Novell SENTINEL LOG MANAGER 1.0.0.5 - ADMINISTRATION GUIDE 03-31-2010 Administration Manual

AUTHORIZED DOCUMENTATION
Administration Guide
Novell® Sentinel™ Log Manager 1.0.0.5
March 31, 2010
www.novell.com
Sentinel Log Manager 1.0.0.4 Administration Guide


Summary of Contents for Novell SENTINEL LOG MANAGER 1.0.0.5 - ADMINISTRATION GUIDE 03-31-2010

  • Page 2 Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Novell Sentinel Log Manager Features ........
  • Page 6 Configuring Data Collection for Novell Audit Server....... . . 53...
  • Page 7 6.12 Deleting Reports ............108 6.12.1 Deleting a Report Definition .
  • Page 8 10.1.6 Starting the Database ..........142 10.1.7 Stopping the Database .
  • Page 9: About This Guide

    This guide assumes that you have already installed Novell Sentinel Log Manager on your machine. This guide provides an overview of Novell Sentinel Log Manager and also guides in administering the product and users. Chapter 2, “Security Considerations for Sentinel Log Manager,” on page 13 Chapter 3, “Configuring Data Storage,”...
  • Page 10 Documentation Conventions In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
  • Page 11: Overview

    Log Manager collects data from a wide variety of devices and applications, including intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, and antivirus event sources. Novell Sentinel Log Manager provides high event-rate processing, long-term data retention, regional data aggregation, and simple searching and reporting functionality for a broad range of applications and devices.
  • Page 12 Events Per Second: Events per second (EPS) is a value that measures how fast a network generates data from its security devices and applications. It is also the rate at which Sentinel Log Manager can collect and store data from the security devices. Integrator: Integrators are plug-ins that allow Sentinel systems to connect to other external systems.
  • Page 13: Security Considerations For Sentinel Log Manager

    Security Considerations for Sentinel Log Manager This section provides specific instructions on how to securely install, configure, and maintain Novell® Sentinel Log Manager. Section 2.1, “Securing Communication Across the Network,” on page 13 Section 2.2, “Securing Users and Passwords,” on page 16 Section 2.3, “Securing Sentinel Data,”...
  • Page 14: Communication Between Sentinel Log Manager And The Event Source Manager Client Application

    ActiveMQ Web site (http://activemq.apache.org/). However, Novell does not support the modification of the server-side settings. 2.1.2 Communication between Sentinel Log Manager and the Event Source Manager Client Application The Sentinel Log Manager Event Source Management (ESM) client application by default uses SSL communication via the SSL proxy server.
  • Page 15: Communication Between The Server And The Database

    <strategy active="yes" id="proxied_client" location="com.esecurity.common.communication.strategy.proxystrategy.ProxiedClientStrategyFactory"> <transport type="ssl"> <ssl host="164.99.18.132" port="10013" keystore="./novell/sentinel/.proxyClientKeystore" /> </transport> </strategy> 2.1.3 Communication between the Server and the Database The protocol used for communication between the server and the database is defined by a JDBC* driver.
  • Page 16: Communication Between Sentinel Log Manager And Nfs/Cifs Archive Servers

    . By default, if a new user is created, the password for the user is not set in order to maximize security. If you want to log in to the system as the novell user, you must set a password for the user after installation.
  • Page 17: Sentinel Application And Database Users

    home directory. By default, if a new user is created, the password for the user is not set in order to maximize security. If you want to log in to the system as the user, you must set a password for the user after installation.
  • Page 18 Even when the password is encrypted, you must be careful that the access to the stored password data is protected in order to avoid password exposure. For example, you can use permissions to ensure that files with sensitive data are not readable by other users. Database credentials are stored in the <...
  • Page 19: Securing The Operating System

    Linux Enterprise Server (SLES) 11. For more information on securing a SLES machine, see the SUSE Linux Enterprise Server 11 documentation (http://www.novell.com/documentation/sles11/book_sle_security/?page=/documentation/sles11/book_sle_security/data/book_sle_security.html). If the Sentinel Log Manager is accessible from outside the corporate network, a firewall should be employed to prevent direct access to the Sentinel Log Manager server.
  • Page 20: Auditing Sentinel

    TCP port numbers. For the system to function properly, connections from localhost to any port should be allowed. For more information on enabling a firewall on SLES 11, see Configuring the Firewall with YaST (http://www.novell.com/documentation/sles11/book_sle_security/?page=/documentation/sles11/book_sle_security/data/book_sle_security.html) in the SLES 11 Security Guide.
  • Page 21: Configuring Data Storage

    Configuring Data Storage Novell® Sentinel Log Manager stores compressed event data on the server file system and then archives it to a configured location for the long-term storage. Section 3.1, “Data Storage Overview,” on page 21 Section 3.2, “Configuring Data Archiving,” on page 27 Section 3.3, “Configuring Data Retention Policies,”...
  • Page 22 The time-based raw data files are closed (changed to read-only) after a duration and no more events are written to them. After these files are closed, they are compressed and archived to the configured location. “Raw Data Storage” on page 22 “Raw Data Representation”...
  • Page 23 Directory structure: /data/rawdata/<EventSource UUID>/Month/1 Hour Data Files. Description: Each file in the directory contains data received during a specific one-hour period. Most data in the file have a time stamp that is within the one-hour period. The name of the file indicates the day of the month and the one-hour period that is represented.
  • Page 24 Field Name Description EventRecordID The record ID of the corresponding event record in the event store. NOTE: If no event record was ever created (because of filtering) this record ID might not point to anything. Example: "595829C0-1C8F-102C-A922-000C2949BA91" RawData The original raw data received by the event source. RawDataHash The SHA256 hash of the RawData value represented as a HEX string.
  • Page 25: Event Data

    Field Name Description ChainSequence A sequence number within a particular raw data chain. The raw data events in a given raw data chain must have an uninterrupted sequence of numbers starting with 0. In addition, all raw data events in a given raw data chain must appear sequentially in the files, with no other chains intermixed.
  • Page 26: Archiving

    Directory structure: /data/eventdata/YYYYMMDD_<class_id>. Description: A partition consists of the events for a single day (midnight-midnight UTC) within a given data retention class and is held within a sub-directory named YYYYMMDD_<class_id>, where YYYYMMDD is the UTC date stamp and <class_id> is a UUID identifier associated with the data retention class. The directory contains the binary event data for the partition.
  • Page 27: Data Retention

    If archiving is enabled, the closed files are archived whenever the server starts. They are also archived at midnight UTC every night. These files are already compressed in the local storage location, but the indexes for these files are compressed before being moved to the archive. If the archive location is not configured or if there is any problem while archiving, attempts are made every 60 seconds until archiving succeeds.
  • Page 28 The Storage tab is displayed on the right pane of the page. 3 Click the Configuration tab. 4 In the Data Archiving section, select the local/SAN option. 5 In the Location field, specify the local directory path or the location on which the SAN is mounted.
  • Page 29 5 In the Server field, specify the IP address or host name of the machine where the CIFS server is configured. 6 In the Share field, specify the share name of the CIFS server. The mounted shares are unmounted when the server stops and are mounted again when the server starts.
  • Page 30 Configuring an NFS Server as an Archive Location The NFS protocol requires significant configuration to improve performance and security, and it is recommended only when you already have a well-established NFS infrastructure in your environment. For more information about configuring the NFS server, see “NFS Configuration”...
  • Page 31: Enabling Or Disabling Data Archiving

    NOTE: This procedure tests a subset of all of the settings that are necessary for the NFS server and client. 10 Click Save to configure the specified archive location. 3.2.2 Enabling or Disabling Data Archiving The options for enabling and disabling data archiving appear only when the archive location is configured.
  • Page 32: Changing The Archive Location

    The Storage tab is displayed on the right pane of the page. 3 Click the Configuration tab. 4 To unmount the data archiving, select Unmount Archive. When you unmount the archive location, Sentinel Log Manager can no longer access the archive data.
  • Page 33 7 Select the check box to disable data collection if local storage fills up before archiving is resumed at the new location. Otherwise, the oldest data is deleted to make space for the incoming data. 8 Configure the new archive location. For more information about configuring the NFS or CIFS or local/SAN archive locations, see “Configuring Archive Locations”...
  • Page 34: Configuring Data Retention Policies

    11 After copying the files, select the Copy Done option to start data archiving to the new location. 12 Click Cancel to return to the previous archive configuration. 3.3 Configuring Data Retention Policies You can configure one or more data retention policies to control the duration for which specific types of events are retained in the Sentinel Log Manager.
  • Page 35 4 In the Data Retention section, click the Add a policy option located at the top right corner of the policy table. 5 Specify a name for the retention policy. The policy name must be unique and must contain alphanumeric characters. If a duplicate policy name is specified, an error message is displayed when you save the retention policy.
  • Page 36 Events: Displays the event count for the selected retention policy. The policies are sorted in alphabetical order by policy name. The default retention policy is always shown as the last policy in the list. If there is any error when saving a retention policy, an error message is displayed on top of the policy table.
  • Page 37: Rules For Applying Appropriate Retention Policy

    The data retention policy table is displayed in the Data Retention section. 4 To delete the retention policy, click the Edit link next to the configured policy. The policy editor opens within the policy table. 5 Click Delete. A confirmation message is displayed. 6 Click Delete.
  • Page 38: Configuring Disk Space Usage

    3. If an event meets the criteria for more than one of the data retention policies, the following guidelines are used to determine which data retention policy should be applied: If the maximum retention period of a policy is shorter than the others, that policy is applied.
  • Page 39: Verifying And Downloading Raw Data Files

    3.5 Verifying and Downloading Raw Data Files The raw data files for each event source are compressed and archived every one hour and the file hash is computed for archived files. The file hash is used to check the integrity of the archived files. 1 Log in to the Sentinel Log Manager as an administrator.
  • Page 40: Viewing Online And Archive Data Capacity

    The selected files are downloaded in the form of a zip file that contains a .csv (comma separated values) file. If the archived files are selected, the zip file also contains a hash file corresponding to each of the archive files downloaded. The SHA-256 algorithm is used to generate the file hash, and the generated hash is Base64 encoded.
  • Page 41: Using Sequential-Access Storage For Long Term Data Storage

    The Click here link displays the Data Archive page to configure the archive location. For more information refer to “Configuring Data Archiving” on page If Sentinel Log Manager is configured to archive data, the health page displays the archive capacity: The health page of Sentinel Log Manager also forecasts the archive data capacity.
  • Page 42: Determining What Data You Need To Copy To Tape

    The high-level approach is to configure Sentinel Log Manager to retain data for a longer duration, so that you can perform searches and run reports on the data you regularly need to access, and to copy data to tape before Sentinel Log Manager deletes it. To search or run reports on data that was copied to tape but deleted from Sentinel Log Manager, copy the data from tape back into Sentinel Log Manager so that it includes the newly recovered data in its search results.
  • Page 43: Configuring Sentinel Log Manager Storage Utilization

    Events should be archived regularly. You should periodically export all the ESM configurations and save them. When the environment is relatively stable, you can generate a full ESM export including the entire tree of the ESM components. This action captures the plug-ins as well as the configuration of each node.
  • Page 44: Copying Data From Tape Back Into Sentinel Log Manager

    have a .log extension. Sometime after they are closed, they are compressed and then have a .zip extension. After being compressed, they are moved to archive storage and are no longer present in the local storage. The directory hierarchy in which the raw data files are placed is organized by the event source and the date of the raw data.
  • Page 45 For Event Data: Once a day, at midnight UTC (GMT) “Restoring Raw Data from Tape” on page 45 “Restoring Event Data from Tape” on page 45 Restoring Raw Data from Tape To restore raw data, copy the data from tape back into its original location (maintaining the original directory hierarchy).
  • Page 47: Configuring Data Collection

    Figure 4-1: Hierarchy of Plug-ins in the Event Source Management (Live View). Novell Sentinel Log Manager supports a wide variety of Connectors and also includes a variety of Collectors with parsing logic for specific event sources. For a list of supported connectors and event sources packaged with this release, see “System...
  • Page 48: Configuring Syslog Data Collection

    Sentinel 6.1 Content Web site (http://support.novell.com/products/ sentinel/sentinel61.html). Novell recommends that you review the full documentation for any new event source integration to ensure that all available features are enabled. NOTE: Every Collector has its own associated Collector packs. The new Collector packs include reports that can be uploaded and used in the Sentinel Log Manager interface.
  • Page 49 appears in the header portion of the syslog messages. This entry enables you to identify the machines that are generating the syslog messages, regardless of whether they are being aggregated by a syslog relay or not. The Sentinel Log Manager web interface allows you to configure ports to listen on to receive syslog data.
  • Page 50: Setting The Syslog Server Options

    The default ports for TCP, UDP, and SSL are 1468, 1514, and 1443 respectively. 5 To start or stop the data collection for each of the syslog server, select the on or off options next to them. 6 To change the port values, specify a valid port value. The following table shows the description of the status messages you get after entering the valid or non-valid port values.
  • Page 51 (CA) that signed the event source certificate. After you have a DER or PEM certificate, you can create the truststore by using the CreateTruststore utility that comes with Log Manager. 1 Log in to the Sentinel Log Manager server as novell. 2 Go to /opt/novell/sentinel_log_mgr_1.0_x86/data/updates/done 3 Extract the file.
  • Page 52 As Sentinel Log Manager runs as the novell user, it cannot directly listen on ports that are less than 1024. To listen on a port that is less than 1024, use port forwarding to forward data to a port that Sentinel Log Manager can directly listen on.
  • Page 53: Configuring Data Collection For Novell Audit Server

    4.2 Configuring Data Collection for Novell Audit Server The following sections describe how you can configure the audit server port to receive data and how you can set the audit server options: Section 4.2.1, “Specifying the Audit Server Settings,” on page 53 Section 4.2.2, “Setting the Audit Server Options,”...
  • Page 54: Setting The Audit Server Options

    4 In the Audit Server section, to start or stop the data collection for the audit server, select the On and Off options. 5 In the Audit Server section, specify the port on which the Sentinel Log Manager server listens to messages from the event sources.
  • Page 55 5 Restart the Platform Agent. The method varies by operating system and application. Reboot the machine or refer to the application specific documentation on the Novell Documentation Web Site (http:// www.novell.com/documentation) for more instructions. To configure port forwarding on the Sentinel Log Manager server:...
  • Page 56 (CA) that signed the event source’s certificate. After you have a DER or PEM certificate, you can create the truststore by using the CreateTruststore utility that comes with Log Manager. 1 Log in to the Sentinel Log Manager server as novell. 2 Go to /opt/novell/sentinel_log_mgr_1.0_x86/data/updates/done 3 Unzip the file.
  • Page 57: Configuring Data Collection For Other Event Sources

    8 If desired, click Details to see more information about the truststore. 9 Click Reset to change the specified settings back to the previous settings before saving. 10 Click Save. After the truststore is imported successfully, you can click Details to see the certificates included in the truststore.
  • Page 58 5 The Novell Sentinel Event Source Management Login window is displayed. 6 Specify the administrator's username and password to log in to Novell Sentinel Log Manager, then click Login. Report administrator users and auditor users cannot log in to the Novell Sentinel Event Source Management interface.
  • Page 59 The Event Source Management (Live View) interface provides a set of tools to manage and monitor connections between Sentinel and the event sources that are providing data to Sentinel. The graphical interface shows the current event sources and the software components that are processing data from that event source.
  • Page 60: Managing Event Sources

    You can download the Collectors from the Sentinel 6.1 Content Web site (http://support.novell.com/products/sentinel/secure/sentinel61.html). For more information on customizing or creating new Collectors, refer to the Novell Developer’s Kit for Sentinel Web site (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel). Connector Connectors are used to provide the protocol-level communication with an event source, using industry standards such as syslog, JDBC*, and so forth.
  • Page 61 To view the event sources: 1 Log in to the Sentinel Log Manager as an administrator. 2 Click the collection link in the upper left corner of the page. The Collection tab is displayed on the right pane of the page. 3 Click the Event Sources tab.
  • Page 62 4 In the Event Sources section, to select or deselect the event sources, click the check boxes next to the respective event source. To select all the available event sources, click the check box at the top of the column. To sort the event sources by Health, Name, Collector Plugin, Drop Data, Create Date, and EPS values, click the respective column header.
  • Page 63 The following table explains each column of the event source table: Columns Description Health Shows the health of the event source. The colored icon indicates the event source health. Green: Indicates that the event source is healthy and Sentinel Log Manager has received data from it.
  • Page 64 Columns Description Collector Plugin Specifies the collector plug-in name the event source is connected to. NOTE: This is the name of the collector plug-in, not the name of the collector instance. You can sort the event sources based on collector plug-in name. Drop Specifies whether data from the associated event source should be dropped or not.
  • Page 65 6 To view the event sources based on the health status, select the Healthy, Warning, Error, and Offline check boxes. The Event source table displays the list of event sources with the selected health states. NOTE: If none of the health states are selected, health state filtering is not performed. It is essentially equivalent to selecting all four health states.
  • Page 66 8 To display only event sources connected to particular event source servers, select one or more event source servers from the Event Source Servers section. NOTE: If none of the event source servers are selected, event sources refinement is not performed based on the event source servers.
  • Page 67 9 To display only those event sources connected to particular collector plug-ins, select one or more collector plug-ins from the Collectors Plugins section. NOTE: If none of the collector plug-ins are selected, event sources refinement is not performed based on the collector plug-in. It is essentially equivalent to selecting all of the collector plug-ins.
  • Page 68 To sort the collector plug-ins by Name or EPS values, click the appropriate column header. When you click the column header the respective column header displays in bold text. Health: Indicates the aggregate health of all event sources that are connected to the collector plug-in.
  • Page 69 10 In the Event Source section, click the Next, Previous, First, and Last arrow links to scroll through all the event sources. The Event source section displays 30 event sources per page. 11 To view the event search result for an event source, select the event source from the list and click the Search link.
  • Page 70 12 To change the data logging status for one or more event sources, select the event sources from the list, click the Configure link, and select either the Drop Data or Allow Data option. Drop Data: If Drop Data is selected, the selected event source(s) will drop all the events received.
  • Page 71 14 Select a new Collector plug-in name, then click Set. The selected event sources are connected to the selected Collector plug-in. NOTE: If you select a large number of event sources to change, it may take a while to complete. The event sources list will not show the new collector plug-in until after the changes are complete, and the display is refreshed from the database.
  • Page 72: Viewing Events Per Second Statistics

    16 Select a new time zone, then click Set. The selected event sources are set to the new time zone setting. NOTE: If you select a large number of event sources to change, it may take a while to complete. The event sources list will not show the new time zone until after the changes are complete, and the display is refreshed from the database.
  • Page 73: Viewing Events Per Second Value Of Event Source Servers

    The graph shows the last 90 days' statistics of all the events coming to the Sentinel Log Manager server. 4.5.2 Viewing Events Per Second Value of Event Source Servers 1 Log in to the Sentinel Log Manager as an administrator. 2 Click the collection link in the upper left corner of the page.
  • Page 75: Searching

    Searching Novell® Sentinel Log Manager can perform a search on events. Each time you perform a search for an event, a tab opens with the search results. In each tab you can again refine your search. The search includes all the online data currently in the flat files at the...
  • Page 76 NOTE: If time is not synchronized across your server, client, and event sources, you might get unexpected results from your search. Searches for the time durations such as Custom, Last 1 hour, and Last 24 hours display results based on the timezone of the machine on which the search is performed.
  • Page 77: Running An Advanced Search

    3 Select a time period for the search. Most of the time settings are self-explanatory, and the default is Last 30 Days. Custom allows you to select a start date and time and an end date and time for the query. The start date should be lower than the end date, and the time is based on the machine’s local time.
  • Page 78: Search Expression History

    The advanced search criteria are modeled on the search criteria for the Apache* Lucene* open source package. More details about the search criteria are available at Lucene Query Parser Syntax (http://lucene.apache.org/java/2_3_2/queryparsersyntax.html). 5.1.3 Search Expression History Sentinel Log Manager allows you to select a search expression value from the recently used search expressions list while performing a search.
  • Page 79 <sample-size> replaced by the actual sampling size. To refine search results: 1 Log in to Novell Sentinel Log Manager. 2 Run an event search. For more information on how to run an event search, see “Running an Event Search” on page 3 Select an option from SORT BY to sort the search results.
  • Page 80 4b To deselect all the selected event fields, click the Clear all link. 4c To undo any changes, click Cancel. 5 The selected event fields are displayed in the REFINE pane. A count at the right side of each event field displays the number of unique values that exist for that field in the data directory.
  • Page 81 2. If there are more than 50,000 events, the event field statistics will be calculated only on the first 50,000 events. There could be an event field value that occurs 50 times in the first 50,000 events, but it could occur 1,000 times in all other stored events. So, in the above scenario the displayed value count would be 50, but when the search is refined with this value it would return 1,000 events.
  • Page 82: Viewing Search Results

    10 Repeat Step 4-Step 9 to further refine the search. 11 Click clear to clear the selected unique event field values from the REFINE pane and to return to the previous search results. 12 Click add to search to add the refined search values to the current search tab and to perform a new search after recalculating the unique event field values and counts.
  • Page 83: Event View With Details

    2 Select the Open Raw Data Tab option to display the Raw Data window. You can view the detailed information in the Raw Data Details section. If you do not see the information, check to see if you need to reconfigure the system to send the syslog data to include the missing information. If the Collector parsing logic could not parse the existing raw data, the fields might not be displayed or might be labeled Unknown.
  • Page 84 For example, you can display the Message, Event ID, and default data retention duration information for the events. 3 Click the show extended info link to view additional details of the events. You can expand or collapse this information by using the show extended information or hide extended information links.
  • Page 85 Event Source ID: Displays the name of the Collector Manager. When you click the Event Source ID field value, the value is added to the current search and provides information about other events coming from the same Event Source. If the Collector, Collector Manager, Connector, and EventSource plug-in instances are deleted, then the IDs are displayed instead of the names.
  • Page 86: Exporting Search Results

    5 Click the get raw data link to open a new Raw Data tab with event source hierarchy and event source fields populated, based on the information received from the event. If the search result is a system or an internal event, the get raw data link does not appear. To verify and download the raw data files, see Section 3.5, “Verifying and Downloading Raw Data Files,”...
  • Page 87 NOTE: If there are no results for the search, the Export Results link does not appear. 1 Log in to Novell Sentinel Log Manager. 2 Perform a search. 3 To export the search result, click the export results link. An Export Results window is displayed.
  • Page 88: Saving A Search Query As A Report Template

    You can save a search result as a report template by using the Save as Report link at the top of the search results. You can use this report as a reference to create future reports. 1 Log in to Novell Sentinel Log Manager. 2 Perform a search.
  • Page 89 4 Use the Report Name field to specify the report template name for the search. 5 Select one of the following report type formats: Event List: Select the Event List option to save the report in the search report format. Visualization: The Based on field lists the Jasper Reports saved in Sentinel Log Manager.
  • Page 90: Sending Search Results To An Action

    The send results to link is displayed after performing a search. 1 Log in to Novell Sentinel Log Manager. 2 Perform a search. 3 To send the search results to an action, click the send results to link.
  • Page 91: Reporting

    JasperReports appear with a bar graph icon, and Search reports appear with a magnifying glass icon next to the report definition. You can categorize the reports as All and Favorite reports. The following sections describe the reporting feature of Novell Sentinel Log Manager: Section 6.1, “Running Reports,” on page 91 Section 6.2, “Scheduling a Report to Run Automatically,”...
  • Page 92 Use the following procedure to run a report: 1 In the Report Viewer pane, select the report you want to run, and click the Run button located on top of the first Report Definition. When the report definition runs, a Run Report Name screen is displayed that allows you to change the parameters to run a report (for example, report name, start date, and end date).
  • Page 93 Parameter Description Durations If the report includes time period parameters, choose the date range. All time periods are based on the local time for the browser. Last 1 hour: Shows events of the last 1 hour. Last 12 hours: Shows events of the last 12 hours. Last 24 hours: Shows events of the last 24 hours.
  • Page 94: Scheduling A Report To Run Automatically

    Parameter Description Date Range If the report includes time period parameters, choose the date range. All time periods are based on the local time for the browser. Current Day: Shows events from midnight of the current day until 11:59:00 p.m. of the current day. If the current time is 8:00:00 AM, the report shows 8 hours of data.
  • Page 95: Viewing The Reports

    Report schedules can be removed or modified by using the Delete and Edit links. 6.3 Viewing the Reports Novell Sentinel Log Manager users can view the report template and report results that are in the system. The reports are loaded and displayed on the left pane of the page.
  • Page 96: Viewing Report Parameters

    3 Click View. If the selected report is a Jasper report, clicking the View button displays the report in PDF format in a new window. If the selected report is a Search report, clicking the View button displays the report in the right pane of the Search Dashboard.
  • Page 97: Extracting The Reports From The Collector Packs

    The reports that are extracted from the new collector can be uploaded to the Sentinel Log Manager. These collector packs are available on the Sentinel Content Web site (http://support.novell.com/products/sentinel/sentinel61.html). To extract the reports from the collector packs:...
  • Page 98: Adding The Report Definitions

    Log Manager interface. They must adhere to the file and format requirements of the report plug-ins. For more information about database fields and file and format requirements for report plug-ins, see the Sentinel SDK Web site (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel). Use the following procedure to add or upload a report: 1 Click the more drop-down list in the Report Viewer pane and select Upload.
  • Page 99: Renaming A Report Result

    2 Browse and select the report plug-in file from your local machine. 3 Click Open. 4 Click Upload. 5 If the same report already exists in the report repository, decide based on the report’s unique ID whether to replace the existing report or not. Sentinel Log Manager displays details of both the reports.
  • Page 100 4 Specify a name in the bottom left status pane. 5 Click Rename.
  • Page 101: Marking Report Results As Read Or Unread

    The selected report result is renamed under the report definition. 6.8 Marking Report Results as Read or Unread When a report result is created under a report definition, the report result is in unread state. An unread report result appears with a blue dot next to the report result in the Report Viewer. When you view a report result, the blue dot is removed to indicate that the report has been read.
  • Page 102: Marking Single Report Result As Unread

    6.8.2 Marking Single Report Result as Unread 1 Select a read report result without a blue dot next to it under a report definition in the Report Viewer pane. 2 Click the more drop-down list in the Report Viewer pane and click Mark Unread. The report result changes to the Unread state with a blue dot next to the report result.
  • Page 103: Marking Multiple Report Results As Unread

    If the report results are not selected, the Mark Read link is disabled. If the selected report results are all Unread or a mixture of Read and Unread report results, the Mark Read (x) link is displayed in the Report Viewer pane, where x is the number of selected report results.
  • Page 104 2 A check box is displayed next to each report result in the Report Viewer pane. Click the check boxes to select one or more report results. You can also use the select all link to select all the available report results. To deselect all the selected reports, click the unselect all link.
  • Page 105: Managing Favorite Reports

    3 Click the Mark Unread (x) link. The selected report results change to the unread state with a blue dot next to the report results. 6.9 Managing Favorite Reports Section 6.9.1, “Adding Reports as Favorites,” on page 105 Section 6.9.2, “Removing Favorite Reports,” on page 106 6.9.1 Adding Reports as Favorites You can mark individual report definitions as Favorite.
  • Page 106: Removing Favorite Reports

    The selected report definition is displayed under the Favorite node in the Reports Viewer pane. NOTE: The reports marked as favorites are on a per-user basis. Each user can have a different set of favorite reports. 6.9.2 Removing Favorite Reports 1 Select a report definition from the Favorite node.
  • Page 107: Exporting Report

    .zip option is only available when a report definition is selected. 1 Log in to Novell Sentinel Log Manager. 2 Select a report definition from the Report Viewer pane. 3 Click the more drop-down list in the Report Viewer pane and select the Export Report.
  • Page 108: Deleting Reports

    Section 6.12.3, “Deleting Multiple Report Results,” on page 109 6.12.1 Deleting a Report Definition 1 Log in to Novell Sentinel Log Manager. 2 Select a report definition from the Report Viewer pane. 3 Click the Delete button in the Report Viewer pane.
  • Page 109: Deleting A Report Result

    The selected report definition is deleted from the Report Viewer pane. 6.12.2 Deleting a Report Result 1 Log in to Novell Sentinel Log Manager. 2 Select a report result under a report definition from the Report Viewer pane. 3 Click the Delete button in the Report Viewer pane.
  • Page 110 You can also use the select all link to select all the available report results. To deselect all the selected reports, click the unselect all link. If no report results are selected, the Delete and Mark Read links are disabled. 4 The Delete (x) link in the Report Viewer pane shows the number of selected report results, where x is the number of selected report results.
  • Page 111: Configuring Rules

    For example, each severity 5 event can be e-mailed to a security analyst distribution list or to an administrator. This section describes the event channels and rules that can be used to send events from Novell® Sentinel Log Manager to another system.
  • Page 112: Editing A Rule

    4 Specify a name for the rule. 5 Specify a filter value. The filter value can be the same value required to perform a search. Click the show tips link to use the tag names defined in the table for defining the rule filter. For example, to define a rule that applies to all events with a severity from 3 to 5, use sev:[3 TO 5].
  • Page 113: Deleting A Rule

    2 Click rules in the upper left corner of the page. 3 The Rules tab is displayed on the right pane of the page. The created rules appear on the page. 4 Mouse over the icon to the left of the rule numbering to enable drag-and-drop. The cursor changes.
  • Page 114: Configuring Actions

    (such as “Start”), separated by commas. For example: {"st":"I","evt":"Start","sev":"1","sres":"Collector","res":"CollectorManager","rv99":"0","rv1":"0","repassetid":"0","rv77":"0","agent":"Novell SecureLogin","obsassetid":"0","vul":"0","port":"Novell SecureLogin","msg":"Processing started for Collector Novell SecureLogin (ID D892E9F0-3CA7-102B-B5A1-005056C00005).","dt":"1224204655689","id":"751D97B0-7E13-112B-B933-000C29E8CEDE","src":"D892E9F0-3CA7-102B-B5A2-005056C00004"} The following sections describe how you can add, edit, and delete the actions: Section 7.2.1, “Adding Actions,” on page 115...
  • Page 115: Adding Actions

    To configure the Execute a Script action, you need to specify the path of the script that will be executed. The script must already exist and the novell user must have permissions to execute it. 1 Log in to the Sentinel Log Manager as an administrator.
  • Page 116 If required, click Test to check whether the script exists and the novell user has the required permissions. 9 Click Save. If the action is configured, a message is displayed: Successfully Added Action. The newly created action appears under the Actions tab.
  • Page 117 2 Click rules in the upper left corner of the page. 3 The Rules tab is displayed on the right pane of the page. 4 Select the Actions tab. 5 Click the Add Action link on the right side of the screen. 6 Select the Log to Syslog action type.
  • Page 118 The Email screen appears. 7 Specify an action name. The action name should be unique. 8 Specify the hostname or IP address of an available SMTP server. 9 Specify the port number of an available SMTP server. 10 If the SMTP server requires authentication, specify a username and password. If required, click Test to validate the hostname or IP address, port, username, and password fields.
  • Page 119 Sentinel Link provides the ability to hierarchically link multiple Sentinel systems, including Sentinel Log Manager and the two Sentinel SIEM (Security Information Event Management) systems, Novell Sentinel and Novell Sentinel Rapid Deployment (RD) systems. Sentinel Link provides several benefits: Several Sentinel Log Managers can be linked in a hierarchical manner. Regional or distributed...
  • Page 120 Management system. For more information about configuring Sentinel systems for receiving events, see the Sentinel Link Solution Guide (http://support.novell.com/products/sentinel/zip/utilities/Sentinel-Link_Solution.pdf). 2 Log in to the Sentinel Log Manager as an administrator. 3 Click rules in the upper left corner of the page.
  • Page 121 8 Specify an action name. The action name should be unique. 9 Specify the IP address or hostname of the destination Sentinel system where a Sentinel Link connector is configured. 10 Specify the port number for the Sentinel system. The default port is 1290. If required, click Test to validate the hostname or IP address and port fields.
  • Page 122 11 Select either of the following: Not Encrypted (HTTP): Establish an unsecured connection. Encrypted (HTTPS): Establish a secured connection. If you select the encrypted (HTTPS) option, you are optionally allowed to specify a Server validation mode and an Integrator key pair. Field Description Server Validation...
  • Page 123: Editing An Action

    Repeat alerts interval (minutes): The repeat alert interval is the number of minutes between repeated alerts. The alert is sent repeatedly at this NoEventsReceived interval until Sentinel Link starts receiving events again. 13 In the Maximum Event Queue Size (MB) field, specify the maximum event queue size value in megabytes.
  • Page 124: Deleting An Action

    6 Edit the parameter values for the action. 7 Click Save to save the settings. If the action settings are changed, a message is displayed. Successfully Saved Action 7.2.3 Deleting an Action 1 Log in to the Sentinel Log Manager as an administrator. 2 Click rules in the upper left corner of the page.
  • Page 125: Configuring E-Mail Notification Of Auto-Created Event Sources Without A Time Zone

    6 Click Delete to delete the action. If the action is deleted, a message is displayed: Successfully Deleted Action. The selected action is deleted from the configured action list. 7.3 Configuring E-Mail Notification of Auto-Created Event Sources without a Time Zone When event sources are auto-created without a time zone, it is recommended that an administrator receives a notification so that a time zone can be manually assigned to the event sources, if necessary.
  • Page 126: Configuring Settings For Sending E-Mail

    3 The Rules tab is displayed on the right pane of the page. The Event Source Created With Unspecified Timezone rule is displayed under the Rules tab. 4 To activate the Event Source Created With Unspecified Timezone rule, click the check box next to the rule.
  • Page 127: Forwarding The Events To Another Sentinel System

    You can also change the conditions of the rule to filter more events or remove conditions to filter fewer events. Novell recommends that you configure the rule to forward only those events that you want to store on the Sentinel system for more in-depth reporting and analysis.
  • Page 128: Activating The Forward Events To Another Sentinel System Rule

    7.4.1 Activating the Forward Events To Another Sentinel System Rule The Forward Events To Another Sentinel System rule is installed with Log Manager, but it is in the inactive (off) state. To forward the system events to another Sentinel system, the rule must be activated, and the Sentinel Link Integrator settings must be configured.
  • Page 129: User Administration

    User Administration This section describes the user administration feature of Novell® Sentinel Log Manager. You can add, edit, delete, and grant different user level permissions. You can edit the details of your own user profile. Section 8.1, “Adding a User,” on page 129 Section 8.2, “Editing the User Details,”...
  • Page 130 View reports Add and delete Report Templates and Report results Export all reports Export results Save as report NOTE: A user who has Report Administrator rights cannot access the collections, storage, rules, and users configuration links. Auditor: Selecting this option gives the auditor rights to the users in Sentinel Log Manager system.
  • Page 131: Editing The User Details

    If this is a directory user, the name must match the eDirectory user name (if the directory is eDir) or the sAMAccountName (if the directory is Active Directory). 10 Specify a password in the Password field. 11 Re-enter the password in the Verify field. 12 The Title, Office #, Mobile #, Fax #, and Ext.
  • Page 132: Editing Another User's Profile (Admin Only)

    8.4 Configuring Sentinel Log Manager Server for LDAP Authentication You can enable users to log in to Sentinel Log Manager by using their Novell eDirectory™ username or Microsoft Active Directory* sAMAccountName and password. You do this by configuring a Sentinel Log Manager server for LDAP authentication.
  • Page 133 /opt/novell/Sentinel_log_mgr_1.0_x86-64 LDAP directory: The value is 1 for Novell eDirectory or 2 for Active Directory. The default value is 1. LDAP server hostname or IP address: The hostname or the IP address of the machine where the LDAP server is installed.
  • Page 134 (CA) for the eDirectory/Active Directory tree to a Base64-encoded file. eDirectory: For exporting an eDirectory CA certificate in iManager, the Novell Certificate Server plug-ins for iManager must be installed. For more information on installing an iManager plug-in, see Downloading and Installing Plug-in Modules (http://www.novell.com/...
  • Page 135: Modifying The Ldap Authentication Configuration

    For eDirectory, if no subtree is specified, the search is run on the entire directory. Active Directory: CN=users, DC=TEST AD, DC=provo, DC=novell, DC=com For Active Directory, the subtree cannot be blank. Filename of the LDAP CA certificate: The filename of the eDirectory/Active Directory CA certificate that you...
  • Page 136 IMPORTANT: Modifying the auth.login or .activemqkeystore.jks file incorrectly causes LDAP authentication to fail. The user can also modify the .activemqkeystore.jks file with the keytool java utility available in the Install_Directory/jre/bin directory.
  • Page 137: Managing License Keys

    Licenses are generated based on the plug-in type, vendor, and device name. For example, the Collector.Novell.eDirectory license allows Sentinel Log Manager to collect events only from the eDirectory application, where Collector is the plug-in type, Novell is the Vendor, and eDirectory is the device name.
  • Page 138: Adding A License Key

    NOTE: To add, view, or delete a license, you must have admin rights. Section 9.2.1, “Adding a License Key,” on page 138 Section 9.2.2, “Viewing License Features,” on page 139 Section 9.2.3, “Deleting a License Key,” on page 139 9.2.1 Adding a License Key This section describes the procedure to add a license key either by using the Web UI or through the command line.
  • Page 139: Viewing License Features

    1 Log in to the Novell Sentinel Log Manager server as novell. 2 Change to the directory.
  • Page 141: Command Line Utilities

    Command Line Utilities The command line utilities included with Novell® Sentinel Log Manager are useful for managing and configuring many lower level functions of the system. Section 10.1, “Managing the Sentinel Log Manager Services,” on page 141 Section 10.2, “Sentinel Scripts,” on page 142 Section 10.3, “Getting Sentinel Log Manager .jar Version Information,”...
  • Page 142: Checking The Sentinel Log Manager Version

    3 To check the Sentinel Log Manager service status, run the following command: ./server.sh status 10.1.4 Checking the Sentinel Log Manager Version 1 Log in to the Sentinel Log Manager server by using Sentinel Log Manager’s Administrator Operating System user (by default novell). 2 Go to the Install_Directory/bin directory. 3 To check the Sentinel Log Manager version, run the following command: ./server.sh version...
  • Page 143: Operational Scripts

    To Reconfigure Database Connection Properties 1 Log in to the Novell Sentinel Log Manager server as the novell user on UNIX. 2 Go to the Install_Directory/bin directory. 3 Enter the following command:...
  • Page 144 For UNIX: dbconfig -a Install_Directory/config [-u username] [-p password] [-h hostname] [-t portnum] [-d database] [-s server] [-help] [-version] Other settings in the files that can be adjusted manually (without using dbconfig) are: maxConnections, batchSize, and loadSize. Changing these settings might affect database performance and should be done with caution.
  • Page 145: A Managing Data

    Managing Data Section A.1, “Data Expiration Policy,” on page 145 Section A.2, “Database Users,” on page 145 A.1 Data Expiration Policy This section lists the order in which Sentinel Log Manager chooses to delete data from the archive or from the local storage locations. Sentinel Log Manager deletes the data types in their listed order until the required space is available.
  • Page 147: B Truststore

    Truststore If you are using strict authentication for the connection between Log Manager and the Novell® applications, a truststore can improve data security. A truststore can be created using the Java* “keytool” executable, which comes with any JRE* installation. This truststore holds a public and private keypair that can be used to replace the default certificate that comes with Sentinel Log Manager.
  • Page 149: C Event Fields

    NOTE: The taxonomy values that you can search for in the TaxonomyLevel* and XDAS* fields are documented at the Sentinel Taxonomy Web page (http://developer.novell.com/wiki/index.php/Sentinel_Taxonomy). Some fields are tokenized. Tokenizing also makes it possible to search for an individual word in the field without a wildcard.
  • Page 150 (Table columns: Field, Short Name, Description, Tokenized, Visible in Basic View, Visible in Detailed View) Criticality: The criticality of the asset identified in this event. Reserved for use by customers for customer-specific data. (String) Reserved for use by customers for customer-specific data. (String) Reserved for use by customers for customer-specific data.
  • Page 151 CustomerVar161-170 (cv161-170): Reserved for use by customers for customer-specific data. (Date; Not stored in DB) CustomerVar171-180 (cv171-180): Reserved for use by customers for customer-specific data. (UUID; Not stored in DB) CustomerVar181-190 (cv181-190): Reserved for use by customers...
  • Page 152 EventMetric: An event-dependent numeric value. EventMetricClass (rv28): The class of the event-dependent numeric value. EventName: The descriptive name of the event as reported (or given) by the sensor.
  • Page 153 InitServiceName: The name of the initiating service that caused this event. InitServicePort (spint): The port used by the service/application that initiated the connection. InitThreatLevel (rv34): Initiator threat level. InitUserDepartment (iudep): The department of the identity...
  • Page 154 ProductName: Indicates the type, vendor and product code name of the sensor from which the event was generated. Protocol (prot): The protocol used between the initiating and target services. RepeatCount: The number of times the same event occurred if multiple...
  • Page 155 TargetHostDomain (rv41): The domain portion of the target system's fully-qualified hostname. TargetHostName: The unqualified hostname of the target system. TargetIP: The IPv4 address of the target system. TargetIPCountry (rv30): The country where the IPv4...
  • Page 156 TargetUserIdentity (tuident): The internal UUID of the identity associated with the target account. TargetUserName: The target user's account name (DestinationUsername). TaxonomyLevel1 (rv50): Event code categorization - level 1. Displayed under the event name in the format: TaxonomyLevel1>>...
  • Page 157 XDASIdentifier (xdasid): The XDAS Event Identifier; refer to the XDAS specification. XDASOutcome (xdasoutcome): The XDAS major outcome; success, failure, or denial. XDASOutcomeName (xdasoutcomename): Human-readable XDAS outcome. XDASProvider (xdasprov): The XDAS Provider ID;...
  • Page 159: D Sentinel Log Manager Reports

    Sentinel Log Manager Reports This section lists all the pre-installed reports that are bundled with Novell® Sentinel Log Manager. All Vendors All Products Account Access Assignments All Vendors All Products Account Trust Assignments All Vendors All Products Authentication By Server...
  • Page 160 Extreme Networks Summit Series Password Resets Extreme Networks Summit Series Per Object Modification Extreme Networks Summit Series Per User Modification Extreme Networks Summit Series Self Password Changes Extreme Networks Summit Series User Account Provisioning Generic Event Collector Event Count Trend HP HP UX Account Access Assignments HP HP UX Account Trust Assignments HP HP UX Authentication By Server...
  • Page 161 Juniper Netscreen Series Per Trust Modification Juniper Netscreen Series Per User Modification Juniper Netscreen Series Self Password Changes Juniper Netscreen Series Trust Access Assignments Juniper Netscreen Series Trust Management Juniper Netscreen Series Trust Provisioning Juniper Netscreen Series User Account Provisioning McAfee ePolicy Orchestrator Event Count Trend McAfee Firewall Enterprise Authentication By Server McAfee Firewall Enterprise Authentication by User...
  • Page 162 Nortel VPN Authentication By Server Nortel VPN Authentication by User Nortel VPN Event Count Trend Nortel VPN Trust Access Assignments Novell Access Manager Event Count Trend Novell eDirectory Account Access Assignments Novell eDirectory Account Trust Assignments Novell eDirectory Authentication By Server...
  • Page 163 Novell Open Enterprise Server Per Object Modification Novell Privileged User Manager Event Count Trend Novell Sentinel Link Event Count Trend Novell SUSE Linux Enterprise Server Account Access Assignments Novell SUSE Linux Enterprise Server Account Trust Assignments Novell SUSE Linux Enterprise Server Authentication By Server...
  • Page 164 Red Hat Enterprise Linux Event Count Trend Red Hat Enterprise Linux Password Resets Red Hat Enterprise Linux Per Trust Modification Red Hat Enterprise Linux Per User Modification Red Hat Enterprise Linux Self Password Changes Red Hat Enterprise Linux Trust Management Red Hat Enterprise Linux Trust Provisioning Red Hat Enterprise Linux User Account Provisioning Sourcefire Snort Event Count Trend...
  • Page 165: E Collector Scripts

    Collector documentation. The scripts are located in the setup directory of the Sentinel Log Manager installation directory. oes2sentinelsetup.sh: This script is used in conjunction with the Novell Open Enterprise Server Collector. The script is located in the setup directory of the Sentinel Log Manager installation directory.
  • Page 167: F Syslog Collector Package Policy

    Syslog Collector Package Policy Event sources, Connectors, and Collectors can be auto-created based on policy information contained in installed Syslog Collector packages. These policies are specified in special properties of the connection modes in a SYSLOG connection method. A connection mode might contain an Applications, UniqueMatchingRule, or UniversalSyslogCollector property.