Defining an Event Verification

Event verification queries allow you to confirm that the events in your datastore have not been compromised. To use event verification, you must first enable event signing in each Platform Agent's configuration file (logevent.cfg) and set up the corresponding certificates. You can also enable event signing in the Secure Logging Server object's Configuration settings. For more information on these operations, see "Security and Non-Repudiation" in the Novell® Audit Administration Guide.

NOTE: Novell Audit Report (LReport) is recommended for verifications that take a considerable amount of time or have a large result set. The iManager plug-in should be used for smaller subset queries, and you should use filters to limit the scope of the query. Results vary depending on the processing power and memory available on the servers where the Secure Logging Server and the database are installed.

To define an event verification:

  1. In the Name field, specify a name for the verification query.

    This name appears in the Queries list and in the query results title.

  2. In the Product drop-down list, select the logging application whose events you want to verify.

  3. To create a filter:

    1. In the Optional Filter drop-down list, select And.

    2. Select the event field you want to filter by, either Time Frame or Source IP.

    3. Select the condition under which the logging server applies the value to the event field.

    4. Depending on the event field, you can select the following conditions from the drop-down list box:

      • Matches

      • Less Than

      • Greater Than

      • Is Between

    5. Select or specify a value for the designated event field.

      The verification query applies the value to the designated event field under the defined condition. If an event matches the criteria, it is included in the verification results.

    6. Select the End operator to finish the filter definition, or select the And or Or operators to define additional filter criteria.

  4. Browse to and select the logging application's public certificate file.

    IMPORTANT: If you change the logging application, you must import the correct certificate file for that application or your verification fails. We recommend you create separate verifications for each logging application to avoid re-importing the certificate file.

  5. When finished, click OK.

The verification now appears in the Queries list.

 

Editing an Event Verification

To edit an event verification:

  1. Select the check box next to the verification query you want to edit.

  2. Click Edit.

  3. Modify the verification fields.

    For more information on these fields, see the table below.

  4. When finished, click OK.

Verification Option
    Description

Name
    The name you want to use to refer to this verification query.

    The verification name appears in the Queries list and in the query results title.

Product
    The logging application whose events you want to verify.

    IMPORTANT: If you change the logging application, you must import the correct certificate file for that application or your verification fails. We recommend you create separate verifications for each logging application to avoid re-importing the certificate file.

Optional Filter
    Allows you to define an event filter for the verification query.

    To create a filter, select And in the Optional Filter drop-down list and define the following fields.

    Event Field
        The event field you want to filter by, either Time Frame or Source IP.

    Condition
        The condition under which the logging server applies the value to the event field.

        Depending on the event field, you can select the following conditions from the drop-down list box:

          • Matches

          • Less Than

          • Greater Than

          • Is Between

    Value
        The value for the designated event field.

        The verification query applies the value to the designated event field under the defined condition. If an event matches the criteria, it is included in the verification results.

    Operator
        Use the End operator to complete a filter definition, or select the And or Or operators to define additional filter criteria.

        The conditions are accumulative; that is, the logging server applies the first, then the second, etc., to progressively narrow the results.

Product Certificate
    The logging application's public certificate file. Click Browse to locate and select the file.

    IMPORTANT: If you change the logging application, you must import the correct certificate file for that application or your verification fails. We recommend you create separate verifications for each logging application to avoid re-importing the certificate file.
