Processes; A.3.7 Processes - Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual


Audit Events
Audit events are generated internally: each time an audited method is called or an audited data object is modified, the audit framework generates an audit event. There are two types of Audit events: one that monitors user actions, such as user login/logout and adding or deleting users, and another that monitors system actions and health, such as process start/stop.
Some of these events were formerly called internal events (mainly those for system action/health monitoring), so the functionality of Audit events is similar to that of internal events. Audit events can be logged to log files, saved to the database, and sent out as Audit events simultaneously (internal events are only sent out as events).
All System events populate the following attributes:
Sensor Type (ST) field: For internal events this field is set to I, for Audit events it is set to A, and for performance events it is set to P.
Event ID: A unique UUID for the event.
Event Time: The time the event was generated.
Source: The UUID of the process that generated the event.
Sensor Name: The name of the process that generated the event (for example, DAS_Binary).
RV32 (Device Category): Set to "ESEC".
Collector: "Performance" for performance events, "Audit" for Audit events, and "Internal" for internal events.
In addition to the common attributes, every system event also sets the resource, sub-resource, severity, event name, and message tags. For internal events, the event name should be specific enough to identify the exact meaning of the event (for example, UserAuthenticationFailed). The message tags add specific detail; for UserAuthenticationFailed, the message tag contains the name of the user, the OS name if available, and the machine name. For performance events the event name is generic, describing the type of statistical data, and the data itself is in the message tag.
Performance events are sent directly to the database. To view them, run a quick query.
For more information, see Appendix B, "System Events for Sentinel," on page 413.

A.3.7 Processes

The following processes and services communicate with each other through the ActiveMQ message bus:
"Sentinel Service (Watchdog)" on page 397
"Data Access Service (DAS) Process" on page 397
"Correlation Engine Process (correlation_engine)" on page 398
"Collector Manager" on page 398
"ActiveMQ" on page 398
The following illustration shows the architecture for the Sentinel server.
396 Sentinel 6.1 Rapid Deployment User Guide
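The following is an added example, not code from the Novell manual or from Sentinel itself. It consumes events shaped like the system events described in the Audit Events section above: it checks that the common attributes are present and consistent (ST must be I, A or P, the Collector value must match the ST value, RV32 must be ESEC, Event ID and Source must be UUIDs) and then counts UserAuthenticationFailed audit events per user so that repeated failures can be flagged. The dictionary key names, the "key=value" layout of the message tag, and the sample event stream are this example's own assumptions; the manual does not specify a wire format.

```python
"""Consumer for Sentinel-style system events: validates the common attributes
and flags repeated UserAuthenticationFailed audit events per user.
Added example; the dict keys and the key=value message layout are assumptions."""
from collections import Counter
import uuid

# Sensor Type (ST) value -> Collector name, as the manual documents them.
ST_TO_COLLECTOR = {"I": "Internal", "A": "Audit", "P": "Performance"}

# Attributes every system event populates (key names are this example's own).
COMMON_ATTRS = ("ST", "EventID", "EventTime", "Source", "SensorName", "RV32", "Collector")
EXTRA_ATTRS = ("Resource", "SubResource", "Severity", "EventName", "Message")


def parse_message_tag(message):
    """Assumed layout: 'user=jdoe os=Linux machine=host1' (key=value, space separated)."""
    fields = {}
    for token in message.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def validate_event(ev):
    """Return a list of problems; an empty list means the event is well formed."""
    problems = []
    for attr in COMMON_ATTRS + EXTRA_ATTRS:
        if attr not in ev:
            problems.append(f"missing {attr}")
    if problems:
        return problems
    st = ev["ST"]
    if st not in ST_TO_COLLECTOR:
        problems.append(f"unknown ST {st!r}")
    elif ev["Collector"] != ST_TO_COLLECTOR[st]:
        problems.append(f"Collector {ev['Collector']!r} does not match ST {st!r}")
    if ev["RV32"] != "ESEC":
        problems.append(f"RV32 should be 'ESEC', got {ev['RV32']!r}")
    for attr in ("EventID", "Source"):
        try:
            uuid.UUID(ev[attr])
        except ValueError:
            problems.append(f"{attr} is not a UUID")
    return problems


def failed_logins_by_user(events):
    """Count UserAuthenticationFailed audit events per user named in the message tag."""
    counts = Counter()
    for ev in events:
        if ev.get("ST") == "A" and ev.get("EventName") == "UserAuthenticationFailed":
            user = parse_message_tag(ev.get("Message", "")).get("user", "<unknown>")
            counts[user] += 1
    return counts


def flag_repeated_failures(events, threshold=3):
    """Users with at least `threshold` failed logins, sorted by count then name."""
    counts = failed_logins_by_user(events)
    hits = [(u, n) for u, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda x: (-x[1], x[0]))


def _event(st, name, message, sensor="DAS_Binary", **overrides):
    """Build a constructed sample event (not real Sentinel output)."""
    ev = {
        "ST": st, "EventID": str(uuid.uuid4()), "EventTime": "2009-12-01T10:00:00Z",
        "Source": str(uuid.uuid4()), "SensorName": sensor, "RV32": "ESEC",
        "Collector": ST_TO_COLLECTOR.get(st, "?"), "Resource": "UserAuthentication",
        "SubResource": "Login", "Severity": 3, "EventName": name, "Message": message,
    }
    ev.update(overrides)
    return ev


# Constructed sample stream: three failures for jdoe, one for asmith,
# plus one internal and one performance event that must be ignored by the counter.
SAMPLE_EVENTS = [
    _event("A", "UserAuthenticationFailed", "user=jdoe os=Linux machine=host1"),
    _event("A", "UserAuthenticationFailed", "user=jdoe os=Linux machine=host1"),
    _event("A", "UserAuthenticationFailed", "user=asmith os=Windows machine=ws7"),
    _event("A", "UserAuthenticationFailed", "user=jdoe os=Linux machine=host2"),
    _event("I", "ProcessStart", "process=correlation_engine"),
    _event("P", "MemoryUsage", "heap_mb=512", sensor="DAS_Core"),
]

# A deliberately inconsistent event: Audit ST but the Collector claims Internal.
BAD_EVENT = _event("A", "UserLogin", "user=jdoe", Collector="Internal")

if __name__ == "__main__":
    print(flag_repeated_failures(SAMPLE_EVENTS))  # [('jdoe', 3)]
    print(validate_event(BAD_EVENT))  # ["Collector 'Internal' does not match ST 'A'"]
```

The ST-to-Collector check is the one consistency rule the manual states for system events, so it is worth enforcing before any event is trusted for alerting; the per-user count uses only the ST, event name and message tag attributes the manual documents for UserAuthenticationFailed.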