AUTHORIZED DOCUMENTATION
User Guide
Novell® Sentinel™ Rapid Deployment 6.1
December 2009
www.novell.com
Sentinel 6.1 Rapid Deployment User Guide


Summary of Contents for Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009

  • Page 1 AUTHORIZED DOCUMENTATION User Guide Novell ® Sentinel Rapid Deployment December 2009 www.novell.com Sentinel 6.1 Rapid Deployment User Guide...
  • Page 2 Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
  • Page 3 Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/ trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
  • Page 5: Table Of Contents

    Accessing the Novell Sentinel Web Interface ........
  • Page 6 Sending Mail Messages about Events and Incidents....... . 62 Creating Incidents ............63 Viewing Events That Trigger Correlated Events .
  • Page 7 5 Incidents Tab Understanding an Incident ........... 109 Introduction to User Interface .
  • Page 8 Process Management ............155 6.8.1 Instantiating a Process .
  • Page 9 10 Administration 10.1 Understanding the Admin Tab ..........219 10.2 Introduction to the User Interface .
  • Page 10 11.2.3 Connecting to the Database ......... . 268 11.2.4 Partitions Tab.
  • Page 11 Integration with Novell Identity Manager ........
  • Page 12 17 Advisor Usage and Maintenance 17.1 Understanding Advisor ............379 17.2 Installing Advisor .
  • Page 13 B.3.4 Failing to Drop Online CurrentPartition ........423 B.3.5 Database Space Reached Specified Percent Threshold.
  • Page 14 B.7.11 Rule Deployment is Modified ......... . 443 B.7.12 Rule Deployment Is Started .
  • Page 15 B.14 Data Objects ............. 462 B.14.1 Activity Definition .
  • Page 17: About This Guide

    Please use the User Comments feature at the bottom of each page of the online documentation or go to Novell Documentation Feedback (http://www.novell.com/ documentation/feedback.html) and enter your comments there. Additional Documentation Sentinel technical documentation includes several different volumes: Novell Sentinel 6.1 Rapid Deployment Installation Guide (http://www.novell.com/ documentation/sentinel61rd/s61rd_install/data/index.html) About This Guide...
  • Page 18 In this documentation, a greater-than symbol (>) is used to separate actions within a step and items within a cross-reference path. A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark. When a single path name can be written with a backslash for some platforms or a forward slash for other platforms, the path name is presented with forward slashes to reflect the Linux* convention.
  • Page 19: Managing Sentinel 6.1 Rapid Deployment Through The Web Interface

    Make sure to configure your browser's Languages setting to support the desired language. 5 Click Sign in. 1.2 Applications and Installers Click Applications in the left panel of the Novell Sentinel 6.1 Rapid Deployment Web interface to download the Sentinel components. Managing Sentinel 6.1 Rapid Deployment Through the Web Interface...
  • Page 20 WebStart Figure 1-1 Downloading Options. Table 1-1 Options: Sentinel Control Center (SCC). Description: The Sentinel Control Center allows you to monitor, configure, and control most features of ... Action: 1. Click Launch Control Center. 2. Open SCC with the Java* Web Start Launcher.
  • Page 21: Reporting

    Options: Sentinel Data Manager (SDM). Description: The Sentinel Data Manager allows you to manage the Sentinel database. You can monitor database space utilization, view and ... Action: 1. Click Launch Data Manager. 2. Open SDM with the Java Web Start Launcher. 3. Specify the server, database, host, and port number.
  • Page 22 IMPORTANT: If a report in progress is canceled by using the Cancel link, the query on the database is canceled. Manually Running a Report 1 Click Reports to display the available reports. 2 If desired, click a report definition to expand it. If you see a Sample Report link, you can click View to find out how the completed report looks with a set of sample data.
  • Page 23 Report Parameters Description Run Option Set the schedule for running the report. If you want the report to run later, you must also enter a start time. Now: This is the default. It runs the report immediately. Once: Runs the report once at the specified date and time. Daily: Runs the report once a day at the specified time.
  • Page 24: Viewing Reports

    Report Parameters Description MinSev Specify the minimum severity of events to be included in the report. The range is 0-5. MaxSev Specify the maximum severity of events to be included in the report. The range is 0-5. Email Report To If the report should be mailed to a user or users, specify their e- mail addresses, separated by commas.
  • Page 25 2 Click show parameters to see the exact values used to run the report. For Date Range, D=Current Day, PD=Previous Day, W=Week To Date, PW=Previous Week, M=Month To Date, PM=Previous Month, and DR=Custom Date Range. For Language, en=English, fr=French, de=German, it=Italian, ja=Japanese, pt=Brazilian Portuguese, es=Spanish, zh=Simplified Chinese, and zh_TW=Traditional Chinese.
  • Page 26: Scheduling A Report

    TIP: Report results are organized from newest to oldest. 1.3.3 Scheduling a Report When you run a report, you can run the report immediately or schedule it to be run later, either once or on a recurring basis. For scheduled reports, you must choose a frequency and enter a time at which the report should run.
  • Page 27: Managing Reports

    Any user can add or update reports in Sentinel 6.1 Rapid Deployment. “Downloading New or Updated Reports” on page 27 “Adding New Reports” on page 27 Downloading New or Updated Reports New or updated reports by Novell can be downloaded from the Novell Content Web site (http:// support.novell.com/products/sentinel/secure/identityaudit.html). Adding New Reports Sentinel Rapid Deployment comes preloaded with reports, but new report plug-ins (special .
  • Page 28 No Reports Loaded Figure 1-3 To add a report: 1 Click the Reports button on the left side of the screen. 2 Click the Upload Report button. 3 Browse and select the report plug-in file on your local machine. 4 Click Open.
  • Page 29 Rapid Deployment Web interface. They must adhere to the file and format requirements of the report plug-ins. For more information about database fields and file and format requirements for report plug-ins, see the Sentinel SDK Web site (http://developer.novell.com/wiki/ index.php?title=Develop_to_Sentinel). Renaming Report Results Report results (but not report definitions) can be renamed in the interface.
  • Page 30 Deleting Report Results There are two ways to delete report results. Delete a single report by using the button at the right side of the report result. IMPORTANT: Users with the Run/View Reports or Manage Reports permission can delete the report results. For more information on permissions, see “Reporting” in the Sentinel 6.1 Rapid Deployment Reference Guide.
  • Page 31: Searching Events

    Reports” on page 1.4 Searching Events Novell Sentinel Rapid Deployment provides the ability to search events. The search includes all online data currently in the database, but internal events generated by the Sentinel system are excluded unless you select Include System Events. By default, events are sorted based on the search engine’s relevancy algorithm.
  • Page 32 Basic Search A basic search runs against all of the event fields in Table 1-2 on page 37. Some sample basic searches include the following: root 127.0.0.1 Lock* driverset0 NOTE: If time is not synchronized between the end user machine and the Sentinel Rapid Deployment server (for example, one machine is 25 minutes behind), you might get unexpected results from your search.
  • Page 33 The event summaries are displayed. Advanced Search An advanced search can search for a value in a specific event field or fields. The advanced search criteria are based on the short names for each event field and the search logic for the index. To view the field names and descriptions, the short names that are used in advanced searches, and whether the fields are visible in the basic and detailed event views, see Table 1-2 on page...
  • Page 34: Viewing Search Results

    Special characters must be escaped by using a \ symbol: + - && || ! ( ) { } [ ] ^ " ~ * ? : \ The advanced search criteria are modeled on the search criteria for the Apache* Lucene* open source package.
  • Page 35 Events Indexed but Not Yet in Database Figure 1-7 Event View with Details You can view additional details about any event or events by clicking the details link on the right side of the page. The details for all events on a page can be expanded or collapsed by using the all details ++ or details-- link.
  • Page 36 TIP: This adds the value to your filter with an AND operator. To add the value to your filter with a NOT operator, press the Alt key as you click the value. 3 Click Search. Some fields cannot be selected to refine a search this way: EventTime Message Any field related to the Reporter...
  • Page 37: Event Fields

    1.4.3 Event Fields Each event has fields that might or might not be populated, depending on the specific event. The values for these event fields can be viewed by using a search or running a report. Each field has a short name that is used in advanced searches.
  • Page 38 Table columns: Field, Short Name, Description, Visible in Basic View, Visible in Detailed View. TargetUserID (tuid): User ID of the user who was the target of the event, based on the raw data reported by the device; marked Invisible. TargetUserDomain (rv45): Domain of the user who was the target of the event; marked Invisible.
  • Page 39 Table columns: Field, Short Name, Description, Visible in Basic View, Visible in Detailed View. ObserverHostName: Hostname of the machine that forwarded the event to the security information event management system (for example, the hostname of a syslog server). Invisible in both views: searchable but not displayed in either event view.
  • Page 40 Table columns: Field, Short Name, Description, Visible in Basic View, Visible in Detailed View. DataContext (rv36): Container for the FileName data object (for example, a directory for a file or a database instance for a database table). TaxonomyLevel1 (rv50): Target classification for the event. Displayed under the event name in the format: TaxonomyLevel1>>...
  • Page 41: Sentinel Control Center

    Go to Start > Programs > Sentinel and select Sentinel Control Center. The Sentinel Login window displays. Click Applications in the left panel of the Novell Sentinel 6.1 Rapid Deployment Web interface, then click Launch Control Center: Sentinel Control Center...
  • Page 42: About Sentinel Control Center

    2 Specify your username and password. 3 Click Login. On the first login, the following warning message displays. You must accept the certificate in order to securely log in to the Sentinel Control Center 4 Select Accept, if you want this message to display every time you start Sentinel on your system. To avoid this, you can select Accept Permanently.
  • Page 43: Active Views

    Section 2.2.4, “Analysis,” on page 44 Section 2.2.5, “Admin,” on page 44 Section 2.2.6, “Correlation,” on page 44 Section 2.2.7, “Event Source Management,” on page 44 Section 2.2.8, “Solution Packs,” on page 45 Section 2.2.9, “Identity Integration,” on page 45 2.2.1 Active Views The Active Views tab presents events in near-real time.
  • Page 44: Analysis

    Associate activities with workflow steps Initiate and execute processes 2.2.4 Analysis The Analysis tab is used to run and save an offline query for later quick retrieval of search results. 2.2.5 Admin The Admin tab provides you access to perform the administrative actions and configuration settings in Sentinel.
  • Page 45: Solution Packs

    Add/edit connections to event sources through the configuration wizards View the real-time status of the connections to event sources Monitor data flowing through the Collectors and Connectors Sentinel Collectors The Collectors parse the data and deliver a richer event stream by injecting taxonomy, exploit detection, and business relevance into the data stream before events are correlated and analyzed and sent to the database.
  • Page 46: Menu Bar

    Sentinel Control Center Figure 2-1 2.3.1 Menu Bar The menu bar has the menus required to navigate, perform activities, and change the appearance of the Sentinel Control Center. Menu Bar Figure 2-2 The File, Options, Event Source Management, Windows, and Help menus are always available. The availability of other menus depends on your location in the console and the permissions you have.
  • Page 47 System-Wide Toolbar The system-wide toolbar buttons are: Toolbar Buttons Figure 2-3 Tab-Specific Toolbar Buttons Tab-specific toolbar buttons allow you to perform the functions related to each tab. Tab-Specific Toolbar Buttons Table 2-1 Toolbar View Active Views Correlation Incidents iTRAC Analysis Admin For more information on tab-specific toolbar buttons, see the sections on each of the tabs listed in Section 2.3.3, “Tabs,”...
  • Page 48: Tabs

    2.3.3 Tabs Depending on your access permissions, Sentinel Control Center displays the following tabs. Active Views tab. For more information, see Chapter 3, “Active Views Tab,” on page 53 Correlation tab. For more information, see Chapter 4, “Correlation Tab,” on page 83 Incidents tab.
  • Page 49: Changing The Appearance Of The Sentinel Control Center

    NOTE: This procedure is generic for all the tabs in the Sentinel Control Center. Navigation procedures for tabs are discussed in the relevant sections. 2.3.6 Changing the Appearance of the Sentinel Control Center You can change the Sentinel Control Center’s look by: “Setting the Tab Position”...
  • Page 50: Saving User Preferences

    2.3.7 Saving User Preferences If the user has permissions to save the workspace, they can save the following preferences: Permanent windows that are not dependent on data that was available at the time of their original creation. Active Views Summary displays Window positions Window sizes, including the application window Tab positions...
  • Page 51 2 Click Add. The Attachment Identification window displays. Specify the extension type (such as .doc, .xls, .txt, .html, and so on) and click Browse or type in the application program to launch the file type (such as notepad.exe for Notepad). 3 Click OK.
  • Page 53: Active Views Tab

    Active Views Tab The Active Views tab presents events in near-real time. Section 3.1, “Understanding Active Views,” on page 53 Section 3.2, “Introduction to the User Interface,” on page 54 Section 3.3, “Reconfiguring Total Display Time,” on page 57 Section 3.4, “Viewing Real-Time Events,” on page 57 Section 3.5, “Showing and Hiding Event Details,”...
  • Page 54: Introduction To The User Interface

    A successful login reported by an operating system A customer-defined situation such as a user accessing a file Internal events (an event generated by Sentinel), including: A correlation rule being disabled The database filling up Correlated events You can monitor the events in a tabular form or you can use several different types of charts to perform queries for recent events.
  • Page 55 User Interface Description: The toolbar buttons. Active Views provides two types of views that display the events in tables and graphs. The Table format displays the variables of the events as columns in a table. You can sort the information in the grid by clicking the column name. Active View Tabular Format Figure 3-1 The Graphical format displays events as graphs.
  • Page 56 Gray Line Smallest Possible Display Interval Figure 3-3 If there are more than 750 events per 30-second time period, a red separation line displays indicating that there are more events than are displayed. The other events can be viewed by using Historical Queries. Red Line More Events Displayed Figure 3-4 On saving user preferences, the system continues to collect data for four days.
  • Page 57: Reconfiguring Total Display Time

    You can change labels (column names) to user-friendly names and the new names are populated throughout the system. For more information, see Section 3.15, “Using Custom Menu Options with Events,” on page 3.3 Reconfiguring Total Display Time Active View Properties allows you to configure the cached time in each client. The default cache time value in an Active View is 24 hours.
  • Page 58 After making your selection, you can click Next or Finish. If you select Finish, the following default values are selected: Display Interval and Refresh rate of 30 seconds Total Display Time of 15 minutes Y-axis as Event Count Chart type of Stacked Bar 2D 4 If you click Next, click the down-arrows and fill in the fields: Display Interval and Refresh rate: Display Interval is the time interval to display events.
  • Page 59 The five buttons to the left of the chart perform the following functions: Functions of the Buttons Table 3-2 Buttons Description Lock/Unlock the Chart Used when performing a drill-down, zoom in, zoom out, and zoom to selection, and saving a chart as an HTML file. Increase Display Interval Increases the display time interval for the incoming events.
  • Page 60: Resetting The Parameters And Chart Type Of An Active View

    3.4.1 Resetting the Parameters and Chart Type of an Active View When viewing an Active View, you can reset your chart parameters and change your chart type. 1 Within an Active View displaying a chart, right-click and select Properties. 2 Under the Parameters tab, set the following options: Display Interval: Time between each interval.
  • Page 61: Rotating A 3D Bar Or Ribbon Chart

    3 Under the Chart Types tab, set your chart to Stacked Bar2D, Bar 3D, Line, or Ribbon. 3.4.2 Rotating a 3D Bar or Ribbon Chart 1 Click anywhere on the chart and hold the mouse button. 2 Reposition the chart as desired by moving the mouse and holding the button. 3.5 Showing and Hiding Event Details To show event details: 1 In a Real Time Event Table of the Navigator or in a Snapshot, double-click or right-click an...
  • Page 62: Sending Mail Messages About Events And Incidents

    To hide event details: 1 In a Real Time Event Table of the Navigator or in a Snapshot, with event details displayed in the left panel, right-click an event and click Show Details. The Event Details window closes. 3.6 Sending Mail Messages about Events and Incidents IMPORTANT: Before you send mail by using the Sentinel Control Center, ensure that you have an SMTP Integrator configured with connection information and with the...
  • Page 63: Creating Incidents

    To e-mail an incident: 1 After you save your incident, click the Incidents tab, Incidents > Incidents View. 2 Click the All Incidents option in the Switch View drop-down list located at the bottom right corner. 3 Double-click an incident. 4 Click the Email Incident icon.
  • Page 64: Viewing Events That Trigger Correlated Events

    Vulnerability: Show related asset vulnerabilities Advisor: Asset attack and alert information iTRAC: Under this tab, you can assign a WorkFlow (iTRAC History: Incident history Attachments: You can attach any document or text file with pertinent information to this incident Notes: You can specify any general notes regarding this incident. 3 In the Create Incident dialog box, specify: Title State...
  • Page 65: Investigating An Event Or Events

    3.9 Investigating an Event or Events The right-click option Investigate allows you to: Perform an event query for the last hour on a single event for: Other events with the same target IP address Other events with the same source (initiator) IP address Other targets with the same event name NOTE: You cannot perform a query on a null (empty) field.
  • Page 66: Investigate: Event Query

    3.9.1 Investigate: Event Query This function allows you to perform an event query within the last hour for events similar to the selected event. 1 In a Navigator or Snapshot window, right-click an event, click Investigate, and select one of three options given below: Option Function...
  • Page 67: Historical Event Query

    2 You must specify the From and To fields and click Finish. The Graph Mapper window displays. 3.9.3 Historical Event Query You can query the database for past events through a historical event query. The events can be queried according to the filter and severity criteria in the required batch size. You can export the results in HTML or CSV file format.
  • Page 68: Active Browser

    3 Click the Severity icon. The Select Severity Values window displays. 4 Select one or more values for Severity and click OK. 5 Select a From and To date and time. The time you select corresponds to your system time. 6 Select a batch size. The events queried display in the batch size you specify. If you select a batch size of 100, the first 100 events are displayed in the window.
  • Page 69 The events are grouped according to the meta tags. In these meta tags, various sub categories are defined. The numbers in parentheses against these sub categories display the total number of event counts corresponding to the value of the meta tag. To view events in Active Browser: 1 In the Active Views tab, select the event or events you want to view in Active Browser.
  • Page 70: Viewing Advisor Data

    To add attributes in Active Browser: 1 Click the Add an attribute for categorization icon as shown below: 2 Select an attribute in the Add an Attribute for categorization window that displays. 3 Click OK. 3.10 Viewing Advisor Data The Advisor provides a cross-reference between real-time intrusion detection systems attack signatures and the Advisor's knowledge base of vulnerabilities.
  • Page 71: Viewing Asset Data

    If the DeviceAttackName field is properly populated, a report similar to the one below displays. This example is for a WEB-MISC amazon 1-click cookie theft. 3.11 Viewing Asset Data This function allows you to view and save your view as an HTML file of your Asset report. You must run your asset management Collector to view this data.
  • Page 72: Viewing Vulnerabilities

    Vendor Product Version Contacts Order Name Role Email Phone Number Location Room Rack Address To view Asset Data: 1 In a Real Time Event Table of the Navigator or a Snapshot window, right-click an event or click events >Analyze >Asset Data. A window similar to the one below displays.
  • Page 73 Vulnerability Visualization requires that a vulnerability Collector is running and adding vulnerability scan information to the Sentinel database. The Novell Sentinel Content (http:// support.novell.com/products/sentinel/secure/sentinel61.html) provides Collectors for several industry-standard vulnerability scanners, and additional vulnerability Collectors can be written by using the Sentinel SDK (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel).
  • Page 74 Organic View Figure 3-7 Hierarchical View Figure 3-8 Sentinel 6.1 Rapid Deployment User Guide...
  • Page 75 Circular View Figure 3-9 Orthogonal View Figure 3-10 The graphical display has four panels: Graph panel Tree panel Control panel Details/events panel The graph panel display associates vulnerabilities to a port/protocol combination of a resource (IP address). For example, if a resource has five unique port/protocol combinations that are vulnerable, there are five nodes attached to that resource.
  • Page 76 NOTE: Event mapping takes place only between the selected events and the vulnerability data returned. The tree panel organizes data in the same hierarchy as the graph. The tree panel also allows users to hide/show nodes at any level in the hierarchy. The control panel exposes all the functionality available in the display.
  • Page 77: Ticketing System Integration

    Zoom in and out of selected areas 3.13 Ticketing System Integration Novell provides optional integration modules for BMC Remedy* that allow you to send events from any display screen to one of these external ticketing systems. You can also send incidents and their associated information (asset data, vulnerability data, or attached files) to Remedy.
  • Page 78: Managing Columns In A Snapshot Or Navigator Window

    tracert Whois? You can further assign user permissions to view vulnerability and to perform HP actions. You can add options by using the Event Menu Configuration option on the Admin tab. 3.16 Managing Columns in a Snapshot or Navigator Window To select and arrange columns in a Snapshot or Navigator: 1 With a Snapshot or Navigator window open, click Active View >...
  • Page 79: Taking A Snapshot Of A Navigator Window

    Use the up-arrow and down-arrow buttons to arrange the order of the columns as you want them to display in the Real Time Event Table. The top-to-bottom order of column titles in the Manage Column dialog box determines the left-to-right order of the columns in the Real Time Event Table.
  • Page 80 The Select Incident window displays. 3 Click Search to view a list of incidents with the selected criteria. You can define your criteria to search for a particular incident or incidents in Select Incident window. 4 Select an incident and click Add. Sentinel 6.1 Rapid Deployment User Guide...
  • Page 81 5 Click OK. The event or events selected are added to the incident in the Incidents Navigator. If events are not initially displayed in a newly created incident, it is probably because of a lag in the time between displaying in the Real Time Events window and insertion into the database. If this occurs, it takes a few minutes for the original events to be inserted into the database and display in the incident.
  • Page 83: Correlation Tab

    Correlation Tab Sometimes, an event viewed in the system might not necessarily draw your attention. However, when you correlate a set of similar or comparable events in a given period, it might lead you to a significant event. Sentinel helps you correlate such events with the rules you create and deploy in the Correlation engine so you can take appropriate action to mitigate any alarming situation.
  • Page 84: Technical Implementation

    Correlation relies on the data that is collected, parsed, and normalized by the Collectors, so a working understanding of the data is necessary to write rules. Many Novell® Correlation rules rely on an event taxonomy that ensures that a “failed login” and an “unsuccessful logon” from two devices are classified the same.
  • Page 85: Introduction To The User Interface

    In the Correlation tab, you can: Create/modify Correlation rules and rule folders Deploy Correlation rules on the Correlation engine Create and associate an action to a rule Configure dynamic lists NOTE: Access to the correlation functions can be enabled by the administrator on a user-by-user basis.
  • Page 86: Opening The Correlation Rule Manager

    Section 4.3.3, “Renaming a Rule Folder,” on page 86 Section 4.3.4, “Deleting a Rule Folder,” on page 86 Section 4.3.5, “Creating a Correlation Rule,” on page 86 Section 4.3.6, “Creating Correlation Rules,” on page 87 Section 4.3.7, “Deploying and Undeploying Correlation Rules,” on page 95 Section 4.3.8, “Enabling and Disabling Rules,”...
  • Page 87: Creating Correlation Rules

    3 The Rule Wizard displays. Select one of the following rule types and follow the steps for that particular rule type: Simple Composite Aggregate Sequence Custom/Freeform 4 Define the update criteria for the rule. If you select Continue to perform actions every time this rule fires, the rule fires every time the criteria is met.
  • Page 88 Simple Rule A simple rule is defined by specifying the events that can trigger the rule to fire (for example, firewall events, or firewall events of severity 3 or higher). The filter criteria can be intersected (using the “all” option in the GUI or the “AND” operator in RuleLG) or the filter criteria can be unioned (using the “any”...
  • Page 89 4 Click Add to add additional definitions for this rule. 5 Preview the rule in the RuleLG preview window. For example, filter(e.sev=3) 6 Click Next. The Update Criteria window displays. 7 Enable the update criteria for the rule to fire and click Next. The General Description window displays.
  • Page 90 8 Provide a name for this rule. You have an option to modify the rule folder. 9 Provide rule description and click Next. 10 You have an option to create another rule from this wizard. Select your option and click Next. Aggregate Rule An aggregate rule is defined by specifying a subrule and the number of times the subrule must fire within a specific time window in order to trigger the aggregate rule.
  • Page 91 3 In Aggregate Rule window, click the Add Rule button to select a sub rule to create an aggregate rule. The Add Rule window displays. You can select only one sub rule when creating an aggregate rule. 4 Select a rule and click OK. 5 Set parameters for the rule to fire.
  • Page 92 Composite Rule A composite rule consists of two or more subrules. A composite rule can be defined so that all or a specified number of the subrules must fire within the defined time frame. Composite rules have an optional group by field, which can be any populated field from the events. NOTE: When a subrule is used to create a composite rule, a copy of the subrule is added to the composite rule’s definition.
  • Page 93 11 Provide a rule description and click Next. 12 You have an option to create another rule from this wizard. Select your option and click Next. Sequence A sequence rule is comprised of two or more subrules that must be triggered in a specific order within the defined time frame.
  • Page 94 10 Provide rule description and click Next. 11 You have an option to create another rule from this wizard. Select your option and click Next. Custom or Freeform Correlation Rules The custom or freeform rule option is the most powerful option for creating a correlation rule. This allows the user to create any of the previous types of rules by typing the RuleLG correlation rule language directly into the Correlation Rule Wizard.
  • Page 95: Deploying And Undeploying Correlation Rules

    4.3.7 Deploying and Undeploying Correlation Rules Correlation rules can be deployed or undeployed from the Correlation Engine Manager or the Correlation Rule Manager. You can undeploy all rules or a single rule. The rules can be associated with one or more actions. If no action is selected, a default correlated event is generated with the following values: Default Correlated Event Details Table 4-2...
  • Page 96: Enabling And Disabling Rules

    If nothing is selected, a Correlated event with default values is created. 5 Click Deploy. To undeploy a single rule: 1 In the Correlation Engine Manager, right-click the rule and select Undeploy Rule. In the Correlation Rule Manager, select the rule and click the Undeploy rule link. To undeploy all correlation rules: 1 Open the Correlation Engine Manager window.
  • Page 97: Moving A Correlation Rule

    4.3.11 Moving a Correlation Rule 1 Open the Correlation Rule Manager window and click Manage Folder. 2 Drag a correlation rule from one folder to another. 4.3.12 Importing a Correlation Rule 1 Open the Correlation Rule Manager window and click the Import/Export Correlation Rule icon.
  • Page 98: Exporting A Correlation Rule

    IMPORTANT: If you import a correlation rule that uses the inlist operator, the dynamic list aligned to that rule must exist, or you must create a dynamic list with the same name on the system to which it is imported. 4.3.13 Exporting a Correlation Rule 1 Open the Correlation Rule Manager window and click the Import/Export Correlation Rule icon.
  • Page 99: Adding A Dynamic List

    Regardless of how the values were added, they can be persistent (active until manually removed or until the maximum list size is reached) or transient (active only for a specified time frame after being added to the list, also known as the Time to Live). The Time to Live can range from 60 seconds to 90 days.
  • Page 100: Modifying A Dynamic List

    To make an existing element persistent, select the check box next to the element name in the Dynamic Properties window. 6 Select Transient elements life span, then specify how long transient values remain active in the list. 7 Specify the maximum number of elements. The number defined here limits the number of elements in the list.
  • Page 101 Where e.<tagname> represents a meta tag in the incoming event, such as e.shn (Source Host Name) or e.dip (Destination IP address), and <Dynamic List Name> is the name of an existing Dynamic List, such as CriticalServerList. The following instructions assume that a dynamic list already exists. To add a dynamic list to a correlation rule: 1 Open the Correlation Rule Manager window and select from the drop-down list the folder to which this rule is added.
  • Page 102: Correlation Engine

    4.5 Correlation Engine Section 4.5.1, “Starting or Stopping a Correlation Engine,” on page 102 Section 4.5.2, “Renaming a Correlation Engine,” on page 102 4.5.1 Starting or Stopping a Correlation Engine 1 Open the Correlation Engine Manager window. 2 Right-click a correlation engine and select Start Engine or Stop Engine. 4.5.2 Renaming a Correlation Engine A Sentinel system can have one or more correlation engines.
  • Page 103: Configuring A Correlated Event

    Default Settings (Table 4-4), Field Name / Default Values: Severity; Event Name; Final Event Name; Message: <message>; Resource: Correlation; SubResource: <Rule Name>. 4.6.1 Configuring a Correlated Event (Figure 4-2: Configure Correlated Event) NOTE: This type of action can only be used in Correlation deployments. To override the default values for the correlated event created when a rule fires, an action can be created to populate the following fields in the correlated event: Severity...
  • Page 104: Adding To A Dynamic List

    4.6.2 Adding to a Dynamic List Adding to a Dynamic List Figure 4-3 NOTE: This type of action can only be used in Correlation deployments. This action type can be used to add a constant value or the value of an event attribute (such as Target IP or Initiator User Name) to an existing dynamic list.
  • Page 105: Removing A Value From A Dynamic List

    4.6.3 Removing a Value from a Dynamic List Removing a Value from a Dynamic List Figure 4-4 NOTE: This type of action can only be used in Correlation deployments. This action type can be used to remove a constant value or the value of an event attribute (such as Target IP or Initiator User Name) from an existing dynamic list.
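The dynamic list behaviour described on pages 99 to 101 (persistent versus transient elements, a Time to Live between 60 seconds and 90 days, a maximum list size, and the inlist membership test a correlation rule performs) and the Add/Remove actions on pages 104 and 105 are modelled in the Python below. This is an added example written for this page, not Sentinel's own code: the list names, the events, the timestamps and the rule logic are constructed, and the behaviour of re-adding an existing value (its TTL is refreshed) is an assumption the manual does not state.

```python
"""Model of a Sentinel-style dynamic list and the inlist() membership
check a correlation rule performs against it.  Added example; names,
events and numbers are constructed for illustration."""
import time

TTL_MIN_SECONDS = 60                 # manual: Time to Live lower bound
TTL_MAX_SECONDS = 90 * 24 * 60 * 60  # manual: Time to Live upper bound (90 days)


class DynamicList:
    """Named set of values.  Persistent values stay until removed;
    transient values expire `ttl` seconds after they were added."""

    def __init__(self, name, max_elements, ttl):
        if not TTL_MIN_SECONDS <= ttl <= TTL_MAX_SECONDS:
            raise ValueError("transient TTL must be between 60 s and 90 days")
        self.name = name
        self.max_elements = max_elements
        self.ttl = ttl
        self._expiry = {}  # value -> expiry time, or None for persistent

    def _purge(self, now):
        # Drop transient entries whose Time to Live has elapsed.
        for value, exp in list(self._expiry.items()):
            if exp is not None and exp <= now:
                del self._expiry[value]

    def add(self, value, persistent=False, now=None):
        """Add a value; returns False when the list is already full.
        Re-adding an existing value refreshes its TTL (assumption)."""
        now = time.time() if now is None else now
        self._purge(now)
        if value not in self._expiry and len(self._expiry) >= self.max_elements:
            return False
        self._expiry[value] = None if persistent else now + self.ttl
        return True

    def remove(self, value):
        """Remove-from-dynamic-list action: a no-op if the value is absent."""
        self._expiry.pop(value, None)

    def contains(self, value, now=None):
        now = time.time() if now is None else now
        self._purge(now)
        return value in self._expiry

    def values(self, now=None):
        now = time.time() if now is None else now
        self._purge(now)
        return sorted(self._expiry)


def inlist(event, tag, dlist, now=None):
    """RuleLG-style membership test: is event[tag] currently on the list?"""
    return dlist.contains(event.get(tag), now)


def run_rule(events, dlist, now):
    """Correlation rule: fire on every event whose destination IP (e.dip)
    is on `dlist`; the Add-to-dynamic-list action then records the
    source host name (e.shn) on a second, transient list of suspects."""
    suspects = DynamicList("SuspectHosts", max_elements=100, ttl=3600)
    fired = []
    for ev in events:
        if inlist(ev, "dip", dlist, now):
            fired.append(ev["id"])
            suspects.add(ev["shn"], now=now)
    return fired, suspects


# Constructed sample data (not from the manual).
T0 = 1_700_000_000.0
EVENTS = [
    {"id": 1, "shn": "ws-17", "dip": "10.0.0.5"},
    {"id": 2, "shn": "ws-42", "dip": "10.0.0.6"},
    {"id": 3, "shn": "ws-42", "dip": "10.0.0.7"},
]


def demo(now=T0):
    """Build CriticalServerList with one persistent and one transient
    entry and run the rule over the sample events at time `now`."""
    critical = DynamicList("CriticalServerList", max_elements=3, ttl=3600)
    critical.add("10.0.0.5", persistent=True, now=now)  # stays until removed
    critical.add("10.0.0.6", now=now)                   # transient, one hour
    return critical, run_rule(EVENTS, critical, now)


if __name__ == "__main__":
    critical, (fired, suspects) = demo()
    print("fired at T0:", fired, "suspects:", suspects.values(T0))
    print("fired one hour later:", run_rule(EVENTS, critical, T0 + 3601)[0])
```

Running the block shows the transient entry dropping out after its TTL: at T0 events 1 and 2 fire, an hour later only event 1 does, and a fourth distinct value is refused once the three-element limit is reached.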
  • Page 106: Executing A Command

    4.6.4 Executing a Command Executing a Command Figure 4-5 NOTE: This type of action can only be used in Correlation deployments. This action type can be used to execute a command when a correlated event triggers. You can set the following parameters: Command: Arguments: This can include constants or references to an event attribute in the last event, the one that caused the rule to fire. Because attribute values such as user names or host names originate from the event source rather than from Sentinel, the command you run should treat those arguments as untrusted input.
  • Page 107: Creating An Incident

    4.6.5 Creating an Incident Configure Action:Create Incident Figure 4-6 NOTE: This type of action can only be used in Correlation deployments. This action type creates an incident whenever a correlated event fires. You can also initiate an iTRAC workflow process for remediation of that incident. For more information about the values of the following parameters, see Chapter 5, “Incidents Tab,”...
  • Page 108: Sending An E-Mail

    4.6.6 Sending an E-mail Configure Action: Send Email Figure 4-7 NOTE: This type of action can only be used in Correlation deployments. This action type can be used to send an e-mail when a correlated event triggers. The various parameters available are: Parameters Table 4-7 Option...
  • Page 109: Incidents Tab

    Incidents Tab In Sentinel, a set of related events (for example, a possible attack) can be grouped together to form an incident. An incident in the Open state alerts you to investigate, resolve, and close the incident. For example, the resolution to an attack might be to close a port, block a source IP, or rebuild a machine.
  • Page 110: Incident View

    User Interface Description The Navigation Tree in the Navigation pane The toolbar buttons 5.2.1 Incident View In the Incident View Manager, you can view the list of incidents and the parameters you specified when adding an incident. To open the Incident View Manager: 1 Click Incidents on the menu bar and select Display Incident Views or click the Display Incident View button in the toolbar 5.2.2 Incident...
  • Page 111: Manage Incident Views

    Add/Edit Incident Figure 5-1 Events: Lists events attached to this incident. You can attach events to incidents in an Active View Assets: Lists assets affected by the events of this incident. Vulnerability: Lists asset vulnerabilities. Advisor: Displays asset attack and alert information. iTRAC: Allows you to add a workflow to an incident from the iTRAC tab.
  • Page 112 2 Open the view options by doing one of the following: Click the down-arrow on the Manage Views button located in bottom right corner of the window and select Add View. Click the down-arrow on the Manage Views button located in the bottom right corner of the window, select Manage Views and then click the Add View button.
  • Page 113 Sort By: Set rules to sort the incidents in the display view.
  • Page 114: Modifying A View

    Filter: Set incident filters. Only the incidents that match your filter display in the view. Leaf Attribute: Select an attribute from the list that is displayed as the first column in the incident view. 4 Click Save. 5.3.2 Modifying a View 1 Click Incidents >...
  • Page 115: Deleting A View

    5.3.3 Deleting a View 1 Click Incidents > Incident View Manager or click the Display Incident View button on the toolbar. 2 Click the down-arrow next to the Manage Views button located in bottom right corner of the screen and select Manage View from the list. The Manage View window displays. Select a view and click Delete.
  • Page 116: Viewing An Incident

    2 Specify the following information: Title: Specify the title of the incident. State: To set state of the incident, select from the drop-down list. Severity: To indicate the severity of the incident, select from the drop-down list. Priority: To indicate the priority of the incident, select from the drop-down list. Category: Specify the category of the incident.
  • Page 117: Adding Notes To Incidents

    2 In the Incident window, click the iTRAC tab. 3 Select an iTRAC process from the drop-down list. 4 Click Save. NOTE: You can attach only one process to an incident. 5.4.4 Adding Notes to Incidents 1 In the Incident window, click the Notes tab. 2 Click Add.
  • Page 118: Executing Incident Actions

    5 Click OK, then click Save. Right-click the attachment to view or save. 5.4.6 Executing Incident Actions Any configured JavaScript action or iTRAC activity can be executed on an incident. 1 Open an incident. 2 Click Actions > Execute Incident Action or click the Execute Incident Action icon.
  • Page 119: E-Mailing An Incident

    To mail an incident by using the preinstalled Email Incident action, you must have an SMTP Integrator configured with valid connection information and with the SentinelDefaultEMailServer property set to “true”. For more information, see the SMTP Integrator documentation available at Novell Sentinel Content Web site (http://www.novell.com/documentation/sentinel61). 1 Open an incident.
  • Page 120: Modifying Incidents

    3 Provide the following: Email Address Email Subject Email Message 4 Select which HTML attachments should be included in the mail message, such as the events included in the incident, assets, vulnerabilities, Advisor attacks, incident history, attachments, and notes. 5 Click OK. 5.4.8 Modifying Incidents 1 Click the Incident tab, then click Incidents >...
  • Page 121: Deleting Incidents

    5.4.9 Deleting Incidents 1 Click the Incident tab, then click Incidents > Display Incident View Manager, or click the Display Incident View button on the toolbar. The Incident View window displays. 2 Right-click the incident you want to delete and select Delete. 3 A confirmation message displays.
  • Page 123: Itrac Workflows

    iTRAC Workflows The iTRAC workflows are designed to provide a simple, flexible solution for automating and tracking an enterprise’s incident response processes. iTRAC leverages the Sentinel internal incident system to track security or system problems from identification (through correlation rules or manual identification) through resolution.
  • Page 124: Introduction To The User Interface

    Major Components of iTRAC Table 6-2 Step A step is an individual unit of work within a workflow; there are manual steps, decision steps, command steps, mail steps, and activity-based steps. Each step displays as an icon within a given workflow template. Transition A transition defines how the workflow moves from one state (activity) to another.
  • Page 125: Template Manager

    User Interface Description The Navigation Tree in the Navigation pane The toolbar buttons 6.3 Template Manager The Template Manager can be used to create, view, modify, copy, or delete a template. Within the Template Manager you can add, delete, copy, view, and edit templates. Templates can be sorted into folders for easy management. In the Template Manager, you can: Create new workflow templates...
  • Page 126: Template Builder Interface

    ConditionalTransitionExample CommandExample 6.4 Template Builder Interface Template Builder Interface Figure 6-2 The following panes display in the Template Builder window: Process Tree: This pane displays the steps, transitions and variables added to the template. Users can add steps or variables, and edit or remove steps, variables and transitions. To perform an action on a step, variable or transition: Expand the relevant group in the Tree.
  • Page 127: Creating Templates

    Step Palette: There are four types of steps in the Step Palette. You can drag and drop the steps into the Process pane. Decision Step Mail Step Manual Step Command Step Activities: The activities added in the Activity Manager are shown in this pane and can be added to a workflow template.
  • Page 128: Managing Templates

    4 In the Process Details window, provide a name and description (optional) of the template and click OK. 5 Do one of the following: Drag and drop a step from the Step Palette or an activity from the Activities pane into the Process window.
  • Page 129: Steps

    “Copying Templates” on page 129 “Deleting Templates” on page 129 Viewing/Editing Templates 1 In the Navigator, click iTRAC Administration > Template Manager. 2 Select a template and click View/Edit. The Template Builder displays. Copying Templates One way to create a new workflow template is to copy one of the default templates and modify it. 1 Click the iTRAC tab.
  • Page 130: Start Step

    Section 6.5.3, “Decision Step,” on page 134 Section 6.5.4, “Mail Step,” on page 134 “Command Step” on page 134 Section 6.5.6, “Activity Step,” on page 135 Section 6.5.7, “End Step,” on page 136 Section 6.5.8, “Adding Steps to a Workflow,” on page 136 Section 6.5.9, “Managing Steps,”...
  • Page 131 NOTE: If the value is going to be used later as part of a decision step, it should be marked “Required.” For example, an integer variable can be set by the user to hold the event rate. Output transitions from the manual step can be defined so that if the event rate is greater than 500, one path is followed;...
  • Page 132 Integer Variable: String Variable:
  • Page 133 Float Variable: 6 Click OK.
  • Page 134: Decision Step

    6.5.3 Decision Step This type of step selects between exit transitions depending on the values of variables defined in prior steps. See Section 6.5.2, “Manual Step,” on page 130 for the available variable types. The decision step itself is very simple; you can edit only the step name and description. The workflow path is determined by the transitions.
  • Page 135: Activity Step

    Arguments (Can be explicit or variable-driven) Output Variable NOTE: The command must be stored in the <Install_directory>/config/exec directory on the iTRAC workflow server. Symbolic links are not supported. Variables The command output can also be used to set a variable to the appropriate values. Command steps must use String variable types.
  • Page 136: End Step

    NOTE: If the first step of a workflow fails without an error transition, the iTRAC process cannot proceed. 6.5.7 End Step Every workflow template must have an End step to complete every branch of the workflow path. 6.5.8 Adding Steps to a Workflow Steps can be added to a workflow by using the Step Palette or by using a right-click in the Process Builder.
  • Page 137 “Modifying Steps” on page 137 “Deleting Steps” on page 140 Copying Steps 1 Click the iTRAC tab. 2 In the Navigator, click iTRAC Administration > Template Manager. 3 Select an existing template, then click View/Edit.The iTRAC Process Builder window displays. 4 Select an existing step, right-click, and select Copy Step.
  • Page 138 2 Provide a name for the step. 3 Attach a role to this step by selecting a role from the drop-down list. For more information on roles, see Chapter 10, “Administration,” on page 219. 4 Click Associate to associate a variable; select the variable from the list or create new variables to be associated.
  • Page 139 2 Provide a name. 3 Click the Description tab to provide a description for this step. 4 Click OK. To edit a mail step: 1 Right-click a mail step and select Edit Step. 2 Provide a name for the step. 3 Provide To and From mail addresses and a Subject in the General tab.
  • Page 140 2 Provide a name for this step. 3 Specify the path and name of the command or script to execute, relative to <Install_directory>/config/exec. 4 If you want to run a command or script referenced in a variable that is populated during the workflow process, select the Use Variables check box.
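The note on page 135 and step 3 on page 140 restrict a command step to files under <Install_directory>/config/exec, given as a relative path, with symbolic links unsupported. The Python below is an added example of how such a containment check can be written before a workflow server executes anything; it is not Sentinel's implementation. The install directory layout, the script and the file outside the exec directory are constructed by make_demo_install() purely for the demonstration.

```python
"""Containment check for an iTRAC-style command step: the command must
sit below <Install_directory>/config/exec, be given relative to that
directory, and must not be reached through a symbolic link.  Added
example; the directory layout it tests against is constructed."""
import os
import stat
import tempfile


def resolve_exec_command(install_dir, command):
    """Return the absolute path of `command` (relative to config/exec),
    or raise ValueError if it is absolute, climbs out of the exec
    directory with '..', or passes through a symbolic link."""
    exec_dir = os.path.realpath(os.path.join(install_dir, "config", "exec"))
    if os.path.isabs(command):
        raise ValueError("command must be given relative to config/exec")
    parts = [p for p in os.path.normpath(command).split(os.sep)
             if p not in ("", os.curdir)]
    if not parts or os.pardir in parts:
        raise ValueError("command path may not be empty or contain '..'")
    path = exec_dir
    for part in parts:  # check every component, not just the leaf
        path = os.path.join(path, part)
        if os.path.islink(path):
            raise ValueError("symbolic links are not supported: %s" % path)
    # Belt and braces: the fully resolved path must still be inside exec_dir.
    if os.path.commonpath([exec_dir, os.path.realpath(path)]) != exec_dir:
        raise ValueError("command escapes config/exec")
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    return path


def make_demo_install():
    """Create a throwaway <Install_directory> with one script, a symlink
    to it and one file outside config/exec (constructed test data)."""
    install = tempfile.mkdtemp(prefix="sentinel-demo-")
    exec_dir = os.path.join(install, "config", "exec")
    os.makedirs(exec_dir)
    script = os.path.join(exec_dir, "notify.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho notified\n")
    os.chmod(script, os.stat(script).st_mode | stat.S_IXUSR)
    os.symlink(script, os.path.join(exec_dir, "notify-link.sh"))
    with open(os.path.join(install, "config", "secret.txt"), "w") as fh:
        fh.write("not a command\n")
    return install


def check(install_dir, command):
    """Return ('ok', path) or ('rejected', reason) for a step's command."""
    try:
        return "ok", resolve_exec_command(install_dir, command)
    except (ValueError, FileNotFoundError) as err:
        return "rejected", str(err)


if __name__ == "__main__":
    install = make_demo_install()
    for cmd in ("notify.sh", "notify-link.sh", "../secret.txt", "/bin/sh"):
        print(cmd, "->", check(install, cmd))
```

Only the plain relative name is accepted; the symlink, the traversal into config/, and the absolute path are each rejected with a reason the workflow designer can act on.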
  • Page 141: Transitions

    6.6 Transitions Transitions are used to connect steps. There are several types of transitions: Unconditional Conditional Timeout Alert Else Error A transition can have the following attributes: Name Description Destination Expression Timeout Values Different steps have different properties and therefore they are associated with different transition types.
  • Page 142: Conditional Transitions

    To add an unconditional transition: 1 Open the Process Builder. 2 Right-click an existing step and select Add Transition. 3 Specify a name for the transition. 4 Select Unconditional from the Transition Type list. 5 Click the down-arrow for the Destination field and select a step. 6 Provide a description for this transition and click OK.
  • Page 143 5 Specify the destination step. 6 Click Set to add an expression. The empty Expression window displays. 7 Click EXP to add the first expression. The evaluation expression is an expression that evaluates to TRUE or FALSE during the workflow process. Select the appropriate drop-down list under Relations to compare a variable to a constant value (Variables and Values) or to another variable (Variables and Variables).
  • Page 144 8 Select a variable from the Attribute drop-down list or add a new one if desired. 9 Select a condition from the Condition drop-down list. The condition list varies depending on the type of Attribute variable chosen. String Variable Conditions: Integer and Float Variable Conditions:
  • Page 145 Boolean Variable Conditions: 10 Set the value. 11 Click OK. 12 If a second expression is desired, select the root folder. 13 Repeat steps 7-12 as needed. 14 By default, all expressions at the root level are separated by AND operators. To nest expressions or to use the OR operator, click the appropriate operator button and drag and drop expressions onto that operator.
  • Page 146: Else Transitions

    15 When the expression is complete, click You can edit or delete an existing expression using the Edit and Delete buttons in the Expression window. 16 Click OK. The expressions you provided display in the Transition window under the Expression section. 17 Provide a description for your transition and click OK. 6.6.3 Else Transitions An Else transition leads to a path that is taken from a decision step when the criteria for the Conditional transitions are not met.
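The decision step on page 134, the conditional transition expressions on pages 143 to 146 (a variable compared to a constant or to another variable, root-level expressions joined by AND, nested expressions under an OR operator) and the Else transition above are modelled by the Python below. It is an added example, not Sentinel's iTRAC engine: the condition names, the variable names (event_rate, rate_threshold, asset_class, confirmed), the step names and the transitions are all constructed, and the event-rate-over-500 case is taken from the example on page 131. A variable a manual step never set raises MissingVariable, which is the failure the page's advice to mark such variables Required is meant to prevent.

```python
"""Evaluator for the expression tree behind an iTRAC-style decision step:
leaf comparisons joined by AND/OR nodes, a list of Conditional
transitions tried in order, and an Else transition as fallback.
Added example; names and conditions are constructed."""
import operator


class MissingVariable(KeyError):
    """A decision step referenced a variable no earlier step populated."""


# Conditions offered per variable type.  The manual only says the list
# varies by type; these labels are assumptions, not Sentinel's own.
STRING_CONDITIONS = {
    "equals": operator.eq, "not equals": operator.ne,
    "contains": lambda a, b: b in a, "starts with": str.startswith,
}
NUMERIC_CONDITIONS = {
    "=": operator.eq, "!=": operator.ne, ">": operator.gt,
    "<": operator.lt, ">=": operator.ge, "<=": operator.le,
}
BOOLEAN_CONDITIONS = {
    "is true": lambda a, _: a is True, "is false": lambda a, _: a is False,
}


def exp(attribute, condition, value, is_variable=False):
    """Leaf: compare a workflow variable to a constant, or to another
    variable when is_variable is set (Variables and Variables)."""
    return {"kind": "exp", "attr": attribute, "cond": condition,
            "value": value, "var": is_variable}


def and_(*children):
    return {"kind": "and", "children": list(children)}


def or_(*children):
    return {"kind": "or", "children": list(children)}


def _conditions_for(value):
    if isinstance(value, bool):          # bool before int: True is an int
        return BOOLEAN_CONDITIONS
    if isinstance(value, (int, float)):
        return NUMERIC_CONDITIONS
    if isinstance(value, str):
        return STRING_CONDITIONS
    raise TypeError("unsupported variable type: %r" % type(value))


def evaluate(node, variables):
    """Evaluate an expression tree to True or False."""
    if node["kind"] == "and":
        return all(evaluate(c, variables) for c in node["children"])
    if node["kind"] == "or":
        return any(evaluate(c, variables) for c in node["children"])
    try:
        left = variables[node["attr"]]
        right = variables[node["value"]] if node["var"] else node["value"]
    except KeyError as missing:
        raise MissingVariable(missing.args[0]) from None
    return _conditions_for(left)[node["cond"]](left, right)


def next_step(transitions, else_destination, variables):
    """Decision step: the first Conditional transition whose expression
    is TRUE wins; if none is, the Else transition is taken."""
    for _name, expression, destination in transitions:
        if evaluate(expression, variables):
            return destination
    return else_destination


# Constructed transitions for a decision step that follows a manual step.
TRANSITIONS = [
    ("high rate", exp("event_rate", ">", 500), "Escalate"),
    ("critical asset",
     and_(exp("asset_class", "equals", "critical"),
          or_(exp("event_rate", ">", "rate_threshold", is_variable=True),
              exp("confirmed", "is true", None))),
     "Escalate"),
]
ELSE_DESTINATION = "Monitor"


def decide(variables):
    return next_step(TRANSITIONS, ELSE_DESTINATION, variables)


if __name__ == "__main__":
    print(decide({"event_rate": 600, "rate_threshold": 100,
                  "asset_class": "lab", "confirmed": False}))
    print(decide({"event_rate": 150, "rate_threshold": 100,
                  "asset_class": "lab", "confirmed": False}))
```

Expressions at the root of TRANSITIONS[1] are ANDed, the nested pair is ORed, and the order of the list is the order in which the conditional transitions are tried, which is what makes the Else transition a true fallback rather than a default.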
  • Page 147: Alert Transitions

    Step_accepted_time is the time when a user accepts (or takes ownership) of the worklist item for this step. If the timeout time period passes without the step being completed, control moves to the next step. Timeout transitions can be set for a manual step or a command step. Step_accepted_time is only relevant for manual steps and should not be selected for a command step.
  • Page 148: Error Transition

    6 Specify the Alert Time value, in minutes, hours, or days. Click OK. 7 Provide a description for your transition and click OK. 6.6.6 Error Transition An Error transition leads to a path that is taken if an automated step cannot successfully complete. Error transitions can be used for command, mail, and activity steps (for example, if a command step fails to execute).
  • Page 149: Activities

    7 Edit as needed. 8 Click OK until you exit the Transitions window. 9 Click Save. Deleting Transitions 1 Click iTRAC tab. 2 In the Navigator, click iTRAC Administration > Template Manager. 3 Select an existing template, then click View/Edit. The iTRAC Process Builder window displays.
  • Page 150: Incident Command Activity

    Section 6.7.5, “Creating iTRAC Activities,” on page 151 Section 6.7.6, “Managing Activities,” on page 154 Activity Pane Figure 6-3 iTRAC activities can be used in iTRAC templates to define a workflow step, or they can be manually executed from within an incident. Sentinel provides three types of actions that can be used to build Activities: Section 6.7.1, “Incident Command Activity,”...
  • Page 151: Incident Internal Activity

    6.7.2 Incident Internal Activity An incident internal activity enables you to mail or attach information from the Sentinel database to the incident associated with the workflow process. Each of these options has a prerequisite. Vulnerability for the Initiator IP address (SIP) or the Target IP address (DIP): This requires that you run a vulnerability scanner and bring the results of the scan into Sentinel by using a Vulnerability (or “information”) Collector.
  • Page 152 6 (Conditional) If you selected an incident command activity, configure the settings: 6a In the Command Arguments Wizard, specify the command. 6b Provide the arguments for this command. You can select None, Incident Output (Values from the Drop-down list), or specify Custom values. 6c Click Next.
  • Page 153 6d (Optional) Configure an incident command activity to e-mail the output to a specific address or attach the output to the incident associated with the workflow process in this window. 6e Select Mail and specify the To and From e-mail address and subject. 6f Select Attach to Incident, if required.
  • Page 154: Managing Activities

    7c Click Next. 7d Select your options (Mail and attach). 7e If you select Mail, you are prompted to provide To and From e-mail address and subject. Provide this information and click Next. View and confirm the details you chose in the Summary page and click Finish. 8 (Conditional) If you selected an incident composite activity, configure the settings: 8a Select the activities from the list of available activities and click Next.
  • Page 155: Process Management

    2 In the Navigator, click iTRAC Administration > Activity Manager. 3 Click the Import/Export Activity icon. The Import/Export Wizard window displays. 4 Select Export Activity and click Explore. 5 Navigate to where you want to save your exported file. 6 Click Next. 7 Select one or more activities to be exported.
  • Page 156: Instantiating A Process

    Process execution is the time period during which the process is operational, with process instances being created and managed. When an iTRAC process is executed or instantiated in the iTRAC server, a process instance is created, managed, and eventually terminated by the iTRAC server in accordance with the process definition.
  • Page 157: Manual Step Execution

    6.8.3 Manual Step Execution On encountering a manual step, the iTRAC server sends out notifications in the form of work items to the assigned resource. If the step was assigned to a role, a work item is sent to all users within the role.
  • Page 158: Changing Views In The Process Manager

    The current step is highlighted in red. 5 Close the window. 6.8.6 Changing Views in the Process Manager 1 Click the iTRAC tab. 2 Click the Display Process Manager icon. 3 Click the drop-down list in Manage View and select Edit Current View option.
  • Page 159: Starting Or Terminating A Process

    4 In the View Option window, set the following options as necessary: Fields Group by Sort Filter Tree Display 5 Click Apply and Save. The following is view with Tree Display set to Status (running and not started). 6.8.7 Starting or Terminating a Process 1 Click the iTRAC tab.
  • Page 161: Work Items

    Work Items A work item is a workflow task assigned to a particular user or role in the iTRAC application. The individual activities to be performed to complete an iTRAC process are listed as work items in the Work Item Summary in the Sentinel Control Center.
  • Page 162 Work Item Summary Example Figure 7-2 To view a work item: 1 In the Work Item Summary, click the yellow or green bar. A work item list for the group or the current user displays and shows the name and ID of the incident, the workflow process name, and the step name and description 2 Double-click any work item and click View Details.
  • Page 163 4 Click Incident to view the details of the associated incident. 5 To take responsibility for this work item, click Acquire. Otherwise, click Cancel. NOTE: Any changes to the incident from this screen must be saved. There is a Save button on the toolbar and another Save button at the bottom of the screen.
  • Page 164: Processing A Work Item

    The information on the Process Details and Process Overview tabs is defined by the iTRAC workflow designer. For more information on creating workflow templates, see Chapter 6, “iTRAC Workflows,” on page 123. 7.2 Processing a Work Item A work item can be accessed from any part of the main tabbed Sentinel Control Center interface. You can process a work item in a group even if you have logged in as a different user.
  • Page 165: Managing Work Items Of Other Users

    Work item assigned to a group (role) Work item assigned to the user under the Analyst role. When you acquire (accept) a work item, it is removed from the queue of all other users in the same role. The work item can be returned to the group by clicking Release. 3 Click View Details.
  • Page 166 3 In the Work Items window, set the following: User: Name of the user that has acquired the process Group: Name of the group that the user belongs to. In the above example, the user belongs to the Analyst group. Owner Select either <All>...
  • Page 167: Analysis Tab

    The toolbar buttons 8.1.1 Top Ten Dashboard The following Top 10 dashboards are available in Sentinel 6.1 and can be downloaded from the Sentinel Content page (http://support.novell.com/products/sentinel/secure/sentinel61.html): Top 10 Target IP Addresses Top 10 Initiating IP Addresses Top 10 Target Host Names...
  • Page 168 Top 10 Initiating User Names Top 10 Target Port Names Top 10 Event Names The Top 10 dashboards are enabled by default, and the following summaries are turned on to enable the Top 10 dashboards: EventDestSummary EventSevSummary EventSrcSummary If Top 10 dashboards are not needed, you can disable these summaries, or you can enable additional summaries in order to use them for reporting.
  • Page 169: Offline Query

    5 Right-click DAS_Binary and select Restart. 8.2 Offline Query An offline query is most often used to run queries against large amounts of data. An offline query continues to run even after the user logs out of the Sentinel Control Center, if necessary. NOTE: You can view the result of your query only after it is completely processed.
  • Page 170: Viewing, Exporting, Or Deleting An Offline Query

    3 Provide a query name, then select an existing filter to be used for generation of offline query. For more information on the selection and creation of filters see Chapter 3, “Active Views Tab,” on page 4 Select the start date and end date for which you want to generate an offline query. 5 Specify the description in the Description tab.
  • Page 171: Event Source Management

    Event Source Management The Event Source Management (ESM) panel provides a set of tools to manage and monitor connections between Sentinel and the event sources that are providing data to Sentinel. The graphical interface shows at a glance the current event sources and the software components that are processing data from that event source.
  • Page 172: Plug-In Repository

    Some plug-ins, such as database Connectors, require one or more auxiliary files in order to function. Auxiliary files are typically files that cannot be shipped by Novell within the standard plug-in, such as user-specific configuration files or third-party libraries that require specific licenses. In all cases the documentation for the plug-in includes detailed instructions about which auxiliary files are necessary and where they can be obtained.
  • Page 173: Menu Bar

    Event Source Management Live View Figure 9-1 9.2.1 Menu Bar The menu bar has File, View, Tools, and Help options. Event Source Management Menu Bar Figure 9-2 The following are the options available in each of the menus, as described in this document: File Export Configuration...
  • Page 174: Toolbar

    Help About Help 9.2.2 Toolbar Event Source Management User Interface Table 9-1 User Interface Description Launch the wizard for connecting to a new event source Import/Export, Reload Event Source Management configurations, and plug-ins. The toolbar contains several tools for displaying objects in ESM. You can zoom the entire graphical view in and out, or zoom directly to a selected region.
  • Page 175: Frames

    You can increase or decrease the magnification factor with the following key combinations: To increase the size of the magnifying glass cursor: Ctrl key + backward scrolling of the mouse wheel To decrease the size of the magnifying glass cursor: Ctrl key + forward scrolling of the mouse wheel To Zoom in: Forward movement of the mouse wheel To Zoom out: Backward movement of the mouse wheel...
  • Page 176 Hierarchy Filter The Hierarchy filter sets the display based on the hierarchy you select in this frame. It allows the user to filter the nodes that are displayed in the graphical and tabular view based on the node hierarchy. All children and parents of selected nodes are shown. Hierarchy Filter Frame Figure 9-4 To set Hierarchy filter for displaying components:...
  • Page 177 Connector Frame Icons Table 9-2 Icon Name Description Adds Connectors to the system. Delete Deletes Connectors. Refresh Refreshes the list. Add Auxiliary Files Adds auxiliary files. For more information, see Auxiliary Files. To add Connector plug-ins: 1 In Sentinel Control Center, click Event Source Management in the menu bar and select Live View or Scratch Pad.
  • Page 178 Icon Name Description Add Auxiliary Files Adds auxiliary files. For more information, see Section 9.1.3, “Auxiliary Files,” on page 172. To add Collector plug-ins: 1 In Sentinel Control Center, click Event Source Management in the menu bar and select Live View or Scratch Pad.
  • Page 179 Status Details This frame displays the status details of a selected component in the Health Monitor Display frame. Available status information includes the current state, the number of bytes processed, the number of records sent, the number of Sentinel events sent, and various other status and statistical information. NOTE: The status information varies based on the type of component that is selected.
  • Page 180: Live View

    Overview Frame Figure 9-10 9.3 Live View The ESM panel provides the main user interface to Event Source Management. You can view configuration data in a graphical or tabular view. 9.3.1 Graphical ESM View The graphical view of ESM is the default view in Event Source Management. In the graphical view, you can view the status of a Collector and access the configuration settings of Collectors and Collector related objects as a graph of connected nodes.
  • Page 181 Collapsed/Expanded nodes: To improve the manageability and performance of the graphical display, Sentinel automatically contracts any node with 20 or more immediate children. This is especially useful for Connectors such as Syslog or Novell Audit that have the ability to automatically configure a large number of event sources.
  • Page 182: Tabular Esm View

    If you choose not to show this message again, the preferences are saved on that machine and any user logging into Sentinel from that machine does not get an alert again. 9.3.2 Tabular ESM View The components visible in the graphical view of ESM can also be viewed in tabular format. In the tabular view, you can view the status of a Collector in a table and access the configuration settings of Collectors and Collector-related objects.
  • Page 183 Move: Moves the selected object from its current parent object to another parent object. You can move objects between the views; that is, move from the Live View to the Scratchpad and vice versa. Clone: Creates a new object that has its configuration information prepopulated with the settings of the currently selected object.
  • Page 184: Components Of Event Source Hierarchy

    Remove selected objects: Removes the selected object along with its children TIP: Press Shift and click the object to select multiple objects. 9.4 Components of Event Source Hierarchy ESM displays the information on the Collectors and other components in a hierarchy specific to ESM.
  • Page 185: Component Status Indicators

    Icon Name Description Event Source The event source represents the actual source of data for Sentinel. Server Unlike other components this is not a plug-in, but is a container for metadata, including runtime configuration, about the event source. In some cases a single event source could represent many real sources of event data, for example if multiple devices are writing to a single file.
  • Page 186: Adding Components To The Event Source Hierarchy

    4 Select the component type by which to limit the view. 9.4.2 Adding Components to the Event Source Hierarchy Although some Sentinel components are preinstalled with the Sentinel system, Novell recommends that you check the Sentinel Content Web site (http://support.novell.com/products/sentinel/ sentinel61.html)
  • Page 187 2 Select Import Collector Script or Connector plugin package file (.zip). Click Next. 3 Browse to the location of the Connector plugin package file and click OK, then click Next. If the file imported is not in the format specified for the Collector scripts or for the Connector plug-in package, the system displays an error message.
  • Page 188 To add a Collector plug-in: 1 Click Tools on the menu bar and select Import plugin. The Import Plugin Wizard window displays. You can select from the two options available in this window. 2 Click Next. 3 Do one of the following: If you chose the first option, browse to a location of the Collector script file and click OK, then click Next.
  • Page 189 Updating Connector/Collector Plug-Ins If a new version of a Connector or Collector is released, you can update the Sentinel system and any deployed instances of the Connector or Collector. NOTE: When you use the Sentinel Control Center to browse to locate a file on the desktop of the Collector Manager, clicking Desktop takes you to the desktop of the user running the Collector Manager, usually SYSTEM.
  • Page 190 The Plugin details window displays. 5 Select the Update Deployed Plugins option to update any currently deployed plug-ins that use this Connector or Collector. 6 Click View Deployed Plugins to view the plug-ins deployed in the ESM Live View. The number in parentheses represents the number of instances of this plug-in that are currently deployed and configured.
  • Page 191 Description User Interface Affected Collectors Affected Event Sources/ Connectors/ Event Source Servers: 7 Click Finish. NOTE: When you add a plug-in into Sentinel, it is placed in the Plugin Repository, which enables Sentinel components on other machines to start using the plug-in without adding the plug-in separately.
  • Page 192 3 Follow the prompts in the Add Connector Wizard. 4 Click Finish. Deploying an Event Source 1 In the main ESM display, locate the Connector to which the new event source will be associated. 2 Right-click the Connector and select the Add Event Source menu item. 3 Follow the prompts in the Add Event Source Wizard.
  • Page 193 (4.x or 5.x), or built by using the Collector Builder. Connector: A Connector can also be downloaded from the Sentinel Content Web site (http://support.novell.com/products/sentinel/sentinel61.html). There are also some Connectors included in the installed Sentinel system, but there might be more recent versions on the Web site.
  • Page 194 Event source types for which you currently have compatible Collector parsing scripts are listed here. 2 From the list, select the event source that you want to connect to and collect data from. You can click Add More to import an event source. 3 Click Next.
  • Page 195 5 Click Next. The Select Connection Method window displays. 6 Select a connection method from the list. You can also install additional Connectors by clicking on the Install More Connectors button. For more information, see “Adding Connectors/Collector Plug-Ins” on page 186 to install Connectors.
  • Page 196 Based on the existing Collectors and Connectors in your system that are compatible with your new event source, one or more of these options might be unavailable. “Creating a new Collector and Connector” on page 198 “Using an existing Collector:” on page 200 “Using an Existing Connector”...
  • Page 197 Options Description Trust Event Source Time Select Trust Event Source Time to display the Device Time (time when the event occurred) instead of the Event Source Time (time when the event was reported to the console). Set Filter Set the filter by using the Set Filter button. In the Filter window, add/ edit the filters and click OK.
  • Page 198 Creating a new Collector and Connector 1 In the Select Collector Manager window, select the Collector Manager you want to use and click Next. The Configure Collector Property window displays. 2 Configure the parameters available and click Next. The Configure Collector window displays. 3 Provide the name of the Collector and configure the options as desired:
  • Page 199 Options Descriptions Name: Specify the name of the event source. Run: Select the Run check box if you want to run your Collector automatically. Details: Click the Details button to see plug-in details. Alert if no data is received in specified time period: Set alerts (with repeated option) indicating what to do if no data is received in a specific period.
  • Page 200 5 Provide the name of the Connector and configure the options as desired: Options Descriptions Name: Specify the name of the event source. Run: Select the Run check box if you want to run your Collector automatically. Details: Click the Details button to see plug-in details. Alert if no data is received in specified time period: Set alerts (with repeated option) indicating what to do if no data is...
  • Page 201 After you select this option and click Next, the Select Collector window displays. 2 Select the Collector you want to use and click Next. The Configure Connector window displays. 3 Provide the name of the Connector and configure the options as desired: Options Descriptions Select the Run check box if you want to run your Collector...
  • Page 202: Debugging

    Collector code running in place on the Collector Manager For more information on customizing or creating new Collectors, obtain the Novell Developer Kit for Sentinel (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel). Section 9.5.1, “Collector Workspace and Collector Directory,” on page 203 Section 9.5.2, “Debugging Proprietary Collectors,”...
  • Page 203: Collector Workspace And Collector Directory

    9.5.2 Debugging Proprietary Collectors The Debugging Collector window allows you to debug Collectors written in the Novell proprietary language. The left column on the debugger displays the commands for the current script state. The highlighted command is being executed.
  • Page 204 Debug Collector Window Figure 9-16 The Events tab displays the events generated using this Collector, and the Upload/Download tab allows you to upload/download another Collector script file to make modifications. The debugger has the following four controls: Debugger Icons Table 9-6 Icon Action Description...
  • Page 205: Debugging Javascript Collectors

    You can view events as well as upload and download the Collector’s script from the Events tab and the Upload/Download tab. Multiple Sentinel Control Center users might connect to the same debugging session. For this reason, a Collector remains in Debug mode until one of the users specifically clicks the debugger’s Stop button.
  • Page 206 Upload/Download: Upload/Download a JavaScript file here. You can download an existing JavaScript file, edit it, and upload it again into the system to continue debugging. Context: Displays the variable that the debugger is pointing to and its value. Expression: Displays the values of a selected parameter. You can use the following when debugging a Collector.
  • Page 207 You can choose to debug in Standalone or Live mode. “Standalone Mode” on page 207 “Live Mode” on page 208 Standalone Mode Standalone debug mode allows you to debug a Collector even if the associated Collector Manager is not running. For standalone mode, input to the script comes from an input file rather than a live event source.
  • Page 208 4 In the Debug Collector window, click Run. In the Source text area, the source code of the Collector appears and stops at the first line of the text script. 5 Click the bar on the left and toggle a breakpoint in the script code, then click to go to the next breakpoint.
  • Page 209: Using The Raw Data Tap To Generate A Flat File

    NOTE: If no event source is started during the debug session, then no data is available in the buffer for the Collector and you see the Collector script’s readData method blocking. In Live debug mode, output from the script is via live Sentinel events. The events can be viewed on the Active Views displays.
  • Page 210: Exporting A Configuration

    IMPORTANT: The account running the Sentinel service on the Collector Manager machine must have permissions to write to the file location. 9.6 Exporting a Configuration You can export the configuration of ESM objects along with their Collector scripts and the Connector plug-ins.
  • Page 211 3 Select the Collector scripts from the list to export, then click Next. You can select or deselect all. The Select Connectors Plugin window displays.
  • Page 212: Importing A Configuration

    4 Select the Connector plug-ins from the list to export, then click Next. You can select or deselect all. The Specify Export File window displays. If you want to view the description and dependents of a particular plug-in in the above window, select that plug-in from the table.
  • Page 213: Enabling Or Disabling The Import Configuration

    9.7.1 Enabling or Disabling the Import Configuration The Import Configuration option is enabled under the following circumstances: In Live View when you select the Collector Manager, Collector, or Connector In the Scratchpad when you select any node other than the event source Import Configuration in Live View and the Scratchpad is disabled if you do the following: Select Sentinel or event source nodes (only in Live View) Do not select any node in Live View...
  • Page 214 4 Select the Collector script from the list to import. A color indicator is displayed in the Select Collector Script and Select Connector Plugins window to indicate whether the plug-in is already present in the repository or not. If the plug-in is not present in the repository, the color is displayed as red and if the same version of plug-in exists, the color is green or orange.
  • Page 215: Resetting The Layout

    6 Select the Connector plug-ins from the list to import. NOTE: To view the description and dependents of a particular plug-in in the above window, select that plug-in from the table. If there are any Collectors or Connectors in the ESM panel that are affected on importing the plug-in, the Affected Collectors or Affected Connectors window is displayed.
  • Page 216: Event Source Management Scratchpad

    9.8 Event Source Management Scratchpad Scratchpad is the Design Mode of the Health Monitor. Through Scratchpad, you can design and configure various items: Collector Managers Collectors Event Sources Connectors Event Source Servers You can right-click the Sentinel icon and add the components. For more information, see Section 9.4.2, “Adding Components to the Event Source Hierarchy,”...
  • Page 217 Component Sentinel 5.x Sentinel 6.0 Collector Scripts: In Sentinel 5.x, Collector scripts were managed from the Collector Builder. In Sentinel 6.0, Collector scripts are plug-ins in Sentinel Control Center. A Collector script plug-in must be added to the plug-in repository before it can be deployed as a Collector.
  • Page 219: Administration

    Administration You use the Admin tab to configure filters and reports. You use the User Manager option in the Admin tab to create users and you can assign rights to the users. Section 10.1, “Understanding the Admin Tab,” on page 219 Section 10.2, “Introduction to the User Interface,”...
  • Page 220: Introduction To The User Interface

    Sentinel Control Center Figure 10-1 10.2 Introduction to the User Interface In the Admin tab, you can see server views, filter configuration, and user configuration in the Admin Navigator. You can navigate to these functions from: Admin Tab User Interface Table 10-1 User Interface Description...
  • Page 221: Servers View

    User Interface Description The Navigation Tree in the Navigation pane The tool bar buttons 10.3 Servers View Through the Servers view you can start, stop, or restart processes that are installed on the product installation. Servers view also allows you to monitor the status of all Sentinel server processes across the system.
  • Page 222: Monitoring A Process

    Servers View Window Figure 10-2 Start, Stop, or Restart processes: Take these actions on a process by right-clicking the process entry. You cannot stop or restart the following processes by using the right-click options Action > Stop/Restart in the Servers view. DAS_Core Web Server Unix Communication Server...
  • Page 223: Starting, Stopping, And Restarting Processes

    To arrange which fields you want to be shown, click Fields. To group different attributes, click GroupBy. To sort by different attributes, click Sort. To filter, click Filter. To change the display values of the processes shown in the servers view, click Leaf Attribute.
  • Page 224: Private Filters

    Filter Manager Window Figure 10-3 10.4.2 Private Filters Private filters are user-owned. Private filters are display filters and are shareable if you have the View Private Filters permission. 10.4.3 Global Filters Global filters are classified as Public filters. Global filters are sequentially processed at the Collector Manager for each event.
  • Page 225 Global Filter Configuration Figure 10-4 NOTE: The Action column and the Action Manager button are available only on systems that have Sentinel 6.1 RD Hotfix 2 or later installed. Creating a Global Filter 1 Click the Admin tab. 2 Click Admin > Global Filter Configuration or select Global Filter Configuration in the navigation tree.
  • Page 226 The following are the options available in the Route drop-down list: drop: Events are dropped and are not sent to Sentinel Control Center or the Sentinel Server database. database: Events are sent directly to the Sentinel Server database and not sent to the Sentinel Control Center.
  • Page 227: Configuring Public And Private Filters

    Rearranging Global Filters 1 In the Global Configuration window, select a filter and click Up or Down to move it to a different location on the list. 2 Click Save. Deleting a Global Filter NOTE: When you delete a global filter, the confirmation message is not displayed. 1 In the Global Configuration window, select a filter from the list and click Delete.
  • Page 228 3 Specify a filter name. The table editor is the default selection for editing the contents. Optionally, you can click Use free form editor to display a free form editor. The free form editor allows you to create complex expressions not possible with the table editor. However, after the expression is modified with the free form editor, the table editor cannot be used with the expression.
  • Page 229: Color Filter Configuration

    Cloning a Public or Private Filter Cloning is a convenient way to duplicate a filter to assure consistency of criteria among a group of filters or users. 1 Open the Filter Manager window. 2 Click Clone. 3 Provide a new filter name. 4 Change any original filter’s criteria.
  • Page 230 Color Filter Configuration Figure 10-6 The Color Filter Configuration GUI displays a list of all the color filters that are defined in the order in which they should be applied. If an event meets the criteria for more than one of the color filters, the first color filter configuration is applied.
  • Page 231 4 From the list, select a filter to which you want to apply the color filter configuration and click Select, or click Add to create a new filter. For more information on configuring filters, see Section 10.4.4, “Configuring Public and Private Filters,”...
  • Page 232: Configure Menu Options

    8 In the Color Filter Configuration window, click Background Color. The Pick a Color window displays. 9 Select a color from the Swatches tab. Alternatively, click the HSB or RGB tab and specify the HSB or RGB color value in the respective tab. 10 Click OK.
  • Page 233 Event Menu Configuration Figure 10-7 Ping: Ping the destination (or target) IP of the selected event nslookup: Perform an nslookup on the Source (or initiator) IP of the selected event tracert: Perform a tracert from the Source (or initiator) IP of the selected event to the Sentinel Server Whois?: Perform an ARIN Whois? lookup on the Source (or initiator) IP of the selected event To view the configuration details for any of these options, select the item and click Details. The...
  • Page 234: Adding An Option To The Event Menu

    Section 10.5.4, “Viewing Event Menu Option Parameters,” on page 236 Section 10.5.5, “Activating or Deactivating an Event Menu Option,” on page 236 Section 10.5.6, “Rearranging Event Menu Options,” on page 236 Section 10.5.7, “Deleting an Event Menu Option,” on page 236 Section 10.5.8, “Editing Your Event Menu Browser Settings,”...
  • Page 235: Cloning An Event Menu Option

    5 Select an action from the drop-down menu or click Add Action to configure a new JavaScript action. The available settings vary based on which action is chosen: Option Description Use browser Displays the output of your command by using the defaults configured for the Web browser, based on the file type.
  • Page 236: Modifying An Event Menu Option

    Launch Web Browser. Any JavaScript action configured in the Action Manager. For a list of available tags you can use when specifying parameters, click Help on the Event Menu Configuration dialog box or see “Sentinel 6.1 Rapid Deployment Event Fields” in the Sentinel 6.1 Rapid Deployment Reference Guide.
  • Page 237: Editing Your Event Menu Browser Settings

    10.5.8 Editing Your Event Menu Browser Settings This option allows you to send your Event Menu output to an external browser. The external browser can be any application. It is not restricted to Internet browsers. By changing the file extension, you can launch whatever application is associated with that extension. For example, txt is often associated with Notepad.
  • Page 238: Das Statistics

    4 After you set your configuration, click OK. 10.6 DAS Statistics This feature is for internal monitoring of your system. It is not intended for the average user. DAS Statistics monitors the following: DAS_Binary DAS_Core Unix Communication Server Collector_Manager Correlation_Engine Web Server Statistics includes the following:...
  • Page 239: Mapping

    For Services, the remote method calls from user-defined services (your XML services) are all under services.RemoteObjectService. Under that it puts the name of the service (such as EMap in the above example) and if asked, the name of the method (getMapPK in the above example). When a request such as a DAS query is received by a server, a task is created and scheduled.
  • Page 240 The Mapping tab allows you to: Add new map definitions Edit map definitions Delete map definitions Update map data Mapping works together with the Referenced from Map Data Source setting for individual fields under Section 10.8, “Event Configuration,” on page 249.
  • Page 241: Adding Map Definitions

    The main Mapping GUI displays a listing of all of the maps that have been defined for the system. NOTE: Default Sentinel maps cannot be edited or deleted. 10.7.1 Adding Map Definitions 1 Navigate to the Admin tab and select Map Data Configuration from the navigation pane or click the Map Data Configuration button.
  • Page 242 Column names: Specify the column name. Column types: The currently supported column types are: String: A group of characters used as a single object by a computer. A string might consist of a single letter, word, or number. The word FINANCE or IP address 192.168.2.40 might be a string.
  • Page 243: Adding A Number Range Map Definition

    11 If you selected Local File in Step 7, you are prompted to upload your file to the Remote Files virtual folder located at <Install_directory>\data\map_data 12 Specify a filename and click OK. 10.7.2 Adding a Number Range Map Definition To use the range map functionality, a map definition must have exactly one key column and the key column must be of type NumberRange.
  • Page 244 An example event configuration on the above map might look like: Event Configuration Figure 10-12 In this example, CustomerVar97 is expected to contain a numeric value or is of a type that can be converted to a numeric value, such as an IP or Date. When you look into the example range map, the value in CustomerVar97 takes the range map and searches for the range that the value belongs in (if any).
  • Page 245 Using the same setup as the previous example, if: The Event Tag is set to TargetIP and key column set to column 1 (range) Map Column is set to column 2 (value). The output values are for CustomerVar89. Number Range Map Definition Figure 10-13 Event Configuration Figure 10-14...
  • Page 246: Editing Map Definitions

    10.7.3 Editing Map Definitions 1 Navigate to the Admin tab and select Map Data Configuration from the navigation pane or click the Map Data Configuration button. 2 Expand the folder of interest. 3 Select a map definition and click Edit. The editing function is disabled for map definitions that are under the UNMANAGED ITEMS folder.
  • Page 247: Updating Map Data

    3 Select the map definition to be deleted. 4 Click Delete. NOTE: Default Sentinel maps cannot be edited or deleted. 10.7.5 Updating Map Data Updating allows you to replace the map source data file of a map on the server running DAS with another file.
  • Page 248 4 Select the new map data source file by clicking Browse and selecting the file with the new map data. After you select the file, the data from the new map data source file displays under the New tab. The map data you are replacing is under the Current tab. 5 Deselect or leave the default setting for Backup Existing Data On Server.
  • Page 249: Event Configuration

    map_updater.sh <uuid> <source path> [nobackup] 6 The data from the new map data source file is uploaded to the server, replacing the contents of the existing map data source file. After the source data is completely uploaded, the map data is regenerated and distributed to map clients (for example, Collector Manager).
  • Page 250 is linked to a physical asset. The primary automated update mechanism for asset data is through an asset Collector reading data from a scanner such as Nmap. The asset Collector automates the retrieval of asset information by reading asset data from the scanner and populating the asset schema tables with this data.
  • Page 251 Event Mapping Configuration Figure 10-17 Device and Attack Signature Corresponds to the Asset Name Figure 10-18 To configure event tags (columns) to use mapping: 1 Navigate to the Admin tab and click Event Configuration in the navigation pane or click the Event Configuration button.
  • Page 252 Select one of the available default maps or select a map you have created. 5 Click the Map Column field down-arrow and select a Map Column name. Depending on your Map Name choice in the previous step, these values vary. _EXIST_ : This is a special map column that exists in every map.
  • Page 253: Renaming Tags

    Clicking Apply saves the changes you made for the currently selected event column in a temporary buffer. If you don't click Apply, the changes you made to the previously selected event column are lost when you select a different event column. Changes won’t be saved to the server until you click Save.
  • Page 254: Report Data Configuration

    4 Click Apply. Clicking Apply saves the changes you made for the currently selected event tag in a temporary buffer. If you don't click Apply, the changes you made to the previously selected event tag are lost when you select a different event tag. Changes aren’t saved to the server until you click Save.
  • Page 255: Disabling Or Enabling A Summary

    Report Data Configuration tab allows you to: Enable/disable any predefined summaries View attributes of each summary See the validity of a summary for a period of time Query which Event files need to be run so that the summary is complete The following are all summaries already defined in the system.
  • Page 256: Viewing Information For A Summary

    2 To disable a summary, click Active in the Status column until it changes to say Inactive. 3 To enable a summary, click InActive in the Status column until it changes to say Active. 10.9.2 Viewing Information for a Summary 1 Click Report Data Configuration in the navigation pane or click the Report Data Configuration button.
  • Page 257: Query The Event Files For A Summary

    4 Select a time interval. 5 Click Show Graph. The green bars signify that the summary is complete for that time frame. The red sections signify that the summary is missing data during that time period. 10.9.4 Query the Event Files for a Summary 1 Click Report Data Configuration in the navigation pane or click the Report Data Configuration button.
  • Page 258: Running The Event Files For A Summary

    4 Select a time interval. 5 Click Show Event. 6 The event files needed to complete the summary display in a list format. To complete summaries, see Section 10.9.5, “Running the Event Files for a Summary,” on page 258. 10.9.5 Running the Event Files for a Summary 1 Click Report Data Configuration in the navigation pane or click the Report Data Configuration button.
  • Page 259: User Configurations

    7 Click Process. 10.10 User Configurations You must have the user permission in order to work in the User Configuration window. User configuration allows you to: Section 10.10.1, “Opening the User Manager Window,” on page 259 Section 10.10.2, “Creating a User Account,” on page 259 Section 10.10.3, “Modifying a User Account,”...
  • Page 260 Click Add to create, then select a new filter. After assigning a security filter to a user, you cannot delete that filter. 5d Specify the LDAP User DN. For example, cn=sentinel_ldap_user,o=novell NOTE: This field is available only if you have selected “Anonymous searches on LDAP directory”...
  • Page 261 5e (Optional) Under Details, specify the following: First Name Last Name Department Phone Email 5f Click the Permissions tab and assign user permissions. For more information about permissions, see “Sentinel Control Center User Permissions” in Sentinel 6.1 Reference Guide. 5g Click the Roles tab and select an iTRAC workflow role for the user. This affects what work items appear in the user’s work list.
  • Page 262 Creating a User Account Through Local Authentication 1 Select the Admin tab. 2 Open the User Configuration folder. 3 Open the User Manager window. 4 Click Add a new User, or right-click any user and select Add User. 5 Under Authorization: Select Local for Authentication.
  • Page 263 Creating a User Account Through Domain Authentication NOTE: In Sentinel 6.1 Rapid Deployment Hotfix 2, LDAP users are also created by using this option. 1 Select the Admin tab. 2 Open the User Configuration folder. 3 Open the User Manager window. Click Add a new User.
  • Page 264: Modifying A User Account

    8 Click the Roles tab and select an iTRAC workflow role for the user. This affects what work items appear in the user’s work list. 9 Click OK. NOTE: PostgreSQL does not allow the creation of users named the same as one of the PostgreSQL Reserved words.
  • Page 265: Adding An Itrac Role

    You are prompted for a termination message. This option is provided so that you can inform the user why you are killing the session. 3 Provide a message, then click OK. Close the window to terminate the session without sending a message. NOTE: If the client machine has multiple network interfaces, the IP Address displayed in the Active User Sessions window might not be the desired IP address, because the non-loopback IP address of the first NetworkInterface returned by the system is displayed.
  • Page 267: Sentinel Data Manager

    Sentinel Data Manager The Sentinel Data Manager (SDM) is a tool by which users can manage the Sentinel database. Section 11.1, “Understanding the Sentinel Data Manager,” on page 267 Section 11.2, “Using the SDM GUI,” on page 267 Section 11.3, “Using the SDM Command Line,” on page 275 11.1 Understanding the Sentinel Data Manager The SDM allows users to perform the following operations: Monitor Database Space Utilization...
  • Page 268: Starting The Sdm Gui

    Using the Web Interface 1 Log in to the Sentinel 6.1 RD Web interface, then click Applications. 2 For more information, see Section 1.1, “Accessing the Novell Sentinel Web Interface,” on page 3 Click Launch Data Manager. 4 Open the SDM with the Java Web Start Launcher.
  • Page 269: Partitions Tab

    Database Interface PostgreSQL If you select to save your connection settings, the settings are saved to the local sdm.connect file. By default, the sdm.connect file is located in <Install_directory>/bin. The next time you start the GUI, the connection settings are repopulated from the file.
  • Page 270 Status Description Online Archived Imported Partition with data that has been archived, dropped from the database, and then re-imported into the database NOTE: If you delete a partition without archiving it, it is deleted from the partition list in the GUI. Sentinel Data Manager Figure 11-1 At the bottom of the Partitions page, there are several smaller tabs that allow the user to perform the...
  • Page 271 Sentinel partitioned tables are organized into two groups. One is the EVENTS table group, which includes EVENTS and CORRELATED_EVENTS; the other is the summary table group, which includes all summary, or aggregate, tables. If any one of the tables in the group is selected, the changes apply to all the tables in the group.
  • Page 272: Tablespaces Tab

    You can specify the archive directory in the Archive Destination field in the Partition configuration tab in the SDM GUI. 3 Click Archive. 11.2.5 Tablespaces Tab The Tablespaces tab in the SDM allows users to view the current database space utilization, including: Total space allocated for each tablespace Space used by each tablespace...
  • Page 273: Partition Configuration

    Sentinel Data Manager Figure 11-2 Color-coded bar graphs help to visualize the total space allocated for each tablespace and the percent used of each tablespace. 11.2.6 Partition Configuration The Partition Configuration tab in the SDM allows you to set parameters to auto-archive partitions. It also allows you to auto-add partitions.
  • Page 274 Partition Job scheduling through the SDM is reflected only after the partition job refresh interval. The default partition job refresh interval is 5 minutes. To change the partition job refresh interval, edit the partitionJobRefreshInterval option specified in the /opt/novell/sentinel6_rd_x86-64/config/das_core.xml file. The partitionJobRefreshInterval option is provided as part of the Scheduler component in the DAS_Core container.
  • Page 275: Managing Disk Space Allocation

    The SDM command line functions can be used instead of the GUI. The command line can be used to create a batch file or cron job for SDM operations, but Novell® recommends using auto-archiving instead. Auto-archiving can be configured on the Partition Configuration tab of the SDM GUI.
  • Page 276: Prerequisite

    Section 11.3.6, “Dropping Partitions,” on page 278 Section 11.3.7, “Viewing Partition Summaries,” on page 279 Section 11.3.8, “Archiving Data,” on page 280 Section 11.3.9, “Importing Data,” on page 281 Section 11.3.10, “Deleting Imported Data,” on page 282 Section 11.3.11, “Viewing Sentinel Database Space Usage,” on page 283 11.3.1 Prerequisite The first step to using the SDM command line is to create a file that stores the connection properties for the database.
  • Page 277: Adding Partitions

    Command Command Flags winAuth Used for Windows authentication. When using this option, -user and -password are not needed. connectFile <filenameToSaveConnection> The application saves all the above connection details along with the encrypted password to the sdm.connect file. All other SDM command line commands refer to the specified file. This step should be completed the first time you use the SDM command line on a machine and every time you want to change the connection details the application uses.
  • Page 278: Dropping Partitions

    This action uses the following flags: Adding Partition Flags Table 11-3 Command Command Flags -action addPartitions -connectFile <filePath> -tableName <table name> -keepDays <days to add> To run addPartitions: 1 Execute this command as follows: -action addPartitions -connectFile <filePath> -tableName <table name> -keepDays <days to add>...
  • Page 279: Viewing Partition Summaries

    Dropping Partition Flags Table 11-4 Command Flags -action dropPartitions -keepDays <number of days to keep> -forceDelete (optional) <either “true” or “false”> This defaults to false if not specified, meaning that only the partitions that are older than keepDays and are already archived are dropped. If this is set to true, all partitions older than keepDays are dropped, even if they have not been archived.
  • Page 280: Archiving Data

    EVT_SEV_SMRY_1 EVT_SRC_SMRY_1 NOTE: You need to have the SDM installed in order to view the partition summary. This command uses the following flags: Viewing Partition Summaries Flags Table 11-5 Command Flags -action viewPartitions -tableName <table name> -connectFile <filePath> To View Partition Summaries: 1 Execute this command as follows: -action viewPartitions -tableName <table name>...
  • Page 281: Importing Data

    NOTE: Sentinel partitioned tables are organized into two groups. One is the EVENTS table group, which includes EVENTS and CORRELATED_EVENTS; the other is the summary table group, which includes all summary, or aggregate, tables. If any one of the tables in a group is specified by the -tableName parameter, the archiveData operation is applied to all tables in that table group.
  • Page 282: Deleting Imported Data

    If the data has already been imported or there is no archived data found between the specified dates, the command returns a notification. The application imports data from each file into a table and builds the historical view on all the historical tables.
  • Page 283: Viewing Sentinel Database Space Usage

    EVT_DEST_SMRY_1 EVT_DEST_TXNMY_SMRY_1 EVT_PORT_SMRY_1 EVT_SEV_SMRY_1 EVT_SRC_SMRY_1 NOTE: The tables are imported in Oracle with the same name they are archived with. If there is no data imported between two specified dates, the command returns a notification. This command uses the following flags: Deleting Imported Data Flags Table 11-8 -action...
  • Page 284 Viewing Sentinel Database Space Usage Flags Table 11-9 Command Flags -action dbstats -connectFile <filePath> To view Sentinel Database Space Usage (Command Line): 1 Execute the following command: -action dbStats -connectFile <filePath> The following example displays the tablespaces of the Sentinel database with their total space, used space, and free space available.
  • Page 285: Utilities

    Utilities This section helps you to understand the utilities provided by Sentinel. Section 12.1, “Introduction to Sentinel Utilities,” on page 285 Section 12.2, “Starting and Stopping a Sentinel Server,” on page 285 Section 12.3, “Sentinel Scripts,” on page 286 Section 12.4, “Version Information,” on page 289 Section 12.5, “Database Cleanup,”...
  • Page 286: Starting A Sentinel Server

    Patches Hotfixes Section 12.2.1, “Starting a Sentinel Server,” on page 286 Section 12.2.2, “Stopping a Sentinel Server,” on page 286 12.2.1 Starting a Sentinel Server 1 Log in to the machine hosting the Sentinel server you want to start, as the Sentinel Administrator operating system user.
  • Page 287: Troubleshooting Scripts

    Script File Description BackupIncidentData.sh Used to back up incident-related data before running the delete incident utilities. For more information, contact Novell Support (http://support.novell.com/ phone.html?sourceidint=suplnav4_phonesup). Clean_Database.sh Used to delete incidents or Identity information from the database. For more information, see Section 12.5, “Database Cleanup,” on page 289.
  • Page 288 Troubleshooting Scripts Table 12-2 Script File Description Removes Sonic lock files in the event of an abnormal shutdown. start_broker.sh Starts the message bus component of the communication server. This script is useful if you are having problems starting the message bus. This script is automatically run by the installer. For more information, see “Starting the Communication Server in Console Mode”...
  • Page 289: Version Information

    12.4 Version Information The following processes provide information about versions: Section 12.4.1, “Executable Version Information,” on page 289 Section 12.4.2, “Sentinel .jar Version Information,” on page 289 12.4.1 Executable Version Information Sentinel has a command line option to display the version information of the agentengine executable: 1 Go to:...
  • Page 290: Components

    The user running the Clean_Database script must be a novell user, and each script must have the permission set so that only the novell user is allowed to execute the cleanup script. The user running the PostgreSQL script must have permission to access/execute all of the database tools and utilities.
  • Page 291 NOTE: You can cancel the execution of the cleanup script at any time by entering at any prompt. 2 At the prompt, indicate which objects you want to remove from the database: Which objects would you like to cleanup? (1) Incidents (2) Identities (3) Both 3 At the prompts, enter the following information to connect to the PostgreSQL database:...
  • Page 292: Updating Your License Key

    5c At the prompt, enter the novell user’s password. 12.6 Updating Your License Key If your Sentinel license key has expired and Novell has issued you a new one, run the software key program to update your license key. 1 Log into the Sentinel Server machine as the Sentinel Administrator operating system user.
  • Page 293: Quick Start

    Quick Start This section assumes that your security administrator has built the necessary filters and configured Collectors for your system. Section 13.1, “Security Analysts,” on page 293 Section 13.2, “Creating Incidents,” on page 297 Section 13.3, “iTRAC,” on page 298 Section 13.4, “Correlation,”...
  • Page 294: Exploit Detection

    4 Click Finish. If you have an active network, you might see something similar to: NOTE: To display a 3-D graph without real-time events, click the Display Events down-arrow and select No. 13.1.2 Exploit Detection To view any events indicating a possible exploitation, you must have the following: Advisor Feed Intrusion detection Vulnerability scanning...
  • Page 295: Asset Data

    Severity, Vulnerability, and AttackId Columns Figure 13-1 Within an event, the values in the Vulnerability field convey the following: When the Vulnerability field equals 1, the asset or destination device is possibly exploited. When the Vulnerability field equals 0, the asset or destination device is not being exploited. When the Vulnerability field is blank, the exploit detection feature of Sentinel is not enabled.
  • Page 296: Event Query

    13.1.4 Event Query You can use an event query to find out if your system has been attacked. For example, during monitoring, you see numerous Telnet attempts from source IP 10.0.0.1. Telnet attempts could be an attack. Telnet potentially allows an attacker to remotely connect to a remote computer as if they were locally connected.
  • Page 297: Creating Incidents

    If you want to see how often in general this user is attempting a Telnet, remove DestinationIP, SensorType, and Severity from your filter or create a new filter. The results show all the destination IPs this user is attempting to Telnet to. If any of your events are correlated events, you can right-click View Trigger Events to find what events triggered that correlated event.
  • Page 298: Itrac

    2 In the Create Incident dialog box, provide the following information: Title State Severity Priority Category Responsible Description Resolution 3 Click Create. The incident is added to the Incidents page of the Sentinel Control Center. To do this, you must have user permission to create incidents. 13.3 iTRAC This section gives an idea relevant to iTRAC.
  • Page 299 The example procedure does the following: Asks the user to decide if a preliminary look indicates that the network has been attacked. This leads to a decision step. NOTE: All decision steps provide different execution paths, depending on the value of the variable defined in the previous step.
  • Page 300 5a4 In the Process Variables window, select the Variable Type as String. 5a5 Set the Default Value to yes. 5a6 (Optional) Under the Description tab, specify Initial evaluation of events to determine if there has been an attack. 5a7 Click OK. 5a8 Select the newly created association, then click until the step is renamed.
  • Page 301 5b4 (Optional) Under the Description tab, specify To further evaluate after collecting of events to determine if there has been an attack. 5b5 Click OK to rename the step. 5c Manual Step-2 to Prevent Future Attacks: 5c1 Set Role to Analyst. 5c2 (Optional) Under the Description tab, specify Take measures to stop the attack.
  • Page 302 5d5 Click OK. 5e Mail Step-4 to Prevent Future Attacks: 5e1 In the To field, specify your e-mail address. 5e2 In the From field, specify a made up e-mail address. 5e3 In the Subject field, specify Proper Attack Measures Taken. 5e4 (Optional) Under the Body tab, specify This e-mail is generated from a tutorial (simulation) iTRAC process.
  • Page 303 Under the Description tab, provide a description such as Decision if there has been an attack or not. 6 Right-click Start and select Add Start Transition. Select Decide If Hacked as the destination. 7 Right-click Decide If Hacked and select Add Transition. Specify the following: Name: Specify Decision.
  • Page 304 13 Click Set > EXP. 13a Select Variables and Values. 13b Select Attribute Hacked. 13c Select Condition equals. 13d Specify a value of yes. 13e Click OK until the transition is complete.
  • Page 305 14 Right-click Collect Data and select Add Transition. Select and specify the following: Name: Hacked or Not? Type: Unconditional Destination: Hacked or Not 15 Right-click Hacked or Not and select Add Transition. Specify the following: Name: Not Hacked. Type: Else. Destination: Not Hacked.
  • Page 306 To run this process, this process must first be assigned to an incident. To start or terminate a process: 1 Click the Incident tab. 2 Click Incidents > Create Incidents. 3 Specify the following: Title: iTRAC Tutorial. Category: Other. Responsible: assign this incident to yourself. 4 Click the iTRAC tab, then select iTRAC Process Tutorial.
  • Page 307 The red highlighted step indicates what step this process is currently in. 9 To start the steps within this process, click the Process Details tab. For this manual step, the variable yes is specified. Providing another value such as no or else (no attack) results in an e-mail that completes the process.
  • Page 308: Correlation

    10 In the Work Items window, select the process and click View Details. The Collect Data step should be highlighted in red. As before, this is a manual step. 11 Click the Process Details tab. 12 Again, the variable page displays. In the previous step of the iTRAC Process, Collect Data is a step to further determine by analyzing the events of interest if an attack has occurred.
  • Page 309: Creating A Simple Correlation Rule

    13.4.1 Creating a Simple Correlation Rule 1 Click the Correlation tab and select Correlation Rule Manager in the navigation bar. 2 In the Correlation Rule Manager window, click Add. 3 Click Simple to create a simple rule. 4 Select All in the Fire if drop-down menu. 5 Specify the following SourcePort = 10025 DestinationPort = 25...
  • Page 310: Viewing The Events That Triggered Your Correlated Event

    3 (Optional) In the Deploy Rule window, add an action. This allows you to: Configure Correlated Event Add to Dynamic List Remove from Dynamic List Execute a Command Send Email Create Incident 4 Click Next. The rule indicates deployed by the color green. 13.4.3 Viewing the Events that Triggered Your Correlated Event 1 Right-click the correlated event.
  • Page 311: Solution Packs

    Although Solution Packs have many uses, one of the most important uses is to package content related to governance and regulatory compliance into a comprehensible and easily enforceable framework that is easy to deploy. Novell and its partners offer and extend Solution Packs around such regulations or other customer needs.
  • Page 312: Components Of A Solution Pack

    14.1.1 Components of a Solution Pack Solution Packs consist of categories, controls, content, and content groups. These components are represented in a hierarchy. The following image depicts the hierarchy in a Solution Pack: Solution Pack Hierarchy Figure 14-1 The table below describes each level in a Solution Pack hierarchy. Solution Pack Hierarchy Levels Table 14-1 Icon...
  • Page 313: Permissions For Using Solution Packs

    Table 14-2: Types of Content Group Table 14-2 Event Configuration A content group that contains a map definition and the configuration of one or more related Sentinel meta tags. This icon is also used for the meta tag configuration definition. Indicates the map definition instance.
  • Page 314: Solution Manager

    The user should change the status of the control to Implemented after following all of these steps. Testing a control is the process to verify the content associated with the control. Novell Solution Packs include detailed documentation describing testing steps. The user should change the status of the control to Tested after following all of these steps.
  • Page 315: Solution Manager Interface

    14.2.1 Solution Manager Interface The Solution Manager window is divided into two frames: Content and Documentation. “Content Frame” on page 315 “Documentation Frame” on page 316 Content Frame A content frame provides Solution Pack extracted information in ZIP format. The Content frame displays a hierarchical view of the category, control, content group, and various types of content.
  • Page 316: Managing Solution Packs

    Documentation Frame The Documentation frame provides a description of the selected node. The information was provided when you created the Solution Pack by using the Solution Designer. For more information on the Solution Designer, see Section 14.4, “Solution Designer,” on page 331. The following informational tabs, which are populated and edited by using the Solution Designer, are available in the Documentation frame: Description: Displays the description of the selected node.
  • Page 317: Importing Solution Packs

    (http://support.novell.com/products/sentinel/sentinel61.html) (an additional license might be needed). Solution Packs can also be provided by one of Novell’s partners, or they can be created from content in your own Sentinel system. The first step in using a Solution Pack is to import the file into the system by using the Import .zip...
  • Page 318 3 Select Import Solution package plug-in file (.zip), then click Next. The Choose Plugin Package File window displays. 4 Use the Browse button to locate the Solution Pack to import to the plug-in repository. Select a ZIP file and click Open. If you have selected a Solution Pack that already exists, the Replace Existing Plugin window displays.
  • Page 319: Opening Solution Packs

    If you select the Launch Solution Manager check box, the Solution Manager displays. 8 Click Finish. 14.3.2 Opening Solution Packs To use the Solution Manager and view the contents of a Solution Pack, a user must be assigned Solution Manager permissions. For more information, see Section 14.1.2, “Permissions for Using Solution Packs,”...
  • Page 320 Content Comparison When the Solution Pack is opened, the Solution Manager compares the contents of the Solution Pack to other Solution Pack content from different Solution Packs or previous versions of the same Solution Pack. Content Status Table 14-3 Icon Name Description Installed...
  • Page 321: Installing Content From Solution Packs

    14.3.3 Installing Content from Solution Packs To use the content of a Solution Pack in the Sentinel Control Center, you must install the Solution Pack or selected controls in a Sentinel system (also known as the “target” Sentinel system). “Installing the Contents of a Solution Pack” on page 321 “Correlation Rules and Actions”...
  • Page 322 5 Click Install. After installation, the Finish button displays. 6 Click Finish. If the installation fails for any content item in the control, the Solution Manager rolls back all the contents in that control to uninstalled. There are special considerations for installing certain types of content, including correlation rules and reports;...
  • Page 323 Unavailable Correlation Engines Figure 14-4 The Execute Script Correlation action (created in Sentinel 6.0) cannot run on a particular correlation engine if the installation of the JavaScript code fails for that correlation engine. The file can be manually copied to the proper directory on the correlation engine. In a default installation, the proper directory is <Install_directory>/config/exec If an Execute Command correlation action is associated with the correlation rule, the Solution...
  • Page 324 Sentinel Core Event Source List Sentinel Core Event Source Overview Sentinel Core Incident Management Dashboard Sentinel Core Incident Status Summary Sentinel Core Internal Events Sentinel Core Solution Pack Audit Trail Sentinel Core Solution Pack Status Dashboard Content Placeholders Only fully defined controls can be installed. For controls that contain placeholders, the Install option is disabled: The following warning displays in the Description frame: Duplicate Content within a Solution Pack...
  • Page 325: Implementing Controls

    For example, the rule from the Solution Pack might be named Unauthorized Firewall Change (1). The existing rule in the Sentinel system is unchanged. NOTE: To prevent confusion for end users, Novell recommends that one of these rules be renamed. 14.3.4 Implementing Controls...
  • Page 326: Testing Controls

    5 Add notes to the Notes tab of the Documentation frame as necessary to document progress or necessary deviations from the recommended implementation steps. 6 When the implementation is complete, select the control and change the status drop-down to Implemented. An audit event is generated and sent to the Sentinel Control Center.
  • Page 327 When a control is uninstalled, the status for the control reverts to Not Implemented and child content is deleted from the Sentinel system. There are a few exceptions and special cases: Dependencies are checked to ensure that no content that is still in use is deleted. Some examples of this include a dynamic list that is used by a correlation rule created in the target Sentinel system, a report that is used in a control that is still installed, an iTRAC workflow template that is used in a Solution Pack that is still installed, or a folder that still contains other...
  • Page 328: Viewing Solution Pack Status

    4 Click Uninstall. The selected contents are uninstalled. You cannot uninstall local reports from a different Sentinel Control Center machine than the one that they were installed on or if the files were copied to a new location after installation. If the Solution Manager cannot find the .rpt files in the expected location, a message is logged...
  • Page 329 Tested: This status indicates that a user has completed all of the testing steps and manually set the control status to Tested. Out of Sync: This status indicates that a different version of the content in the Solution Pack is deployed in the Sentinel target system by another Solution Pack or a previous version of the same Solution Pack.
  • Page 330: Deleting Solution Packs

    5 To save the PDF, click Browse. Navigate to the location where you want to save the PDF and specify a filename. Click Save. Audit Events in the Sentinel Control Center All major actions related to Solution Packs and controls are audited by the Sentinel system, with information about which user performed the action.
  • Page 331: Solution Designer

    All deletions are audited by the Sentinel system and sent to both the Sentinel Control Center and the Sentinel database. 1 Click the Tool menu and select Solution Packs. The Solution Packs window displays. 2 Select the Solution Pack you want to delete and click the Open icon on the toolbar. 3 Select the Solution Pack node and click Uninstall.
  • Page 332 Table 14-4: Solution Designer - User Interface Table 14-4 Frames Image Content Palette Content Description
  • Page 333: Connection Modes

    Frames Image Solution Pack Documentation 14.4.2 Connection Modes Solution Packs can be created or edited in the Solution Designer in connected or offline modes. In offline mode, there is no connection to an active Sentinel server or its content (such as event enrichment or correlation rules).
  • Page 334: Creating A Solution Pack

    To open the Solution Designer in offline mode: 1 Start the Solution Designer by executing the following command: <Install_directory>/bin/solution_designer.sh The Sentinel Solution Designer login window is displayed. 2 Provide your login credentials. Select the Work Offline check box if desired, then click Login. The Solution Designer is displayed.
  • Page 335: Managing Content Hierarchy Nodes

    2 Click File > New. An empty Solution Pack displays in the Solution Pack frame. 3 Add Categories, controls, content groups, and content placeholders, using the proper procedures for each. 4 Add file attachments to the hierarchy nodes as desired. 5 Click File >...
  • Page 336: Adding Content To A Solution Pack

    14.4.5 Adding Content to a Solution Pack A vital part of creating a Solution Pack is adding content to the controls. Each control can have one or more types of content associated with it. “Sentinel Content” on page 336 “JasperReports” on page 337 “Placeholders”...
  • Page 337 JasperReports You can add a JasperReport (.jpz file) from a local file system. Adding a JasperReport is similar to adding other types of content. 1 Log into Solution Designer in connected mode or offline mode, then open or create a Solution Pack.
  • Page 338: Documenting A Solution Pack

    Icon Name Description View Views an attachment. Select a node, right-click the attachment in the Attachment panel, then select View File. The file displays in the associated application. Rename Renames an attachment. Select a node, right-click the attachment in the Attachment panel, then select Rename.
  • Page 339: Editing A Solution Pack

    14.4.7 Editing a Solution Pack A saved Solution Pack can be edited by using the Solution Designer. For information about deploying the changes into an existing system, see Section 14.5, “Deploying an Edited Solution Pack,” on page 340. When an existing Solution Pack is saved, the user has several options: Save: Saves an updated version of the original Solution Pack.
  • Page 340: Deploying An Edited Solution Pack

    6 Click File > Save, Save As, or Save As New, and save the file to the location you want. If you selected Save or Save As and some of the content is out of sync, you are prompted to synchronize.
  • Page 341: Action Manager And Integrator

    Action Manager and Integrator Actions are used to execute some type of action in Sentinel, either manually or automatically. An action plug-in framework was introduced in Sentinel 6.1. This framework consolidates several different ways of executing actions in Sentinel 6.0. The same Action framework is now used to execute actions in all of the following contexts: When a deployed correlation rule fires (automatic) When a user chooses the action from within an incident...
  • Page 342 Send an Email Create an Incident Execute JavaScript Action Plug-ins NOTE: Except for JavaScript actions, the actions above can only be used in the context of a correlation rule deployment. For more information about correlation-only actions, see the Correlation section. This section focuses exclusively on JavaScript action plug-ins and actions. Using the Action Manager you can import, create, and manage action plug-ins (.zip files) and...
  • Page 343: Action Plug-Ins

    15.2 Action Plug-Ins You can download action plug-ins from the Sentinel Content Site (http://support.novell.com/ products/sentinel/sentinel61.html). Action plug-ins are frequently included in Solution Packs. Also, JavaScript actions used in Execute Script actions in versions of Sentinel before Sentinel 6.1 Rapid Deployment can be converted to action plug-ins by using the Action Manager.
  • Page 344 3 Click the Add icon on the top left corner to import plug-ins. The Plugin Import Type window displays. 4 Select Import an Action plugin file (.zip). Click Next. The Choose Plugin Package File window displays.
  • Page 345 5 Browse to a location of the plug-in package file and click OK, then click Next. If the file you have selected is not the proper format, the Next button does not activate. If you are updating an already-imported plug-in file, you are provided with the option of updating the existing plug-in, going back and selecting a different plug-in, or canceling the import.
  • Page 346: Importing Javascript Files

    15.2.2 Importing JavaScript Files Although JavaScript action plug-ins can be obtained from Novell, it is also possible to create and manage your own JavaScript action plug-ins. Plug-ins can be created by using JavaScript files that were used in the Execute Script command in versions prior to Sentinel 6.1 Rapid Deployment, or they can be created using any JavaScript file written by using the Sentinel JavaScript API.
  • Page 347 2 Click Manage Plugins. The Action Plugin Manager window displays. 3 Click the Add icon on the top left corner to Import plug-ins. The Plugin Import Type window displays.
  • Page 348 4 Select Import an Action plugin from directory. The Choose JavaScript Directory window displays. 5 Browse to a location of the JavaScript Plug-in directory and click OK, then click Next.
  • Page 349 6 The Action Plugin Detail window displays. Provide the required information. Attach a main JavaScript file and a help file. If the file you have selected is not the correct format, the Next button does not activate. When you are updating an already-imported JavaScript file, you are provided with the option of updating the existing plug-in, going back and selecting a different plug-in, or canceling the import.
  • Page 350 8 Select the objects that the JavaScript action requires. This affects where the action is available in the interface. For more information, see the Table 15-1 on page 346. 9 Click Next. The Plugin Parameters window displays.
  • Page 351 10 [Optional] Click the Add button to add parameters that can be set when an action is configured. This option should be used for any JavaScript files that expect to receive parameterized information. The Parameter Definition window displays.
  • Page 352 10a Specify the parameter name. The name used here should be identical to the one used in the scriptEnv.getParameter JavaScript API method in the script that is being imported. 10b Select parameter name from Type drop-down list. The various parameter types available are: String: Accepts the string values for the parameters.
  • Page 353 <Directory Name>_<Randomly Generated Number>_bak.zip where <Directory Name> is the directory in which the plug-in is created. The following is an example of the package.xml file: <?xml version="1.0" encoding="UTF-8"?> <JavaScriptActionPackage> <ID>FA6944D0-DC43-102A-976F-001321B5C0B3</ID> <Name>Example JavaScript Plugin</Name> <Type>JAVASCRIPT_ACTION</Type> <DisplayName>Example JavaScript Plugin</DisplayName> <Author>Novell Engineering</Author>
  • Page 354: Actions

    <Version>61r1</Version> <ReleaseDate>1206414663439</ReleaseDate> <MainScriptFile>example.js</MainScriptFile> <Description>An example JavaScript Action plugin.</Description> </JavaScriptActionPackage> NOTE: When a plug-in is created from a JavaScript file and an existing package.xml file, the package.xml file is updated with the list of files contained in the package, hash codes, current dates, and so on.
  • Page 355: Editing Actions

    If you select an action plug-in that is configured to use an Integrator to connect to an external system, the Add Integrator button displays. The parameters for the selected plug-in display. For actions provided by Novell, more information about configuration and the available parameters is available in the help file for the action.
  • Page 356: Developing Javascript Actions

    15.3.5 Developing JavaScript Actions The information below is very basic development information about developing JavaScript actions. For more information, see Novell Developer Community web site (http://developer.novell.com/ wiki/index.php?title=Develop_to_Sentinel). “Creating a JavaScript Action” on page 356 “Debugging JavaScript Actions” on page 357...
  • Page 357 Debugging JavaScript Actions You can debug JavaScript files from the Sentinel Control Center with the help of the JavaScript debugger. The JavaScript debugger is a local debugger that executes scripts with respect to the machine on which the Sentinel Control Center is running. The JavaScript debugger instantiates a debug session from the Data Access Service (DAS) machine.
  • Page 358 2 Right-click a JavaScript action associated with a correlation rule and select Debug. The Debug JavaScript Correlation Action window displays. The screen displays the following message: Retrieved source file, waiting for associated correlation rule to fire The correlation rule must fire (and a correlated event or incident must be created) before you can debug the script.
  • Page 359 3 Click Run. The debugger panel displays the source code and positions the cursor on the first line of the script.
  • Page 360: Integrator Manager

    Integrators allow Sentinel to connect to other external systems, for example, an LDAP server, SMTP server, or SOAP server. JavaScript actions can use Integrators to interact with other systems. For example, you can set the attribute in Novell eDirectory (an LDAP server) to enable or disable a user, edit details and so on.
  • Page 361: Permissions For Using Integrators

    For more information on specific Integrators, see the documentation that is available with the Integrators. You can download the updated Integrators from the Sentinel documentation Web site (http://www.novell.com/documentation/sentinel61). Alternatively, you can view the Integrators documentation by clicking the Help button in Integrator Manager after configuring the Integrator. 15.4.1 Permissions for Using Integrators To use the Integrator Manager, a user must be assigned the necessary permissions in the User Manager.
  • Page 362: Integrator Plug-Ins

    6 Select View Integrators, Manage Integrators, Manage Integrator Plugins, or Integrators (which automatically selects all child permissions). The new permissions are applied the next time the user logs in. For more information, see “Sentinel 6.1 Rapid Deployment Control Center User Permissions”...
  • Page 363: Integrators

    15.6 Integrators Section 15.6.1, “Creating an Integrator Instance,” on page 363 Section 15.6.2, “Editing an Integrator Instance,” on page 363 Section 15.6.3, “Deleting an Integrator Instance,” on page 363 Section 15.6.4, “Integrator Connection Status,” on page 363 Section 15.6.5, “Viewing Integrator Health Details,” on page 364 Section 15.6.6, “Integrator Events Query,”...
  • Page 364: Viewing Integrator Health Details

    The server performs a test of the Integrators in the actual service where the Integrators are used when actions are executed. 3 Click OK. 15.6.5 Viewing Integrator Health Details 1 Click Tools > Integrator Manager. The Integrator Manager window displays. 2 Select an Integrator from the left pane.
  • Page 365: Integrator Events Query

    The Health screen displays the Refresh Health State, the time of last occurrence, the method calls, and the related events of the selected Integrator configuration. Integrator API Calls: Indicates the count and timing status of both the connection and the method calls made through the API of the selected Integrator. For more information on JavaScript plug-ins, see Section 15.1, “Action Manager,”...
  • Page 366 3 Click the Integrator Events button. The Query window displays. All the events related to the configured Integrator automatically display in the Query window. You can filter the displayed events by using the filter criteria. For more information, see Section 3.9.3, “Historical Event Query,” on page 366
  • Page 367: Using Integrators From Actions

    15.6.7 Using Integrators from Actions Some actions might require an Integrator in order to make a connection to an external system. You can write or customize JavaScript code that connects to an external system by using the Integrator and executes methods appropriate for the external system. Because all the connection and other configuration information is already configured as part of the Integrator, the code only needs to perform a task on the system with which it integrates.
  • Page 369: Identity Integration

    Novell provides an optional integration with Novell Identity Manager. The screenshots and descriptions in this section are based on Novell Identity Manager. Sentinel 6.1 Rapid Deployment synchronizes identity information with major identity management systems and stores local copies of key information about each Identity.
  • Page 370: Integration With Novell Identity Manager

    Identity Details Figure 16-2 16.1 Integration with Novell Identity Manager Integration with Novell Identity Manager is available as part of the Novell Compliance Management Platform 1.0.1 and Novell Compliance Management extension for SAP environments 1.0.1, which includes the following components: Sentinel 6.1 Rapid Deployment...
  • Page 371 Identity Manager Driver for Sentinel 3.6 For more information, see Novell Compliance Management Platform (http://www.novell.com/documentation/ncmp10/) and Novell Compliance Management Platform extension for SAP environments 1.0 (http://www.novell.com/documentation/ncmp_sap10/). The Solution also requires identity-enabled Collectors, which are available for download at the Standard Sentinel Content download Web site (http://support.novell.com/products/sentinel/sentinel61.html).
  • Page 372 Column / Label / Populated by which Map Key Field (Event Label from IdentityAccount Map):
    InitUserDepartment / Department / Account Name: InitUserName; Authority: InitUserDomain; Customer Name: MSSPCustomerName
    InitUserFullName / Full Name / Account Name: InitUserName; Authority: InitUserDomain; Customer Name: MSSPCustomerName
    InitUserIdentity / Identity GUID / Account Name: InitUserName...
  • Page 373: Identity Browser

    16.2 Identity Browser The Identity Browser in Sentinel allows you to search and view user profiles of the identities in the Sentinel database that have been synchronized from the identity management system. In addition to information from the identity management system, the Identity Browser also shows recent activity for the user that has been collected using the Sentinel Collectors.
  • Page 374: Viewing Profile Details

    TIP: You can input letters to view all the identities whose first or last name starts with the letters. For example, if the user enters the letters “a,b” the names Abraham, Abdullah and so on are matched. If the search is broad, the results show the first 100 names with a Load <x> More Records button, where <x>...
  • Page 375 2 Type the first name or first character of the profile in the Search box. Click the Search icon. The searched profile displays. 3 Click the View Full Profile button. The user profile displays: Using the view profile window, you can view User Profile, Accounts, and Recent Activities performed by the user.
  • Page 376 You can access Accounts in Active View by right-clicking an event generated by the Identity Collector and selecting the Show Identity Details option. Select the Initiator, Target, or Both option. The account details of the associated Identity in that event display in a pop-up window. 5 Select Recent Activity.
  • Page 377: Using The Clipboard Functionality

    The contextual event information such as Authentication, Access, and Permission change events for that identity is displayed. The events displayed are limited to the last 10 events in each category, as shown below: 16.2.3 Using the Clipboard Functionality You can use the clipboard functionality to copy the data of the User Profile, Recent Activity, or Account tabs.
  • Page 378 Reports Figure 16-3
  • Page 379: Advisor Usage And Maintenance

    Advisor Usage and Maintenance Advisor is an optional data subscription service that provides device-level correlation between real-time events from intrusion detection and prevention systems and enterprise vulnerability scan results. By providing normalized attack information, Advisor acts as an early warning service to detect attacks against vulnerable systems.
  • Page 380 Supported Systems (Device Type, RV31 Value):
    Symantec Intruder Alert: Intruder
    McAfee IntruShield: IntruShield
    eEYE Retina: VULN, Retina
    Foundstone Foundscan: VULN, Foundstone
    ISS Database Scanner: VULN, Database Scanner
    ISS Internet Scanner: VULN, Internet Scanner
    ISS System Scanner: VULN, System Scanner
    ISS Wireless Scanner: VULN, Wireless Scanner
    Nessus...
  • Page 381: Installing Advisor

    Exploit Detection. The Advisor service is updated every 6 hours based on updates from the various security device vendors. All Collectors shipped by Novell meet the above requirements, as long as they are declared as being supported by Advisor. If you want to write your own vulnerability or intrusion detection...
  • Page 382: Updating Data In Advisor Tables

    Section 17.1, “Understanding Advisor,” on page 379. To update Advisor, new data files need to be downloaded from the Novell Advisor server and loaded into the Sentinel database on a regular basis. Advisor Updates NOTE: Novell recommends that you install the latest service pack for Sentinel.
  • Page 383: Changing The Scheduled Data Update Time

    3 Open advisor_client.xml in a text editor and make changes to the areas shown below:
    <property name="advisor.mail.from">fromNAME@domain.com</property>
    <property name="advisor.mailto.list">toNAME@domain.com</property>
    <property name="advisor.notify.success">false</property>
    NOTE: To send messages to more than one address, provide comma-separated e-mail addresses without spaces. 17.4.3 Changing the Scheduled Data Update Time When you are installing Advisor in Direct Download mode, you can select to update Advisor on a 6-hour or 12-hour schedule.
  • Page 385: A Sentinel 6.1 Rapid Deployment Architecture

    Sentinel 6.1 Rapid Deployment (RD) is a simplified version of, and an alternate platform for, Novell Sentinel. It provides a security information and event management (SIEM) solution that automates the collection, analysis, and reporting of system, network, application, and security logs to help organizations manage IT risks.
  • Page 386 The data collection components are downloaded from the Novell Sentinel Content page and are installed to the Collector Managers via a central ESM interface.
  • Page 387: Architecture Overview

    Components / Description:
    Collector Builder: The Collector Builder helps you develop new Collectors from scratch by using the proprietary language. It is similar to an IDE. Sentinel 6.1 Rapid Deployment also provides the ability to develop Collectors in JavaScript by using third-party tools such as Eclipse.
    PostgreSQL Server: Sentinel requires a back-end database component to store the data.
  • Page 388: Communication Server

    A.3.1 Communication Server Sentinel 6.1 Rapid Deployment uses Apache ActiveMQ, an open source message broker. The architecture is built around Java Message Oriented Middleware (JMOM), which supports asynchronous calls between the client and server applications. Message queues provide temporary storage when the destination program is busy or not connected.
  • Page 389: Sentinel Events

    An event is made up of more than 200 tags. Tags are of different types and have different purposes. There are some predefined tags such as severity, criticality, destination IP, and destination port. There are two sets of configurable tags: reserved tags are for Novell internal use to allow future expansion and customer tags are for customer extensions.
  • Page 390 Streaming Maps The Map Service employs a dynamic update model and streams the maps from one point to another, avoiding the buildup of large static maps in dynamic memory. The value of this streaming capability is particularly relevant in a mission-critical real-time system such as Sentinel where there must be a steady, predictive, and agile movement of data independent of any transient load on the system.
  • Page 391 ISS Wireless Scanner Nessus nCircle IP360 Qualys QualysGuard You need at least one vulnerability scanner and either an intrusion detection system, IPS, or firewall from each category above. The intrusion detection system and Firewall DeviceName (rv31) must appear in the event as shown above. Also, the intrusion detection system and the firewall must properly populate the DeviceAttackName (rt1) field (for example, WEB-PHP Mambo uploadimage.php access).
  • Page 392 By default, there are two configured event columns used for exploit detection and they are referenced from a map (all mapped tags have the Scroll icon). Vulnerability AttackId Event Columns Figure A-4 When the Vulnerability field (vul) equals 1, the asset or destination device is exploited. If the Vulnerability field equals 0, the asset or destination device is not exploited.
  • Page 393: Event Source Management

    attackNormalization.csv Sample Figure A-6 The Vulnerability tag has a column entry _EXIST_, which means that the map result value is 1 if the key is in IsExploitWatchlist (the exploitDetection.csv file) or 0 if it is not. The key columns for the vulnerability tag are IP and NormalizedAttackId.
  • Page 394: Application Integration

    takes the data from the source system, performs the transformations, and presents the events for later analysis, visualization, and reporting purposes. The framework delivers the following components and benefits: Collectors: Parse and normalize events from various systems. Connectors: Connect to the data source to get raw data. Taxonomy: Allows data from disparate sources to be categorized consistently.
  • Page 395: System Events

    Sentinel Time Figure A-8 1. By default, the event time is set to Collector Manager time. The ideal time is the device time. Therefore it is best to set the event time to the device time if the device time is available, accurate, and properly parsed by the Collector.
  • Page 396: Processes

    Audit Events Audit events are generated internally. Each time an audited method is called or an audited data object is modified, the audit framework generates audit events. There are two types of Audit events: one that monitors user actions such as user login/out, add/delete user and another that monitors system actions and health, such as process start/stop.
  • Page 397 Sentinel Server Architecture Figure A-9 Sentinel Service (Watchdog) Watchdog is a Sentinel process that manages other Sentinel processes. If a process other than Watchdog stops, Watchdog reports this and then restarts that process. If this service is stopped, it stops all Sentinel processes on that machine. It executes and reports the health of other Sentinel processes.
  • Page 398: Logical Architecture

    These processes are controlled by the following configuration files: das_binary.xml: Used for event and correlated event insertion operations das_core.xml: All other database operations DAS receives requests from the different Sentinel processes, converts them to a query against the database, processes the result from the database, and converts it back to a reply. It supports requests to retrieve events for Quick Query and Event Drill Down, in order to retrieve vulnerability information and advisor information and to manipulate configuration information.
  • Page 399: Collection And Enrichment Layer

    Sentinel Logical Layers Figure A-10 The collection and enrichment layer aggregates the events from external data sources, transforms the device-specific formats into Sentinel format, enriches the native events source with business-relevant data, and dispatches the event packets to the message bus. The key component orchestrating this function is the Collector, aided by a taxonomy mapping and global filter service.
  • Page 400 Data aggregated by the Collectors in the form of events is subsequently normalized and transformed into XML format, enriched with a series of metadata (that is, data about data) using a set of business relevance services, and propagated to the server side for further computational analysis through the message bus platform.
  • Page 401 ESM Hierarchy Figure A-11 The event source, event source server, Collector, and Connector are configuration-related objects that can be added through the ESM user interface. Event Source: This node represents a connection to a specific source of data, such as a specific file, firewall, or Syslog relay, and contains the configuration information necessary to establish the connection.
  • Page 402 Common Services All of the components in this Collection and Enrichment layer are driven by a set of common services. These utility services form the fabric of the data collection and data enrichment and assist in filtering the noise from the information (through global filters), applying user-defined tags to enrich the events information (through business relevance and taxonomy mapping services), and governing the data Collectors’...
  • Page 403: Business Logic Layer

    Exploit Detection Exploit Detection enables immediate, actionable notification of attacks on vulnerable systems. It provides a real-time link between intrusion detection system signatures and vulnerability scan results, notifying users automatically and immediately when an attack attempts to exploit a vulnerable system. This dramatically improves the efficiency and effectiveness of incident response. Exploit Detection provides users with updates of mappings between intrusion detection systems and vulnerability scanner product signatures.
  • Page 404 The Remoting Service provides the following capabilities: Locating remote objects: This is achieved through metadata that describes the object name or registration token, although the actual location is not required, because the iSCALE message bus allows for location transparency. Communicating with remote objects: Details of communication between remote objects are handled by the iSCALE message bus.
  • Page 405 Organizations can deploy multiple correlation engines, each on its own server, without the need to replicate configurations or add databases. Independent scaling of components provides cost-effective scalability and performance. The correlation engine can add events to incidents after an incident has been determined. Users are encouraged to use a metric called Event Rules per Second (ERPS).
  • Page 406 kept in memory and written to the database as needed (Active Views can store up to 8 hours of data in memory with typical event loads). This uninterrupted, performance-oriented real-time view is essential when under attack or in a steady state. Active Views Figure A-14
  • Page 407 Network Figure A-15 Incident Response Through iTRAC Sentinel iTRAC transforms traditional security information management from a passive alerting and viewing role to an actionable incident response role by enabling organizations to define and to document incident resolution processes and then guide, enforce and track resolution processes after an incident or violation has been detected.
  • Page 408 iTRAC’s automation framework works using two key components: Activity container: Automates the activity’s execution for the specified set of steps, based on input rules. Workflow container: Automates the workflow execution based on activities through a worklist. The input rules are based on the XPDL (XML Processing Description Language) standard and provide a formal model for expressing executable processes in a business enterprise.
  • Page 409: Presentation Layer

    Reporting Service The Reporting service allows for reporting, including historical and vulnerability reports. Sentinel comes with out-of-the-box reports and enables users to configure their own reports using Jasper Reports. Some examples of reports included with Sentinel are: Trend analysis Security status of lines of business or critical assets Attack types Targeted assets Response times and resolution...
  • Page 410 “Active Browser” on page 411 Sentinel 6.1 Rapid Deployment Web Interface With the Novell Sentinel 6.1 Rapid Deployment Web interface, you can manage and search reports and launch the Sentinel Control Center (SCC), the Sentinel Data Manager (SDM), and the Solution Designer.
  • Page 411 Active Views Graphical Format Bar Graph Figure A-19 Active Views Graphical Format Line Graph Figure A-20 Active View Graphical Format Ribbon Graph Figure A-21 Active Browser The Active Browser facility helps in viewing the selected events. In the Active Browser, the events are grouped according to the meta tags.
  • Page 412 Active Browser Figure A-22 In the Active Browser, the query manager service retrieves a list of events taken from any part of the system and performs a statistical analysis of these events to break them down into ranges of values for each desired attribute of the event.
  • Page 413: B System Events For Sentinel

    System Events for Sentinel In the tables below, words in italics surrounded by <…> are replaced by relevant values in the real messages. Section B.1, “Authentication Events,” on page 413 Section B.2, “User Management,” on page 417 Section B.3, “Database Event Management,” on page 421 Section B.4, “Database Aggregation,”...
  • Page 414: Creating Entry For External User

    Table B-1, Authentication Events: Authentication
    Event Name: Authentication
    Resource: UserAuthentication
    SubResource: Authenticate
    Message: User <name> has passed Authentication to Sentinel/Wizard
    B.1.2 Creating Entry For External User: When creating an external user, the following event is generated (Table B-2, Authentication Events: Creating Entry For External User)...
  • Page 415: Locked Account

    Table B-4, Authentication Events: Failed Authentication
    Event Name: AuthenticationFailed
    Resource: UserAuthentication
    SubResource: Authenticate
    Message: Authentication of user <name> with OS name <domUser> from <IP> failed
    B.1.5 Locked Account: When a locked user account is attempting to log in, the following event is generated (Table B-5, Authentication Events: Locked Account)...
  • Page 416: Too Many Active Users

    B.1.7 Too Many Active Users (Table B-7, Authentication Events: Too Many Active Users). B.1.8 User Discovered: If the server restarts, it loses the session information. It then reconstructs the session when it receives messages from active users. When it discovers a connected user, the following internal event is generated (Table B-8, Authentication Events: User Discovered)...
  • Page 417: User Logged Out

    Message: User <user> with OS name <osName> at <IP> logged in; currently <number> active users
    B.1.10 User Logged Out: When a user logs out, the following internal event is generated (Table B-10, Authentication Events: User Logged Out)
    Event Name: UserLoggedOut...
  • Page 418: Create Role

    Event Name: createRole
    Resource: WorkflowServices
    SubResource: WorkflowAdminService
    Message: Adding users <name> to role <role>
    B.2.2 Create Role (Table B-12, User Management: Create Role)
    Event Name: createRole
    Resource: WorkflowServices
    SubResource: WorkflowAdminService
    Message: Creating role with name <name> and description <description>
    B.2.3 Create User (Table B-13, User Management: Create User)...
  • Page 419: Delete Role

    SubResource: UserManagementService
    Message: Creating User Account: {0} with Last Name: <lastName>, First Name: <firstName>, State: <state>
    B.2.5 Delete Role (Table B-15, User Management: Delete Role)
    Event Name: deleteRole
    Resource: WorkflowServices
    SubResource: WorkflowAdminService
    Message: Deleting role with name <name>
    B.2.6 Deleting User Account (Table B-16, User Management: Deleting User Account)...
  • Page 420: Remove Users From Role

    B.2.8 Remove Users From Role (Table B-18, User Management: Remove Users From Role)
    Event Name: removeUsersFromRole
    Resource: WorkflowServices
    SubResource: WorkflowAdminService
    Message: Removing users <name> from role <role>
    B.2.9 Resetting Password (Table B-19, Resetting Password)
    Event Name: setPassword
    Resource: Config
    SubResource: ...
  • Page 421: Updating User

    B.2.11 Updating User (Table B-21, User Management: Updating User)
    Event Name: updateUser
    Resource: Config
    SubResource: UserManagementService
    Message: Updating user: {0} Last Name: <lastName>, First Name: <firstName>, State: <state>
    B.3 Database Event Management Section B.3.1, “Diskspace Usage Reached Lower Threshold,” on page 422 Section B.3.2, “Diskspace Usage Reached Upper Threshold,”...
  • Page 422: Diskspace Usage Reached Lower Threshold

    B.3.1 Diskspace Usage Reached Lower Threshold (Table B-22, Diskspace Usage Reached Lower Threshold)
    EventName: DBLowSpace
    Resource: DBSPace
    Message: Diskspace usage reached lower threshold. Its current size is {0} MB as against allocated size {1} MB.
    B.3.2 Diskspace Usage Reached Upper Threshold (Table B-23, Diskspace Usage Reached Upper Threshold)...
  • Page 423: Failing To Drop Online Currentpartition

    B.3.4 Failing to Drop Online CurrentPartition (Table B-25, Failing to Drop Online CurrentPartition)
    EventName: DBNoSpace
    Resource: DBSPace
    Message: Diskspace usage reached upper threshold. Failing to drop online current partition {0}.
    B.3.5 Database Space Reached Specified Percent Threshold: When event insertion is resumed after being blocked, the following event is sent (Table B-26, Database Event Management: Database Space Reached Specified Percent Threshold)...
  • Page 424: Database Space Very Low

    B.3.7 Database Space Very Low: When event insertion is resumed after being blocked, the following event is sent (Table B-28, Database Event Management: Database Space Very Low)
    Event Name: DbSpaceVeryLow
    Resource: Database
    SubResource: Database
    Message: Tablespace <string> has current size of <number> MB and has reached the physical threshold of <number>...
  • Page 425: Error Processing Event Message

    Message: Error moving completed archive file <fileName> to <directory>
    B.3.10 Error Processing Event Message (Table B-31, Database Event Management: Error Processing Event Message)
    Event Name: ErrorProcessingEventMessage
    Resource: EventSubsystem
    SubResource: EventStore
    Message: Error processing event message, events may be lost; check the log file for more details: {0}
    B.3.11 Error Saving Failed Events (Database Event Management: Error Saving Failed Events)...
  • Page 426: Event Insertion Is Resumed

    SubResource: Events
    Message: Event insertion is blocked, waiting <number> sec
    B.3.13 Event Insertion Is Resumed: When event insertion is resumed after being blocked, the following event is sent (Table B-34, Database Event Management: Event Insertion Is Resumed)
    Event Name: EventInsertionResumed
    Resource: ...
  • Page 427: No Space In The Database

    Resource: EventSubsystem
    SubResource: EventStore
    Message: In the previous {0}ms, failed to process {1} events--Events were stored for later insertion. Check the log files and the database for more information. The error occurred {2} times in this time range: {3}, cause {4}";
    B.3.16 No Space In The Database (Table B-37, Database Event Management: No Space In The Database)...
  • Page 428: Writing To Archive File Failed

    Event Name: New/Update/Remove
    Resource: 
    SubResource: PartitionConfig
    Message: ableName=<name> PartTimeUnit={1} PartTimeFactor={2} NumberOfUnits={3}
    B.3.19 Writing to Archive File failed: When opening an archive file for storing the events for aggregation fails, the following internal event is generated (Table B-40, Database Event Management: Writing to Archive File failed)...
  • Page 429: Creating Summary

    Section B.4.3, “Disabling Summary,” on page 429 Section B.4.4, “Enabling Summary,” on page 430 Section B.4.5, “Error inserting Summary Data into the Database,” on page 430 Section B.4.6, “Saving Summary,” on page 430 B.4.1 Creating Summary Database Aggregation : Creating Summary Table B-42 Value Severity...
  • Page 430: Enabling Summary

    B.4.4 Enabling Summary (Table B-45, Database Aggregation: Enabling Summary)
    Event Name: enableSummary
    SubResource: EventAggregationAdminService
    Message: Enabling summary: <summaryDescription>
    B.4.5 Error inserting Summary Data into the Database: If an error is encountered while writing aggregation data into the database, the following internal event is generated (Table B-46, Database Aggregation: Error inserting Summary Data into the Database)...
  • Page 431: Error

    Section B.5.2, “Error Applying Incremental Update,” on page 431 Section B.5.3, “Error initializing map with ID,” on page 432 Section B.5.4, “Error Refreshing Map,” on page 432 Section B.5.5, “Error Saving Data File,” on page 433 Section B.5.6, “Get File Size,” on page 433 Section B.5.7, “Loaded Large Map,”...
  • Page 432: Error Initializing Map With Id

    SubResource: ReferentialDataObjectMap
    Message: The error <error> occurred while applying updates to map <mapName> (ID <mapId>) v.<version>. Rescheduling a refresh to complete map update.
    B.5.3 Error initializing map with ID: This internal event is generated from the client side of the mapping service (the one that is part of the Collector Manager).
  • Page 433: Error Saving Data File

    B.5.5 Error Saving Data File (Table B-52, Database Aggregation: Error Saving Data File)
    Event Name: ErrorSavingDataFile
    Resource: MappingService
    SubResource: MapService
    Message: The error <error> occurred while saving data to file <fileName> (no) backup
    B.5.6 Get File Size (Table B-53, Database Aggregation: Get File Size)...
  • Page 434: Long Time To Load Map

    B.5.8 Long Time To Load Map: This internal event is an informational event sent by the mapping service, indicating that loading a map took an unusually long time (greater than one minute). Table B-55, Database Aggregation: Long Time To Load Map...
  • Page 435: Refreshing Map From Server

    Event Name: LoadingMapFromCache
    Resource: MappingService
    SubResource: ReferentialDataObjectMap
    Message: Loading from cache v<version> of map <mapName> (ID <id>)
    B.5.11 Refreshing Map from Server: This internal event is generated from the client side of the mapping service (the one that is part of the Collector Manager).
  • Page 436: Saved Data File

    B.5.13 Saved Data File (Table B-60, Database Aggregation: Saved Data File)
    Event Name: SavedDataFile
    Resource: MappingService
    SubResource: MapService
    Message: Saved "+fileSize+" bytes to file <fileName> with original backed up to "+backupFile:"no backup of original
    B.5.14 Timed Out Waiting For Callback: When the Collector Manager needs to refresh a map, it sends a request to the back end.
  • Page 437: Update

    Event Name: TimeoutRefreshingMap
    Resource: MappingService
    SubResource: ReferentialDataObjectMap
    Message: Request timed out while refreshing map <name>: <exception>
    B.5.16 Update (Table B-63, Database Aggregation: Update)
    Event Name: update
    SubResource: MapDataCallback
    Message: Updating map data
    B.5.17 Update (Table B-64, Database Aggregation: Update)...
  • Page 438: Event Router Is Initializing

    B.6.1 Event Router is Initializing: This event is sent when an event router starts its initialization. The event router starts initializing when it has established a connection with the back end. Table B-65, Event Router: Event Router is Initializing...
  • Page 439: Event Router Is Terminating

    SubResource: EventRouter
    Message: Event router is stopping; reqId(B408EC15-F4D2-1029-A795-000C296FC5D4)
    B.6.4 Event Router is Terminating: This event is sent when a request is received by the event router to stop during shutdown. Table B-68, Event Router: Event Router is Terminating...
  • Page 440: Correlation Action Definition

    B.7.1 Correlation Action Definition (Table B-69, Correlation Engine: Correlation Action Definition)
    Event Name: New/Update/Remove
    Resource: Correlation
    SubResource: CorrelationActionDefinition
    Message: Action Name: <name> with Id: <ID>
    B.7.2 Correlation Engine Configuration (Table B-70, Correlation Engine: Correlation Engine Configuration)...
  • Page 441: Correlation Engine Is Stopped

    B.7.4 Correlation Engine is Stopped: This event is sent out when the engine changes state from running to stopped. Table B-72, Correlation Engine: Correlation Engine is Stopped
    Event Name: EngineStopped
    Resource: CorrelationEngine
    SubResource: CorrelationEngine
    Message: Correlation Engine has stopped processing events.
    B.7.5 Correlation Rule (Table B-73, Correlation Engine: Correlation Rule)...
  • Page 442: Deploy Rules With Actions To Engine

    B.7.7 Deploy Rules With Actions To Engine (Table B-75, Correlation Engine: Deploy Rules With Actions To Engine)
    Event Name: deployRulesWithActionsToEngine
    Resource: CorrelationManagementService
    SubResource: CorrelationManagementService
    Message: Deploy Rules With Actions To Engine <enginId>: Rules: <ruleID> Actions: <actionID>
    B.7.8 Disabling Rule (Table B-76, Correlation Engine: Disabling Rule)...
  • Page 443: Rename Correlation Engine

    B.7.10 Rename Correlation Engine (Table B-78, Correlation Engine: Rename Correlation Engine)
    Event Name: renameCorrEngine
    Resource: CorrelationManagementService
    SubResource: CorrelationManagementService
    Message: Rename Engine to: <name> with EngineId: <ID>
    B.7.11 Rule Deployment is Modified: This event is sent when an engine successfully reloads a rule deployment. This message is sent regardless of the engine’s running state.
  • Page 444: Rule Deployment Is Stopped

    B.7.13 Rule Deployment is Stopped: This event is sent when an engine successfully unloads a rule deployment. This message is sent regardless of the engine’s running state. Table B-81, Correlation Engine: Rule Deployment is Stopped
    Event Name: DeploymentStopped
    Resource: CorrelationEngine...
  • Page 445: Undeploy All Rules From Engine

    B.7.16 UnDeploy All Rules From Engine (Table B-84, Correlation Engine: UnDeploy All Rules From Engine)
    Event Name: undeployAllRulesFromEngine
    Resource: CorrelationManagementService
    SubResource: CorrelationManagementService
    Message: Undeploy all rules from Engine:
    B.7.17 UnDeploy Rule (Table B-85, Correlation Engine: UnDeploy Rule)...
  • Page 446: Collector Manager Initialized

    Section B.8.3, “Collector Manager Started,” on page 447 Section B.8.4, “Collector Manager Stopped,” on page 447 Section B.8.5, “Collector Service Callback,” on page 448 Section B.8.6, “Cyclical Dependency,” on page 448 Section B.8.7, “Event Source Manager Callback,” on page 448 Section B.8.8, “Initializing Collector Manager,”...
  • Page 447: Collector Manager Is Down

    B.8.2 Collector Manager Is Down Event Source Management (General) : Collector Manager Is Down Table B-88 Value Severity Event Name CollectorManagerDown Resource HealthManager SubResource CollectorManagerHealth Message B.8.3 Collector Manager Started Event Source Management (General) : Collector Manager Started Table B-89 Value Severity Event Name...
  • Page 448: Collector Service Callback

    B.8.5 Collector Service Callback Event Source Management (General) : Collector Service Callback Table B-91 Value Severity Event Name Restart Resource SubResource CollectorServiceCallback Message Restart Collector with Id: <ID> B.8.6 Cyclical Dependency The Event Service sends this event when it detects a cycle in the Event Definition (in dependencies among tags because of referential map assignments).
  • Page 449: Initializing Collector Manager

    B.8.8 Initializing Collector Manager Event Source Management (General) : Initializing Collector Manager Table B-94 Value Severity Event Name CollectorManagerInitializing Resource CollectorManager SubResource Internal Message Initializing Collector Manager… B.8.9 Lost Contact With Collector Manager Event Source Management (General) : Lost Contact With Collector Manager Table B-95 Value Severity...
  • Page 450: Persistent Process Restarted

    Event Source Management (General) : Persistent Process Died Table B-97 Value Severity Event Name PersistentProcessDied Resource AgentManager SubResource AgentManager Message Persistent Process on port <port ID> has died. B.8.12 Persistent Process Restarted The Collector Engine sends this event when the persistent process Connector is able to restart the controlled process that had died.
  • Page 451: Reestablished Contact With Collector Manager

    Event Source Management (General) : Port Stop Table B-100 Value Severity Event Name PortStop Resource AgentManager SubResource AgentManager Message Processing stopped for port_<port ID> B.8.15 Reestablished Contact With Collector Manager Event Source Management (General) : Reestablished Contact With Collector Manager Table B-101 Value Severity...
  • Page 452: Restarting Collector Manager (Cold Restart)

    B.8.17 Restarting Collector Manager (Cold Restart) Event Source Management (General) : Restarting Collector Manager (Cold Restart) Table B-103 Value Severity Event Name CollectorManagerRestart Resource CollectorManager SubResource Internal Message Restarting Collector Manager (Cold restart) B.8.18 Restarting Collector Manager (Warm Restart) Event Source Management (General) : Restarting Collector Manager (Warm Restart) Table B-104 Value Severity...
  • Page 453: Start Event Source Manager

    B.8.20 Start Event Source Manager Event Source Management (General) : Start Event Source Manager Table B-106 Value Severity Event Name startEventSourceManager Resource EventSourceManagement SubResource EventSourceManagerService Message Start Collector Manager: <eventSourceManagerID> B.8.21 Starting Collector Manager Event Source Management (General) : Starting Collector Manager Table B-107 Value Severity...
  • Page 454: Stop Event Source Manager

    B.8.23 Stop Event Source Manager Event Source Management (General) : Stop Event Source Manager Table B-109 Value Severity Event Name StopEventSourceManager Resource EventSourceManagement SubResource EventSourceManagerService Message Stop Collector Manager: <eventSourceManagerID> B.8.24 Stopping Collector Manager Event Source Management (General) : Stopping Collector Manager Table B-110 Value Severity...
  • Page 455: Stop Event Source

    B.9.2 Stop Event Source Event Source Management (Event Sources) : Stop Event Source Table B-112 Value Severity Event Name stopEventSource Resource EventSourceManagement SubResource EventSourceManagerService Message Stop EventSource: {0} B.10 Event Source Management-Collectors Section B.10.1, “Start Collector,” on page 455 Section B.10.2, “Stop Collector,” on page 455 B.10.1 Start Collector Event Source Management (Collectors) : Start Collector Table B-113...
  • Page 456: Event Source Management-Event Source Servers

    B.11 Event Source Management-Event Source Servers Section B.11.1, “Start Event Source Server,” on page 456 Section B.11.2, “Stop Event Source Server,” on page 456 Section B.11.3, “Stop Event Source Server,” on page 456 B.11.1 Start Event Source Server Event Source Management (Event Source Servers): Start Event Source Server Table B-115 Value Severity...
  • Page 457: B.12.1 Data Received After Timeout

    Value Message Stop EventSourceServer: <eventSourceServerID> B.12 Event Source Management-Connectors Section B.12.1, “Data Received After Timeout,” on page 457 Section B.12.2, “Data Timeout,” on page 457 Section B.12.3, “File Rotation,” on page 458 Section B.12.4, “Process Auto Restart Error,” on page 458 Section B.12.5, “Process Start Error,”...
  • Page 458: File Rotation

    Value SubResource FileConnector Message Event source <File Event Source ID> reached time out of <Timeout Period> when processing file <File Location>. B.12.3 File Rotation When the File Connector is configured to use file rotation and the Connector changes from one file to the next, the following internal event is generated: Event Source Management (Connectors): File Rotation Table B-120...
  • Page 459: Process Stop

    Value Event Name ProcessStartError Resource ProcessConnector SubResource ProcessConnector Message Error starting command: {0} B.12.6 Process Stop Event Source Management (Connectors) : Process Stop Table B-123 Value Severity Event Name ProcessStop Resource ProcessConnector SubResource ProcessConnector Message Process <{0}> exited [command: {1}] B.12.7 WMI Connector Status Message Event Source Management (Connectors) : WMI Connector Status Message Table B-124...
  • Page 460: Active View Created

    B.13.1 Active View Created DAS_Binary sends this event when an Active View is created. Active View : Active View Created Table B-125 Value Severity Event Name RtChartCreated Resource RealTimeSummaryService SubResource ChartManager Message Creating new Active View with filter <filter> and attribute <attribute> for users with security filter <security filter>.
  • Page 461: Active View Now Permanent

    Value SubResource ChartManager Message Active View with filter <filter> and attribute <attribute> for users with security filter <security filter> is no longer permanent. B.13.4 Active View Now Permanent DAS_Binary sends this event when it detects an Active View as newly permanent. This check happens periodically, so it can be several minutes after an Active View is saved to preferences before this event is generated.
  • Page 462: B.14.1 Activity Definition

    Active View : Idle Permanent Active View Removed Table B-130 Value Severity Event Name RtPermanentChartRemoved Resource RealTimeSummaryService SubResource ChartManager Message Removed idle permanent Active View with filter <filter> and attribute <attribute> for users with security filter <security filter>. Currently <n> Active View(s) Collecting.
  • Page 463: Viewing Configuration Store

    Value SubResource FilterConfig, GlobalFilterConfig, MenuConfig, OptionsConfig, IncidentActionConfig, AnalyzeDefaultConfig, AnalyzeReportConfig, AdvisorDefaultConfig and AdvisorReportConfig Message Updating Config Object: <name> by User: _SYSTEM B.14.3 Viewing Configuration Store Data Objects : Viewing Configuration Store Table B-133 Value Severity Event Name New/Update/Remove Resource SubResource ViewConfigurationStore Message name <name>...
  • Page 464: Creating An Activity

    B.15.1 Creating an Activity Activities : Creating an Activity Table B-135 Value Severity Event Name createActivity Resource SubResource ActivityNamespace Message Creating iTRAC Activity <name> B.15.2 Deleting an Activity Activities : Deleting an Activity Table B-136 Value Severity Event Name deleteActivity Resource SubResource ActivityNamespace...
  • Page 465: Add Events To Incident

    Section B.16.4, “Creating Group,” on page 466 Section B.16.5, “Creating User,” on page 466 Section B.16.6, “Delete Incident,” on page 467 Section B.16.7, “Deleting Group,” on page 467 Section B.16.8, “Deleting Process Definition,” on page 467 Section B.16.9, “Deleting User,” on page 468 Section B.16.10, “E-Mail Incident,”...
  • Page 466: Create Incident

    B.16.3 Create Incident Incidents and Workflow : Create Incident Table B-140 Value Severity Event Name createIncident Resource IncidentService SubResource IncidentService Message User: <name> created incident with name: <incidentName>, state: <state>, severity: <severity>, resolution: <resolution> B.16.4 Creating Group Incidents and Workflow : Creating Group Table B-141 Value Severity...
  • Page 467: Delete Incident

    B.16.6 Delete Incident Incidents and Workflow : Delete Incident Table B-143 Value Severity Event Name deleteIncident Resource IncidentService SubResource IncidentService Message Delete incident with ID: <ID> B.16.7 Deleting Group Incidents and Workflow : Deleting Group Table B-144 Value Severity Event Name deleteGroup Resource WorkflowServices...
  • Page 468: Deleting User

    B.16.9 Deleting User Incidents and Workflow : Deleting User Table B-146 Value Severity Event Name deleteUser Resource WorkflowServices SubResource WorkflowObjectMgrService Message Deleting User in WorkFlow: {0} with firstname: <firstName> lastname : <lastName> B.16.10 E-Mail Incident Incidents and Workflow : E-mail Incident Table B-147 Value Severity...
  • Page 469: Save Incident

    B.16.12 Save Incident Incidents and Workflow : Save Incident Table B-149 Value Severity Event Name saveIncident Resource IncidentService SubResource IncidentService Message Save incident with name: <name>, state: <state>, severity: <severity>, resolution: <resolution> B.16.13 Saving Group Incidents and Workflow : Saving Group Table B-150 Value Severity...
  • Page 470: Send Incident To Hp Service Desk

    B.16.15 Send Incident to Hp Service Desk Incidents and Workflow : Send Incident To Hp Service Desk Table B-152 Value Severity Event Name sendIncidentToHpServiceDesk Resource IncidentService SubResource IncidentService Message User: <name> sent incident with name: <incidentName>, state: <state>, severity: <severity>, resolution: <resolution> to HP Service Desk B.16.16 Send Incident to HpOVO Incidents and Workflow : Send Incident To HpOVO Table B-153...
  • Page 471: Configuration Service

    Section B.17.2, “Controlled Process is started,” on page 471 Section B.17.3, “Controlled Process Is Stopped,” on page 472 Section B.17.4, “Importing Auxiliary,” on page 472 Section B.17.5, “Importing Plug-In,” on page 472 Section B.17.6, “Load Esec Taxonomy to XML,” on page 473 Section B.17.7, “Process Auto Restart Error,”...
  • Page 472: Controlled Process Is Stopped

    Value Resource Sentinel SubResource Process Message Process <ProgramName> spawned (command <pID>) B.17.3 Controlled Process Is Stopped This event is sent when a process is stopped. The severity is set to 5 if the process was set to respawn (that is, it is not expected to die). The severity is set to 1 if the process was set to run once. General : Controlled Process Is Stopped Table B-157 Value...
  • Page 473: Load Esec Taxonomy To Xml

    Value Resource SubResource PluginRepositoryService Message Import plugin <name> (ID <ID>) of type <type>. B.17.6 Load Esec Taxonomy to XML General : Load Esec Taxonomy to XML Table B-160 Value Severity Event Name loadEsecTaxonomyToXML Resource SubResource EsecTaxonomyNodeService Message Loading Esecurity taxonomy Info to an xml format: B.17.7 Process Auto Restart Error This event is sent when a process is stopped.
  • Page 474: Proxy Client Registration Service (Medium)

    Value Event Name ProcessRestart Resource Sentinel SubResource Process Message Process <ProgramName> spawned (command <pID>) B.17.9 Proxy Client Registration Service (medium) General : Proxy Client Registration Service (medium) Table B-163 Value Severity Event Name registerClient Resource SubResource ProxyClientRegistrationService (medium) Message Registering new client B.17.10 Restarting Process General : Restarting Process Table B-164...
  • Page 475: Starting Process

    Value SubResource SentinelHealthService Message Restarting <number> processes: <number> name <name> server <name> server ID <ID>; B.17.12 Starting Process General : Starting Process Table B-166 Value Severity Event Name startProcess Resource SentinelHealth SubResource SentinelHealthService Message Starting process <name> on Sentinel server <name> UUID {2} B.17.13 Starting Processes General : Starting Processes Table B-167...
  • Page 476: Stopping Processes

    Value Message Stopping process <name> on Sentinel server <name> UUID {2} B.17.15 Stopping Processes General : Stopping Processes Table B-169 Value Severity Event Name stopProcesses Resource SentinelHealth SubResource SentinelHealthService Message Stopping <number> processes: <number> name <name> server <name> server ID <ID>; B.17.16 Store Esec Taxonomy From XML General : Store Esec Taxonomy From XML Table B-170...
  • Page 477: Watchdog Process Is Stopped

    Value Message WatchDog Service Starting B.17.18 Watchdog Process Is stopped When the Watchdog service is stopped, the following internal event is generated: General : Watchdog Process is stopped Table B-172 Value Severity Event Name ProcessStop Resource WatchDog SubResource WatchDog Message WatchDog Service Ended
  • Page 479: C Documentation Updates

    If you are a new user, simply read the guide in its current state. Refer to the publication date that appears on title page to determine the release date of this guide. For the most recent version of the Novell Sentinel 6.1 Rapid Deployment User Guide, see the Novell Sentinel 6.1 Rapid Deployment documentation Web site (http://www.novell.com/documentation/...
