Configuring Syslog Data Collection; Configuring Syslog Servers - Novell SENTINEL LOG MANAGER 1.0.0.5 - ADMINISTRATION GUIDE 03-31-2010 Administration Manual

For more information about editing Collectors that are already included in the Sentinel Log Manager
and about adding new Collectors, refer to the Sentinel Plug-In SDK Web site
(http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel) and Collector documentation
at the Sentinel 6.1 Content Web site (http://support.novell.com/products/sentinel/sentinel61.html)
respectively.
The detailed documentation for Connectors and Collectors can be accessed by clicking on the PDF
icon next to the Collector on the Sentinel 6.1 Content Web site
(http://support.novell.com/products/sentinel/sentinel61.html).
Novell recommends that you review the full documentation for any new event source integration to
ensure that all available features are enabled.
NOTE: Every Collector has its own associated Collector packs. The new Collector packs include
reports that can be uploaded and used in the Sentinel Log Manager interface. For more information
about extracting the reports, see Section 6.5, "Extracting the Reports from the Collector Packs," on
page 97.
Section 4.1, "Configuring Syslog Data Collection"
Section 4.2, "Configuring Data Collection for Novell Audit Server"
Section 4.3, "Configuring Data Collection for Other Event Sources"
Section 4.4, "Managing Event Sources"
Section 4.5, "Viewing Events Per Second Statistics"

4.1 Configuring Syslog Data Collection

The Sentinel Log Manager is preconfigured to accept syslog data from syslog event sources that are
sending data over TCP (port 1468), UDP (port 1514), or SSL (port 1443). Additionally, if your
firewall is enabled and supports iptables, Sentinel Log Manager automatically forwards events sent
to UDP port 514 to port 1514.
To get started with syslog data collection, configure your syslog event sources to send their data to
one of these ports. When Sentinel Log Manager receives data from your event sources, it
automatically chooses the best Collector to parse the data, parses the data into events, and stores the
event and raw data in the configured archived location. You can also configure Sentinel Log
Manager to listen on additional ports.
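The following Python script is an added example, not part of the Novell guide: it sends one test event to the TCP, UDP, or SSL listener on the default ports listed above, so that you can confirm an event source entry appears for the sending host. The RFC 3164 message layout, the newline framing on stream connections, and the slmtest tag are assumptions.

```python
import socket
import ssl
import time

# Default Sentinel Log Manager syslog listener ports, as stated in this section.
PORTS = {"tcp": 1468, "udp": 1514, "ssl": 1443}
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def build_message(facility, severity, host, tag, text, when=None):
    """Return a BSD-syslog (RFC 3164) line: <PRI>Mmm dd hh:mm:ss host tag: text."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    t = time.localtime(when)
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday,
                                       t.tm_hour, t.tm_min, t.tm_sec)
    return "<%d>%s %s %s: %s" % (facility * 8 + severity, stamp, host, tag, text)

def send(server, transport, message, port=None, cafile=None, timeout=5):
    """Send one message; return the port used. Raises OSError on TCP/SSL failure."""
    if transport not in PORTS:
        raise ValueError("transport must be tcp, udp or ssl")
    port = port or PORTS[transport]
    data = message.encode("utf-8")
    if transport == "udp":
        # UDP is fire-and-forget: success here does not prove the event arrived.
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (server, port))
        return port
    conn = socket.create_connection((server, port), timeout=timeout)
    try:
        if transport == "ssl":
            # Verify the server certificate; cafile is the CA that issued it
            # (None uses the system trust store).
            ctx = ssl.create_default_context(cafile=cafile)
            conn = ctx.wrap_socket(conn, server_hostname=server)
        # Assumption: the stream listeners take newline-terminated messages.
        conn.sendall(data + b"\n")
    finally:
        conn.close()
    return port

if __name__ == "__main__":
    import sys
    # usage: script.py <server> <tcp|udp|ssl> [cafile]
    server, transport = sys.argv[1], sys.argv[2]
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    msg = build_message(4, 6, socket.gethostname(), "slmtest", "collection test event")
    print("sent to port", send(server, transport, msg, cafile=cafile))
```

Only the ssl transport protects the event in transit; the tcp and udp transports send it in cleartext, and a UDP send reports success even when nothing is listening.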
The following sections describe how you can configure the event sources to send data to the Sentinel
Log Manager and how you can configure new syslog ports to receive data:
Section 4.1.1, "Configuring Syslog Servers"
Section 4.1.2, "Setting the Syslog Server Options"

4.1.1 Configuring Syslog Servers

When you point your syslog event sources to Sentinel Log Manager, it automatically creates an
event source entry to track data that is being received from the event source and to allow you to
manage how the data is processed. An entry is created for each unique IP address or hostname that
Sentinel Log Manager 1.0.0.4 Administration Guide