Novell SENTINEL 6.1 SP2 - 02-2010 User Manual page 455

The Event Source, Event Source Server, Collector, and Connector are configuration-related objects
and can be added through the ESM user interface.

Event Source: This node represents a connection to a specific source of data, such as a
specific file, firewall, or Syslog relay, and contains the configuration information necessary to
establish the connection. The health of this node reflects the health of the connection to the
data source. This node sends raw data to its parent Connector node.

Event Source Server: This node represents a deployed instance of a server-type Connector
plug-in. Some protocols, such as Syslog UDP/TCP, NAudit, and others, push their data from the
source to a server that is listening to accept it. The Event Source Server node represents
this server and can be configured to accept data from the protocols supported by the
selected Connector plug-in. This node redirects the raw data it receives to the Event Source
node that is configured to receive data from it.

Collector: This node represents a deployed instance of a Collector Script. It specifies which
Collector Script to use as well as the parameter values with which the Collector should run.
This node sends Sentinel events to its parent Collector Manager node.

Connector: This node represents a deployed instance of a Connector plug-in. It includes the
specification of which Connector plug-in to use as well as some configuration information,
such as "auto-discovery." This node sends raw data to its parent Collector node.
Common Services
All of the components described above in the Collection and Enrichment layer are driven by a set of
common services. These utility services form the fabric of data collection and data enrichment:
they filter noise out of the information (through global filters), apply user-defined
tags that enrich the event information (through the business relevance and taxonomy mapping services),
and govern the functions of the data Collectors (through the command and control services).
Taxonomy:
Nearly all security products produce events in different formats and with varying content. For
example, Windows and Solaris report a failed login differently.
Sentinel's taxonomy automatically translates heterogeneous product data into a common set of meaningful terms,
which allows a real-time, homogeneous view of security across the entire network. Sentinel Taxonomy
formats and filters raw security events before event context is added to the data stream. The result is
security data in the structure best suited for processing by the Sentinel Correlation
engine, as shown in the following diagram.
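To make the data path above concrete (Event Source to Connector to Collector, and then the taxonomy step that turns a Windows failed logon and a Solaris failed login into the same kind of event), here is an added example written for this page. It is not Sentinel code: the node classes are a miniature stand-in for the ESM hierarchy, the taxonomy labels (AUTH_FAILURE, AUTH_SUCCESS) are hypothetical rather than Sentinel's own identifiers, and the two sets of log lines are constructed samples, not captures from real systems.

```python
import re
from collections import Counter

# Hypothetical taxonomy labels for this example. Sentinel's actual taxonomy
# identifiers are not reproduced here.
AUTH_FAILURE = "Authentication/Login/Failure"
AUTH_SUCCESS = "Authentication/Login/Success"

# Windows Security log event IDs (as emitted by the OS) mapped to the taxonomy.
WINDOWS_EVENT_TAXONOMY = {"4624": AUTH_SUCCESS, "4625": AUTH_FAILURE}

# Constructed sample records (not real captures). Same user and source IP
# appear in both products so the cross-product view below has something to join.
SAMPLE_WINDOWS = [
    "EventID=4625 Computer=WS01 TargetUserName=alice IpAddress=10.0.0.5 SubStatus=0xC000006A",
    "EventID=4624 Computer=WS01 TargetUserName=bob IpAddress=10.0.0.9 LogonType=3",
]
SAMPLE_SOLARIS = [
    "Mar 12 10:15:02 sol01 sshd[2211]: Failed password for alice from 10.0.0.5 port 50122 ssh2",
    "Mar 12 10:15:09 sol01 sshd[2211]: Accepted password for bob from 10.0.0.9 port 50130 ssh2",
]

_WIN_KV = re.compile(r"(\w+)=(\S+)")
_SOL_SSHD = re.compile(
    r"^\S+ +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def windows_collector(raw):
    """Collector script for Windows Security log text: raw record -> normalized event or None."""
    fields = dict(_WIN_KV.findall(raw))
    taxonomy = WINDOWS_EVENT_TAXONOMY.get(fields.get("EventID"))
    if taxonomy is None:
        return None  # an event ID this script does not classify; dropped, not mis-tagged
    return {"taxonomy": taxonomy, "product": "Windows", "host": fields.get("Computer"),
            "user": fields.get("TargetUserName"), "src_ip": fields.get("IpAddress"),
            "native_id": fields["EventID"]}


def solaris_collector(raw):
    """Collector script for Solaris sshd syslog lines: raw record -> normalized event or None."""
    m = _SOL_SSHD.match(raw)
    if not m:
        return None  # unparseable or unrelated line
    return {"taxonomy": AUTH_FAILURE if m["result"] == "Failed" else AUTH_SUCCESS,
            "product": "Solaris", "host": m["host"], "user": m["user"],
            "src_ip": m["ip"], "native_id": m["result"]}


class EventSource:
    """Connection to one data source; yields raw records to its parent Connector."""
    def __init__(self, name, records):
        self.name, self.records = name, list(records)

    def read(self):
        yield from self.records


class Connector:
    """Protocol plug-in: passes raw data from its Event Sources up to the Collector unchanged."""
    def __init__(self, sources):
        self.sources = sources

    def raw_data(self):
        for src in self.sources:
            for raw in src.read():
                yield src.name, raw


class Collector:
    """Runs a Collector script over raw data from its Connector and emits normalized events."""
    def __init__(self, script, connector):
        self.script, self.connector = script, connector

    def events(self):
        for source_name, raw in self.connector.raw_data():
            event = self.script(raw)
            if event is not None:
                event["event_source"] = source_name
                yield event


def failed_logins_by_actor(events):
    """Homogeneous view: count AUTH_FAILURE events per (user, source IP) across all products."""
    return Counter((e["user"], e["src_ip"]) for e in events if e["taxonomy"] == AUTH_FAILURE)


def demo():
    """Build two Collector trees, merge their event streams, and summarize failed logins."""
    win = Collector(windows_collector, Connector([EventSource("WS01-seclog", SAMPLE_WINDOWS)]))
    sol = Collector(solaris_collector, Connector([EventSource("sol01-syslog", SAMPLE_SOLARIS)]))
    events = list(win.events()) + list(sol.events())
    return events, failed_logins_by_actor(events)


if __name__ == "__main__":
    for ev in demo()[0]:
        print(ev["product"], ev["native_id"], "->", ev["taxonomy"], ev["user"], ev["src_ip"])
    print(demo()[1])
```

The point of the last function is the one the passage makes: once both products' records carry the same taxonomy label, a downstream consumer can count alice's failures from 10.0.0.5 as two events of one kind without knowing that one came from event ID 4625 and the other from an sshd "Failed password" line. Records a Collector script does not recognize are dropped rather than guessed at, which is the safer default for a normalization step.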
Figure A-10 Sentinel Taxonomy
Sentinel Architecture 455