Sentinel Event Fields; Event Field Labels And Tags - Novell SENTINEL 6.1 SP2 - REFERENCE GUIDE 02-2010 Reference Manual

Sentinel Event Fields

2
Every Sentinel event or correlated event has certain fields that are automatically populated (such as
Event Time and Event UUID) and other fields that may or may not be populated, depending on the
type of event, the collector parsing, and the mapping service configuration. This event data is visible
in Active Views, historical queries, and reports. They are stored in the database and can be accessed
via the report views. They can also be used in actions available through the right-click event menu,
correlation actions, and iTRAC workflow actions.

2.1 Event Field Labels and Tags

Each field can be referred to by a user-friendly label or a short tag. The user-friendly label is visible
throughout the Sentinel Control Center interface, for example:
Column headers for Active Views, historical event queries, and the Active Browser

Correlation wizard drop-down menus

Active View configuration drop-down menus

Each field has a default label, but that label is user-configurable using the Event Configuration
option on the Admin tab. For more information, see "Admin Tab" section in
Guide. InitUserName is the default label to represent the account name of the user who initiated the
event, but this can be changed by the administrator. When a user changes the default label, the
changes are reflected in most areas of the interface, including any correlation rules, filters, and right-
click menu options.
WARNING: Changing the default label for any variables other than Customer Variables may cause
confusion when working with Novell Technical Services or other parties who are familiar with the
default names. In addition, JavaScript Collectors built by Novell refer to the default labels described
in this chapter and are not automatically updated to refer to new labels.
Each field also has a short tag name that is always used for internal references to the field and is not
user-configurable. This short tag name may not correspond exactly to the default label; Sentinel
labels have changed over the years, but the underlying short tags remain the same for backward
compatibility. (For example, InitUserName is the default label for the account name of the user who
initiated the event. The default label was previously SourceUserName, and the underlying short tag
is "sun".)
NOTE: Many of the default labels were updated for clarity in the Sentinel 6.1 release. Because all
filters, actions, and correlation rule definitions are defined using the short tags (even though the
label may be visible in the interface), there is no change in functionality due to the label renaming.
Each field is associated with a specific data type, which corresponds to the data type in the database:
string: limited to 255 characters (unless otherwise specified)

integer: 32 bit signed integer

UUID: 36 character (with hyphens) or 32 character (without hyphens) hexadecimal string in

the format XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example, -
6A5349DA-7CBF-1028-9795-000BCDFFF482)
Sentinel 6.1 User
Sentinel Event Fields
2
17