Sentinel Log Manager 1.0.0.4 Administration Guide
novdocx (en) 19 February 2010
The high-level approach is to configure Sentinel Log Manager to retain data for a longer duration, so that you can perform searches and run reports on the data you regularly need to access, and to copy data to tape before Sentinel Log Manager deletes it. To search or run reports on data that was copied to tape but has since been deleted from Sentinel Log Manager, copy the data from tape back into Sentinel Log Manager so that the newly recovered data is included in its search results.

This section describes how to use tape or any other storage mechanism that Sentinel Log Manager 
does not support. 

- Section 3.7.1, “Determining What Data You Need to Copy to Tape,” on page 42
- Section 3.7.2, “Backing Up Data,” on page 42
- Section 3.7.3, “Configuring Sentinel Log Manager Storage Utilization,” on page 43
- Section 3.7.4, “Sentinel Log Manager Data Retention,” on page 43
- Section 3.7.5, “Copying Data to Tape,” on page 43
- Section 3.7.6, “Copying Data from Tape Back Into Sentinel Log Manager,” on page 44

3.7.1  Determining What Data You Need to Copy to Tape 

There are two types of data in Sentinel Log Manager:

- Raw data is the unprocessed events that are received by the Connector, sent directly to the Sentinel Log Manager message bus, and then written to disk on the Sentinel Log Manager server. Raw data retention is subject to legal requirements. Raw data cannot be searched or reported on, because it is not processed or indexed.
- Event data is generated by a Collector after it processes the raw data. Event data is indexed for searching, so it can be searched and reported on. Although this data is not usually covered by legal requirements, it is often important to retain, because it makes searching the data easier.

If you want to store raw data to comply with legal requirements and do not need to search or run reports on that data at a later time, you can copy just the raw data to tape. However, if you want to search or report on the data later, you should copy both the raw data and the event data to tape so that you can later copy both sets of data back into Sentinel Log Manager.

You can also search the raw data directly by using tools such as egrep or a text editor, but this search 
may not be sufficient for your requirements. The search mechanism provided by Sentinel Log 
Manager on event data is much more powerful than these tools.

3.7.2  Backing Up Data

Sentinel Log Manager provides the following backup options:

Configuration data: This option backs up non-event (raw) data only. It is faster because it contains a small amount of data: all the directories in the installation except the data directory.

Data: This option takes longer because it involves backing up all the data in the data and archive directories.

NOTE: Archive directories can be located on a remote machine.

Summary of Contents for SENTINEL LOG MANAGER 1.0.0.5 - 03-31-2010

Page 1: ...Novell www novell com novdocx en 19 February 2010 AUTHORIZED DOCUMENTATION Sentinel Log Manager 1 0 0 4 Administration Guide SentinelTM Log Manager 1 0 0 5 1 0 0 5 March 31 2010 Administration Guide ...

Page 2: ... and the trade laws of other countries You agree to comply with all export control regulations and to obtain any required licenses or classification to export re export or import deliverables You agree not to export or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for ...

Page 3: ...ell Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the property of their respective owners ...

Page 4: ...4 Sentinel Log Manager 1 0 0 4 Administration Guide novdocx en 19 February 2010 ...

Page 5: ...ords 16 2 2 1 Operating System Users 16 2 2 2 Sentinel Application and Database Users 17 2 3 Securing Sentinel Data 17 2 4 Securing the Operating System 19 2 5 Auditing Sentinel 20 2 6 Generating an SSL Certificate for the Server 20 3 Configuring Data Storage 21 3 1 Data Storage Overview 21 3 1 1 Raw Data 21 3 1 2 Event Data 25 3 1 3 Archiving 26 3 1 4 Data Retention 27 3 2 Configuring Data Archiv...

Page 6: ... Event Search 75 5 1 1 Running a Basic Search 75 5 1 2 Running an Advanced Search 77 5 1 3 Search Expression History 78 5 2 Refining Search Results 78 5 3 Viewing Search Results 82 5 3 1 Basic Event View 82 5 3 2 Event View with Details 83 5 4 Exporting Search Results 86 5 5 Saving a Search Query as a Report Template 88 5 6 Sending Search Results to an Action 90 6 Reporting 91 6 1 Running Reports ...

Page 7: ... Configuring Sentinel Link Integrator Settings 128 8 User Administration 129 8 1 Adding a User 129 8 2 Editing the User Details 131 8 2 1 Editing Your Own Profile 131 8 2 2 Changing Your Own Password 131 8 2 3 Editing Another User s Profile admin only 132 8 2 4 Resetting Another User s Password admin only 132 8 3 Deleting a User 132 8 4 Configuring Sentinel Log Manager Server for LDAP Authenticati...

Page 8: ...ripts 142 10 2 1 Operational Scripts 143 10 3 Getting Sentinel Log Manager jar Version Information 143 10 4 Reconfiguring Database Connection Properties 143 A Managing Data 145 A 1 Data Expiration Policy 145 A 2 Database Users 145 B Truststore 147 C Event Fields 149 D Sentinel Log Manager Reports 159 E Collector Scripts 165 F Syslog Collector Package Policy 167 ...

Page 9: ...Appendix F Syslog Collector Package Policy on page 167 Audience This guide is intended for Novell Sentinel Log Manager administrators and end users Feedback We want to hear your comments and suggestions about this manual and the other documentation included with this product Please use the User Comments feature at the bottom of each page of the online documentation or go to Novell Documentation Fe...

Page 10: ... 19 February 2010 Documentation Conventions In Novell documentation a greater than symbol is used to separate actions within a step and items in a cross reference path A trademark symbol TM etc denotes a Novell trademark An asterisk denotes a third party trademark ...

Page 11: ... Novell Sentinel Log Manager Interface For more information about Sentinel Log Manager Web interface see Novell Sentinel Log Manager Interface in the Sentinel Log Manager 1 0 0 4 Installation Guide 1 3 Architecture For more information about Sentinel Log Manager architecture see Architecture in the Sentinel Log Manager 1 0 0 4 Installation Guide 1 4 Terminologies This section describes the termino...

Page 12: ...ins that allow Sentinel systems to connect to other external systems JavaScript actions can use Integrators to interact with other systems Raw Data Raw data varies from Connector to Connector because of the format of the data stored on the device The system processes a record or data at a time The raw data contains the information about the raw data message raw data record ID time the raw data was...

Page 13: ...t the security of your system Section 2 1 1 Communication between Sentinel Log Manager Processes on page 13 Section 2 1 2 Communication between Sentinel Log Manager and the Event Source Manager Client Application on page 14 Section 2 1 3 Communication between the Server and the Database on page 15 Section 2 1 4 Communication between the Collector Managers and Event Sources on page 15 Section 2 1 5...

Page 14: ...itectural representation see Novell Sentinel Log Manager Architecture in the Sentinel Log Manager 1 0 0 4 Installation Guide XML Entry Description ssl Indicates that SSL is used for secure connection You should not modify this value localhost The hostname or IP address where the Java message service JMS server is running 61616 The port that the JMS server is listening on wireFormat maxInactivi tyD...

Page 15: ... concern needs to be weighed against your performance needs The database communication is not encrypted by default for this reason Lack of encryption is not a major concern because communication with the database occurs over the localhost network interface 2 1 4 Communication between the Collector Managers and Event Sources You can configure Sentinel Log Manager to securely collect data from vario...

Page 16: ...bilities If you choose to use CIFS or NFS it is important to configure the CIFS or NFS server properly to maximize the security of your data For more information about configuring the archive server settings see Configuring Archive Server Settings in the Sentinel Log Manager 1 0 0 4 Installation Guide 2 2 Securing Users and Passwords Section 2 2 1 Operating System Users on page 16 Section 2 2 2 Se...

Page 17: ...tion dbuser The dbauser is created as a superuser who can manage the database and is typically the user who can log in to the pgAdmin The password for the dbauser is accepted at the time of installation This password is stored in the user home directory pgpass file The system follows the PostgreSQL database password policies appuser The appuser is the non superuser used by Sentinel Log Manager to ...

Page 18: ...y common communication strategy jmsstrategy activemq Ac tiveMQStrategyFactory name ActiveMQ jms brokerURL ssl localhost 61616 wireFormat maxInactivityDuration 0 amp jms copyMessageOnSend false interceptors compression keystore config activemqclientkeystore jks keystorePassword password password ebccfebf4ec3dac874494b992a91a3c9 username system strategy The following database tables store passwords ...

Page 19: ... system at Install_Directory config This configuration information includes the encrypted database event source integrators and passwords The database EVENTS CORRELATED_EVENTS and the EVT_SMRY_ and AUDIT_RECORD tables and the file system at Install_Directory data events NOTE Event data can be archived to the file system as part of the partition management job Collector Manager The file system at I...

Page 20: ... ports 2 5 Auditing Sentinel Sentinel generates events for many of its internal actions These events can be accessed through a search or analyzed by a report To include only audit and internal events in your search results select the include system events check box and include the st I OR st A OR st P criteria in your search query 2 6 Generating an SSL Certificate for the Server You can replace th...

Page 21: ...essed file based storage to a user configured compressed archive storage location on a regular basis Data files are deleted from the local and archive storage locations on a configured schedule Raw data retention is governed by a single raw data retention policy Event data retention is governed by a set of event data retention policies All these policies are configured by the Sentinel Log Manager ...

Page 22: ...p extension After being compressed they are moved to archive storage and are no longer present in the local storage The following table describes the directory structure of the online raw data under the installation directory Table 3 1 Raw Data Directory Structure Directory structure Description data The primary directory for all data storage data rawdata The sub directory where all raw data is st...

Page 23: ... received on the 8th day of the month between 01 00 p m and 02 00 p m A name with the extension 08 0900 log indicates that the file contains uncompressed data received on the 8th day of the month between 09 00 a m and 10 00 a m and the file is closed but not yet compressed A name with the extension 08 0000 zip indicates that the file contains compressed data received on the 8th day of the month be...

Page 24: ...nector to which the event source was connected when the raw data was received Example A2A0C600 1C6C 102C A77A 000C2949BA91 NOTE Different raw events from the same event source can have different event source group IDs because event sources can be moved from one connector to other CollectorID The UUID of the Collector that the Connector and event source were connected to when the raw data was recei...

Page 25: ...he existing partitions and their location The following table describes the directory structure under the installation directory where event data is stored Table 3 3 Event Data Directory Structure ChainSequence A sequence number within a particular raw data chain The raw data events in a given raw data chain must have an uninterrupted sequence of numbers starting with 0 In addition all raw data ev...

Page 26: ...minutes by default These files appear in both the online and archive locations if archiving is configured and enabled If data archiving is configured and enabled compressed raw data files are copied in every 15 minutes to the configured archive location For more information about raw data storage see Raw Data Storage on page 22 Event Data Archiving The event data stored on the Sentinel Log Manager...

Page 27: ...ed NFS share For more information about the archive server configuration settings see Configuring Archive Server Settings in the Sentinel Log Manager 1 0 0 4 Installation Guide WARNING Only one Sentinel Log Manager should be configured to archive to a particular archive directory remote share Configuring the same archive location across multiple Sentinel Log Manager servers can cause system failur...

Page 28: ... location If the location is configured properly a message is displayed that the test is successful If the location is not configured the test fails and a message is displayed stating the reason for the failure 7 Click Save to configure the specified archive location Configuring a CIFS Server as an Archive Location For more information about configuring the CIFS server see CIFS Configuration in th...

Page 29: ...he CIFS server You can also specify a new mount options For more information about the available nfs mount options see mount cifs 8 Linux man page http linux die net man 8 mount cifs The default mount options are file_mode 0660 dir_mode 0770 10 Click the Restore Defaults button to restore the default mount options 11 The Mount options field specifies the options of the CIFS server You can also spe...

Page 30: ...ver is configured 6 In the Share field specify the share name of the NFS server The mounted shares are unmounted when the server stops and are mounted again when the server starts If the configured share unmounts the Sentinel Log Manager server detects this and mounts it again 7 The Mount options field specifies the options that are used while mounting the archived location of the NFS server You c...

Page 31: ...le writing to archive select Enabled You can write both the raw data and event data at the configured archive location To configure data archive locations refer to Configuring Archive Locations on page 27 5 To disable writing to archive the raw data select Disabled This selection disables the writing of raw data and event data archiving NOTE You cannot write to the archive location but you can sti...

Page 32: ... is displayed asking if you really want to unmount the archive location 5 Click Unmount Archive 3 2 4 Changing the Archive Location The Change Location option is displayed only if the archive location is configured 1 Log in to the Sentinel Log Manager as an administrator 2 Click the storage link in the upper left corner of the page 3 The Storage tab appears on the right pane of the page 4 Click th...

Page 33: ...the oldest data is deleted to make space for the incoming data 8 Configure the new archive location For more information about configuring the NIFS or CIFS or local SAN archive locations see Configuring Archive Locations on page 27 9 Click Save to save the changes and configure the new archive location 10 Manually copy the files from the old archive location to the new archive location ...

Page 34: ...plying Appropriate Retention Policy on page 37 3 3 1 Raw Data Retention Policy The raw data retention policy controls how long the raw data is kept in the system before being deleted The data retention policy table contains a raw data retention policy Like the default data retention policies for events the Raw Data Retention policy cannot be deleted or disabled However you can change the Keep at m...

Page 35: ...ed Search on page 77 7 Click the show tips link to view the tag names that can be used for defining the retention policy filter For example use sev 0 TO 1 to define a retention policy that applies to all events with a severity of 0 or 1 8 Specify the minimum number of days to retain the events in the system in the Keep at least field The value must be a valid positive integer 9 Optional Specify th...

Page 36: ...default data retention policy Editing a Data Retention Policy NOTE You cannot edit the name of the default data retention policy You can only change the Keep at Least and Keep at Most values 1 Log in to the Sentinel Log Manager as an administrator 2 Click the storage link in the upper left corner of the page The Storage tab is displayed on the right pane of the page 3 Click the Configuration tab T...

Page 37: ...ata retention table 3 3 3 Rules for Applying Appropriate Retention Policy You can apply multiple data retention policies that apply to the event data including the Default Data Retention policy To determine how long an event is retained before being deleted from the local and archive data stores apply the following rules 1 If an event meets the criteria of only one data retention policy filter tha...

Page 38: ...onfiguring Disk Space Usage If archiving is enabled the event data is copied to the archive location after two days and a local copy remains until space is available Raw data is moved to the archive location approximately after one hour 1 Log in to the Sentinel Log Manager as an administrator 2 Click the storage link in the upper left corner of the page The Storage tab is displayed on the right pa...

Page 39: ... local and archived raw data files for the selected event source 6 Click Select All to select all the files in the table 7 To select a raw data file click the check box on the left side of the raw data file The Verify Integrity and Download options are only enabled when you select a file from the table 8 Click Verify Integrity to verify the integrity of the selected archived files by comparing the...

Page 40: ...iewing Online and Archive Data Capacity The Data Storage Health page available only to administrators shows online and archive data capacity if configured To view the online and archive data capacity 1 Log in to the Sentinel Log Manager as an administrator 2 Click the storage link in the upper left corner of the page This page shows the free data space as gray and the used data archiving space as ...

Page 41: ...plays the archive capacity The health page of Sentinel Log Manager also forecasts the archive data capacity 3 7 Using Sequential Access Storage for Long Term Data Storage Sequential access storage such as tape is a cost effective storage mechanism to store large amount of data Sentinel Log Manager does not support interfacing with the data stored on tape directly as it requires the data to be on a...

Page 42: ...er server Raw data retention comes under legal requirements Raw data cannot be searched or reported on because it is not processed or indexed Event data is generated by a collector after processing the raw data Event data is indexed for searching and can be searched and reported on Although this data is not usually included in the legal requirements it is often important to retain because it makes...

Page 43: ...er Data Retention Sentinel Log Manager allows you to configure the duration to keep the data on disk before it deletes the data If your hard drive storage space is not sufficient to store data long enough to meet your legal requirements you can use tape storage mechanism to store the data beyond the specified data retention duration Therefore retention policies should be configured long enough to ...

Page 44: ... more information on event data directory hierarchy see Table 3 3 Event Data Directory Structure on page 25 You should wait until event data partitions have been copied to archive storage before copying them to tape Before you copy make sure that the directory is not currently being copied from local storage To do this see if there is a local storage directory partition of the same name If the cor...

Page 45: ...taining the original directory hierarchy The Sentinel Log Manager database keeps track of what event partitions were deleted so you will need to update the entry in the database to inform it that this partition is no longer deleted To do so execute an UPDATE SQL command similar to the following for each event partition you ve restored UPDATE ixlog_part SET state 60 WHERE name 20090811_408E7E50 C02...

Page 46: ...46 Sentinel Log Manager 1 0 0 4 Administration Guide novdocx en 19 February 2010 ...

Page 47: ...n the Event Source Management Live View Novell Sentinel Log Manager supports a wide variety of Connectors and also includes a variety of Collectors with parsing logic for specific event sources For a list of supported connectors and event sources packaged with this release see System Requirements in the Sentinel Log Manager 1 0 0 4 Installation Guide To download the new additional and updated Coll...

Page 48: ... Event Sources on page 57 Section 4 4 Managing Event Sources on page 60 Section 4 5 Viewing Events Per Second Statistics on page 72 4 1 Configuring Syslog Data Collection The Sentinel Log Manager is preconfigured to accept syslog data from syslog event sources that are sending data over TCP port 1468 UDP port 1514 or SSL port 1443 Additionally if your firewall is enabled and supports iptables Sent...

Page 49: ...ve syslog servers use the Event Source Management interface For more information see Launching Event Source Management on page 57 In the Syslog Server section you can start or stop data collection for each of the syslog server ports by using the on or off options next to them 1 Log in to the Sentinel Log Manager as an administrator 2 Click the collection link in the upper left corner of the page T...

Page 50: ...thentication for the SSL Syslog Server The client authentication settings determine how strictly the SSL syslog server verifies the identity of syslog event sources attempting to send their data Use a strict client authentication policy that is applicable in your environment to prevent rogue syslog event sources from sending undesired data into the Sentinel Log Manager Open No authentication is re...

Page 51: ...ertificates cert1 pem and cert2 pem It is protected by the password password1 The keystore file must be imported into the truststore Importing a Truststore For strict authentication the administrator can import a truststore by using the Import button This helps ensure that only authorized event sources are sending data to Log Manager The truststore must include either the event source certificate ...

Page 52: ...ving it 10 Click Save Listening on Ports Below 1024 NOTE The instructions in this section assume that your firewall is enabled and is compatible with the iptables command If this is not the case there are likely options in your firewall configuration interface to allow you to configure the same port forwarding as described here As Sentinel Log Manager runs as the novell user it cannot directly lis...

Page 53: ...s Section 4 2 1 Specifying the Audit Server Settings on page 53 Section 4 2 2 Setting the Audit Server Options on page 54 4 2 1 Specifying the Audit Server Settings To specify the data collection settings for the audit server 1 Log in to the Sentinel Log Manager as an administrator 2 Click the collection link in the upper left corner of the page The Collection tab is displayed on the right pane of...

Page 54: ...sconnect event sources that have not sent data for a certain period of time The event source connections are automatically re created when they start sending data again 9 Specify the number of minutes before an idle connection is disconnected 10 Select Event Signatures to receive a signature with the event To receive a signature the Platform Agent on the event source must be configured properly 11...

Page 55: ...ell com documentation for more instructions To configure port forwarding on the Sentinel Log Manager server 1 Log in to the Sentinel Log Manager server operating system as root or su to root 2 Open the etc init d boot local file for editing 3 Add the following command at the end of the bootup process iptables A PREROUTING t nat p protocol dport incoming port j DNAT to destination IP rerouted port ...

Page 56: ...y 5 Run the TruststoreCreator sh utility TruststoreCreator sh keystore tmp my keystore password password1 certs tmp cert1 pem tmp cert2 pem In this example the TruststoreCreator utility creates a keystore file called my keystore that contains two certificates cert1 pem and cert2 pem in it It is protected by the password password1 Importing a Truststore For strict authentication the administrator c...

Page 57: ...ustom 5 Click Browse and browse to the truststore file 6 Specify the password for the truststore file 7 Click Import If there is more than one public private key pair in the file select the desired key pair and click OK 8 Click Details to see more information about the server key pair 9 Click Reset to change the specified settings to previous setting before saving it 10 Click Save 4 3 Configuring ...

Page 58: ... repository Monitor data flowing through the Collectors and Connectors View the raw data information Design configure and create the components of the Event Source Hierarchy and execute required actions using these components Use the following procedure to launch the Event Source Management Live View window 1 Log in to the Sentinel Log Manager as an administrator 2 Click the collection link at the...

Page 59: ...monitored in real time within the ESM interface 8 The following table describes about the various components of the Event Source Management Live View interface Component Description Sentinel The single Sentinel icon represents the main SentinelTM Server that manages all events collected by the Sentinel system The Sentinel object is installed automatically through the Sentinel installer Collector M...

Page 60: ...tinel61 html For more information on customizing or creating new Collectors refer to the Novell Developer s Kit for Sentinel Web site http developer novell com wiki index php title Develop_to_Sentinel Connector Connectors are used to provide the protocol level communication with an event source using industry standards such as syslog JDBC and so forth Each instance of a Connector icon in ESM repre...

Page 61: ...sts all of the Collector Managers associated with the Sentinel system Event Source Servers Lists all of the event source servers associated with the Sentinel system Collector Plugins Lists all of the Collector plug ins associated with the Sentinel system The Event Sources section at the right pane lists the event sources based on the options selected from the left pane NOTE The Event Sources page ...

Page 62: ...will be displayed to indicate that the sort order is ascending If the column header is clicked a second time the sort order will be changed to descending and a blue up arrow will be displayed to indicate that the sort order is descending When you click the event source s Name or EPS value a pop up is displayed with additional information about the event source The pop up displays the Event Source ...

Page 63: ... that the event source is turned off The Sentinel Log Manager is not processing any data from it Orange Indicates that the event source is running with some warnings You can sort the event sources based on their health status Name The event source name is the name given to the event source by the system if auto created or by a user For syslog event sources if the event source was auto created by t...

Page 64: ... the name of the collector plug in not the name of the collector instance You can sort the event sources based on collector plug in name Drop Specifies whether data from the associated event source should be dropped or not YES If Drop Data is set to YES all data received from the event source is dropped This means that the raw data will not be saved and events will not be generated NO If Drop Data...

Page 65: ... box located at the top of the column The right pane displays the list of event sources connected to the selected Collector Managers NOTE If none of the Collector Managers are selected the event sources table displays all the configured event sources The following fields are available in the Collector Managers section To sort the Collector Managers by Health Name and EPS values click the respectiv...

Page 66: ...gured event sources including event sources which are not connected to any event source server To sort the event source servers by Health Name and EPS values click the respective column header When you click the column header the respective column header displays in bold text Health Indicates the health of the event source server You can sort the event source servers based on their health status N...

Page 67: ...ctor plug in It is essentially equivalent to selecting all of the collector plug ins To select or deselect the collector plug ins click the check boxes next to the respective collector plug in To select all the available collector plug ins click the check box at the top of the column The right pane displays the list of event sources connected to all the Collector instances of the selected Collecto...

Page 68: ... names of the collector plug in used to parse the data from the event sources for example Cisco Firewall 6 1r1 You can sort the collector plug ins in alphabetical order based on their names This lists all the configured collector plug ins and not the collector instances EPS Displays the events per second value received from the event sources You can sort the collector based on the events per secon...

Page 69: ...an event source select the event source from the list and click the Search link A new search results tab is displayed with the search results using the universally unique identifier UUID of the event source for example rv24 2CBFB8A0 F24B 102C A498 000C If multiple event sources are selected for search the rv24 UUID expressions are combined with the OR operator in the search filter expression Resul...

Page 70: ...ata If Allow Data is selected the selected event sources will forward events received to the Collector s they are connected to NOTE If you select a large number of event sources to change it may take a while to complete The event sources list will not show the Drop state YES or NO until after the changes are complete and the display is refreshed from the database 13 To change the associated collec...

Page 71: ...e number of event sources to change it may take a while to complete The event sources list will not show the new collector plug in until after the changes are complete and the display is refreshed from the database 15 To change the time zone setting for one or more event sources select the event source s from the list click the Configure link and select the Time Zone option The Set Time Zone windo...

Page 72: ...es on this page might take some time to display completely 4 5 Viewing Events Per Second Statistics Section 4 5 1 Viewing Graphical Representation of Events Per Second Value on page 72 Section 4 5 2 Viewing Events Per Second Value of Event Source Servers on page 73 4 5 1 Viewing Graphical Representation of Events Per Second Value 1 Log in to the Sentinel Log Manager as an administrator 2 Click the...

Page 73: ...Event Source Servers 1 Log in to the Sentinel Log Manager as an administrator 2 Click the collection link in the upper left corner of the page The Collection tab is displayed on the right pane of the page 3 Click the Event Sources tab The Event Sources page is displayed 4 The EPS column of the Event Source Servers section specifies the events per second value received from all the event source ser...

Page 75: ...on about the target, represented by a bull's-eye icon. This section gives you an understanding of searching for an event, refining search results, viewing search results, exporting the search results, saving a search query as a report template, and sending the search results to an action instance. Section 5.1, Running an Event Search, on page 75; Section 5.2, Refining Search Results, on page 78; Section 5.3, Viewi...

Page 76: ...corner of the page. Sentinel Log Manager is configured to run a default search for non-system events with severity 3 to 5 when a user clicks the Search button for the first time; otherwise it reuses the last search term the user entered. To know more about the case-sensitive fields and the tokenized (not case-sensitive) fields, see Appendix C, Event Fields, on page 149. 2. For using a different search criteria...

Page 77: ...rt names that are used in advanced searches, and to know whether the fields are visible in the basic and detailed event views, see Table C-1, Event Fields, on page 149. NOTE: To perform a search, click the search tips link to use the tag names defined in the table. To search for a value in a specific field, use the short name of the field, a colon, and the value. For example, to search for an authentication at...

Page 78: ...he Search text box, the search expression list displays the recently used search expressions. The most recent search expression value appears at the top of the list. For each user, a maximum of 250 search expression values are stored; once the number of search expressions exceeds 250, the oldest ones are deleted from the list. The following image displays the recently used search expressions l...

Page 79: ...ents, where sample size will be replaced by the actual sampling size. To refine search results: 1. Log in to Novell Sentinel Log Manager. 2. Run an event search. For more information on how to run an event search, see Running an Event Search on page 75. 3. Select an option from SORT BY to sort the search results. You can sort the search results based on the time when the event occurred and when the event was...

Page 80: ...s based on the first 50,000 events found. In the following two scenarios, the number of events returned from a refinement will be greater than the number of values listed for an event field: 1. The refinement performs a new search with the additional terms intersected with the initial search string using an AND operator. The new search will be run against all the events in the system, including the resu...

Page 81: ...of times the value appears in the search result. If there are multiple unique values occurring the same number of times in a search, then the values are ordered by the most recent occurrence of the value. For example, if events of severity 1 and 4 each occurred 34 times in the search results, of which an event of severity 4 was logged most recently, then the unique value 4 would appear at the top of the l...
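The ordering rule for refinement values on pages 80 and 81, as an added example that is not part of the Sentinel Log Manager guide or product: the unique values of a field are counted over at most the first 50,000 events, sorted by count, and ties are broken by the most recent occurrence; a refinement is then the original search ANDed with the clicked value using the short-name:value syntax of Section 5.1. The event dictionaries, the `ts` timestamp key and the `sev` short name in the usage call are constructed for the example.

```python
"""Added example (not Sentinel Log Manager code): how the refinement pane
orders the unique values of an event field, per pages 80-81 of the guide.

Assumptions (not stated in the guide): events are plain dicts with an integer
"severity" and a Unix-timestamp "ts"; the sample is the first 50,000 events
of the result set, as the guide says.
"""
from collections import Counter

REFINEMENT_SAMPLE_SIZE = 50_000   # "based on the first 50,000 events found"


def refinement_values(events, field, sample_size=REFINEMENT_SAMPLE_SIZE):
    """Return [(value, count), ...] for `field`, most frequent first.

    Ties are broken by the most recent occurrence of the value, so a value
    that was logged more recently sorts above one with the same count."""
    counts = Counter()
    latest = {}                       # value -> newest "ts" seen for it
    for ev in events[:sample_size]:   # only the first sample_size events count
        if field not in ev:
            continue
        value = ev[field]
        counts[value] += 1
        latest[value] = max(latest.get(value, float("-inf")), ev["ts"])
    return sorted(counts.items(), key=lambda kv: (-kv[1], -latest[kv[0]]))


def refine(initial_query, extra_terms):
    """Refinement = initial search AND the clicked value(s) (page 80, scenario 1),
    written with the field:value syntax of Section 5.1."""
    return " AND ".join([initial_query] + [f"{f}:{v}" for f, v in extra_terms])


# Constructed sample: 34 events of severity 1, 34 of severity 4 (the newest one
# at ts=200), and a single severity 5. Value 4 must be listed before value 1.
SAMPLE_EVENTS = (
    [{"severity": 1, "ts": t} for t in range(100, 134)]
    + [{"severity": 4, "ts": t} for t in range(150, 183)]
    + [{"severity": 4, "ts": 200}]
    + [{"severity": 5, "ts": 300}]
)

if __name__ == "__main__":
    print(refinement_values(SAMPLE_EVENTS, "severity"))   # [(4, 34), (1, 34), (5, 1)]
    print(refine('"authentication failure"', [("sev", 4)]))
```

Passing a smaller `sample_size` shows why a refinement can return more events than the listed count suggests: values that only occur after the sample boundary are never counted, but the refined search still runs over every event in the system.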

Page 82: ...set of events. You can view the search results in the basic view or in the advanced view. When results are sorted by relevance, only the top 50,000 events can be viewed. When they are sorted by time, all the events in the system are displayed. Section 5.3.1, Basic Event View, on page 82; Section 5.3.2, Event View with Details, on page 83. 5.3.1 Basic Event View: The information in each event is grouped into G...

Page 83: ...inserted into the data directory. If you run a search that returns events that were not inserted into the data directory, you get a message indicating that some events match the search query but they are not found in the data directory. If you run the search again later, the events are in the data directory and the search is shown as successful. 5.3.2 Event View with Details: 1. To view the details about...

Page 84: ...llector Script: Displays the name of the collector script. When you click the Collector Script field value, the value is added to the current search and provides information about other events parsed by the same collector script. Collector name: Displays the name of the collector. When you click the Collector name field value, the value is added to the current search and provides information about other...

Page 85: ...search and provides information about other events coming from the same Event Source. If the Collector, Collector Manager, Connector and EventSource plug-in instances are deleted, then the IDs are displayed instead of the names. 4. Click the show all fields link to view information about all associated fields for the particular event. The list shows only the event fields that have values...

Page 86: ...eceived from the event. If the search result is a system or an internal event, the get raw data link does not appear. To verify and download the raw data files, see Section 3.5, Verifying and Downloading Raw Data Files, on page 39. 5.4 Exporting Search Results: You can use the Export Results link to export your search results as a zip file. The export results link is displayed at the top of the search resu...

Page 87: ...4. In the File Name field, specify the filename to which you want to export the search results. 5. In the Event Limit field, specify the event limit to be saved. The default value for the event limit is the number of search results displayed. All the search results are written into a .csv file, which is then zipped and provided for download. 6. Click the Export button to display an Opening Search_xevents.zi...

Page 88: ...r are synchronized. If the time is not synchronized, there might be differences between the total events in the Sentinel Log Manager user interface and the exported events. 7. Click OK to save the Search_xevents.zip file. This zip file contains information about the various fields of the event source. 5.5 Saving a Search Query as a Report Template: You can save a search result as a report template by using th...

Page 89: ...e search. 7. In the Name field, specify the name of the report. 8. To mail the report template to a user, specify the e-mail address in the Email Report to field. To send the report template to more than one user, enter multiple e-mail addresses separated by commas. 9. To save more than 1000 results in a report, use the Event Limits text field to specify the number of results to show. By default, 1000 results...

Page 90: ...orm a search. 3. To send the search results to an action, click the send results to link. A Send Results To window is displayed. 4. The Action field displays the list of actions. Select an action from the drop-down list. For more information about actions and configuring actions, see Section 7.2, Configuring Actions, on page 114. 5. In the Event Limit field, specify the maximum number of events to be sent to th...

Page 91: ...7; Section 6.12, Deleting Reports, on page 108. 6.1 Running Reports: You can run and schedule the report definitions that are saved in the system. You can also view the report results of the report definitions. The Report Viewer pane of the Sentinel Log Manager page displays all the report definitions in the system. Reports run asynchronously, so users can continue to do other things in the application while t...

Page 92: ...o change the parameters to run a report, for example the report name, start date and end date. The Sentinel Log Manager also allows you to schedule a report to run at regular intervals. 2. Set the run options for running the report. 3. Specify a name to identify the report results. As the username and time are also used to identify the report results, the report name need not be unique. 4. To run a search report...

Page 93: ...st 90 days' events. Whenever: Shows all events stored in the system. Custom Date Range: If you selected Custom Date Range, set the start date (From Date) and the end date (To Date) for the report. If any of the other settings is selected for the report type, these time settings are ignored. Parameter / Description: Help: Click Help to open the doc_plugin.pdf and to read the getting started notes for the selected J...

Page 94: ...09 4:00:00 p.m., the report runs on the 26th day of the month at 4:00:00 p.m. every month. Date Range: If the report includes time period parameters, choose the date range. All time periods are based on the local time for the browser. Current Day: Shows events from midnight of the current day until 11:59:00 p.m. of the current day. If the current time is 8:00:00 AM, the report shows 8 hours of data. Previous D...

Page 95: ...t results in the Report Viewer pane. All the report results are ordered by the creation time. If there is more than one report, the show more link displays the other report results. In the Report Viewer, the All and Favorite sections show the number of unread reports with a blue dot next to them. A report result without a blue dot next to it indicates that the report result has been read. A blue dot nex...

Page 96: ...nitions display a Sample Report link if a report definition contains a sample report. 4. Click the Sample Report to display a View link. 5. Click View to find out how the completed report looks with a set of sample data. Report results are organized from newest to oldest. 6.4 Viewing Report Parameters: The Report Viewer pane on the left side of the page displays a status pane at the bottom left corner of...

Page 97: ...allows you to extract the collector pack contents. You can use the instructions and scripts to configure the associated event sources. The reports that are extracted from the new collector can be uploaded to the Sentinel Log Manager. These collector packs are available on the Sentinel Content Web site (http://support.novell.com/products/sentinel/sentinel61.html). To extract the reports from the collector...

Page 98: ...e needed for event source configuration, follow the steps given in the instructions.txt file. Otherwise, to add a report, see Adding the Report Definitions on page 98. 6.6 Adding the Report Definitions: Additional report plug-ins (special .zip or .rpz files that include the report definition, other than the metadata and resources used by the report) can be uploaded into the Sentinel Log Manager. Both JasperRe...

Page 99: ...ID, whether to replace the existing report or not. Sentinel Log Manager displays details of both the reports. The new report definition is added to the Report Template list in alphabetical order and can be run immediately if required. 6.7 Renaming a Report Result: 1. Click a report definition to view the report results in the Report Viewer pane. 2. Select a report result. 3. Click the more drop-down list in th...

Page 100: ...4. Specify a name in the bottom left status pane. 5. Click Rename.

Page 101: ...hows the number of unread reports next to it. NOTE: The reports marked as read or unread are on a per-user basis. Each user can have a different set of read or unread reports. Section 6.8.1, Marking a Single Report Result as Read, on page 101; Section 6.8.2, Marking a Single Report Result as Unread, on page 102; Section 6.8.3, Marking Multiple Report Results as Read, on page 102; Section 6.8.4, Marking Multiple R...

Page 102: ...nread. The report result changes to the Unread state, with a blue dot next to the report result. 6.8.3 Marking Multiple Report Results as Read: 1. Click the more drop-down list in the Report Viewer pane and click Select Multiple Reports. 2. A check box is displayed next to each report result in the Report Viewer pane. Click the check boxes to select one or more report results. You can also use the select a...

Page 103: ...report results, the Mark Read (x) link is displayed in the Report Viewer pane, where x is the number of selected report results. 3. Click the Mark Read (x) link. The selected report results change to the Read state, without a blue dot next to the report results. 6.8.4 Marking Multiple Report Results as Unread: 1. Click the more drop-down list in the Report Viewer pane and click Select Multiple Reports...

Page 104: ...r pane. Click the check boxes to select one or more report results. You can also use the select all link to select all the available report results. To deselect all the selected reports, click the unselect all link. If the selected report results are Read, the Mark Unread (x) link is displayed in the Report Viewer, where x is the number of selected report results...

Page 105: ...esults. 6.9 Managing Favorite Reports: Section 6.9.1, Adding Reports as Favorites, on page 105; Section 6.9.2, Removing Favorite Reports, on page 106. 6.9.1 Adding Reports as Favorites: You can mark individual report definitions as Favorite. 1. Select a report definition from the All node. 2. Click the more drop-down list in the Report Viewer pane and click Add to Favorite...

Page 106: ...ts marked as favorites are on a per-user basis. Each user can have a different set of favorite reports. 6.9.2 Removing Favorite Reports: 1. Select a report definition from the Favorite node. 2. Click the more drop-down list in the Report Viewer pane and click Remove from Favorite. 3. The selected report definition is removed from the Favorite list and added to the All list in the Report Viewer pane...

Page 107: ...Name.zip file on your local machine. 6.10.2 Exporting All Reports: You can use the Export All Reports option to export all reports as a zip file. 1. Log in to Novell Sentinel Log Manager. 2. Select the All or Favorite list of the Report Viewer pane. 3. Click the more drop-down list in the Report Viewer pane and select Export All Reports. All reports are zipped into a file and provided to you for download...

Page 108: ...nt source. 6.12 Deleting Reports: You can delete either a report definition or a report result. If a report definition is deleted, all associated report results are also deleted. Section 6.12.1, Deleting a Report Definition, on page 108; Section 6.12.2, Deleting a Report Result, on page 109; Section 6.12.3, Deleting Multiple Report Results, on page 109. 6.12.1 Deleting a Report Definition: 1. Log in to Novell Sen...

Page 109: ...pane. 4. The following confirmation message is displayed. 5. Click Delete to delete the selected report result. The selected report result under the report definition is deleted from the Report Viewer pane. 6.12.3 Deleting Multiple Report Results: You can select multiple report results and delete all of them. 1. Log in to Novell Sentinel Log Manager. 2. Click the more drop-down list in the Report Viewer pan...

Page 110: ...ts, click the unselect all link. If no report results are selected, the Delete and Mark Read links are disabled. 4. The Delete (x) link in the Report Viewer pane shows the number of selected report results, where x is the number of selected report results. 5. Click Delete (x). 6. The following confirmation message is displayed. 7. Click Delete. The selected report results are deleted from the Report Viewer pane...

Page 111: ...e can be associated with one or more of the configured actions. The rules are evaluated on a first-match basis in top-down order, and the first matched rule is applied to the events that match its filter criteria. Section 7.1.1, Filter Criteria, on page 111; Section 7.1.2, Adding a Rule, on page 111; Section 7.1.3, Editing a Rule, on page 112; Section 7.1.4, Ordering Rules, on page 112; Section 7.1.5, Deleting...

Page 112: ...n comes from the configuration details for the action. 7. Click the icon to select additional actions to be performed. 8. Click to remove the selected action for this rule. 9. Click Save to save the rule. The newly created rule appears under the Rules tab. 7.1.3 Editing a Rule: 1. Log in to the Sentinel Log Manager as an administrator. 2. Click rules in the upper left corner of the page. 3. The Rules tab is display...

Page 113: ...ion. 5. The following confirmation message is displayed. 6. Click Delete to delete the selected rule. If the rule is deleted, a Successfully Deleted Rule message is displayed. 7.1.6 Activating or Deactivating a Rule: New rules are activated by default. If you deactivate a rule, incoming events are no longer evaluated according to that rule. If there are already events in queue for one or more actions, it migh...
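The first-match, top-down evaluation described on page 111, together with the activate/deactivate behaviour of Section 7.1.6, as an added example that is not Sentinel Log Manager code. Filter criteria are modelled as Python callables and actions as callables that receive the event; the real product uses its own search-filter syntax and the action types of Section 7.2. The sample events and the two rules are constructed for the example.

```python
"""Added example (not Sentinel Log Manager code): first-match, top-down rule
evaluation (Section 7.1), rules that can be deactivated (Section 7.1.6), and
actions run one at a time per event (note on page 114).

Assumptions: a rule's filter criteria is a callable over an event dict and an
action is a callable receiving the event; the product uses its search-filter
syntax and configured action instances instead.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Event = Dict[str, object]


@dataclass
class Rule:
    name: str
    criteria: Callable[[Event], bool]
    actions: List[Callable[[Event], None]] = field(default_factory=list)
    active: bool = True              # new rules are activated by default


def evaluate(rules: List[Rule], event: Event) -> Optional[str]:
    """Walk the rules top-down. The first ACTIVE rule whose criteria match is
    applied and later rules are not consulted, so the rule order (Section 7.1.4)
    decides which actions fire. Returns the matched rule's name, or None."""
    for rule in rules:
        if not rule.active:
            continue                  # deactivated: incoming events skip this rule
        if rule.criteria(event):
            for action in rule.actions:   # actions run one at a time, in order
                action(event)
            return rule.name
    return None


# Constructed events, not taken from the guide
SAMPLE_EVENTS: List[Event] = [
    {"sev": 5, "evt": "Authentication failure", "sun": "root"},
    {"sev": 2, "evt": "Authentication failure", "sun": "alice"},
    {"sev": 5, "evt": "Firewall deny", "sun": ""},
]


def demo(deactivate_first: bool = False, general_first: bool = False):
    """Run SAMPLE_EVENTS through a specific rule followed by a general one.
    Returns (matched rule per event, e-mails sent, lines logged)."""
    mailed: List[Event] = []
    logged: List[Event] = []
    rules = [
        Rule("critical-auth",
             lambda e: e["sev"] >= 4 and str(e["evt"]).startswith("Auth"),
             [mailed.append, logged.append]),     # Send an E-mail, then Log to File
        Rule("all-auth",
             lambda e: str(e["evt"]).startswith("Auth"),
             [logged.append]),                    # Log to File only
    ]
    if general_first:
        rules.reverse()               # wrong order: the general rule shadows the specific one
    if deactivate_first:
        rules[0].active = False
    matched = [evaluate(rules, ev) for ev in SAMPLE_EVENTS]
    return matched, len(mailed), len(logged)


if __name__ == "__main__":
    print(demo())                     # (['critical-auth', 'all-auth', None], 1, 2)
    print(demo(general_first=True))   # (['all-auth', 'all-auth', None], 0, 2)
```

The `general_first` case is the practical point of Section 7.1.4: once a broad rule sits above a narrow one, the narrow rule (and its e-mail action) never fires, with no error reported.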

Page 114: ...m that accepts e-mail input. Send SNMP Trap: This type of action sends SNMP traps. Send to Sentinel Link: This type of action uses Sentinel Link to forward events to another Sentinel Log Manager, Sentinel, or Sentinel RD system. For more information on how to configure these actions, see Adding Actions on page 115. NOTE: Events are processed by the associated actions one at a time. You should therefore c...

Page 115: ...ger events that meet the filter criteria for which the Execute a Script action is defined are passed as an argument to the same script. To configure the Execute a Script action, you need to specify the path of the script that will be executed. The script must already exist and the novell user must have permissions to execute it. Because the script runs with the privileges of the novell user, keep the script and its directory writable only by an administrative account. 1. Log in to the Sentinel Log Manager as an administrator. 2. Click rules in th...

Page 116: ...eft corner of the page. 3. The Rules tab is displayed on the right pane of the page. 4. Select the Actions tab. 5. Click the Add Action link on the right side of the screen. 6. Select the Log to File action type. The Filename screen appears. 7. Specify an action name. The action name should be unique. 8. Specify the path to the file to which you want the events to be written. Specify either an absolute path or a...

Page 117: ...by an E-Mail: All Sentinel Log Manager events that meet the filter criteria for which the Send an E-mail action is defined are sent to the associated SMTP relay and e-mail addresses. To configure the Send to e-mail action, you need the IP address and port number of an SMTP relay and the To and From e-mail addresses. To send events to more than one e-mail address, use a comma-separated list. NOTE: To av...

Page 118: ...separated by commas. 13. Specify the subject line for the e-mail. 14. Click Save. If the action is configured, a Successfully Added Action message is displayed. The newly created action appears under the Actions tab. Sending the SNMP Traps: All Sentinel Log Manager events that meet the filter criteria for which the Send SNMP Traps action is defined are sent to the specified SNMP addresses. To configure the...

Page 119: ...no Object ID is specified, the Novell Audit internal OID is used: 2.16.840.1.113719.1.347.3.1. 12. Click Save. If the action is configured, a Successfully Added Action message is displayed. The newly created action appears under the Actions tab. Sending the Events to a Sentinel Link: Sentinel Link provides the ability to hierarchically link multiple Sentinel systems, including Sentinel Log Manager and the t...

Page 120: ...RD system that receives the data. The following instructions describe how to configure the system sending the data. 1. Set up the Sentinel Link connection to receive messages from another Sentinel or Sentinel Log Management system. For more information about configuring Sentinel systems for receiving events, see the Sentinel Link Solution Guide (http://support.novell.com/products/sentinel/zip/utilities/Senti...

Page 121: ...e should be unique. 9. Specify the IP address or hostname of the destination Sentinel system where a Sentinel Link connector is configured. 10. Specify the port number for the Sentinel system. The default port is 1290. If required, click Test to validate the hostname or IP address and port fields...

Page 122: ...rator always verifies the receiver's certificate when connecting to the receiver. If this option is selected, the Integrator immediately attempts to retrieve the receiver's certificate over the network and validate that it is issued by an authorized CA. If the certificate is not validated for some reason, it is still presented to the user to accept or reject. Accepting a certificate that failed CA validation means trusting whichever endpoint answered at that moment, so compare its fingerprint with the receiver's certificate out of band before accepting it. The certificate is considered to be valid if...

Page 123: ...is option to schedule event forwarding. You can specify the Time Of Day and the Duration (in minutes) for each day of the week. The valid format for the Time Of Day is hh:mm am/pm. The duration must be between 1 and 1440 minutes. If you do not specify a time or the duration for any of the days of the week, the schedule is considered to be 24 hours a day, seven days a week. It would be equivalent to the Forward...
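The weekly forwarding schedule described on page 123, as an added example that is not Sentinel Log Manager code: a Time Of Day in hh:mm am/pm plus a duration of 1 to 1440 minutes per weekday, with an unspecified day meaning 24 hours. The guide does not say what happens when a window runs past midnight; the example assumes such a window continues into the following day, and that assumption, together with the constructed schedule, is marked in the code.

```python
"""Added example (not Sentinel Log Manager code): the per-weekday forwarding
schedule of the Sentinel Link action, page 123 of the guide. Time Of Day is
'hh:mm am/pm', Duration is 1..1440 minutes, and a day without a time or
duration forwards all day.

Assumption not in the guide: a window that runs past midnight (e.g. 11:00 pm
for 120 minutes) continues into the next day instead of stopping at 24:00.
"""
import re
from datetime import datetime

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]   # datetime.weekday() order
MINUTES_PER_DAY = 1440
_TOD = re.compile(r"^\s*(\d{1,2}):(\d{2})\s*(am|pm)\s*$", re.IGNORECASE)


def parse_time_of_day(text):
    """'hh:mm am/pm' -> minutes after midnight; any other format is rejected."""
    m = _TOD.match(text)
    if not m:
        raise ValueError(f"bad Time Of Day {text!r}: expected hh:mm am/pm")
    hh, mm, ampm = int(m.group(1)), int(m.group(2)), m.group(3).lower()
    if not (1 <= hh <= 12 and 0 <= mm <= 59):
        raise ValueError(f"bad Time Of Day {text!r}")
    hh = hh % 12 + (12 if ampm == "pm" else 0)   # 12:xx am -> 0h, 12:xx pm -> 12h
    return hh * 60 + mm


def parse_schedule(raw):
    """raw maps a day name to (time_of_day, duration_minutes). A missing day,
    time or duration means 24 hours. Returns {weekday: (start, duration)}."""
    sched = {}
    for i, day in enumerate(DAYS):
        entry = raw.get(day)
        if not entry or entry[0] is None or entry[1] is None:
            sched[i] = (0, MINUTES_PER_DAY)      # unspecified: all day
            continue
        tod, duration = entry
        if not 1 <= int(duration) <= MINUTES_PER_DAY:
            raise ValueError(f"{day}: duration must be between 1 and 1440 minutes")
        sched[i] = (parse_time_of_day(tod), int(duration))
    return sched


def forwarding_active(sched, when):
    """True if `when` is inside today's window, or inside yesterday's window
    where that window ran past midnight (the assumption above)."""
    minute = when.hour * 60 + when.minute
    start, dur = sched[when.weekday()]
    if start <= minute < start + dur:
        return True
    prev_start, prev_dur = sched[(when.weekday() - 1) % 7]
    return minute < prev_start + prev_dur - MINUTES_PER_DAY   # spill-over from yesterday


def active_at(sched, year, month, day, hour, minute):
    """Convenience wrapper around forwarding_active for a wall-clock instant."""
    return forwarding_active(sched, datetime(year, month, day, hour, minute))


# Constructed schedule: office hours Monday to Friday, a late Saturday window
# that spills into Sunday, and one hour on Sunday morning.
BUSINESS_HOURS = parse_schedule({
    **{d: ("08:00 am", 600) for d in ("mon", "tue", "wed", "thu", "fri")},
    "sat": ("11:00 pm", 120),
    "sun": ("06:00 am", 60),
})

if __name__ == "__main__":
    print(active_at(BUSINESS_HOURS, 2010, 2, 22, 9, 30))   # Monday, inside office hours
    print(active_at(BUSINESS_HOURS, 2010, 2, 28, 0, 30))   # Sunday 00:30, Saturday spill-over
```

The duration check matters more than it looks: an empty duration silently turns into "all day", so a schedule that was meant to restrict forwarding to a maintenance window forwards around the clock if one entry is left blank.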

Page 124: ...is displayed. 7.2.3 Deleting an Action: 1. Log in to the Sentinel Log Manager as an administrator. 2. Click rules in the upper left corner of the page. 3. The Rules tab is displayed on the right pane of the page. 4. Select the Actions tab. 5. To delete the selected action, click the remove link next to the action. NOTE: The remove link is only enabled if an action is not associated with a rule. The following co...

Page 125: ...newly created event source. If a new event source group or a new Collector is also created, their respective names and UUIDs are also indicated in the message. The message also indicates if any time zone was assigned to the event source when it was created. If the event source was created without a time zone, it shows the text EMPTYTZ at the end of the message. When the defined conditions are met, an e-m...

Page 126: ...onfiguring Settings for Sending E-Mail: In addition to activating the Event Source Created With Unspecified Timezone rule, you should also configure the settings to receive the e-mail notifications for event sources that are auto-created without a time zone. 1. Log in to the Sentinel Log Manager as an administrator. 2. Click rules in the upper left corner of the page. 3. The Rules tab is displayed on the...

Page 127: ...entinel system for more in-depth reporting and analysis. Section 7.4.1, Activating the Forward Events To Another Sentinel System Rule, on page 128; Section 7.4.2, Configuring Sentinel Link Integrator Settings, on page 128. Fields / Description: Action name: Specify an action name. The action name should be unique. SMTP Server: Specify the hostname or IP address of the SMTP server. Port: Specify the port of the SM...

Page 128: ...Events To Another Sentinel System rule is displayed under the Rules tab. 4. To activate the Forward Events To Another Sentinel System rule, click the check box next to the rule. If the rule is activated, a Successfully activated the rule message is displayed. 7.4.2 Configuring Sentinel Link Integrator Settings: In addition to activating the Forward Events To Another Sentinel System rule, you must also co...

Page 129: ...e. 3. Click Add a user. 4. Specify the name and e-mail address of the user. The e-mail address format is validated. The fields with an asterisk are mandatory, and the username must be unique. If a user already exists with the specified name, a Username taken message is displayed. 5. Specify one of the following options to give more granular permissions for the user to control the Sentinel Log Manager s...

Page 130: ...the Sentinel Log Manager server. Enable Sentinel Log Manager configuration reporting: Select this option to run the reports if you are using SQL queries in the report definition. 7. Select the authentication type. Local: By default, the Local option is selected. Directory: The Directory option is enabled only if the user has configured LDAP authentication. For more information about configuring LDAP authent...

Page 131: ...ection 8.2.1, Editing Your Own Profile, on page 131; Section 8.2.2, Changing Your Own Password, on page 131; Section 8.2.3, Editing Another User's Profile (admin only), on page 132; Section 8.2.4, Resetting Another User's Password (admin only), on page 132. 8.2.1 Editing Your Own Profile: To edit a profile: 1. Click the logged-in user name in the upper left corner of the page. 2. The Users tab is displayed on the righ...

Page 132: ...corner of the page. 3. Click Edit under the Users tab. 4. Click Delete this user in the upper right corner of the Users tab. 5. To delete the user permanently, click Delete. 8.4 Configuring Sentinel Log Manager Server for LDAP Authentication: You can enable users to log in to Sentinel Log Manager by using their Novell eDirectory username or Microsoft Active Directory sAMAccountName and password. You do thi...

Page 133: ...e the default value. Parameter / Description: Sentinel Log Manager install location: The default location of the Sentinel Log Manager server installation directory is /opt/novell/Sentinel_log_mgr_1.0_x86-64. LDAP directory: The value is 1 for Novell eDirectory or 2 for Active Directory. The default value is 1. LDAP server hostname or IP address: The hostname or the IP address of the machine where the LDAP server...

Page 134: ...on/edir88/edir88/data/a7elxuq.html). Active Directory: For more information on exporting an Active Directory CA certificate, see How to enable LDAP over SSL (http://support.microsoft.com/kb/321051). For the Sentinel LDAP authentication, the ANONYMOUS LOGON user object must be given read access to the sAMAccountName and objectclass attributes. Note that this lets any unauthenticated client that can reach the LDAP port enumerate those attributes, so grant it only on the containers that hold Sentinel users and restrict network access to the domain controller's LDAP ports. For more information, see Configuring Active Directory to Allow Anonymo...

Page 135: ...server as the novell user: su novell. 2. Change to the Install_Directory/config directory: cd Install_Directory/config. 3. Modify the LdapLogin entry in the auth.login file of the Install_Directory/config directory. 4. Modify the activemqkeystore.jks file in the Install_Directory/config directory. 5. Perform Step 1 through Step 7 in Section 8.4, Configuring Sentinel Log Manager Server for LDAP Authentication...

Page 136: ...IMPORTANT: Modifying auth.login or activemqkeystore.jks incorrectly causes LDAP authentication to fail. The user can also modify the activemqkeystore.jks file with the Java keytool utility available in the Install_Directory/jre/bin directory...

Page 137: ...g-in type, vendor and device name. For example, the "Collector Novell eDirectory" license allows Sentinel Log Manager to collect events only from the eDirectory application, where Collector is the plug-in type, Novell is the vendor and eDirectory is the device name. You can also create a more generalized license, such as "Collector Novell", which allows Sentinel Log Manager to collect events from all applic...

Page 138: ...ng the Web UI or through the command line: Adding a License Key By Using the Web UI on page 138; Adding a License Key Through Command Line When the License has Expired on page 139. Adding a License Key By Using the Web UI: 1. Log in to the Sentinel Log Manager as an administrator. 2. Click the About link in the upper left corner of the page. 3. Click the Licenses tab. 4. In the License section, click Add Lice...

Page 139: ...the Licenses tab. The Licenses section specifies the features, hostname, serial number and expiry date of the added licenses. The Max EPS field shows the maximum EPS value among the various licenses. For example, if Sentinel Log Manager contains EPS licenses with values of 500, 1500, 2500 and 7500, the 7500 EPS value is displayed in the Max EPS field. The Licensed Features section lists the features an...

Page 141: ...r Version on page 142; Section 10.1.5, Restarting the Sentinel Log Manager, on page 142; Section 10.1.6, Starting the Database, on page 142; Section 10.1.7, Stopping the Database, on page 142. 10.1.1 Starting the Sentinel Log Manager: 1. Log in to the Sentinel Log Manager server by using the Sentinel Log Manager Administrator Operating System user (by default, novell). 2. Go to the Install_Directory/bin directory. 3...

Page 142: ...run the following command: server.sh restart. 10.1.6 Starting the Database: 1. Log in to the Sentinel Log Manager server by using the Sentinel Log Manager Administrator Operating System user (by default, novell). 2. Go to the Install_Directory/bin directory. 3. To start the database, run the following command: server.sh startdb. 10.1.7 Stopping the Database: 1. Log in to the Sentinel Log Manager server by using the Sentin...

Page 143: ...nnection Properties: The primary settings in these configuration files that can be configured using the dbconfig utility are related to the database connection, including username, password, hostname, port number, database (the database name) and server (postgresql). WARNING: Do not manually edit the database connection properties. Use the dbconfig utility to change any database connection values within these files. To...

Page 144: ...tall_Directory/config -u username -p password -h hostname -t portnum -d database -s server [-help] [-version]. Other settings in the files that can be adjusted manually without using dbconfig are maxConnections, batchSize and loadSize. Changing these settings might affect database performance and should be done with caution...

Page 145: ...d amount of space is available. If at least half of the desired space has not yet been freed, then partitions are deleted prematurely, on the basis that the incoming data is more important than any old data. 4. Partitions that are not archived and have completed their policy's keep-at-most time limit, ordered by the shortest amount of time before the keep-at-most limit, until none are left or at least half of the d...

Page 147: ...below, but for more information on keytool, see the Sun Web site (http://java.sun.com/j2se/1.3/docs/tooldocs/win32/keytool.html). 1. Go to the bin directory for Java, for example JAVA_HOME/bin. 2. Run the following command: keytool -genkey -alias <alias> -keystore <keystore>. 3. Specify a password for the truststore. This password is used when you import the truststore. 4. Specify the following information: First and last...

Page 149: ...ed from the search index. Tokenized fields are marked in the following table, and these fields are not case-sensitive while performing a search. NOTE: In addition to the tokenized fields mentioned below, if you do a search without specifying a field name (a full-text search), that search will be performed tokenized (not case-sensitive). Table C-1 Event Fields: Field / Short Name / Description / Tokenized / Visible in Ba...

Page 150: ...rarchy Level 4. CustomerVar1 to CustomerVar10 (cv1 to cv10): Reserved for use by customers for customer-specific data; Number; Y; Y. CustomerVar100 (cv100): Reserved for use by customers for customer-specific data; String. CustomerVar101 to CustomerVar130 (cv101 to cv130): Reserved for use by customers for customer-specific data; Integer, Stored in DB. CustomerVar11 to CustomerVar20 (cv11 to cv20): Reserved for use by customers for customer-s...

Page 151: ...stance for a database table; Y; Y. DataTagId (rv3): An ID for user-defined event tagging. DataValue43 (rv43): Data Value; String; Y. DeviceCategory (rv32): Device category (FW, IDS, AV, OS, DB). DeviceName (rv31): The name of the device generating the event. If this device is supported by Advisor, the name should match the name known by Advisor; String; Y; Y. EffectiveUserDomain (eudom): The domain namespace in which the effective...

Page 152: ...sset map; String. GLBA (cv92): Set to 1 if the asset is governed by the Gramm-Leach-Bliley Act regulation, via an asset map; String. HIPAA (cv91): Set to 1 if the asset is governed by the Health Insurance Portability and Accountability Act regulation, via an asset map; String. InitFunction (rv37): Initiator function; Y. InitHostDomain (rv42): The domain portion of the initiating system's fully qualified hostname; Y; Y. In...

Page 153: ...n raw device data; Y. InitUserIdentity (iuident): The internal UUID of the identity associated with the initiating account. InitUserName (sun): The initiating user's account name (SourceUsername); Y; Y. NISPOM (cv94): Set to 1 if the asset is governed by the National Industrial Security Program Operating Manual (NISPOM) regulation, via an asset map; String. ObserverChannel (rv150): The channel on which the observer delivered...

Page 154: ...that delivered the event to this server; Y. Resource (res): The resource name. RetentionPolicyConflict (rv101): Set to 1 (true) if more than one retention policy matched this event but only one was chosen; Integer, Stored in DB; Y. SARBOX (cv90): Set to 1 if the asset is governed by Sarbanes-Oxley, via an asset map; String. SensorType (st): The single-character designator for the sensor type (N, H, O, V, C, W, A, I). SentinelServ...

Page 155: ...twork port accessed on the target; Y. TargetThreatLevel (rv44): Target threat level. TargetTrustDomain (ttd): The domain namespace within which the target trust exists. TargetTrustID (ttid): The source-specific identifier of the trust (group, role, profile, etc.) affected. TargetTrustName (ttn): The name of the trust (group, role, profile, etc.) affected. TargetUserDepartment (tudep): The department of the identity associated wi...

Page 156: ...evel3 TaxonomyLevel4 Y Y Y TaxonomyLevel3 rv52 Event code categorization level 3 Displayed under the event name in the format TaxonomyLevel1 TaxonomyLevel2 TaxonomyLevel3 TaxonomyLevel4 Y Y Y TaxonomyLevel4 rv53 Event code categorization level 4 Displayed under the event name in the format TaxonomyLevel1 TaxonomyLevel2 TaxonomyLevel3 TaxonomyLevel4 Y Y Y VendorEventCode rv40 Event code reported by...

Page 157: ...lure or denial XDASOutcomeName xdasoutcome name Human readable XDAS outcome Y Y XDASProvider xdasprov The XDAS Provider ID refer to XDAS specification XDASRegistry xdasreg The XDAS Registry ID refer to XDAS specification XDASTaxonomyName xdastaxname Human readable XDAS event taxonomy string Y Y Field Short Name Description Tokenized Visible in Basic View Visible in Detailed View ...


Page 159: ...ssword Changes; All Vendors / All Products: Trust Access Assignments; All Vendors / All Products: Trust Management; All Vendors / All Products: Trust Provisioning; All Vendors / All Products: User Account Provisioning; Cisco Firewall: Authentication By Server; Cisco Firewall: Authentication by User; Cisco Firewall: Event Count Trend; Cisco Firewall: Password Resets; Cisco Firewall: Per User Modification; Cisco Firewall: Self...

Page 160: ...Self Password Changes; HP HP-UX: Trust Management; HP HP-UX: Trust Provisioning; HP HP-UX: User Account Provisioning; IBM AIX: Account Access Assignments; IBM AIX: Account Trust Assignments; IBM AIX: Authentication By Server; IBM AIX: Authentication by User; IBM AIX: Event Count Trend; IBM AIX: Password Resets; IBM AIX: Per Trust Modification; IBM AIX: Per User Modification; IBM AIX: Self Password Changes; IBM AIX: Trust ...

Page 161: ...fee VirusScan Enterprise: Event Count Trend; Microsoft Active Directory: Account Access Assignments; Microsoft Active Directory: Account Trust Assignments; Microsoft Active Directory: Authentication By Server; Microsoft Active Directory: Authentication by User; Microsoft Active Directory: Event Count Trend; Microsoft Active Directory: Object Provisioning; Microsoft Active Directory: Password Resets; Microsoft Act...

Page 162: ...assword Resets; Novell eDirectory: Per Object Modification; Novell eDirectory: Per Trust Modification; Novell eDirectory: Per User Modification; Novell eDirectory: Self Password Changes; Novell eDirectory: Trust Access Assignments; Novell eDirectory: Trust Management; Novell eDirectory: Trust Provisioning; Novell eDirectory: User Account Provisioning; Novell Identity Manager: Account Access Assignments; Novell Ident...

Page 163: ...t Trend; Novell Sentinel Link: Event Count Trend; Novell SUSE Linux Enterprise Server: Account Access Assignments; Novell SUSE Linux Enterprise Server: Account Trust Assignments; Novell SUSE Linux Enterprise Server: Authentication By Server; Novell SUSE Linux Enterprise Server: Authentication by User; Novell SUSE Linux Enterprise Server: Event Count Trend; Novell SUSE Linux Enterprise Server: Object Provisionin...

Page 164: ...nux: User Account Provisioning; Sourcefire Snort: Event Count Trend; Sun Solaris: Account Access Assignments; Sun Solaris: Account Trust Assignments; Sun Solaris: Authentication By Server; Sun Solaris: Authentication by User; Sun Solaris: Event Count Trend; Sun Solaris: Password Resets; Sun Solaris: Per Trust Modification; Sun Solaris: Per User Modification; Sun Solaris: Self Password Changes; Sun Solaris: Trust Managem...

Page 165: ... Connector to select and use the best Collector for the operating system on which the script is installed. For parsing the data, the identifier matches the most appropriate UniqueMatchingRule in the connection mode property of the Collector. If this script is not used, you can still route data to the right Collector by manually reconfiguring the event source to send data by using ...


Page 167: ...ritative UniqueMatchingRule: This property contains a regular expression that is used to find a matching syslog message. A device that generates a matching syslog message is assigned to this Collector and connection mode. Matching rules from different Collectors must never match the same message; otherwise it is ambiguous which Collector connection mode the device that genera...
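The overlap requirement for UniqueMatchingRule above (and the OS identifier matching on page 165) is easy to get wrong once several Collectors carry their own regular expressions, so here is an added example that is not part of the guide and not code from any Sentinel Collector or Connector. It simulates the routing decision with a set of constructed rule regexes and constructed syslog lines, reports every message that more than one rule claims (the ambiguity the text warns about) and every message no rule claims, and then repeats the check after the deliberately over-broad rule is narrowed. The collector names, regexes and log lines are all hypothetical.

```python
import re

# Constructed Collector connection modes, each with an illustrative
# UniqueMatchingRule regex. These are NOT the rules shipped with any real
# Sentinel Collector; they exist only to demonstrate the overlap check.
RULES = {
    "Cisco Firewall (syslog)": r"%(ASA|PIX|FWSM)-\d-\d{6}:",
    "Microsoft Active Directory (Snare)": r"\bMSWinEventLog\b",
    "Sun Solaris (syslog)": r"\b(sshd|su|login)\[\d+\]:.*\bSunOS\b",
    # Deliberately too broad: it also matches the SunOS sample below.
    "SUSE Linux Enterprise Server (syslog)": r"\b(sshd|su|login)\[\d+\]:",
}

# Same rule set with the SUSE rule narrowed so that SunOS messages are
# excluded via a negative lookahead; the two rules are now disjoint.
FIXED_RULES = dict(RULES)
FIXED_RULES["SUSE Linux Enterprise Server (syslog)"] = (
    r"\b(sshd|su|login)\[\d+\]:(?!.*\bSunOS\b)"
)

# Constructed syslog samples (not captured from real devices).
SAMPLES = [
    "Oct 11 22:14:15 fw01 %ASA-6-302013: Built inbound TCP connection 9421 for outside:10.1.1.5/51022",
    "Oct 11 22:14:16 dc01 MSWinEventLog 1 Security 4624 Mon Oct 11 22:14:16 2010 An account was successfully logged on",
    "Oct 11 22:14:17 sol01 sshd[2312]: Accepted publickey for admin from 10.0.0.5 port 51222 ssh2 [SunOS 5.10]",
    "Oct 11 22:14:18 sles01 sshd[4411]: Failed password for root from 10.0.0.9 port 40112 ssh2",
    "Oct 11 22:14:19 printer01 lpd[77]: job 12 queued",  # no rule should claim this
]


def compile_rules(rules):
    """Compile each connection mode's UniqueMatchingRule once."""
    return {name: re.compile(rx) for name, rx in rules.items()}


def route(message, rules=RULES):
    """Return the connection modes whose rule matches the message.

    The connector needs exactly one hit: zero means the device is unrouted,
    two or more means the rule set is ambiguous for this message.
    """
    compiled = compile_rules(rules)
    return [name for name, rx in compiled.items() if rx.search(message)]


def check_rules(rules, messages):
    """Run every sample message through the rule set and report problems.

    Returns (ambiguous, unrouted): ambiguous maps a message to the list of
    competing connection modes; unrouted lists messages no rule claims.
    """
    compiled = compile_rules(rules)
    ambiguous, unrouted = {}, []
    for m in messages:
        hits = [name for name, rx in compiled.items() if rx.search(m)]
        if len(hits) > 1:
            ambiguous[m] = hits
        elif not hits:
            unrouted.append(m)
    return ambiguous, unrouted


if __name__ == "__main__":
    for label, rules in (("original", RULES), ("fixed", FIXED_RULES)):
        amb, unr = check_rules(rules, SAMPLES)
        print(f"{label} rule set: {len(amb)} ambiguous, {len(unr)} unrouted")
        for m, hits in amb.items():
            print("  AMBIGUOUS:", m[:48], "->", hits)
        for m in unr:
            print("  UNROUTED: ", m[:48])
```

Run it against a representative sample of each device's real output before the rules go live: a regex-only review misses overlaps that only show up on actual messages, and the sample-based check is also what catches a message that no Collector claims.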

