Technical Implementation - Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual


When a rule fires, a correlated event is sent to the Sentinel Control Center, where it can be viewed in
the Active Views window.
[Figure 4-1: Active Views Window]
The correlated event can also trigger actions, such as sending an e-mail with the correlated event's
details or creating an incident associated with an iTRAC™ workflow.

4.1.1 Technical Implementation

All correlation is done in-memory on the machine (or machines) that host the Correlation engine.
This model allows fast, distributed processing that does not contend with database operations such
as inserting events into the database.
For environments with large numbers of Correlation rules or extremely high event rates, it might be
advantageous to install more than one Correlation engine and redeploy some rules to the new
Correlation engine. The ability to deploy multiple Correlation engines provides the ability to scale
as the Sentinel system incorporates additional data sources or as event rates increase.
Sentinel correlation is nearly real-time and depends on the time stamps of the individual events. To
synchronize time, you can use an NTP (Network Time Protocol) server to synchronize the time on
all devices on your network, or you can rely on the time on the Collector Manager servers and
synchronize only those few machines.
Correlation relies on the data that is collected, parsed, and normalized by the Collectors, so a
working understanding of the data is necessary to write rules. Many Novell® Correlation rules rely
on an event taxonomy that ensures that a "failed login" and an "unsuccessful logon" from two
devices are classified the same.
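As an added example (not Sentinel's own code or rule language), the following Python sketch ties together the three points above: events are normalized through a constructed taxonomy map so that "failed login" and "unsuccessful logon" match the same rule, the rule keeps its sliding window in memory rather than querying a database, and it evaluates events in time-stamp order, which is why collector clocks must be synchronized. The taxonomy entries, sample events, source addresses and threshold are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed taxonomy map: device-specific event names -> normalized class.
# The real Sentinel taxonomy is far larger; these entries are illustrative only.
TAXONOMY = {
    "failed login": "Authentication.Failure",
    "unsuccessful logon": "Authentication.Failure",
}

def normalize(raw_name: str) -> str:
    """Map a device-specific event name to a taxonomy class ("Unknown" if unmapped)."""
    return TAXONOMY.get(raw_name.strip().lower(), "Unknown")

class CorrelationEngine:
    """In-memory sliding-window rule: fire when `threshold` events of `event_class` from
    the same source fall within `window`. Events must arrive in time-stamp order."""
    def __init__(self, event_class, threshold, window):
        self.event_class = event_class
        self.threshold = threshold
        self.window = window
        self.windows = defaultdict(deque)  # source -> time stamps of matching events

    def process(self, event):
        """Return a correlated event dict when the rule fires, otherwise None."""
        ts = datetime.fromisoformat(event["ts"])
        if normalize(event["name"]) != self.event_class:
            return None
        q = self.windows[event["src"]]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            corr = {"rule": "auth_failure_burst", "src": event["src"],
                    "count": len(q), "ts": event["ts"]}
            q.clear()  # reset so the rule does not re-fire on every further event
            return corr
        return None

# Constructed sample events from two devices that use different vocabularies.
SAMPLE_EVENTS = [
    {"ts": "2009-12-01T10:00:00", "src": "10.0.0.5", "name": "failed login"},
    {"ts": "2009-12-01T10:00:20", "src": "10.0.0.5", "name": "Unsuccessful Logon"},
    {"ts": "2009-12-01T10:00:40", "src": "10.0.0.5", "name": "failed login"},
    {"ts": "2009-12-01T10:05:00", "src": "10.0.0.9", "name": "failed login"},
]

def run(events, threshold=3, window=timedelta(seconds=60)):
    """Feed events through the rule in order and collect the correlated events it fires."""
    engine = CorrelationEngine("Authentication.Failure", threshold, window)
    return [c for c in (engine.process(e) for e in events) if c]
```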