Blue Lance

Bluelance 2.0
Get a demo
View Categories

Verifying Audit Log Collection

8 min read

After installing and configuring the NSS Audit Agent, and after any significant changes to your eDirectory or NSS auditing configuration, it is important to verify that audit log collection is working end-to-end. This means confirming that events are being generated on your OpenText systems, forwarded to the LT Auditor MP server, and appearing correctly in the Web UI. This article covers a complete verification workflow for both eDirectory and NSS audit collection.

When to run a verification check:

SituationVerification Needed
Initial installation of eDirectory or NSS auditingFull end-to-end verification for every configured server
After changing the syslog port or protocolConfirm events are still flowing after the change
After a LT Auditor MP server IP address changeConfirm all OpenText servers are forwarding to the new address
After an OES server rebootConfirm the ltaudit service restarted and is collecting
After an eDirectory server restartConfirm the CEF audit daemon restarted and is forwarding
Missing events suspected during an investigationTargeted verification to identify collection gaps
Routine health checkPeriodic confirmation that all sources are active

Step 1 โ€” Verify the LT Auditor MP transformation rules are active:

Before checking the OpenText systems, confirm that LT Auditor MP is ready to receive data on the correct ports.

  1. Log in to the LT Auditor MP Web UI
  2. Navigate to Configure
  3. Locate the eDirectory transformation rule (default port 5014) and the NSS transformation rule (default port 5015)
  4. Confirm both rules show a status of Active
  5. If either rule is inactive, click the three vertical action buttons and select Enable

Step 2 โ€” Verify firewall connectivity from OpenText servers:

Confirm that each eDirectory and OES server can reach the LT Auditor MP server on the configured syslog ports.

Run the following from each OpenText server:

For eDirectory servers (port 5014):

nc -zv <LT_AuditorMP_Host> 5014

For OES NSS servers (port 5015):

nc -zv <LT_AuditorMP_Host> 5015

A successful response confirms connectivity is open. If the connection fails:

  • Review firewall rules between the OpenText server and the LT Auditor MP server
  • Confirm the LT Auditor MP server is running and the transformation rules are active
  • Confirm the correct IP address is being used

Step 3 โ€” Verify the eDirectory CEF audit daemon is running:

On each eDirectory server, confirm the CEF audit daemon is loaded and active:

ndstrace โ€“c “modules” | grep cefauditds

The output should show cefauditds as a loaded module. If it does not appear:

Manually load the daemon:

ndstrace โ€“c “load cefauditds”

Confirm it loads successfully, then check again:

ndstrace โ€“c “modules” | grep cefauditds

Also confirm the audit configuration file is correctly set up:

cat /etc/opt/novell/eDirectory/conf/auditlogconfig.properties

Verify the host, port, and protocol values match your LT Auditor MP transformation rule settings.

Step 4 โ€” Verify the NSS Audit Agent service is running:

On each OES server, confirm the ltaudit service is running:

systemctl status ltaudit.service

The service should show as active (running). If it is stopped or failed:

systemctl start ltaudit.service

systemctl status ltaudit.service

Confirm the service returns to active (running) before proceeding.

Step 5 โ€” Check the NSS audit status log:

On each OES server, confirm the NSS Audit Agent has successfully connected to the NSS audit subsystem:

cat /opt/bluelance/log/nssstatus.log

Confirm the log contains:

Successfully opened live vigil file

If this message is not present:

  • The agent may not have access to the NSS audit subsystem
  • NSS may not be running or volumes may not be mounted

Review the general application logs for more detail:
ls /opt/bluelance/logs/

Step 6 โ€” Check the syslog forwarding log:

On each OES server, confirm that events are being successfully forwarded to LT Auditor MP:

cat /opt/bluelance/log/syslog_send.log

Look for:

  • Successful forwarding messages confirming events are reaching the LT Auditor MP server
  • Any connection errors, timeout messages, or TLS certificate errors that may indicate a forwarding problem

If forwarding errors are present:

  • Confirm network connectivity using the nc test in Step 2
  • Confirm the port and protocol in the agent configuration match the LT Auditor MP transformation rule
  • If using TLS, confirm certificate configuration is correct on both ends

Step 7 โ€” Generate test events on OpenText systems:

To confirm the full end-to-end pipeline is working, generate known test events on your OpenText systems and verify they appear in LT Auditor MP.

Generating a test eDirectory event:

Perform a simple directory operation that eDirectory auditing is configured to capture โ€” for example, modify an attribute on a test user object in iManager or via an LDAP command:

ldapmodify -H ldap://<eDirectory_Host> -D “<admin_DN>” -W <<EOF

dn: cn=testuser,ou=users,o=yourorg

changetype: modify

replace: description

description: Audit verification test

EOF

Generating a test NSS file event:

Perform a simple file operation on an NSS volume on the OES server โ€” for example, create and then delete a test file:

touch /media/nss/<VolumeName>/audit_verification_test.txt

rm /media/nss/<VolumeName>/audit_verification_test.txt

Replace <VolumeName> with the name of an NSS volume on the server.

[Your administrator should confirm the correct NSS volume mount path used in your environment.]

Step 8 โ€” Verify test events appear in LT Auditor MP:

After generating test events, confirm they appear in LT Auditor MP:

  1. Log in to the LT Auditor MP Web UI
  2. Navigate to View
  3. Select the relevant environment and category:
    • For eDirectory events: eDirectory environment โ†’ Object Events or Attribute Events category
    • For NSS events: NSS environment โ†’ File Activity category
  4. Set the date range to Last 15 minutes
  5. Look for the test events you just generated
  6. Click on a test event row to view full details and confirm the event data is correctly structured and normalized

If test events do not appear within a few minutes:

  • Confirm the relevant daemon or service is running (Steps 3 and 4)
  • Confirm firewall connectivity is open (Step 2)
  • Confirm the transformation rule is active (Step 1)
  • Review the syslog forwarding log for errors (Step 6)

Check the LT Auditor MP server logs for any ingestion errors:

On Linux:

cd /opt/bluelance/lcollector/logs/general/

 On Windows:

\Program Files\Blue Lance 2-0\Collector\Logs\General\

Step 9 โ€” Confirm all servers are represented as sources:

After verifying individual servers, confirm that all configured eDirectory and OES servers are appearing as active sources in LT Auditor MP:

  1. Navigate to View in the LT Auditor MP Web UI
  2. Select the eDirectory or NSS environment
  3. Set the date range to cover the last 24 hours
  4. Filter by Source or Host and review the list of servers generating events
  5. Cross-reference against your list of configured servers
  6. If any server is missing from the source list:
    • Confirm the CEF audit daemon or ltaudit service is running on that server
    • Confirm syslog forwarding is configured correctly on that server
    • Revisit the relevant configuration article for that server type

[Your administrator should maintain a reference list of all eDirectory and OES servers that should be appearing as sources in LT Auditor MP, and use it during routine verification checks to quickly identify any gaps.]

Routine verification schedule:

Rather than verifying collection only after problems occur, incorporate collection verification into your regular operational routine:

FrequencyVerification Actions
DailyCheck LT Auditor MP View for recent eDirectory and NSS events โ€” confirm data is flowing from all sources
WeeklyReview the source list to confirm all configured servers are represented
MonthlyRun the full end-to-end verification workflow above for a sample of servers
After any changeRun targeted verification for any server or configuration that was modified

[Your administrator should assign ownership of routine verification checks to a specific team member and document the results so the verification history is available for compliance audits.]

Common issues and resolutions:

SymptomLikely CauseResolution
No eDirectory events in LT Auditor MPCEF audit daemon not loadedLoad cefauditds using ndstrace
No eDirectory events from a specific serverSyslog forwarding misconfiguredReview auditlogconfig.properties on that server
No NSS events in LT Auditor MPltaudit service stoppedStart the ltaudit service
NSS events missing from a specific volumeAgent lacks access to NSS volumeReview agent permissions and NSS volume mount
nssstatus.log missing success messageNSS audit subsystem unavailableConfirm NSS is running and volumes are mounted
Syslog forwarding errors in logFirewall blocking portOpen the required port between the OES server and LT Auditor MP
TLS errors in forwarding logCertificate mismatch or expiryReview TLS configuration and certificate validity
Events appearing with incorrect structureTransformation rule misconfiguredReview and update the transformation rule in LT Auditor MP
Events delayed or intermittentNetwork congestion or high volumeReview network path and buffer settings
Events missing after server rebootService not enabled for auto-startRun systemctl enable ltaudit.service

Best practices:

  • Run the full end-to-end verification workflow immediately after initial installation โ€” do not assume the deployment is working without confirming test events appear in LT Auditor MP
  • Incorporate routine verification checks into your regular operational schedule rather than waiting for problems to be reported
  • Maintain a reference list of all configured eDirectory and OES servers and use it during verification to quickly identify any gaps
  • Generate and retain verification records as evidence of your audit program’s ongoing effectiveness for compliance audits
  • Address any identified collection gaps promptly โ€” unmonitored servers represent both a security monitoring gap and a potential compliance violation
  • Include collection verification in your change management process for any changes to OpenText systems, network infrastructure, or the LT Auditor MP server

[Your administrator should document the results of each verification cycle and retain them as part of your organization’s compliance evidence library.]

audit, audit log verification, cefauditds, change management, collection gaps, collection verification, compliance, compliance evidence, deployment, edirectory, end-to-end verification, event structure, health check, incident response, ingestion errors, investigation, ldapmodify, linux, live vigil, logs, ltaudit, ltaudit service, monitoring, ndstrace, nss, nss volume, nssstatus.log, oes, oes nss, opentext, port 5014, port 5015, routine verification, services, source list, syslog forwarding, syslog send log, syslogs, test events, tls, transformation rules, troubleshooting, verification, verification records, verification schedule, volume mount

Powered by BetterDocs

Newsletter

Let's get started and
enjoy the power of LT Auditor MP

ยฉ Copyright , BLUE LANCE 2.0. All Rights Reserved.

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by