Are there any instructions for getting eDirectory 8.8 data into Splunk?

AMCollins
Explorer

Could anyone share some insight on how to get data from eDirectory 8.8 or later into Splunk?

0 Karma
1 Solution

AMCollins
Explorer

I'm getting all of the eDirectory information now via syslog communication with a caching feature turned on on each of our eDirectory servers in case communication gets interrupted for an extended period of time. I wanted to share what worked for us, in case someone else needs the guidance.

As a point of reference, we are on eDirectory 8.8 SP 8.

Used the following for guidance:
https://www.netiq.com/documentation/edir88/edirxdas_admin/data/bookinfo.html

On most of the servers I was dealing with I had to install the following:
novell-edirectory-xdasinstrument
novell-edirectory-xdaslog
novell-edirectory-xdaslog-conf
I also installed the novell-edirectory-log4cxx. I just used YaST2 as it was handy and quick.

I then went to the /etc/opt/novell/eDirectory/conf directory and used the xdasconfig.properties.template file to create my xdasconfig.properties file with the settings I wanted to use. Again, I chose syslog with caching. I had to create a data input on the Splunk server that matched the TCP port I set up in the xdasconfig.properties file. I had to log into our iManager, go to eDirectory Auditing, then Audit Configuration, pick the server in eDirectory I was attempting to audit, and choose the values I wanted in there. Then, back under the /etc/opt/novell/eDirectory/conf folder, there is another file that needed an additional setting. This is what I kept on missing.

You have to edit the ndsmodules.conf file and add xdasauditds to the list. I chose auto for the option, as I want it to autoload anytime the server is restarted or the service is started. I then used this command (/etc/init.d/ndsd stop) to stop eDirectory, and then /etc/init.d/ndsd start to start it back up.

Information starts to flow into Splunk as expected then.

Hope this will help someone!
Aaron
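
A quick check of the eDirectory-side steps described in the answer above (an added example, not part of the original post and not NetIQ or Splunk tooling). It assumes the log4j-style key names `log4j.appender.S.Port`, `log4j.appender.S.Protocol` and `log4j.appender.S.CacheEnabled` and whitespace-separated `module mode` lines in ndsmodules.conf; confirm both against the template on your own server. The host 192.0.2.10 and port 1468 in the sample are constructed values.

```shell
#!/bin/sh
# Added example: check the eDirectory side of XDAS-to-Splunk syslog forwarding.
# Assumed key names (verify against xdasconfig.properties.template on your server).

# Print the last value set for KEY in a key=value properties FILE, skipping comments.
prop() {  # usage: prop FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//' | tail -n 1
}

check_xdas() {  # usage: check_xdas CONF_DIR SPLUNK_TCP_PORT
    props="$1/xdasconfig.properties"; mods="$1/ndsmodules.conf"; rc=0

    # The step the post calls easy to miss: xdasauditds listed and set to auto.
    if ! grep -Eq '^[[:space:]]*xdasauditds[[:space:]]+auto([[:space:]]|#|$)' "$mods" 2>/dev/null; then
        echo "FAIL: xdasauditds is not set to auto in $mods"; rc=1
    fi
    # The appender port must equal the port of the Splunk TCP data input.
    port=$(prop "$props" 'log4j.appender.S.Port')
    [ "$port" = "$2" ] || { echo "FAIL: appender port '$port', Splunk input $2"; rc=1; }
    # The post used a TCP input, so anything else will not reach that input.
    case $(prop "$props" 'log4j.appender.S.Protocol') in
        [Tt][Cc][Pp]) ;;
        *) echo "FAIL: syslog appender protocol is not TCP"; rc=1 ;;
    esac
    # Caching keeps events while the Splunk receiver is unreachable.
    case $(prop "$props" 'log4j.appender.S.CacheEnabled') in
        [Yy][Ee][Ss]) ;;
        *) echo "WARN: CacheEnabled is not yes; events may be lost during outages" ;;
    esac
    return $rc
}

# Constructed sample files (not from a real server) for trying the check offline.
write_sample() {  # usage: write_sample DIR
    printf '%s\n' '# constructed sample' 'xdasauditds auto #XDAS auditing' \
        > "$1/ndsmodules.conf"
    printf '%s\n' 'log4j.rootLogger=debug, S' 'log4j.appender.S.Host=192.0.2.10' \
        'log4j.appender.S.Port=1468' 'log4j.appender.S.Protocol=TCP' \
        'log4j.appender.S.CacheEnabled=yes' > "$1/xdasconfig.properties"
}

# Real use: sh check_xdas.sh /etc/opt/novell/eDirectory/conf <splunk-tcp-port>
if [ $# -eq 2 ]; then check_xdas "$1" "$2"; fi
```

A passing check only covers the files on the eDirectory server; the events selected in iManager and the Splunk data input still have to be confirmed separately.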


kittu777
New Member

Hi, I have some reports in NetIQ; I need to migrate to Splunk. Please can anyone help?

0 Karma

rodrigorsilva
Communicator
0 Karma

AMCollins
Explorer

Thank you for your response. I had already seen that. Our internal Novell guru has stated that eDirectory is a database. The instructions described in that link refer to log files, but don't say which ones or how to get the eDirectory database to output information to log files that I can then monitor. I'm trying to test this to see if we can replace our current vendor that is monitoring eDirectory for us, but they tie directly into the database as opposed to watching log files.

Aaron

0 Karma

rodrigorsilva
Communicator

Ok, this is good.
Maybe you should try with an add-on:

https://splunkbase.splunk.com/app/1852/#/overview

Rodrigo Ribeiro

0 Karma

dominiquevocat
Motivator

That one certainly works for eDirectory - part of it was made for us 😉

0 Karma