Configuring Actions - Novell SENTINEL LOG MANAGER 1.0.0.5 - ADMINISTRATION GUIDE 03-31-2010 Administration Manual

7.2 Configuring Actions

An event is delivered to one or more channels when it meets the criteria specified by one of the rules. An incoming event is evaluated against each filtering rule in the specified order until a match is found; the delivery actions associated with that matching rule are then executed. Before events can be output to a channel, an action that sends events to that channel must be configured.

Actions are added, deleted, and modified independently of the rules that use them; however, an action that is associated with one or more rules cannot be deleted.
There may be many actions, but each action is one of the following six action types:

Execute a Script: This type of action executes a specified script on a Sentinel Log Manager server, passing events to it as an argument.

Log to File: This type of action writes the event to a specified file on a Sentinel Log Manager server.

Log to Syslog: This type of action forwards the event to a configured syslog server.

Send an Email: This type of action sends the event to one or more users by using a configured SMTP relay. For example, a Send to Email action can be used to escalate specific events to notify a system administrator or Tier 2 analyst. It can also be used to forward events to an incident response system that accepts e-mail input.

Send SNMP Trap: This type of action sends SNMP traps.

Send to Sentinel Link: This type of action uses Sentinel Link to forward events to another Sentinel Log Manager, Sentinel, or Sentinel RD system.

For more information on how to configure these actions, see "Adding Actions" on page 115.
NOTE: Events are processed by the associated actions one at a time. You should therefore consider the performance implications when selecting the output channel to which events are sent. For example, the Write to File action is the least resource-intensive, so it can be used to test rule criteria and determine the data volume before sending a flood of events to e-mail or syslog. Also, when you set up the Send to e-mail action, consider how many events the recipient can effectively handle, and adjust the filtering on the rule accordingly.
Event output is in JavaScript* Object Notation (JSON), which is a lightweight data exchange format. An event consists of field names (such as "evt" for Event Name), each followed by a colon and a value (such as "Start"), with the fields separated by commas.

For example (the same event as in the guide, shown with one field per line for readability):

{
  "st": "I",
  "evt": "Start",
  "sev": "1",
  "sres": "Collector",
  "res": "CollectorManager",
  "rv99": "0",
  "rv1": "0",
  "repassetid": "0",
  "rv77": "0",
  "agent": "Novell SecureLogin",
  "obsassetid": "0",
  "vul": "0",
  "port": "Novell SecureLogin",
  "msg": "Processing started for Collector Novell SecureLogin (ID D892E9F0-3CA7-102B-B5A1-005056C00005).",
  "dt": "1224204655689",
  "id": "751D97B0-7E13-112B-B933-000C29E8CEDE",
  "src": "D892E9F0-3CA7-102B-B5A2-005056C00004"
}
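As an added example (not code from the guide or from Sentinel Log Manager), the following script is the kind an Execute a Script action could invoke: it parses the sample event above, evaluates an ordered rule table in which the first match wins, and renders the one-line record a Log to File action could append. The rule table, the required-field check and the record layout are assumptions made here; only the event fields come from the guide.

```python
import json
from datetime import datetime, timezone

# Sample event copied from the guide's JSON example (joined onto one string here).
SAMPLE_EVENT = ('{"st":"I","evt":"Start","sev":"1","sres":"Collector","res":"CollectorManager",'
                '"rv99":"0","rv1":"0","repassetid":"0","rv77":"0","agent":"Novell SecureLogin",'
                '"obsassetid":"0","vul":"0","port":"Novell SecureLogin",'
                '"msg":"Processing started for Collector Novell SecureLogin '
                '(ID D892E9F0-3CA7-102B-B5A1-005056C00005).","dt":"1224204655689",'
                '"id":"751D97B0-7E13-112B-B933-000C29E8CEDE","src":"D892E9F0-3CA7-102B-B5A2-005056C00004"}')

# Hypothetical rule table (not Sentinel's own format): evaluated top to bottom, first match wins,
# and only that rule's actions run, mirroring the ordering behaviour the guide describes.
RULES = [
    ("high-severity", lambda e: int(e["sev"]) >= 4, ["email", "file"]),
    ("collector-lifecycle", lambda e: e.get("sres") == "Collector" and e["evt"] in ("Start", "Stop"), ["file"]),
    ("everything-else", lambda e: True, ["file"]),
]

def parse_event(raw):
    """Parse one JSON event string; the sample shows every field value emitted as a string."""
    event = json.loads(raw)
    for required in ("evt", "sev", "dt"):
        if required not in event:
            raise ValueError("event is missing the %s field" % required)
    return event

def event_time(event):
    """Convert the dt field (epoch milliseconds, as in the sample) to an ISO 8601 UTC timestamp."""
    ms = int(event["dt"])
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def match_rule(event, rules=RULES):
    """Return (rule_name, actions) for the first matching rule, or None if no rule matches."""
    for name, predicate, actions in rules:
        if predicate(event):
            return name, actions
    return None

def file_record(event):
    """Render the one-line record a Log to File action could append for this event."""
    return "%s sev=%s evt=%s src=%s msg=%s" % (
        event_time(event), event["sev"], event["evt"], event.get("src", "-"), event.get("msg", ""))

def dispatch(raw, rules=RULES):
    """Parse the event, pick the first matching rule and return (action, record) pairs to execute."""
    event = parse_event(raw)
    matched = match_rule(event, rules)
    return [] if matched is None else [(action, file_record(event)) for action in matched[1]]
```

Invoked from an Execute a Script action, the event string passed as the script argument would be handed to dispatch(), which decides which configured outputs receive the rendered record.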
The following sections describe how you can add, edit, and delete the actions:
Section 7.2.1, "Adding Actions," on page 115
114 Sentinel Log Manager 1.0.0.4 Administration Guide