Novell Sentinel Rapid Deployment 6.1 Page 15 Installation Manual Download | Manualshive

Page: 15 / 84

background image

Introduction

15

no

vd

ocx

(e

n)

17

Sep

te

m

be

r 20

09

1.3.2 Message Bus

Sentinel 6.1 Rapid Deployment uses the open source message broker named Apache*Active MQ.
The message bus is capable of moving thousands of message packets in a second between the
components of Sentinel. Its architecture is built around the Java Message Oriented Middleware
(JMOM) that supports asynchronous calls between the client and server applications. Message
queues provide temporary storage when the destination program is busy or not connected. For more
information, see “

Communication Server

” in the

Sentinel 6.1 Rapid Deployment User Guide

.

1.3.3 Sentinel Database

The Sentinel product is built around a back-end database that stores security events and all of the
Sentinel metadata. Sentinel 6.1 Rapid Deployment supports PostgreSQL. The events are stored in
normalized form, along with asset and vulnerability data, identity information, incident and
workflow status, and many other types of data. For more information, see “

Sentinel Data Manager

”

in the

Sentinel 6.1 Rapid Deployment User Guide

.

1.3.4 Sentinel Collector Manager

The Sentinel Collector Manager manages data collection, monitors system status messages, and
performs event filtering as needed. The main functions of the Collector Manager include
transforming events, adding business relevance to events through taxonomy, performing global
filtering on events, routing events, and sending health messages to the Sentinel server. The Sentinel
Collector Manager directly connects to the message bus. For more information, see “

Collectors

” in

the

Sentinel 6.1 Rapid Deployment User Guide

.

1.3.5 Correlation Engine

Correlation adds intelligence to security event management by automating analysis of the incoming
event stream to find patterns of interest. Correlation allows you to define rules that identify critical
threats and complex attack patterns so that you can prioritize events and initiate effective incident
management and response. For more information, see “

Correlation Tab

” in the

Sentinel 6.1 Rapid

Deployment User Guide

.

1.3.6 iTRAC

Sentinel provides an iTRAC™ workflow management system to define and automate processes for
incident response. Incidents that are identified in Sentinel, either by a correlation rule or manually,
can be associated with an iTRAC workflow. For more information, see “

iTRAC Workflows

” in the

Sentinel 6.1 Rapid Deployment User Guide

.

1.3.7 Sentinel Advisor and Exploit Detection

Sentinel Advisor is an optional data subscription service that includes known attacks,
vulnerabilities, and remediation information. This data, combined with known vulnerabilities and
real-time intrusion detection or prevention information from your environment, provide proactive
exploit detection and the ability to immediately act when an attack takes place against a vulnerable
system.

«
...
13
14
15
16
17
...
»

Summary of Contents for Sentinel Rapid Deployment 6.1

Page 1: ...Novell www novell com novdocx en 17 September 2009 AUTHORIZED DOCUMENTATION Sentinel 6 1 Rapid Deployment Installation Guide SentinelTM Rapid Deployment 6 1 December 2009 Installation Guide ...

Page 2: ...rt or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuclear missile or chemical biological weaponry end uses See the Novell International Trade Services Web page http www novell com info exports for more information on exporting Novell software Novell as...

Page 3: ...ell Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the property of their respective owners ...

Page 4: ...4 Sentinel 6 1 Rapid Deployment Installation Guide novdocx en 17 September 2009 ...

Page 5: ... 8 Web Server 16 1 4 Sentinel Plug Ins 16 1 4 1 Collectors 16 1 4 2 Connectors and Integrators 17 1 4 3 Correlation Rules and Actions 17 1 4 4 Reports 17 1 4 5 iTRAC Workflows 17 1 4 6 Solution Packs 17 1 5 Language Support 17 2 What s New in Sentinel 6 1 Rapid Deployment 19 2 1 New and Updated Features 19 2 2 Comparing Sentinel 6 1 and Sentinel 6 1 Rapid Deployment Features and Capabilities 19 3 ...

Page 6: ...ntinel 6 1 Rapid Deployment SP1 48 4 10 Updating the License Key from an Evaluation Key to a Production Key 48 5 Security Considerations for Sentinel 6 1 Rapid Deployment 49 5 1 Securing Communication Across the Network 49 5 1 1 Communication between Sentinel Server Processes 49 5 1 2 Communication between the Sentinel Server and the Sentinel Client Applications 50 5 1 3 Communication between the ...

Page 7: ...rocedures 75 A Updating the Sentinel 6 1 Rapid Deployment Hostname 77 A 1 Server 77 A 2 Client Applications 77 B Troubleshooting Tips 79 B 1 Database Authentication Fails on Entering Invalid Credentials 79 B 2 Sentinel Web Interface Does Not Start Up 79 B 3 Remote Collector Manager Throws Exception on Windows 2008 When UAC is Enabled 80 C Manually Configuring Sentinel 6 1 Rapid Deployment Server f...

Page 8: ...8 Sentinel 6 1 Rapid Deployment Installation Guide novdocx en 17 September 2009 ...

Page 9: ...6 1 Rapid Deployment Installation on page 61 Chapter 8 Uninstalling Sentinel 6 1 Rapid Deployment on page 73 Appendix A Updating the Sentinel 6 1 Rapid Deployment Hostname on page 77 Appendix B Troubleshooting Tips on page 79 Appendix C Manually Configuring Sentinel 6 1 Rapid Deployment Server for LDAP Authentication on page 81 Appendix D Documentation Updates on page 83 Audience This documentatio...

Page 10: ... is used to separate actions within a step and items within a cross reference path A trademark symbol etc denotes a Novell trademark An asterisk denotes a third party trademark When a single path name can be written with a backslash for some platforms or a forward slash for other platforms the path name is presented with forward slashes to reflect the Linux convention Users of platforms that requi...

Page 11: ...ecurity and non security information from across the networked infrastructure of an organization as well as the third party systems devices and applications Sentinel presents the collected data in a GUI identifies security or compliance issues and tracks remedial activities to streamline the error prone processes and build a more rigorous and secure management program Automated incident response m...

Page 12: ...ted and implemented through Solution Packs The following is an illustration of the conceptual architecture of Sentinel 6 1 Rapid Deployment which shows the components involved in performing security and compliance management Figure 1 1 Conceptual Architecture of Sentinel 1 2 Sentinel Rapid Deployment User Interfaces Sentinel includes the following easy to use user interfaces Sentinel Rapid Deploym...

Page 13: ...ol Center include Active Views Real time analytics and visualization Analysis Runs and saves offline queries Incidents Incident creation and management Correlation Correlation rules definition and management iTRAC Process management for documenting enforcing and tracking incident resolution processes Event Source Management Collector deployment and monitoring Solution Manager Install implement and...

Page 14: ...ary legacy language to process events You can create and customize the templates so that the Collector can parse the data For more information on developing your own Collectors see Developing Sentinel Collector Plug ins http developer novell com wiki index php Collectors 1 3 Sentinel Server Components Sentinel is made up of the following components Section 1 3 1 Data Access Service on page 14 Sect...

Page 15: ...s relevance to events through taxonomy performing global filtering on events routing events and sending health messages to the Sentinel server The Sentinel Collector Manager directly connects to the message bus For more information see Collectors in the Sentinel 6 1 Rapid Deployment User Guide 1 3 5 Correlation Engine Correlation adds intelligence to security event management by automating analysi...

Page 16: ...4 5 iTRAC Workflows on page 17 Section 1 4 6 Solution Packs on page 17 1 4 1 Collectors Sentinel collects data from source devices and delivers a richer event stream by injecting taxonomy exploit detection and business relevance into the data stream before events are correlated and analyzed and sent to the database A richer event stream means that data is correlated with the required business cont...

Page 17: ...tegrator For more information see Correlation Tab in the Sentinel 6 1 Rapid Deployment User Guide 1 4 4 Reports You can run a wide variety of dashboard and operational reports from the Sentinel 6 1 Rapid Deployment Web interface by using JasperReports The reports are typically distributed via Solution Packs 1 4 5 iTRAC Workflows iTRAC workflows provide consistent repeatable processes for managing ...

Page 18: ...18 Sentinel 6 1 Rapid Deployment Installation Guide novdocx en 17 September 2009 Japanese Dutch Polish Portuguese Simplified Chinese Spanish Traditional Chinese ...

Page 19: ...se a simplified single machine server installer Use the Web interface for the following Accessing the reporting and free form search functionalities Running the Sentinel Control Center SCC the Solution Designer and the Sentinel Data Manager SDM clients by using Java Web Start Downloading the multiplatform client installer and the Collector Manager Use a single multiplatform client installer to ins...

Page 20: ...onal set of credentials for the Sentinel Advisor service Server components including the embedded database the reporting engine a Collector Manager and a Web console are all included in the package and are installed and configured automatically on a single machine This allows you deploy and begin using the product very quickly and with a minimum amount of effort Additional Collector Managers can b...

Page 21: ...tion Manager Search A new Web based search tool allows you to quickly search for strings and patterns within the Sentinel event database You can search for text in a specific Sentinel event field or across all fields Data within the search results is hyperlinked to narrow down the search results with a single click You can also run the search by using the Sentinel Control Center Event searches can...

Page 22: ...22 Sentinel 6 1 Rapid Deployment Installation Guide novdocx en 17 September 2009 ...

Page 23: ... Browsers on page 24 Section 3 3 Hardware Requirements on page 24 Section 3 4 Virtualization on page 26 3 1 Software Requirements NOTE Sentinel 6 1 Rapid Deployment is not supported on the Open Enterprise Server installs of SLES 10 SP2 Table 3 1 Software and Operating System Combinations Platforms Sentinel Server Components Sentinel Client Applications Collector Manager Collector Builder SLES 10 S...

Page 24: ... ranges However these recommendations are based on the following assumptions The event rate is at the high end of the EPS range The average event size is 600 bytes SLES 10 SP2 32 bit Limited Support NOTE A demo only package of Novell Sentinel Rapid Deployment is designed for limited scale demonstration and testing environments by using 32 bit hardware and operating systems Customers or partners wi...

Page 25: ...so it is recommended that Novell Consulting Services or any of Novell Sentinel partners be consulted prior to finalizing the Sentinel architecture The recommendations below can be used as a guideline NOTE Because of high event loads and local caching the Sentinel Server is required to have a local or shared striped disk array RAID with a minimum of 4 disk spindles Table 3 2 Single Machine Configur...

Page 26: ...mponents RAM Space CPU Machine 1 Sentinel 6 1 Rapid Deployment Server Maximum EPS 3750 Collector Manager 1200 MB DAS_Core 1024MB DAS_Binary 512MB Correlation Engine 512 MB 4 General Event Collectors 4 eDirectory Event Sources generating 250 eps each 16 GB 1 TB SAS 15K rpm Hard Disk s Hardware RAID 10 SLES10 SP2 Dell PowerEdge 2900 2 x Quad Core Intel Xeon E5310 1 6 GHz with Gigabit Ethernet NIC Ma...

Page 27: ...e 39 Section 4 8 Post Installation Configuration on page 40 Section 4 9 LDAP Authentication on page 42 Section 4 10 Updating the License Key from an Evaluation Key to a Production Key on page 48 4 1 Installer Overview The Sentinel 6 1 Rapid Deployment installation package installs the following PostgreSQL database to store events and configuration information A Web based user interface for reporti...

Page 28: ...ent analysis Advisor Advisor provides real time correlation between detected IDS attacks and vulnerability scan output in order to immediately indicate increased risk to an organization An Advisor data snapshot is installed by default if you have an Advisor licence You need an Advisor license to subscribe to the ongoing Advisor data updates Data Access Service Includes data storage query display a...

Page 29: ...pid Deployment Client Components Use the following ports to configure your firewall setting to allow access between the Sentinel 6 1 Rapid Deployment server and the client components Sentinel Collector Manager Service that handles connections to event sources data parsing mapping and so on A Collector Manager is installed on the Sentinel server but additional Collector Managers can be installed on...

Page 30: ...hine meets the minimum system requirements For more information on prerequisites see Chapter 3 Sentinel 6 1 Rapid Deployment System Requirements on page 23 Install and configure an SMTP server if you want to be able to send mail notifications from the Sentinel system 4 4 2 Client Ensure that each client machine meets the minimum system requirements Ensure that you create a directory with ASCII onl...

Page 31: ...he subscription use your Novell eLogin to download and update the Advisor data 4 5 Installing the Sentinel 6 1 Rapid Deployment Server The Sentinel 6 1 Rapid Deployment Server can be installed in the following ways Section 4 5 1 Single Script Installation with Root Privileges on page 31 Section 4 5 2 Non Root Installation on page 33 4 5 1 Single Script Installation with Root Privileges 1 Log in as...

Page 32: ...cations for Advisor For more information on configuring SMTP integrator see Section 4 8 1 Configuring an SMTP Integrator to Send Sentinel Notifications on page 40 13 You are prompted to specify if you have the Advisor User account Do one of the following Enter 1 if you have purchased the Advisor account subscription Enter 2 if you have not purchased the account 14 Conditional If you have purchased...

Page 33: ...Sentinel 4 Create a directory for Sentinel For example mkdir p opt novell 5 Set the directory to be owned by the novell user and novell group For example chown R novell novell opt novell 6 Log in as the novell user su novell 7 Extract the installer tar file to installation directory you have created For example cd opt novell tar xfz sentinel6_rd_x86 64 tar gz 8 Run the installation script as follo...

Page 34: ...ERVER_IP 8443 sentinel The SERVER_IP is the IP of the machine where Sentinel is installed Launch the Sentinel Control Center by running opt novell sentinel6_rd_x86 64 bin control_center sh as the novell user 4 6 Installing the Client Applications Use the Novell Sentinel 6 1 Rapid Deployment Web interface to download the Collector Manager installer and the Client installer Section 4 6 1 Accessing N...

Page 35: ...staller allows you install the Sentinel Collector Manager on supported Windows and Linux platforms Click download Collector Manager installer and follow the on screen instructions Client Installer The Client Installer allows you install the Sentinel Control Center Sentinel Collector Builder Sentinel Solution Designer and Sentinel Data Manager on supported platforms Click download Client installer ...

Page 36: ...d only by Sentinel Control Center The allowed range is 64 1024 MB 10 Specify the Sentinel Administrator username and the path to the corresponding home directory This option is not available if any Sentinel applications are already installed This is the username of the user who owns the installed Sentinel product If the user does not exist a user is created along with a home directory in the speci...

Page 37: ...of these ports for future installations on other machines 12 Click Next 13 A summary of the installation is displayed Click Install 14 Click Finish to complete installation NOTE When you log in again use the username you specified in Step 10 If you forget the username that you have set open a terminal console and enter the following command as a root user env grep ESEC_USER This command returns th...

Page 38: ...onding home directory in the specified directory OS Sentinel Administrator User Home Directory The default is export home If esecadm is the username the corresponding home directory is export home esecadm To log in as the esecadm user you need to first set its password 9 Specify the following then click Next Message bus port The port on which the communication server is listening Components connec...

Page 39: ...lectormanager cefc76062c58e2835aa3d777778f9295 Where collectormanager is the username and cefc76062c58e2835aa3d777778f9295 is the corresponding password You must use the collectormanager user and its corresponding password during the Collector Manager service installation In this case the collectormanager user has the access rights only to the required communication channels for the Collector Mana...

Page 40: ...he following situations When a Correlation rule deployed with a Send Email action is triggered The Send Email action referred here is the action indicated by the gear icon which is only valid for correlation as opposed to the JavaScript SendEmail Action which is indicated by the JS JavaScript icon Workflow includes a Mail Step or Activity that is configured to send email User opens an incident and...

Page 41: ...ndwidth requirements and provides additional data security Allow installation on additional operating systems For example installing a Collector Manager node on Microsoft Windows to enable data collection by using the WMI protocol Allow file caching that enables the remote collector manager to cache large amounts of data when the server is temporarily busy with archiving or processing a spike in e...

Page 42: ...als Section 4 9 1 Configuring the Sentinel 6 1 Rapid Deployment Server for LDAP Authentication on page 42 Section 4 9 2 Configuring LDAP Failover Servers on page 46 Section 4 9 3 LDAP Authentication without Performing Anonymous Searches on page 47 Section 4 9 4 Migrating LDAP Users from Sentinel 6 1 Rapid Deployment Hotfix 2 to Sentinel 6 1 Rapid Deployment SP1 on page 48 4 9 1 Configuring the Sen...

Page 43: ...ll user su novell 5 Change to the following directory Install_Directory bin 6 Run the ldap_auth_config sh script ldap_auth_config sh The script takes a backup of the auth login and configuration xml configuration files in the Install_Directory config directory and saves them as auth login sav and configuration xml sav in the same directory before modifying them for LDAP authentication 7 Perform ei...

Page 44: ... subtree is specified then the search is run on the entire directory Active Directory CN users DC TEST AD DC provo DC novell DC com NOTE For Active Directory the subtree cannot be blank Enter n if you do not want to perform anonymous searches on the LDAP directory Filename of the LDAP server certificate The filename of the eDirectory Active Directory CA certificate that you copied in Step 2 Parame...

Page 45: ...tion you have selected for Anonymous searches on LDAP directory on page 44 y Create a LDAP user with the same username as the eDirectory username or Active Directory sAMAccountName n Create a LDAP user The username does not need to be the same as the eDirectory username or Active Directory sAMAccountName You must specify the fully qualified DN of the LDAP user in the LDAP User DN field NOTE In the...

Page 46: ...stall_Directory config directory cd Install_Directory config 4 Open the auth login file for editing vi auth login 5 Update the userProvider in the LdapLogin section to specify multiple LDAP URLs Separate each URL by a blank space For example userProvider ldap ldap url1 ldap ldap url2 For more information on specifying multiple LDAP URLs see the description of the userProvider option in Class LdapL...

Page 47: ... the ldap_auth_config sh script 3 In Sentinel Control Center open User Manager then create an LDAP user Sentinel Rapid Deployment SP1 The LDAP User DN must be the same as the Active Directory sAMAccountName Sentinel Rapid Deployment Hotfix 2 The LDAP User Name must be the same as the Active Directory sAMAccountName 4 On the Sentinel Rapid Deployment server edit the LdapLogin section in the Install...

Page 48: ...or each existing LDAP user right click and select User Details The LDAP user who was created by using the Domain option is displayed as LDAP type 4 Optional If you selected n for Anonymous searches on LDAP directory specify the fully qualified DN of the LDAP user in the LDAP User DN field For more information see Creating a User Account Through LDAP Authentication in the Sentinel 6 1 Rapid Deploym...

Page 49: ...n between Sentinel Server Processes on page 49 Section 5 1 2 Communication between the Sentinel Server and the Sentinel Client Applications on page 50 Section 5 1 3 Communication between the Server and the Database on page 50 Section 5 1 4 Communication between the Collector Managers and Event Sources on page 51 Section 5 1 5 Communication with the Web Browsers on page 51 Section 5 1 6 Communicati...

Page 50: ...hrough Web Start the communication strategy is defined on the server in the Install_Dirirectory 3rdparty tomcat webapps ROOT novellsiemdownloads configuration xml file as follows strategy active yes id proxied_client location com esecurity common communication strategy proxystrategy ProxiedCl ientStrategyFactory transport type ssl ssl host 164 99 18 162 port 10013 keystore novell sentinel proxyCli...

Page 51: ...tion see the Tomcat documentation http tomcat apache org tomcat 4 0 doc ssl howto html 5 1 6 Communication between the Database and Other Clients You can configure the PostgreSQL SIEM database to allow connection from any client machine by using the Sentinel Data Manager or by using any third party application such as Pgadmin To allow the Sentinel Data Manager to connect from any client machine ad...

Page 52: ...e the user and group created at the time of first installation 2 Clear the environment variables ESEC_USER from etc profile Windows No users are created The password policies for system users are defined by the operating system that is being used 5 2 2 Sentinel Application and Database Users All Sentinel 6 1 Rapid Deployment application users are native database users and their passwords are prote...

Page 53: ...l Database Credentials The Database credentials are stored in the Installation_Directory config server xml file class esecurity base ccs comp dataobject ConnectionManager class property name username appuser property property name password 7fA ogBMeK7cRbJ S6xJ InLBUi sRVGK5qYycDxfIqGDHVX9FApWg property Advisor Credentials obj component id DownloadComponent class esecurity ccs comp advisor feed New...

Page 54: ...VX9FApWg property das_core xml class esecurity base ccs comp dataobject ConnectionManager class property name username appuser property property name password 7fA ogBMeK7cRbJ S6xJ InLBUi sRVGK5qYycDxfIqGDHVX9FApWg property Some database tables store passwords and certificates This sensitive data is encrypted and is stored in the tables listed below you must limit the access to these tables EVT_SRC...

Page 55: ...ation_engine cache DAS Core Install_Directory config das_core cache DAS Binary Install_Directory config Event data might be cached if the database is down das_binary cache Collector Manager File system Install_Directory config The only sensitive configuration information is the client key pair used to connect to the message bus Event data might be cached on the file system during error conditions ...

Page 56: ...yption keys Use an encryption appliance that encrypts sensitive backup media as data is backed up If you transport and store media offsite use a company that specializes in media shipment and storage Make sure that your tapes are tracked via bar codes stored in environmentally friendly conditions and are handled by a company whose reputation rests on its ability to handle your media properly Load ...

Page 57: ...ime of installation substitute in the port numbers that were prompted for at the time of installation For more information on enabling a firewall on SLES 10 see Configuring Firewalls with YaST http www novell com documentation sles10 sles_admin data sec_fire_suse html in the SLES 10 Administration Guide 5 6 Auditing Sentinel Sentinel automatically generates events for many of its internal actions ...

Page 58: ...h a certificate signed by a major Certificate Authority CA such as VeriSign Thawte or Entrust You can also replace the self signed certificate with a certificate signed by a less common CA such as a CA within your company or organization For more information see Certificate Management for Sentinel 6 1 Rapid Deployment Server in the Sentinel 6 1 Rapid Deployment Reference Guide ...

Page 59: ...lling Advisor A snapshot of the Advisor data is installed as part of the sentinel 61 rd installation However to download and install the ongoing Advisor data updates from the Advisor server you need a current subscription and valid credentials During the installation you can specify the credentials to access the Advisor server After sentinel installation Advisor new feed files from the Internet ar...

Page 60: ...n mail Changing the scheduled data update time Updating Advisor data manually to be effective the Advisor data must be updated on a regular basis as new attacks and vulnerabilities are added to the data feed If these updates are not taking place by default they must be performed manually For more information see Section 6 2 1 Updating Advisor Data in a Secured Environment on page 59 For more infor...

Page 61: ...into the database and can be retrieved by using a report Incidents can be created and viewed Rules are evaluated and correlated events are triggered by the Correlation Engine The Sentinel Data Manager is connected to the database and can read the partition information If any of these tests fail review the installation log and other log files and contact Novell Technical Support http support novell...

Page 62: ...ct Live View 7 In the Graphical view right click 5 eps event source and select Start 8 Close the Event Source Management Live View window 9 Click the Active Views tab You can view the Active window titled PUBLIC High_Severity Severity It might take some time for the Collector to start and the data to be displayed in this window 10 Click the Event Query button in the toolbar The Historical Event Qu...

Page 63: ...ntinel 6 1 Rapid Deployment Installation 63 novdocx en 17 September 2009 15 Hold down the Ctrl or Shift key and select multiple events from the Historical Event Query window 16 Right click and select Create Incident ...

Page 64: ... a success notification displays click OK 18 Click the Incident tab to see the incident you just created in the Incident View Manager 19 Double click the incident to display 20 Close the Incident Window 21 Click the Analysis tab 22 Click Offline Queries from the Analysis menu or from the Navigator 23 In the Offline Query window click Add ...

Page 65: ...e period then click OK 25 Click Browse to view the list of events and associated details in the Active Browser window You can view the details such as Collector Target IP Severity Target Service Port Resource etc 26 Select the Correlation tab The Correlation Rule Manager is displayed 27 Click Add The Correlation Rule Wizard displays ...

Page 66: ...66 Sentinel 6 1 Rapid Deployment Installation Guide novdocx en 17 September 2009 28 Click Simple Simple Rule window displays ...

Page 67: ...enu to set the time period to 1 minute Click Next The General Description window displays 31 Name the rule as TestRule1 provide a description and click Next 32 Select No do not create another rule and click Next 33 Create an action to associate with the rule you have created 33a Perform either of the following Select Tools Action Manager Add In the Deploy Rule window click Add Action For more info...

Page 68: ...y to 5 Specify the EventName For example CorrelatedEvent Specify a message if required For more information on creating an action see Creating Actions in the Sentinel 6 1 Rapid Deployment User Guide 33c Click Save 34 Open the Correlation Rule Manager window 35 Select a rule and click Deploy Rules link The Deploy Rule window displays 36 In the Deploy Rule window select the Engine to deploy the rule...

Page 69: ...ion to fire the deployed correlation rule For example open a Sentinel Control Center login window and give wrong user credentials to generate such an event 40 Click the Active Views tab and verify that the Correlated Event is generated 41 Close the Sentinel Control Center 42 In the Applications page click Launch Sentinel Data Manager 43 Log into Sentinel Data Manager by using the Database Administ...

Page 70: ...e system verification you should remove the objects created for the tests 1 Log into the system using the Sentinel Administrative User specified during installation admin by default 2 Select the Correlation tab 3 Open the Correlation Engine Manager 4 Right click TestRule1 in the Correlation Engine Manager and select Undeploy 5 Open the Correlation Rule Manager 6 Select TestRule1 and click Delete 7...

Page 71: ...ect Delete 7 3 Getting Started To get started with real data you will need to import and configure Collectors that are appropriate for your environment configure your own rules build iTRAC workflows and so on For more information see Sentinel 6 1 Rapid Deployment User Guide Sentinel Solution Packs can help you get started quickly See The Sentinel Content Page http support novell com products senti...

Page 72: ...72 Sentinel 6 1 Rapid Deployment Installation Guide novdocx en 17 September 2009 ...

Page 73: ...lowing command to ensure that all the Sentinel processes have stopped working ps ef grep novell 3 Stop any remaining processes manually by entering the following command kill 9 pid 4 Use the following command with necessary root permissions to uninstall the Sentinel service sudo opt novell sentinel6_rd_x86 64 setup root_uninstall_service sh 5 Verify with necessary root permissions that the service...

Page 74: ... user then remove the user corresponding home directory and group by using the following commands userdel r novell groupdel novell 8 2 Uninstalling the Remote Collector Manager and Sentinel Client Applications Section 8 2 1 Linux on page 74 Section 8 2 2 Windows on page 75 Section 8 2 3 Post Uninstallation Procedures on page 75 8 2 1 Linux 1 Log in as root 2 Go to the following location Install_Di...

Page 75: ...installation Procedures After uninstalling the applications certain systems settings remain which can be manually removed These settings should be removed before performing a clean installation of Sentinel particularly if the Sentinel uninstallation encountered errors NOTE On Linux uninstalling Collector Manager or Client Applications does not remove the Sentinel Administrator User from the operat...

Page 76: ...l_Directory folder by default C Program Files Novell Sentinel6 3 Right click My Computer Properties the Advanced tab 4 Click the Environment Variables button 5 If they exist delete the following variables ESEC_HOME ESEC_VERSION ESEC_JAVA_HOME ESEC_CONF_FILE WORKBENCH_HOME 6 Remove any entries in the PATH environment variable that point to the Sentinel installation 7 Delete all Sentinel shortcuts f...

Page 77: ...pdated All references to the local loop localhost or 127 0 0 1 in the install_home config configuration xml file remain unaffected A 2 Client Applications For the client applications you must manually change the server hostname or IP address at the following locations to point to the correct server install_home config configuration xml The Sentinel Control Center and the Solution Designer use this...

Page 78: ...78 Sentinel 6 1 Rapid Deployment Installation Guide novdocx en 17 September 2009 ...

Page 79: ...ed Sentinel 6 1 Rapid Deployment on a machine where an Identity Audit process is either running or its uninstall is incomplete Action Sentinel 6 1 Rapid Deployment and Novell Identity Audit cannot be installed on a same machine Before you install Sentinel 6 1 Rapid Deployment on the machine where Identity Audit is installed ensure that you uninstall Identity Audit completely If the Identity Audit ...

Page 80: ...ies Maps are not being initialized You can not choose any event source file on the Collector Manager Win2008 machine s file system by using the File Connector Common Cause You have installed the Collector Manager on a Windows 2008 SP1 standard edition 64 bit The machine has the User Access Control UAC by default set to Enabled Action Change the Log On owner for the Sentinel services to the current...

Page 81: ...y config 3 Open the file auth login in a text editor vi auth login 4 Modify the entry LdapLogin as follows 4a Change the class name of the login module from esecurity ccs auth jaas LdapLoginModule to com sun security auth module LdapLoginModule 4b Add the following parameters after the word required and before the ending semicolon by separating them with white space userProvider url where url is t...

Page 82: ...entinel server 11 After the configuration is completed create users with passwords in eDirectory by using iManager or in Active Directory by using Microsoft Management Console to test the LDAP Authentication 12 Login to the Sentinel Control Center as the admin user and create a domain user with same username either as the eDirectory username or the Active Directory sAMAccountName After configurati...

Page 83: ...s appear in reverse chronological order according to the publication date Within a dated entry changes are grouped and sequenced according to where they appear in the document itself Each change entry provides a link to the related topic and a brief description of the change This document was updated on the following dates D 1 December 2009 Updates were made to the following section The changes ar...

Page 84: ... 1 Rapid Deployment on page 49 Updated the following sections for technical accuracy Section 5 2 1 Operating System Users on page 51 Section 5 2 2 Sentinel Application and Database Users on page 52 Section 5 3 Securing Sentinel Data on page 53 Section 5 4 Backing Up Information on page 56 Chapter 7 Testing the Sentinel 6 1 Rapid Deployment Installation on page 61 Updated Section 7 1 Testing the Ra...

Reviews:

No comments

Related manuals for Sentinel Rapid Deployment 6.1

Element Manager 2.1

Brand: Cabletron Systems Pages: 108

Brand: Brocade Communications Systems Pages: 41

DIMAGE VIEWER 2.1

Brand: Minolta Pages: 84

Veritas CommandCentral 5.1

Brand: Symantec Pages: 52

Brand: Seagate Pages: 2

GForce M-Tron Pro

Brand: M-Audio Pages: 4

DRUM AND BASS RIG

Brand: M-Audio Pages: 3

Brand: Internet Security Systems Pages: 126

BACKUP AND RECOVERY 10 SERVER FOR LINUX -

Brand: ACRONIS Pages: 14

Backup & Recovery 10 Advanced Editions

Brand: ACRONIS Pages: 10

Brand: GameShark Pages: 15

Brand: Hasselblad Pages: 6

Brand: FieldServer Pages: 34

Brand: Palm Pages: 30

SmartST SmartST Professional

Brand: Navman Pages: 60

Brand: Xerox Pages: 20

FREEFLOW 701P46740

Brand: Xerox Pages: 38

TonePrint Editor

Brand: TC Electronic Pages: 19

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands