Sentinel 6.1 Rapid Deployment Correlation Engine RuleLG Language   39
novdocx (en) 13 May 2009

Boolean Operators

Filter expressions can be combined using the Boolean operators AND, OR and NOT. The filter Boolean operator precedence (from highest [top] to lowest [bottom] precedence) is given in Table 3-1, Boolean Operators.

In addition to Boolean operators, filter supports the following operators.

Standard Arithmetic Operators

Standard arithmetic operators can be used to build a condition that compares the value of a Sentinel 
metatag and a user-specified value (either a numeric value or a string field). The standard arithmetic 
operators in Sentinel are =, <, >, !=, <=, and >=.

Examples:

filter(e.Severity > 3)
filter(e.BeginTime < 1179217665)
filter(e.SourceUserName != "Administrator")

Match Regex Operators

The match regex operator can be used to build a condition where the value of a metatag matches a 
user-specified regular expression value specified in the rule. This operator is used only for string 
tags, and the user-specified values for this operator are case-sensitive.

Examples:

filter(e.Collector match regex ("IBM"))
filter(e.EventName match regex ("Attack"))

Match Subnet Operators

The match subnet operator can be used to build a condition where the value of a metatag matches a 
user-specified subnet, given in the rule in CIDR notation. This operator is used only for IP 
address fields.

Example:

filter(e.DestinationIP match subnet (10.0.0.1/22))

Inlist Operator

The inlist operator is used to perform a lookup on an existing dynamic list of string values, returning 
true if the value is present in the list. For more information on Dynamic Lists, see "Correlation Tab" 
in Sentinel 6.1 Rapid Deployment User Guide.

Table 3-1   Boolean Operators

Operator   Meaning       Operator Type   Associativity
Not        logical not   unary           None
And        logical and   binary          left to right
Or         logical or    binary          left to right
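The operators and the precedence described in this section, as an added Python example (not code from Novell's guide or from Sentinel itself): a small tokenizer, parser and evaluator for the filter subset shown on this page (standard arithmetic comparisons, match regex, match subnet, and AND/OR/NOT with the Table 3-1 precedence), run over three constructed sample events. Assumptions: keywords are accepted case-insensitively, match regex performs an unanchored case-sensitive search, and the inlist operator (whose syntax is not given on this page) is not modelled; the event dictionaries and their values are constructed samples.

```python
import ipaddress
import re

# Constructed sample events (not from the guide); keys mirror Sentinel metatag names.
EVENTS = [
    {"Severity": 5, "SourceUserName": "Administrator", "DestinationIP": "10.0.1.7", "EventName": "Attack detected"},
    {"Severity": 2, "SourceUserName": "jsmith", "DestinationIP": "192.168.1.9", "EventName": "Login"},
    {"Severity": 4, "SourceUserName": "svc-backup", "DestinationIP": "10.0.3.200", "EventName": "attack"},
]
# Token grammar for the filter subset on this page. CIDR is tried before plain numbers so
# 10.0.0.1/22 is not split; keywords match case-insensitively (an assumption, not stated by the guide).
TOKEN_RE = re.compile(
    r'\s*(?:(?P<cidr>\d+\.\d+\.\d+\.\d+/\d+)|(?P<num>\d+)|"(?P<str>[^"]*)"|(?P<tag>e\.\w+)'
    r'|(?P<op><=|>=|!=|[=<>()])|(?P<kw>match\s+regex|match\s+subnet|and|or|not)\b)', re.IGNORECASE)
CMP = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, "<": lambda a, b: a < b,
       ">": lambda a, b: a > b, "<=": lambda a, b: a <= b, ">=": lambda a, b: a >= b}
BINARY = ("or", "and")  # lowest to highest precedence (Table 3-1); both associate left to right


def tokenize(text):
    """Split a filter expression into (kind, value) tokens."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if m is None:
            raise SyntaxError(f"unexpected input at {pos}: {text[pos:pos + 12]!r}")
        kind, value = m.lastgroup, m.group(m.lastgroup)
        tokens.append((kind, " ".join(value.lower().split()) if kind == "kw" else value))
        pos = m.end()
    return tokens


class Parser:  # recursive descent over Table 3-1 precedence: NOT binds tightest, then AND, then OR
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind=None, value=None):
        tok = self.peek()
        if (kind and tok[0] != kind) or (value and tok[1] != value):
            raise SyntaxError(f"expected {value or kind}, got {tok}")
        self.i += 1
        return tok
    def parse_binary(self, level=0):                       # OR at level 0, AND at level 1
        if level == len(BINARY):                           # past AND: unary NOT, then an atom
            if self.peek() == ("kw", "not"):
                self.take()
                return ("not", self.parse_binary(level))
            return self.parse_atom()
        node = self.parse_binary(level + 1)
        while self.peek() == ("kw", BINARY[level]):        # left-to-right associativity
            self.take()
            node = (BINARY[level], node, self.parse_binary(level + 1))
        return node
    def parse_atom(self):
        if self.peek() == ("op", "("):
            self.take()
            node = self.parse_binary()
            self.take("op", ")")
            return node
        tag = self.take("tag")[1][2:]                      # "e.Severity" -> "Severity"
        kind, value = self.take()
        if kind == "op" and value in CMP:                  # standard arithmetic operator
            rkind, rval = self.take()
            return ("cmp", value, tag, int(rval) if rkind == "num" else rval)
        if value in ("match regex", "match subnet"):
            self.take("op", "(")
            literal = self.take()[1]
            self.take("op", ")")
            return (value, tag, literal)
        raise SyntaxError(f"unexpected {value!r} after e.{tag}")


def evaluate(node, e):
    op = node[0]
    if op in BINARY:
        left, right = evaluate(node[1], e), evaluate(node[2], e)
        return (left or right) if op == "or" else (left and right)
    if op == "not":
        return not evaluate(node[1], e)
    if op == "cmp":
        return CMP[node[1]](e[node[2]], node[3])
    if op == "match regex":  # case-sensitive, as the guide states; unanchored search is an assumption
        return re.search(node[2], str(e[node[1]])) is not None
    # match subnet: strict=False lets a host address such as 10.0.0.1/22 name its network
    return ipaddress.ip_address(e[node[1]]) in ipaddress.ip_network(node[2], strict=False)


def rule_filter(rule, events):
    """Apply filter(<expression>) to events; return those for which it evaluates true."""
    expr = rule.strip()
    if expr.startswith("filter(") and expr.endswith(")"):
        expr = expr[len("filter("):-1]
    parser = Parser(tokenize(expr))
    tree = parser.parse_binary()
    if parser.peek() != (None, None):
        raise SyntaxError(f"trailing input: {parser.peek()}")
    return [e for e in events if evaluate(tree, e)]


if __name__ == "__main__":
    print(rule_filter('filter(e.DestinationIP match subnet (10.0.0.1/22))', EVENTS))
```

Because NOT binds before AND and AND before OR, the rule `filter(not e.Severity > 3 and e.SourceUserName = "jsmith" or e.EventName match regex ("Attack"))` is read as `((NOT Severity > 3) AND user = jsmith) OR EventName ~ Attack`; wrapping the first two conditions in parentheses before the NOT changes which of the sample events pass, which is the practical reason to parenthesize explicitly in freeform rules rather than rely on the precedence table.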

Summary of Contents for Sentinel Rapid Deployment 6.1

Page 1: ...Novell www novell com novdocx en 13 May 2009 AUTHORIZED DOCUMENTATION Sentinel 6 1 Rapid Deployment Reference Guide SentinelTM Rapid Deployment 6 1 June 15 2009 Reference Guide ...

Page 2: ...or re export to entities on the current U S export exclusion lists or to any embargoed or terrorist countries as specified in the U S export laws You agree to not use deliverables for prohibited nuclear missile or chemical biological weaponry end uses See the Novell International Trade Services Web page http www novell com info exports for more information on exporting Novell software Novell assum...

Page 3: ... Trademarks For Novell trademarks see the Novell Trademark and Service Mark list http www novell com company legal trademarks tmlist html Third Party Materials All third party trademarks are the property of their respective owners ...

Page 4: ...4 Sentinel 6 1 Rapid Deployment Reference Guide novdocx en 13 May 2009 ...

Page 5: ...tive Views 28 2 3 1 Active Views Menu Items 29 2 4 iTRAC 29 2 4 1 iTRAC Template Management 29 2 4 2 iTRAC Process Management 30 2 5 Incidents 30 2 6 Integrators 30 2 7 Actions 31 2 8 Event Source Management 31 2 9 Analysis Tab 32 2 10 Administration 32 2 10 1 Administration Global Filters 32 2 10 2 Administration Server Views 33 2 11 Correlation 33 2 12 Solution Pack 33 2 13 Identity 33 2 14 Repo...

Page 6: ...M_RPT_V 58 6 1 2 ACTVY_REF_PARM_VAL_RPT_V 59 6 1 3 ACTVY_REF_RPT_V 59 6 1 4 ACTVY_RPT_V 59 6 1 5 ADV_ATTACK_MAP_RPT_V 60 6 1 6 ADV_ATTACK_PLUGIN_RPT_V 60 6 1 7 ADV_ATTACK_RPT_V 61 6 1 8 ADV_ATTACK_SIGNATURES 62 6 1 9 ADV_FEED_RPT_V 62 6 1 10 ADV_MASTER_RPT_V 63 6 1 11 ADV_PRODUCT_RPT_V 63 6 1 12 ADV_PRODUCT_SERVICE_PACK_RPT_V 64 6 1 13 ADV_PRODUCT_VERSION_RPT_V 64 6 1 14 ADV_VENDOR_RPT_V 65 6 1 15...

Page 7: ...EVT_ASSET_RPT_V3 93 6 1 60 EVT_DEST_EVT_NAME_SMRY_1_RPT_V 94 6 1 61 EVT_DEST_SMRY_1_RPT_V 94 6 1 62 EVT_DEST_TXNMY_SMRY_1_RPT_V 95 6 1 63 EVT_NAME_RPT_V 95 6 1 64 EVT_PORT_SMRY_1_RPT_V 96 6 1 65 EVT_PRTCL_RPT_V 96 6 1 66 EVT_PRTCL_RPT_V3 97 6 1 67 EVT_RSRC_RPT_V 97 6 1 68 EVT_SEV_SMRY_1_RPT_V 97 6 1 69 EVT_SRC_COLLECTOR_RPT_V 98 6 1 70 EVT_SRC_GRP_RPT_V 98 6 1 71 EVT_SRC_MGR_RPT_V 99 6 1 72 EVT_SR...

Page 8: ..._RPT_V 116 6 1 113 VULN_RSRC_SCAN_RPT_V 117 6 1 114 VULN_SCAN_RPT_V 117 6 1 115 VULN_SCAN_VULN_RPT_V 118 6 1 116 VULN_SCANNER_RPT_V 118 6 1 117 WORKFLOW_DEF_RPT_V 118 6 1 118 WORKFLOW_INFO_RPT_V 119 6 2 Deprecated Views 119 A Sentinel 6 1 Rapid Deployment Troubleshooting Checklist 121 B Sentinel 6 1 Rapid Deployment Service Permission Tables 125 B 1 Advisor 125 B 2 Collector Manager 126 B 3 Correl...

Page 9: ...ions on page 25 Chapter 3 Sentinel 6 1 Rapid Deployment Correlation Engine RuleLG Language on page 37 Chapter 4 Sentinel 6 1 Rapid Deployment Data Access Service on page 47 Chapter 6 Sentinel 6 1 Rapid Deployment Database Views for PostgreSQL on page 55 Appendix A Sentinel 6 1 Rapid Deployment Troubleshooting Checklist on page 121 Appendix B Sentinel 6 1 Rapid Deployment Service Permission Tables ...

Page 10: ...ript and JavaScript correlation actions Documentation Conventions In this documentation a greater than symbol is used to separate actions within a step and items within a cross reference path A trademark symbol etc denotes a Novell trademark An asterisk denotes a third party trademark When a single path name can be written with a backslash for some platforms or a forward slash for other platforms ...

Page 11: ... 6 1 Rapid Deployment User Guide InitUserName is the default label to represent the account name of the user who initiated the event but this can be changed by the administrator When a user changes the default label the changes are reflected in most areas of the interface including any correlation rules filters and right click menu options WARNING Changing the default label for variables other tha...

Page 12: ... January 1 1970 00 00 00 GMT When displayed in Sentinel Control Center meta tags of type date are displayed in a regular date format IPv4 IP address in dotted decimal notation that is xxx xxx xxx xxx This section has the following information Section 1 1 1 Free Form Filters and Correlation Rules on page 12 Section 1 1 2 Actions on page 13 Section 1 1 3 Proprietary Collectors on page 15 Section 1 1...

Page 13: ...n special cases w may be used to refer to a field in a past event for example w InitUserName For more information about the RuleLG language see Chapter 3 Sentinel 6 1 Rapid Deployment Correlation Engine RuleLG Language on page 37 1 1 2 Actions Users can use either the tag or the label when they define parameters to be sent to right click Event Menu actions correlation actions and iTRAC workflow ac...

Page 14: ...e correlated event sun in a correlation action refers to the value of InitUser in the current trigger event the final event that caused the correlation rule to fire NOTE In a right click menu event operating on a single event there is no functional difference between sun and sun For example to pass the Initiator User Name to a command line action to look up information from a database about that u...

Page 15: ...Event Configuration in the Sentinel Control Center For a Sentinel system with a default configuration for example the Initiator User Name would be referred to as e InitUserName in the JavaScript Collector There are some exceptions to this general rule Refer to the Sentinel Collector SDK http developer novell com wiki index php title Develop_to_Sentinel for more details 1 2 List of Fields and Repre...

Page 16: ... and time the event stopped occurring for repeated events RepeatCount e rc rc s_RC integer The number of times the same event occurred if multiple occurrences were consolidated EventTime e dt dt date The normalized date and time of the event as given by the Collector SentinelServiceID e src src UUID Unique identifier for the Sentinel service which generated this event Severity e sev sev i_Severity...

Page 17: ...cePort e spint spint s_SPINT integer Port used by service application that initiated the connection InitServicePortName e sp sp s_SP string Name of the initiating service that caused the event TargetHostName e dhn dhn s_DHN string Unqualified hostname of the target system TargetServicePort e dpint dpint s_DPINT integer Network port accessed on the target TargetServicePortName e dp dp s_DP string N...

Page 18: ...g Reserved by Novell for expansion Ct1 thru Ct2 e ct1 thru e ct2 ct1 thru ct2 s_CT1 and s_CT2 string Reserved for use by customers for customer specific data Rt3 e rt3 rt3 integer Reserved by Novell for expansion Ct3 e ct3 ct3 s_CT3 integer Reserved for use by customers for customer specific data CorrelatedEventUuids e ceu ceu s_RT3 string List of event UUIDs associated with th correlated event On...

Page 19: ...endent numeric value InitIPCountry e rv29 rv29 s_RV29 string Country where the IPv4 address of the initiating system is located TargetIPCountry e rv30 rv30 s_RV30 string Country where the IPv4 address of the target system is located DeviceName e rv31 rv31 s_RV31 string Name of the device generating the event If this device is supported by Advisor the name should match the name known by Advisor Use...

Page 20: ...tus TargetFunction e rv47 rv47 s_RV47 string Target function TargetOperationalContext e rv48 rv48 s_RV48 string Target operational context TaxonomyLevel4 e rv53 rv53 s_RV53 string Sentinel event code categorization level 4 CustomerHierarchyLevel2 e rv54 rv54 s_RV54 string Customer Hierarchy Level 2 used by MSSPs VirusStatus e rv56 rv56 s_RV56 string Virus Status InitMacAddress e rv57 rv57 s_RV57 s...

Page 21: ...thru rv97 s_RV84 thru s_rv97 string Variables not currently in use TargetDepartment e rv98 rv98 s_RV98 string Target Department Part of target host asset data TargetAssetId e rv99 rv99 s_RV99 string Internal asset identifier of the target CustomerHierarchyLevel4 e rv100 rv100 s_RV100 string Customer Hierarchy Level 4 used by MSSPs Variables reserved for future use by Novell e rv101 thru e rv200 rv...

Page 22: ...ru CustomerVar110 e cv101 thru e cv110 cv101 thru cv110 s_CV101 thru s_CV110 string Integer variable reserved for customer use Stored in database CustomerVar111 thru CustomerVar120 e cv111 thru e cv120 cv111 thru cv120 s_CV111 thru s_CV120 string Date variable reserved for customer use Stored in database CustomerVar121 thru CustomerVar130 e cv121 thru e cv130 cv121 thru cv130 s_CV121 thru s_CV130 ...

Page 23: ...0 string UUID variable reserved for customer use Not stored in database CustomerVar181 thru CustomerVar190 e cv181 thru e cv190 cv181 thru cv190 s_CV181 thru s_CV190 string IPv4 variable reserved for customer use Not stored in database CustomerVar191 thru CustomerVar200 e cv191 thru e cv200 cv191 thru cv200 s_CV191 thru s_CV200 string String variable reserved for customer use Not stored in databas...

Page 24: ...24 Sentinel 6 1 Rapid Deployment Reference Guide novdocx en 13 May 2009 ...

Page 25: ...rmissions on page 25 Section 2 2 General on page 27 Section 2 3 Active Views on page 28 Section 2 4 iTRAC on page 29 Section 2 5 Incidents on page 30 Section 2 6 Integrators on page 30 Section 2 7 Actions on page 31 Section 2 8 Event Source Management on page 31 Section 2 9 Analysis Tab on page 32 Section 2 10 Administration on page 32 Section 2 11 Correlation on page 33 Section 2 12 Solution Pack...

Page 26: ...26 Sentinel 6 1 Rapid Deployment Reference Guide novdocx en 13 May 2009 4 Right click user and select User Details 5 Select the Permissions tab ...

Page 27: ... 1 Permissions General Permission Name Description Save Workspace Allows user to save preferences If this permission is unavailable user will never be prompted to save changes to preferences when logging out or exiting the Sentinel Control Center Column Management Allows user to manage the columns in the Active View tables Snapshot Allows user to take a snapshot of Active View tables ...

Page 28: ...lic Filters Allows user to delete a public filter Permission Name Description Create Private Filters for Other Users Allows user to create private filters for themselves or for other users Modify Private Filters of Other Users Allows user to modify their own private filters and private filters created by other users Delete Private Filters of Other Users Allows user to delete their own private filt...

Page 29: ...nts from an existing incident using the Events tab Events table the right click menu Email Events Allows user to e mail events using the Active Views Events table the right click menu View Advisor Attack Data Allows user to view the Advisor Attack Data stream View Vulnerability Allows user to view the vulnerabilities present in the Sentinel database Permission Name Description View iTRAC Tab Allow...

Page 30: ...r double clicks an Incident in the Incident View window or right clicks the incident or selects the Modify option Create Incident s Allows user to create Incidents in the in the Incident View window or by right clicking on the incident and select Modify option Alternatively you can select Create Incident menu item in the Incidents menu bar and clicking Create Incident option in the tool bar Modify...

Page 31: ...e Description View Actions Allows user to use Action Manager and view Actions Manage Actions Allows user to add edit delete actions of type Execute Action Plugins Manage Action Plugins Allows user to add edit delete Action Plugins Permission Name Description View Status Allows user to view the status of ESM components View Scratchpad Allows user to design and configure ESM components Configure ESM...

Page 32: ...et mappings from mapping files This function is associated with Mapping Configuration Map Data Configuration Allows user to add edit and delete mapping files Event Menu Configuration Allows user to access the Menu Configuration window and add new options that display on the Event menu when you right click an event Report Data Configuration Allows user to enable or disable summary tables used in ag...

Page 33: ...s Allows user to start restart and stop processes Permission Name Description View Correlation Tab Allows user to use the Correlation functions View Use Correlation Rule Manager Allows user to start or stop the Correlation Rules View Use Correlation Engine Manager Allows user to deploy undeploy the Correlation Rules View Use Dynamic Lists Allows user to Create use view modify the Dynamic Lists Per...

Page 34: ...er Guide NOTE Users with Run View permission cannot schedule reports They cannot use the run options Daily Once Weekly and Monthly Delete the report results Rename the report results Restart report runs Manage Reports Allows user for the following Access the reporting features listed under Run View Reports permission Schedule report runs In addition to the the run option Now the user can also run ...

Page 35: ...Download Client Installers Allows user for the following Download Collector Manager Installer The Collector Manager Installer helps you install the Sentinel Collector Manager on any machine from which you want to forward events Download Client Installer The Client Installer helps you install the Sentinel Control Center and Sentinel Data Manager on any client machine Permission Name Description Run...

Page 36: ...36 Sentinel 6 1 Rapid Deployment Reference Guide novdocx en 13 May 2009 ...

Page 37: ...g rule types Simple Rule Composite Rule Aggregate Rule Sequence Rule These rules are converted to the Correlation RuleLg language when the rules are saved The same rule types plus even more complex rules can be created in the Sentinel Control Center using the Custom Freeform option To use the Custom Freeform option the user must have a good understanding of the Correlation RuleLg language RuleLg u...

Page 38: ...s that have been stored in memory Trigger Counts events to determine whether enough events have occurred to trigger a rule Each operation works on a set of events receiving a set of events as input and returning a set of events as output The current event processed by a rule often has a special meaning for the semantic of the language The current event is always part of the set of events in and ou...

Page 39: ...ld a condition where the value of a metatag matches a user specified regular expression value specified in the rule This operator is used only for string tags and the user specified values for this operator are case sensitive Examples filter e Collector match regex IBM filter e EventName match regex Attack Match Subnet Operators The match subnet operator can be used to build a condition where the ...

Page 40: ...er isnull e SIP Output Sets The output of a filter is either the empty set if the Boolean expression evaluates to false or a set containing the current event and all of the other events from the incoming set if the Boolean expression evaluates to true If filter is the last or only operation of a correlation rule then the output set of the filter is used to construct a correlated event The trigger ...

Page 41: ... denial of service attack has a service stopped within 60 seconds of the attack filter e rv51 Service and e rv52 Stop and e st H flow window e sip w dip filter e rv52 Dos 60s flow trigger 1 0 Output Sets If any past event evaluates to true with the current event for the simple boolean expression the output set is the incoming event plus all matching past events If no events in the window match the...

Page 42: ... within the specified duration then a set of events containing all of the events maintained by the trigger is output if not the empty set is output When receiving a new input set of events a trigger first discards the outdated events events that have been maintained for more than the duration and then inserts the current event If the number of resulting events is greater than or equal to the speci...

Page 43: ...events matching the filter expression are maintained specified in seconds s minutes m or hours h If no letter is specified seconds are assumed discriminator is a field to group by For example this rule is a typical perimeter security IDS inside outside rule filter e sev 3 flow gate filter e sn in filter e sn out all 60s discriminator e dip e evt 3 4 2 Sequence Operation Sequence rules are similar ...

Page 44: ...igger only counts events with severity equal to 5 3 5 2 Union Operator The union of the left side operation output set and the right side operation output set The resulting output set contains events from either the left hand side operation output set or the right hand side operation output set without duplicates For example filter e sev 5 union filter e sip 10 0 0 1 is equivalent to filter e sev ...

Page 45: ...ce from highest top to lowest bottom are Table 3 2 Operator Precedence 3 7 Differences between Correlation in 5 x and 6 x There are several new functionalities updated included in 6 x to widen the usage of Correlation to meet user s requirements and for the ease of use Table 3 3 Comaprison Table Operator Meaning Operator Type Associativity flow Output set becomes input set binary left to right int...

Page 46: ...criteria must be defined in the correlation wizard or language Update functionality for rules Updates to a rule were based on a sliding window based on the trigger time period The update functionality for a rule that is triggered more than once is configurable in Sentinel 6 x The update functionality can be set when the rule is deployed the rule actions might happen every time the rule is triggere...

Page 47: ...al Query Provides the server side functionality for Active Views Calculates event data summaries that are used in reports Provides the server side functionality for the Sentinel iTRAC functionality Provides a command line interface to certain DAS services Used primarily for third party integration Provides the server side of the SSL proxy connection to Sentinel Server DAS Binary Performs event dat...

Page 48: ...nd dbconfig a Install_directory config u username p password h hostname t portnum d database s server help version Other settings in the files can be adjusted manually without using dbconfig maxConnections batchSize loadSize Changing these settings might affect database performance and should be done with caution 4 1 2 DAS Logging Properties Configuration Files The following files are used to conf...

Page 49: ... second intervals the logging properties file will be checked to see if any changes have occurred since it was last read If the file has changed the LogManagerRefreshService will re read the logging properties file Therefore it is not necessary to restart the processes to begin using the updated logging levels Log messages are written to Install_Directory log in the following files das_binary_0 lo...

Page 50: ...50 Sentinel 6 1 Rapid Deployment Reference Guide novdocx en 13 May 2009 ...

Page 51: ... root The following users are all created as database users in the PostgreSQL Server database postgres This user owns the database and is for system use only It is not possible to log in as this user dbauser This user owns the Sentinel schema and the password is set during installation This account should be used to log into the Sentinel Database Manager admin This user is the Sentinel administrat...

Page 52: ...ted and stored in configuration files and used in normal Sentinel operations These configuration files must be updated after the passwords are changed System user passwords can be updated using standard database utilities IMPORTANT Changing password for the postgre user is not supported in Sentinel 6 1 Rapid Deployment Updating PostgreSQL Database Password on page 52 Updating Sentinel Configuratio...

Page 53: ... This utility is used to set the database connection related information in the config file s under opt novell sentinel6_rd_x86 config directory such as username password database name port hostname Updating Sentinel Data Manager Connection Properties If the dbauser password is changed the Sentinel Data Manager connection properties must be updated in order for any automated Sentinel Data Manager ...

Page 54: ...54 Sentinel 6 1 Rapid Deployment Reference Guide novdocx en 13 May 2009 ...

Page 55: ...on page 60 Section 6 1 7 ADV_ATTACK_RPT_V on page 61 Section 6 1 8 ADV_ATTACK_SIGNATURES on page 62 Section 6 1 9 ADV_FEED_RPT_V on page 62 Section 6 1 10 ADV_MASTER_RPT_V on page 63 Section 6 1 11 ADV_PRODUCT_RPT_V on page 63 Section 6 1 12 ADV_PRODUCT_SERVICE_PACK_RPT_V on page 64 Section 6 1 13 ADV_PRODUCT_VERSION_RPT_V on page 64 Section 6 1 14 ADV_VENDOR_RPT_V on page 65 Section 6 1 15 ADV_VU...

Page 56: ..._CTRL_RPT_V on page 77 Section 6 1 44 ESEC_DISPLAY_RPT_V on page 78 Section 6 1 45 ESEC_PORT_REFERENCE_RPT_V on page 79 Section 6 1 46 ESEC_PROTOCOL_REFERENCE_RPT_V on page 79 Section 6 1 47 ESEC_SEQUENCE_RPT_V on page 80 Section 6 1 48 ESEC_UUID_UUID_ASSOC_RPT_V on page 80 Section 6 1 49 EVENTS_ALL_RPT_V legacy view on page 80 Section 6 1 50 EVENTS_ALL_RPT_V1 legacy view on page 81 Section 6 1 51...

Page 57: ...w on page 103 Section 6 1 81 HIST_EVENTS_RPT_V legacy view on page 103 Section 6 1 82 IMAGES_RPT_V on page 103 Section 6 1 83 INCIDENTS_ASSETS_RPT_V on page 103 Section 6 1 84 INCIDENTS_EVENTS_RPT_V on page 104 Section 6 1 85 INCIDENTS_RPT_V on page 104 Section 6 1 86 INCIDENTS_VULN_RPT_V on page 105 Section 6 1 87 L_STAT_RPT_V on page 105 Section 6 1 88 LOGS_RPT_V on page 106 Section 6 1 89 MSSP_...

Page 58: ...KFLOW_DEF_RPT_V on page 118 Section 6 1 118 WORKFLOW_INFO_RPT_V on page 119 6 1 1 ACTVY_PARM_RPT_V View contains information about iTRAC activities Column Name Datatype Comment ACTVY_PARM_ID uuid Activity parameter identifier ACTVY_ID uuid Activity identifier PARM_NAME character varying 255 Activity Parameter name PARM_TYP_CD character varying 1 Activity parameter type code DATA_TYP character vary...

Page 59: ...zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment ACTVY_ID uuid Activity identifier SEQ_NUM integer Sequence number REFD_ACTVY_ID uuid Referenced activity identifier DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modifi...

Page 60: ...reference the attack entry SERVICE_PACK_ID integer ID used to reference the attack entry ATTACK_NAME character varying 256 Name of the Attack ATTACK_CODE character varying 256 Attack code DATE_PUBLISHED timestamp with time zone Date the attack has been published DATE_UPDATED timestamp with time zone Date the attack has been uptimestamp with time zoned DATE_CREATED timestamp with time zone Date the...

Page 61: ...FEED_DATE_UPDATED timestamp with time zone Last timestamp with time zone when the information on this attack has been uptimestamp with time zoned ATTACK_CATEGORY character varying 256 Category of the attack URGENCY_ID integer The urgency associated with this attack SEVERITY_ID integer Severity associated with this attack LOCAL integer Indicates if this attack was executed locally REMOTE integer In...

Page 62: ...trusion detection system ATTACK_NAME character varying 256 Name of the attack ATTACK_ID character varying 256 ID of the attack Column Name Datatype Comment FEED_NAME character varying 128 Name of feed FEED_FILE character varying 256 File name that contains the feed data BEGIN_DATE timestamp with time zone The timestamp with time zone from which this feed file carries the advisor information END_DA...

Page 63: ...th time zone Date from which the entry is valid END_EFFECTIVE_DATE timestamp with time zone Date until which the entry is valid DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment PRODUCT_ID integer...

Page 64: ...eated object MODIFIED_BY integer User who last modified object Column Name Datatype Comment SERVICE_PACK_ID integer Service Pack ID VERSION_ID integer Version ID SERVICE_PACK_NAME character varying 32 Name of the Service Pack FEED_DATE_CREATED timestamp with time zone Date of the Feed that carried information on this product FEED_DATE_UPDATED timestamp with time zone Date of the Feed that uptimest...

Page 65: ...nt VENDOR_ID integer ID of the vendor VENDOR_NAME character varying 128 Name of the vendor CONTACT_PERSON character varying 128 Contains the contact person name for the vendor ADDRESS_LINE_1 character varying 128 Address of the vendor ADDRESS_LINE_2 character varying 128 Address of the vendor ADDRESS_LINE_3 character varying 128 Address of the vendor ADDRESS_LINE_4 character varying 128 Address of...

Page 66: ...ID mapping CVE_ID OSVDB_ID BUGTRAQ_ID CVE_ID character varying 10 CVE ID for the related vulnerability OSVDB_ID integer OSVDB ID for the related vulnerability BUGTRAQ_ID integer Bugtraq id for the related vulnerability DATE_PUBLISHED timestamp with time zone Date the entry was published DATE_UPDATED timestamp with time zone Date the entry was uptimestamp with time zoned DATE_CREATED timestamp with...

Page 67: ...256 Vulnerability name VULN_ID character varying 256 Vulnerability ID Column Name Datatype Comment ANN_ID integer Annotation identfier sequence number TEXT character varying 4000 Documentation or notes DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified MODIFIED_BY integer User who last modified object CREATED_BY integ...

Page 68: ...REATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment ASSET_IP_ID uuid Asset alternate IP identifier PHYSICAL_ASSET_ID uuid Physical asset identifier IP_ADDRESS integer Asset IP address CUST_ID bigint Custo...

Page 69: ...r User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment ASSET_ID uuid Asset identifier CUST_ID bigint Customer identifier ASSET_NAME character varying 255 Asset name PHYSICAL_ASSET_ID uuid Physical asset identifier PRODUCT_ID bigint Product identifier ASSET_CATEGORY_ID bigint Asset category identifier ENVIRONMENT_IDENTITY_CD bigint Environment ident...

Page 70: ...eger User who last modified object Column Name Datatype Comment PERSON_ID uuid Person identifier ORGANIZATION_ID uuid Organization identifier ROLE_CODE character varying 5 Role code ASSET_ID uuid Asset identifier ENTITY_TYPE_CODE character varying 5 Entity type code PERSON_ROLE_SEQUENCE integer Order of persons under a particular role DATE_CREATED timestamp with time zone Date the entry was create...

Page 71: ...er varying 32 Attachment subtype FILE_EXTENSION character varying 32 File extension ATTACHMENT_DESCRIPTION character varying 255 Attachment description DATA text Attachment data DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified obje...

Page 72: ...with time zone Date the entry was modified Column Name Datatype Comment USR_ID character varying 32 User name APPLICATION character varying 255 Application identifier UNIT character varying 64 Application unit VALUE character varying 255 Text value if any DATA text XML data DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was mo...

Page 73: ...created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment PARENT_EVT_ID uuid Event Universal Unique Identifier UUID of parent event CHILD_EVT_ID uuid Event Universal Unique Identifier UUID of child event PARENT_EVT_TIME timestamp with time zone Parent event tim...

Page 74: ...cter varying 255 Customer hierarchy level 1 CUST_HIERARCHY_LVL2 character varying 255 Customer hierarchy level 2 CUST_HIERARCHY_LVL3 character varying 255 Customer hierarchy level 3 CUST_HIERARCHY_LVL4 character varying 255 Customer hierarchy level 4 DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY intege...

Page 75: ...s modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment ENVIRONMENT_IDENTITY_ID bigint Environment identity code ENV_IDENTITY_NAME character varying 255 Environment identity name DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY i...

Page 76: ... identifier DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment CONTENT_PACK_ID uuid Content pack identifier CONTENT_PACK_DESC text Content pack description CONTENT_PACK_NAME character varying 255 C...

Page 77: ...ODIFIED_BY integer User who last modified object CREATED_BY integer User who created object Column Name Datatype Comment CTRL_CTGRY_ID uuid Control category identifier CTRL_CTGRY_DESC text Control category description CTRL_CTGRY_NAME character varying 255 Control category name CONTENT_PACK_ID uuid Content pack identifier CONTENT_EXTERNAL_ID character varying 255 Content external identifier DATE_CR...

Page 78: ...haracter varying 32 The parent object of the property TAG character varying 32 The native tag name of the property LABEL character varying 32 The display string of tag POSITION integer Position of tag within display WIDTH integer The column width ALIGNMENT integer The horizontal alignment FORMAT integer The enumerated formatter for displaying the property ENABLED boolean Indicates if the tag is sh...

Page 79: ...t PORT_KEYWORD character varying 64 Per http://www.iana.org/assignments/port-numbers the keyword representation of the port PORT_DESCRIPTION character varying 512 Port description DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODI...

Page 80: ...er who last modified object Column Name Datatype Comment TABLE_NAME character varying 32 Name of the table COLUMN_NAME character varying 255 Name of the column SEED integer Current value of primary key field DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integ...

Page 81: ...NTS_RPT_V2 EVENTS_RPT_V2 is included for legacy reports but has been replaced in SentinelRD with EVENTS_RPT_V3 Column Name Datatype Comment EVENT_ID uuid Event identifier RESOURCE_NAME character varying 255 Resource name SUB_RESOURCE character varying 255 Subresource name SEVERITY integer Event severity EVENT_PARSE_TIME timestamp with time zone Event time EVENT_DATETIME timestamp with time zone Ev...

Page 82: ...on host name DESTINATION_PORT character varying 32 Destination port SOURCE_USER_NAME character varying 255 Source user name DESTINATION_USER_NAME character varying 255 Destination user name FILE_NAME character varying 1000 File name EXTENDED_INFO character varying 1000 Extended information CUSTOM_TAG_1 character varying 255 Customer Tag 1 CUSTOM_TAG 2 character varying 255 Customer Tag 2 CUSTOM_TAG...

Page 83: ...25 uuid Reserved Value 21 25 Reserved for future use by Novell to store UUIDs Use of this field for any other purpose might result in data being overwritten by future functionality RV26 31 character varying 255 Reserved Value 26 31 Reserved for future use by Novell Use of this field for any other purpose might result in data being overwritten by future functionality RV33 character varying 255 Rese...

Page 84: ...n by future functionality RV40 43 character varying 255 Reserved Value 40 43 Reserved for future use by Novell Use of this field for any other purpose might result in data being overwritten by future functionality RV44 character varying 255 Reserved Value 44 Reserved for DestinationThreatLevel Use of this field for any other purpose might result in data being overwritten by future functionality RV...

Page 85: ...gint Taxonomy identifier REFERENCE_ID_01 20 bigint Reserved for future use by Novell Use of this field for any other purpose might result in data being overwritten by future functionality CV01 10 integer Custom Value 1 10 Reserved for use by Customer typically for association of Business relevant data CV11 20 timestamp with time zone Custom Value 11 20 Reserved for use by Customer typically for as...

Page 86: ...one Events begin time END_TIME timestamp with time zone Events end time REPEAT_COUNT integer Repeat count TARGET_SERVICE_PORT integer Target service port INIT_SERVICE_PORT integer Service port BASE_MESSAGE character varying 4000 Base message EVENT_NAME character varying 255 Event name EVENT_TIME character varying 255 Event time CUST_ID bigint Customer identifier INIT_ASSET_ID bigint Initiator asse...

Page 87: ...RUST_ID character varying 255 Target trust ID TARGET_TRUST_DOMAIN character varying 255 Target trust domain OBSERVER_IP integer Observer IP address in numeric format OBSERVER_IP_DOTTED character varying Observer IP REPORTER_IP integer Reporter IP address in numeric format REPORTER_IP_DOTTED character varying Reporter ID OBSERVER_HOST_DOMAIN character varying 255 Observer host domain REPORTER_HOST_...

Page 88: ... of this field for any other purpose might result in data being overwritten by future functionality RV11 RV20 timestamp with time zone Reserved Value 11 20 Reserved for future use by Novell Use of this field for any other purpose might result in data being overwritten by future functionality RV21 RV25 uuid Reserved Value 21 25 Reserved for future use by Novell Use of this field for any other purpo...

Page 89: ...RV46 character varying 255 Reserved Value 46 TARGET_FUNCTION character varying 255 Target function TARGET_OPERATIONAL_CONEXT character varying 255 Target operational context RV49 character varying 255 Reserved Value 49 TAXONOMY_ID bigint Taxonomy identifier XDAS_TAXONOMY_ID bigint XDAS taxonomy identifier REFERENCE_ID_01 REFERENCE_ID_20 bigint Reference ID 01 20 CV01 CV10 integer Custom Value 01 1...

Page 90: ...AR_131_DOTTED CUSTOMER_VAR_140_DOTTED character varying Customer variable 131 140 Dotted CUSTOMER_VAR_141 CUSTOMER_VAR_150 character varying 255 Customer variable 141 150 Column Name Datatype Comment AGENT_ID bigint Collector identifier CUST_ID bigint Customer identifier AGENT character varying 64 Collector name PORT character varying 64 Collector port REPORT_NAME character varying 255 Reporter na...

Page 91: ...ent AGENT_ID bigint Collector identifier CUST_ID bigint Customer identifier AGENT character varying 64 Collector PORT character varying 64 Port REPORTER_HOST_NAME character varying 255 Reporter host name PRODUCT_NAME character varying 255 Product name OBSERVER_HOST_NAME character varying 255 Observer host name SENSOR_TYPE character varying 5 Sensor type H host based N network based V virus O other...

Page 92: ...TWORK_IDENTITY_NAME character varying 255 Asset network identity name ENVIRONMENT_IDENTITY_NAME character varying 255 Environment name ASSET_VALUE_NAME character varying 50 Asset value name CRITICALITY_NAME character varying 50 Asset criticality name SENSITIVITY_NAME character varying 50 Asset sensitivity name CONTACT_NAME_1 character varying 255 Name of contact person organization 1 CONTACT_NAME_...

Page 93: ... varying 255 Physical asset name REFERENCE_ASSET_ID character varying 100 Reference asset identifier links to source asset management system MAC_ADDRESS character varying 100 MAC address RACK_NUMBER character varying 50 Rack number ROOM_NAME character varying 100 Room name BUILDING_NAME character varying 255 Building name CITY character varying 100 City STATE character varying 100 State COUNTRY ch...

Page 94: ... identifier EVENT_COUNT integer Event count DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object DESTINATION_HOST_NAME character varying 255 Destination host name Column Name Datatype Comment DESTINATION_IP integer Destination I...

Page 95: ...ted object MODIFIED_BY integer User who last modified object DESTINATION_HOST_NAME character varying 255 Destination host name Column Name Datatype Comment DESTINATION_IP integer Destination IP address DESTINATION_EVENT_ASSET_ID bigint Event asset identifier TAXONOMY_ID bigint Taxonomy identifier SEVERITY integer Event severity CUST_ID bigint Customer identifier EVENT_TIME timestamp with time zone...

Page 96: ...bject Column Name Datatype Comment DESTINATION_PORT character varying 32 Destination port SEVERITY integer Event severity CUST_ID bigint Customer identifier EVENT_TIME timestamp with time zone Event time EVENT_COUNT integer Event count DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who crea...

Page 97: ...bject MODIFIED_BY integer User who last modified object Column Name Datatype Comment RESOURCE_ID bigint Resource identifier CUST_ID bigint Customer Identifier RESOURCE_NAME character varying 255 Resource name SUB_RESOURCE_NAME character varying 255 Subresource name DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CR...

Page 98: ...or prop MAP_FILTER text Map filter CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified Column Name Datatype Comment EVT_SRC_GRP_ID uuid Event source group identifier EVT_SRC_COLLECTOR_ID uuid Event source collector identifier S...

Page 99: ...haracter varying 255 Event source manager name STATE_IND boolean State indicator EVT_SRC_MGR_CONFIG text Event source manager configu CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified Column Name Datatype Comment EVT_SRC_ID u...

Page 100: ...ce IP address SOURCE_EVENT_ASSET_ID bigint Source event asset identifier SOURCE_PORT character varying 32 Source port SOURCE_USER_ID bigint Source user identifier TAXONOMY_ID bigint Taxonomy identifier EVENT_NAME_ID bigint Event name identifier RESOURCE_ID bigint Resource identifier AGENT_ID bigint Collector identifier PROTOCOL_ID bigint Protocol identifier SEVERITY integer Event severity CUST_ID ...

Page 101: ... source server configuration CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified Column Name Datatype Comment TAXONOMY_ID bigint Taxonomy identifier TAXONOMY_LEVEL_1 character varying 100 Taxonomy level 1 TAXONOMY_LEVEL_2 chara...

Page 102: ...me zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment XDAS_TAXONOMY_NAME character varying 255 XDAS taxonomy name XDAS_OUTCOME_NAME character varying 255 XDAS outcome name XDAS_REGISTRY integer XDAS registry XDAS_PROVIDER integer XDAS provider XDAS_CLASS integer XDAS class XDAS_IDENTIFIER intege...

Page 103: ... SentinelRD Console Column Name Datatype Comment EXTERNAL_DATA_ID integer External data identifier SOURCE_NAME character varying 50 Source name SOURCE_DATA_ID character varying 255 Source data identifier EXTERNAL_DATA text External data EXTERNAL_DATA_TYPE character varying 10 External data type DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone ...

Page 104: ...Y integer User who last modified object Column Name Datatype Comment INC_ID integer Incident identifier sequence number EVT_ID uuid Event Universal Unique Identifier UUID EVT_TIME timestamp with time zone Event time DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_...

Page 105: ...ho created object MODIFIED_BY integer User who last modified object INC_DESC character varying 4000 Incident description INC_CAT character varying 255 Incident category INC_PRIORITY integer Incident priority INC_RES character varying 4000 Incident resolution Column Name Datatype Comment INC_ID integer Incident identifier sequence number VULN_ID uuid Vulnerability Universal Unique Identifier UUID D...

Page 106: ... character varying 4000 Log text Column Name Datatype Comment TABLE1 character varying 64 Table name 1 ID1 bigint ID1 TABLE2 character varying 64 Table name 2 ID2 uuid ID2 DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Col...

Page 107: ...mestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment PERSON_ID uuid Person identifier FIRST_NAME character varying 255 First name LAST_NAME character varying 255 Last name CUST_ID bigint Customer identifier PHONE_NUMBER character varying 50 Phone number EMAIL_ADDRESS character va...

Page 108: ...t MODIFIED_BY integer User who last modified object Column Name Datatype Comment PRODUCT_ID bigint Product identifier PRODUCT_NAME character varying 255 Product name PRODUCT_VERSION character varying 100 Product version VENDOR_ID bigint Vendor identifier DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY in...

Page 109: ...tamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment SENTINEL_HOST_ID uuid SentinelRD host identifier SENTINEL_ID uuid SentinelRD identifier SENTINEL_HOST_NAME character varying 255 SentinelRD host name HOST_NAME char...

Page 110: ...PKG text Content package FILE_HASH character varying 255 File hash AUX_FILE_NAME character varying 512 Auxiliary file name CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified Column Name Datatype Comment SENTINEL_ID uuid Sentine...

Page 111: ... entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified MODIFIED_BY integer User who last modified object CREATED_BY integer User who created object Name Datatype Comment INC_ID integer Incident identifier NAME character varying 255 Name SEVERITY integer Severity STT_ID integer identifier SEVERITY_RATING character varying 32 Severity rating VULNERABILITY_RATING charac...

Page 112: ... assigned to the SentinelRD user FILTER character varying 128 Current security filter assigned to the SentinelRD user UPPER_NAME character varying 64 User name in upper case DOMAIN_AUTH_IND boolean Domain authentication indication Column Name Datatype Comment ACCOUNT_ID bigint Account identifier USER_NAME character varying 255 User name USER_DOMAIN character varying 255 User domain CUST_ID bigint ...

Page 113: ...varying 255 Distinguished name CUST_ID bigint Customer identifier SRC_IDENTITY_ID character varying 100 Source identity identifier WFID character varying 100 Workforce identifier FIRST_NAME character varying 255 First name LAST_NAME character varying 255 Last name FULL_NAME character varying 255 Full name JOB_TITLE character varying 255 Job title DEPARTMENT_NAME character varying 100 Department na...

Page 114: ...dentifier VENDOR_NAME character varying 255 Vendor name DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment RSRC_ID uuid Resource identifier IP text IP HOST_NAME text Host name CRITICALITY integer A...

Page 115: ...ID uuid Vulnerability info identifier VULN_ID uuid Vulnerability identifier VULN_INFO_TYPE character varying 36 Vulnerability info type VULN_INFO_VALUE character varying 2000 Vulnerability info value DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User ...

Page 116: ...scanner VULN_USER_DOMAIN character varying 64 Domain of user used by scanned VULN_TAXONOMY character varying 1000 Vulnerability taxonomy SCANNER_CLASSIFICATION character varying 255 Scanner classification VULN_NAME character varying 300 Vulnerability name VULN_MODULE character varying 64 Vulnerability module DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp w...

Page 117: ...entifier DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone Date the entry was modified CREATED_BY integer User who created object MODIFIED_BY integer User who last modified object Column Name Datatype Comment SCAN_ID uuid Vulnerability scan identifier SCANNER_ID uuid Vulnerability scanner identifier SCAN_TYPE character varying 10 Vulnerability ...

Page 118: ...st modified object Column Name Datatype Comment SCANNER_ID uuid Vulnerability scanner identifier PRODUCT_NAME character varying 100 Product Name PRODUCT_VERSION character varying 64 Product Version SCANNER_TYPE character varying 64 Vulnerability Scanner Type VENDOR character varying 100 Vendor SCANNER_INSTANCE character varying 64 Scanner Instance DATE_CREATED timestamp with time zone Date the ent...

Page 119: ...ERITY_RPT_V ADV_SUBALERT_RPT_V ADV_URGENCY_RPT_V MODIFIED_BY integer User who last modified object Column Name Datatype Comment INFO_ID bigint Info identifier PROCESS_DEF_ID character varying 100 Process definition identifier PROCESS_INSTANCE_ID character varying 150 Process instance identifier DATE_CREATED timestamp with time zone Date the entry was created DATE_MODIFIED timestamp with time zone ...

Page 120: ...120 Sentinel 6 1 Rapid Deployment Reference Guide novdocx en 13 May 2009 ...

Page 121: ...for your particular issue Is this a known issue with a work around Is this issue fixed in the latest patch release or hot fix Is this issue currently scheduled to be fixed in a future release 2 Determine the nature of the problem Can it be reproduced Can the steps to reproduce the problem be enumerated What user action if any will cause the problem Is the issue periodic in nature 3 Determine the s...

Page 122: ... novell can be used Check for any core dumps in any of the sub directories of Install_Directory Find out which process core dumped cd Install_Directory; find . -name core -print Make sure the ActiveMQ broker is running Connectivity can be verified using the ActiveMQ management console Check that the various connections are active from Novell processes Make sure that a lock file is not preventing Active...

Page 123: ...e installed product Check if any cron jobs are setup causing interference with our product s functionality If the product is installed on NFS mounts check the sanity of NFS mounts NFS NIS services 8 Is there a possible memory leak Obtain the statistics on how fast the memory is being consumed and by which process Gather the metrics of the events throughput per Collector Run the prstat command on S...

Page 125: ...n s required Permission Explanation Advisor Sentinel java Download and processes Advisor attack data Network access Internet access over port 443 optional File read access to Install_Directory config Install_Directory lib Install_Directory jre File write access to Install_Directory data Install_Directory log It connects to the database to read and insert data It communicates over the network ...

Page 126: ...om security devices and systems producing event vulnerability and asset data that Sentinel can analyze and store in its database Network access both outgoing access and local access to bind to ports greater than 1024 File read access to Install_Directory config Install_Directory lib Install_Directory jre File write access to Install_Directory data Install_Directory log NOTE Additionally will ...

Page 127: ...Collector Manager and publishes correlated events based on user defined correlation rules Network access File read access to Install_Directory config Install_Directory lib Install_Directory jre File write access to Install_Directory data Install_Directory log It communicates over the network with ActiveMQ for configuration event processing and correlated event generation It reads local config...

Page 128: ...y data Install_Directory log It connects to the database to read and insert data It communicates over the network with ActiveMQ for configuration and event processing and other general data processing It reads local configuration files and uses the java executable It writes log files as well as caches data in the local file system java das_core Provides the following General database access serv...

Page 129: ...vemq It binds to local ports to accept TCP connections in order to perform its duties as a communication server It reads local configuration files and uses the java executable java das_core ActiveMQ also has an SSL proxy that acts as an SSL bridge between the message bus and a client connecting through SSL Network access binds to ports greater than 1024 File read access to Install_Directory conf...

Page 130: ...ted launches the java Sentinel Service Network access File read access to Install_Directory config Install_Directory lib Install_Directory jre File write access to Install_Directory log It communicates over the network with ActiveMQ for configuration and status reporting It reads local configuration files and uses the java executable It writes log files to the local file system java sentinel T...

Page 131: ...interface to the JasperReportEngine library methods The Jasper Reporting Service uses the JasperReportEngine library methods to execute reports and format the report output and place the results in the report result plugins that are displayed as results on the Reporting Page of the Web UI Admin rights The Jasper Reporting Service needs permissions to Read jar files from the Install_Directory li...

Page 133: ...4 Section C 10 Solution Designer on page 134 Section C 11 Multiple Instances on page 134 The naming convention for the log files is that they include with the name of the process the instance number almost always 0 unless there are multiple instances of das_binary installed and the log number in the log rotation sequence For examples see below C 1 Sentinel Data Manager Logs activities executed usi...

Page 134: ... Engine Logs activities related to Correlation Engine Install_Directory log correlation_engine0 log C 9 Sentinel Control Center Logs activities related to the Sentinel Control Center Install_Directory log control_center0 log C 10 Solution Designer Logs activities related to Solution Designer Install_Directory log solution_designer0 log C 11 Multiple Instances In some environments there can be mult...

Page 135: ...If other processes have log files for more than one instance running, that could indicate a system problem ...
