If no events appear:
- Confirm the ltaudit service is running on the OES server
- Confirm the nssstatus.log shows Successfully opened live vigil file
- Confirm no firewall is blocking traffic on the configured syslog port
- Confirm the port and protocol in the agent configuration match the LT Auditor MP NSS transformation rule settings
- Review the syslog_send.log for forwarding errors
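The host-side checks from Steps 6 and 7 and the troubleshooting list above, collected into one shell function. This is an added example, not part of the LT Auditor MP agent or the original article; the function names, the finding labels and the assumption that failure lines in syslog_send.log contain "error" or "fail" are illustrative, and the sample logs are constructed.

```shell
#!/bin/sh
# Added example: host-side triage for the ltaudit agent (not vendor code).
MARKER='Successfully opened live vigil file'   # string quoted in Step 7

# check_nss_agent [LOGDIR] [skip-service]
# Prints one finding per line; returns 0 only when every check passes.
check_nss_agent() {
    logdir=${1:-/opt/bluelance/log}
    rc=0

    # Step 6: service state (skipped for offline runs against copied logs).
    if [ "${2:-}" != "skip-service" ]; then
        if ! systemctl is-active --quiet ltaudit.service 2>/dev/null; then
            echo "SERVICE_NOT_ACTIVE"; rc=1
        fi
    fi

    # Step 7: the agent must have attached to the NSS audit subsystem.
    if [ ! -r "$logdir/nssstatus.log" ]; then
        echo "NSSSTATUS_UNREADABLE"; rc=1
    elif ! grep -qF "$MARKER" "$logdir/nssstatus.log"; then
        echo "VIGIL_NOT_OPEN"; rc=1
    fi

    # Step 7: forwarding failures. ASSUMPTION: failure lines contain
    # "error" or "fail"; the article does not document this log's format.
    if [ -r "$logdir/syslog_send.log" ]; then
        n=$(grep -ciE 'error|fail' "$logdir/syslog_send.log" || true)
        if [ "$n" -gt 0 ]; then
            echo "SEND_ERRORS=$n"; rc=1
        fi
    fi

    if [ "$rc" -eq 0 ]; then echo "OK"; fi
    return "$rc"
}

# Constructed sample logs (not real agent output) for trying the function.
make_sample_logs() {   # make_sample_logs DIR healthy|broken
    mkdir -p "$1"
    if [ "$2" = "healthy" ]; then
        echo "$MARKER" > "$1/nssstatus.log"
        echo "sent batch to collector" > "$1/syslog_send.log"
    else
        echo "waiting for NSS audit subsystem" > "$1/nssstatus.log"
        printf 'connect error: refused\nsend failed, caching\n' > "$1/syslog_send.log"
    fi
}
```

Calling check_nss_agent with no arguments includes the systemctl check and reads the logs from /opt/bluelance/log.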
Managing the NSS Audit Agent service:
Use the following commands to manage the ltaudit service after installation:
Using systemctl:
# Start the service
systemctl start ltaudit.service
# Stop the service
systemctl stop ltaudit.service
# Restart the service
systemctl restart ltaudit.service
# Check service status
systemctl status ltaudit.service
# Enable the service to start automatically on boot
systemctl enable ltaudit.service
Using the control script:
# Start the service
/opt/bluelance/bin/ltaudit.rc start
# Stop the service
/opt/bluelance/bin/ltaudit.rc stop
# Check service status
/opt/bluelance/bin/ltaudit.rc status
Run systemctl enable ltaudit.service so that the service starts automatically on boot and NSS audit collection resumes after a server reboot without manual intervention.
Caching behavior during LT Auditor MP outages:
If the LT Auditor MP server is temporarily unavailable, the NSS Audit Agent automatically caches audit streams locally on the OES server. Once connectivity to the LT Auditor MP server is restored, the cached data is automatically forwarded, so no NSS audit events are lost during outages.
This behavior is built into the agent and requires no additional configuration.
Repeating installation across all OES servers:
Repeat all steps in this article for every OES server in your environment that hosts NSS volumes you want to monitor. Each server must have the agent installed and configured individually.
To confirm all servers are forwarding:
- Navigate to View in the LT Auditor MP Web UI
- Filter by Source or Host
- Confirm NSS file activity events are appearing from each OES server
- If any server is not appearing as a source, revisit the installation and configuration on that server
[Your administrator should maintain a list of all OES servers in the environment, confirm each one has been installed and verified, and document the agent version, configuration date, and protocol used for each server.]
Uninstalling the NSS Audit Agent:
If the agent needs to be removed from an OES server:
- Stop the service:
systemctl stop ltaudit.service
- Remove the RPM package:
rpm -e LTAuditorMP-OES
- Confirm the package has been removed:
rpm -qa | grep LTAuditorMP
No output confirms the package has been successfully removed.
Best practices:
- Install the agent on all OES servers hosting NSS volumes before considering the deployment complete; a single unmonitored server is a gap in your audit coverage
- Always verify the nssstatus.log after installation to confirm the agent has successfully connected to the NSS audit subsystem
- Enable the ltaudit service to start automatically on boot on every OES server to prevent monitoring gaps after reboots
- Use TCP or TLS in production environments for reliable log delivery
- Test firewall connectivity before running the configuration script to catch network issues early
- Document the agent version, configuration date, port, and protocol for each OES server
- Include NSS Audit Agent installation in your OES server provisioning checklist so new servers are automatically configured for monitoring when they are deployed
[Your administrator should revisit agent installations whenever the LT Auditor MP server IP address or NSS syslog port changes, as the agent configuration will need to be updated on every OES server to reflect the new values.]