Summary of Contents for Novell SENTINEL 6.1 SP2 - 02-2010
AUTHORIZED DOCUMENTATION User Guide Novell ® Sentinel 6.1 SP2 February 2010 www.novell.com Sentinel 6.1 User Guide...
Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Novell Trademarks For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html). Third-Party Materials All third-party trademarks are the property of their respective owners.
Preface Sentinel is a security information and event management solution that receives information from many sources throughout an enterprise, standardizes it, prioritizes it and presents it to you to make threat, risk and policy related decisions. Chapter 1, “Sentinel Control Center,” on page 21 ...
For more information, see “Section Name” in “Chapter Name”, Name of the Guide (if in a different Guide). In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path. ...
Sentinel Control Center Section 1.1, “About Sentinel Control Center,” on page 21 Section 1.2, “Log in to the Sentinel Control Center,” on page 24 Section 1.3, “Introduction to the User Interface,” on page 25 1.1 About Sentinel Control Center Sentinel is a Security Information and Event Management solution that receives information from many sources throughout an enterprise, standardizes it, prioritizes it and presents it to you to make...
In the Advisor tab, you can view the products that Novell supports for Advisor and also the status of the last five Advisor feed files that have been processed or are being processed.
Create and modify filters
Use filters to format data
Use filters to determine event routing
View system statistics about the Data Access Service
Start and Stop system components
Configure Sentinel event fields
Configure the mapping service ...
1.1.10 Identity Integration Novell Sentinel 6.1 provides an integration framework for identity management systems. This integration provides functionality on several levels. With the Identity Browser you can: ...
4 On the first login, the following warning message displays. The user must accept the certificate in order to securely log in to the Sentinel Control Center. 5 If you select Accept, this message displays every time you try to start Sentinel on your system. To avoid this, you can select Accept permanently.
Sentinel Control Center Figure 1-1 1.3.1 Menu Bar The menu bar has the menus required to navigate, perform activities and change the appearance of the Sentinel Control Center. Menu Bar Figure 1-2 The File, Options, Event Source Management, Windows and Help menus are always available. The availability of other menus depends on your location in the console and your permissions.
Tab Specific Toolbar Buttons Tab-specific toolbar buttons allow you to perform the functions related to each tab. Tab Specific Toolbar Buttons Table 1-1 Toolbar View Active Views Correlation Incidents iTRAC Analysis Admin For more information on tab-specific toolbar buttons, see the sections on each of the tabs mentioned in the list above.
1.3.4 Frames Sentinel provides a dockable framework which allows you to drag frames on the screen and place them in user-preferred locations. In a frame the following buttons display, which allow you to drag or hide frames. Toggle Floating Toggle Auto-hide ...
“Minimizing and Restoring Windows” on page 29 “Closing all open Windows” on page 29 Setting the Tab Position To set the tab position: 1 Click Options > Tab Placement. 2 Select either Top or Bottom. Cascading Windows To cascade windows: 1 Click Windows >...
1.3.7 Saving User Preferences If the user has permissions to save their workspace, they can save the following preferences: Permanent windows that are not dependent on data that was available at the time of their original creation. Active Views Summary displays ...
You might need to update all the machines (which have components affected by the hostname change) before you restart the Sentinel service on any machine. Scenario 1: Change in Sentinel Database Hostname In this scenario, the affected components are DAS and SDM. So you might need to update the DAS ...
2 Run Sentinel Uninstaller. In the Select components to Uninstall window, select Communication Server and deselect all other options. Follow instructions in “Uninstalling Sentinel” in Sentinel 6.1 Installation Guide as required and complete uninstallation. 3 Click Finish. 4 Insert (and mount, on Solaris/Linux only) the Sentinel Installer CD. 5 Run the setup file.
2 Click Add. The Attachment Identification window displays. Specify the extension type (such as .doc, .xls, .txt, .html and so on) and click Browse, or type in the application program to launch the file type (such as notepad.exe for Notepad). 3 Click OK.
Active Views Tab Section 2.1, “Understanding Active Views,” on page 35 Section 2.2, “Introduction to the User Interface,” on page 36 Section 2.3, “Reconfiguring Total Display Time,” on page 39 Section 2.4, “Viewing Real Time Events,” on page 39 ...
A successful login reported by an operating system A customer-defined situation such as a user accessing a file Internal Events (events generated by Sentinel), including: A correlation rule being disabled Database filling up You can monitor the events in a tabular form or using several different types of charts, and you can perform queries for recent events.
The Toolbar Buttons Active Views provides two types of views which display the events in Tables and Graphs. Table Format displays the variables of the events as columns in a table. You can sort the information in the grid by clicking on the column name. Active View-Tabular Format Figure 2-1 Graphical Format displays events as Graphs.
Gray Line - Smallest Possible Display Interval Figure 2-3 When there are more than 750 events per 30-second time period, a red separation line displays, indicating that there are more events than what is displayed. The other events can be viewed by using Historical Queries.
2.3 Reconfiguring Total Display Time Active View Properties allows you to configure the cached time in each client. The default cache time value in an Active View is 24 hours. To configure Maximum Total Display Time: 1 Click the Active Views tab. 2 Click Active Views >...
After making your selection, you can click Next or Finish. If you select Finish, the following default values are selected: Display Interval and Refresh rate of 30 seconds Total Display Time of 15 minutes Y-axis as Event Count ...
The five buttons to the left of the chart perform the following functions: When you click the Lock button, additional available buttons are: 2.4.1 To Reset Parameters and Chart Type of an Active View When viewing an Active View, you can reset your chart parameters and change your chart type. To Reset Parameters and Chart Type of an Active View: 1 Within an Active View displaying a chart, right-click and select Properties.
Under the Parameters tab, you can set: Display Interval: Time between each interval Refresh Rate: Number of seconds for event rate to be updated Total Display Time: Amount of time to display the chart Y-axis: Either total Event Count or Event Count per Second ...
2.4.2 Rotating a 3D Bar or Ribbon Chart To rotate a 3D bar or ribbon chart: 1 Click anywhere on the chart and hold the mouse button. 2 Reposition the chart as desired by moving the mouse and holding the button. 2.5 Showing and Hiding Event Details To show event details: 1 In a Real Time Event Table of the Navigator or Snapshot, double-click or right-click an event...
2 Provide the following information: Email Address Email Subject Email Message 3 Click OK. To e-mail an Incident: 1 After you save your incident, click the Incidents tab, Incidents > Incidents View. 2 Click All Incidents option in the Switch View drop down list located at the bottom right corner. 3 Double-click an Incident.
Email Subject Email Message 6 Click OK. The e-mail messages have HTML attachments that address incident details, events, assets, vulnerabilities, advisor information, attachment information, Incident Notes and incident history. 2.7 Creating Incidents NOTE: To perform this function you must have user permission to create Incident(s). This is useful in grouping a set of events together as a whole representing something of interest (a group of similar events or a set of different events that indicate a pattern of interest, such as an attack).
3 In the Create Incident dialog box, specify: Title State Severity Priority Category Responsible Description Resolution 4 Click Create. The incident is added under the Incidents tab of the Sentinel Control Center. 2.8 Viewing Events that Triggered Correlated Events Correlated events are determined based on the RT2 field value of the event.
2.9 Investigating an Event or Events The Investigate options on the Event Menu allow you to: Perform an Event Query for the last hour on a single event for: Other events with the same target IP address Other events with the same source (initiator) IP address ...
Option: Show More Events to this target. Function: Events with the same Destination IP address.
Option: Show More Events from this source. Function: Events with the same Initiator IP address.
Option: What are the target objects of this event? Function: Events with the same event name as the selected event.
2 An event table opens showing the chosen event information.
Circular Organic Hierarchical Orthogonal 2.9.3 Historical Event Query You can query the database for past events through Historical Event Query. The events can be queried according to the filter and severity criteria in the required batch size. You can export the results to a file.
2 Click Filter. In the Filter Selection window, select a filter from the list of available filters. 3 Click the Severity icon. The Select Severity values window displays. Select one or more values for Severity and click OK. 4 You must select the From and To Date and Time from the From and To drop-down. The time you select corresponds to your system time.
2.9.4 Active Browser The Active Browser provides the ability to browse through a selected set of data to look for patterns and perform investigation. You can view the selected events in the Active Views in Active Browser. You can perform all the right-click activities that are available in Active Views in Active Browser too.
2 Click Browse. The selected Query result displays in the Active Browser window. To search in Active Browser: 1 Specify the value or text you want to search for in the Search field. 2 Press Enter or click the Search icon next to the search field to search. NOTE: You can move between the various searches by using the Forward and Backward buttons above the search field.
3 Click OK. 2.10 Viewing Advisor Data Advisor provides a cross-reference between real-time IDS attack signatures and Advisor's knowledge base of vulnerabilities. The supported Intrusion Detection Systems are listed in Chapter 8, “Advisor Usage and Maintenance,” on page 159. To View Advisor Data: 1 In a Real Time Event Table of the Navigator or Snapshot, right-click an event or a series of selected events >...
2.11 Viewing Asset Data Asset data displays the asset information related to a machine or device from which you are receiving events. You can view and save the Asset data report as an HTML file. You must run your asset management Collector to view this data. The available data for viewing are: Hardware ...
Vulnerability Visualization requires that a vulnerability Collector is running and adding vulnerability scan information to the Sentinel database. The Novell Web site (http://support.novell.com/products/sentinel/collectors.html) provides Collectors for several industry-standard vulnerability scanners, and additional vulnerability Collectors can be written using Collector Builder.
Hierarchical Orthogonal The HTML view is a report view that lists relevant fields, depending on which vulnerability scanner you have: Host Vulnerability Port/protocol Viewing Vulnerability Figure 2-6 The graphical display is a rendering of vulnerabilities that link them to an event through common ports.
Circular View Figure 2-9 Orthogonal View Figure 2-10 In the graphical display there are four panels. They are: Graph panel Tree panel Control panel Details/events panel The graph panel display associates vulnerabilities to a port/protocol combination of a resource (IP address).
NOTE: Event mapping takes place only between the selected events and the vulnerability data returned. The tree panel organizes data in the same hierarchy as the graph. The tree panel also allows users to hide/show nodes at any level in the hierarchy. The control panel exposes all the functionality available in the display.
2.13 Ticketing System Integration Novell provides optional integration modules for BMC Remedy that allow you to send events from any display screen to this external ticketing system. You can also send incidents and their associated information (asset data, vulnerability data, or attached files) to Remedy.
2.15 Using Custom Menu Options with Events In an existing Real Time Event Table of the Visual Navigator or Snapshot, right-click an event and select a menu option. The default custom menu options are as follows: ping nslookup tracert ...
Use the Up and Down arrow buttons to arrange the order of the columns as you want them to display in the Real Time Event Table. The top to bottom order of column titles in the Manage Column dialog box determines the left to right order of the columns in the Real Time Event Table.
2.18 Sorting Columns in a Snapshot To sort columns in a Snapshot: 1 Click any column header once to sort by ascending value and twice to sort by descending value. 2.19 Closing a Snapshot or Navigator To close a Snapshot or a Real Time Event Table: 1 With a Snapshot or Navigator open, close it by using the Close button (upper right corner in Windows/SUSE Linux/Red Hat Linux or upper left corner in Solaris).
3 The Select Incident window displays. Click Search to view a list of incidents. The list of incidents matching the selected criteria displays. NOTE: You can define your criteria to better search for a particular incident or incidents in the Select Incident window. 4 Highlight an incident and click Add. 5 Click OK.
Correlation relies on the data that is collected, parsed, and normalized by the Collectors, so a working understanding of the data is necessary to write rules. Many Novell correlation rules rely on an event taxonomy that ensures that a “failed login” and an “unsuccessful logon” from two devices are classified the same.
In the Correlation tab, you can: Create/Modify Correlation rules and rule folders Deploy Correlation rules on Correlation Engine Create and associate an action to a rule Configure Dynamic lists NOTE: Access to the correlation functions can be enabled by the administrator on a user-by-user basis.
3.3.1 Opening the Correlation Rule Manager To open the Correlation Rules Manager: 1 Click Correlation tab. 2 In the navigator, click Correlation Rules Manager. Alternatively, click Correlation Rules Manager button in the Tool Bar. The Correlation Rule Manager window displays. 3.3.2 Creating a Rule Folder To create a Rule Folder: 1 Open the Correlation Rules Manager window and click Manage Folder.
Aggregate Sequence Custom/Freeform 4 Define the update criteria for the rule. If you select Continue to perform actions every time this rule fires, the rule fires every time the criteria is met. If you select Do not perform actions every time this rule fires for the next (t) time, the rule fires only once per user-defined time period.
NOTE: In Sentinel 6, filter criteria must be defined in the correlation rule wizard. You cannot use existing public filters. To create a simple rule: 1 Open the Correlation Rules Manager window and select a folder from the drop-down list to which this rule is added.
4 Click Add to add additional definitions for this rule. 5 You can preview the rule in the RuleLG preview window. For example, filter(e.sev=3). Click Next. The Update Criteria window displays. 6 Enable the update criteria for the rule to fire and click Next. The General Description window displays.
To create an aggregate rule: 1 Open the Correlation Rules Manager window and select a folder from the drop-down list to which this rule is added. 2 Click Add button located on the top left corner of the screen. The Correlation Rule window displays.
4 Select a rule and click OK. 5 Set parameters for the rule to fire. 6 To group event tags according to the attributes, click Add/Edit. The Attribute List window displays. 7 Check the attributes as per your requirement. You can preview the rule in the RuleLG preview window.
3 In the Composite Rule window, you can select sub-rules to create a composite rule. To select a sub-rule, click the Add Rule button. The Add Rule window displays. 4 Select a rule or a set of rules (hold Control on your keyboard to select a set of rules) and click 5 Set parameters for the rule to fire.
To create a sequence rule: 1 Open the Correlation Rules Manager window and select a folder from the Folder drop-down list to which this rule is added. 2 Click Add button located on the top left corner of the screen. The Correlation Rule window displays.
Use the isnull operator to refer to unpopulated fields. Use the prefix for a field name in the window operation to compare an incoming event’s value to a set of previous events. TIP: You can select the Functions, Operators and Meta-Tags from the drop-down list selection. Type in the Correlation Rule section to view the drop-down lists.
Field Name: Message. Default Value: Same as the message for the trigger event.
Field Name: Resource. Default Value: Correlation.
Field Name: SubResource. Default Value: <Rule Name>.
Other types of actions can be configured in the Action Manager: Configure a Correlated Event (replaces the default correlated event settings) Add to Dynamic List (adds an element to a dynamic list) ...
5 Click Deploy. Rules are deployed in an enabled state. To deploy Correlation Rules (in Correlation Rule Manager): 1 Open the Correlation Rule Manager window. 2 Highlight a rule and click Deploy rules link. The Deploy Rule window displays. 3 In the Deploy Rule window, select the Engine to deploy the rule from the drop-down list. 4 [Optional] Select an action or add a new action.
If nothing is selected, a Correlated Event with default values is created. Click Deploy. To Undeploy a Single Rule: 1 In the Correlation Engine Manager, right-click the rule and select Undeploy Rule. 2 Alternatively, in the Correlation Rule Manager, highlight the rule and click Undeploy rule link. To Undeploy All Correlation Rules: 1 Open the Correlation Engine Manager window.
3.3.8 Renaming and Deleting a Correlation Rule To rename a Correlation Rule: NOTE: You must undeploy a rule before you rename or delete the rule. 1 Open the Correlation Rules Manager window and select the rule you want to rename. 2 If the rule is deployed, click Undeploy Rule link to undeploy the rule.
2 Select the Import option from the Action pane. The Description in the Description pane changes to Import. 3 Click Browse to select the Correlation Rule you want to import. Select the file and click Import. Click Next. The Import Rule window displays. 4 Select the folder you want to import the Correlation rule into.
2 Select the Export option from the Action pane. The Description in the Description pane changes to Export. 3 Click Browse to export the rule. Specify a file name and click Export. Click Next. The Export Rule window displays. 4 Select the Correlation Rule you want to export. Click Finish. 3.4 Dynamic Lists Dynamic Lists are distributed list structures that can be used to store string elements, such as IP addresses, server names, or usernames.
3.4.1 Adding a Dynamic List To add Dynamic Lists: 1 Click Correlation on the Menu Bar and select Dynamic Lists. Alternatively, you can click Dynamic Lists button on the Tool Bar. 2 Click Add button located on the top left corner of the screen. Dynamic List Properties window displays.
NOTE: Select a filter type from Quick Filter drop-down list and specify the name of the element, to filter the available elements. 3.4.2 Modifying a Dynamic List To edit a Dynamic List: 1 Click Correlation on the Menu Bar and select Dynamic Lists. Alternatively, you can click Dynamic Lists button on the Tool Bar.
The following instructions assume that a Dynamic List already exists. To add a Dynamic List to correlation rule: 1 Open the Correlation Rules Manager window and select a folder from the drop-down list to which this rule is added. 2 Click Add button located on the top left corner of the screen. The Correlation Rule window displays.
3.5.1 Starting or Stopping Correlation Engine To Start or to Stop a Correlation Engine: 1 Open the Correlation Engine Manager window. 2 Highlight and right-click a Correlation Engine and select Start or Stop Engine. 3.5.2 Renaming Correlation Engine A Sentinel system can have one or more Correlation Engines. You can rename the engines if desired.
If no Action is specifically selected when deploying a correlation rule, a correlated event with the following default settings is created: Default Settings Table 3-3 Field Name Default Values Severity Event Name Final Event Name Message <message> Resource Correlation SubResource <Rule Name>...
3.6.2 Add to Dynamic List Adding to Dynamic List Figure 3-3 NOTE: This type of action can only be used in Correlation deployments. This action type can be used to add a constant value or the value of an event attribute (such as Target IP or Initiator User Name) to an existing Dynamic List.
3.6.3 Remove from Dynamic List Removing from Dynamic List Figure 3-4 NOTE: This type of action can only be used in Correlation deployments. This action type can be used to remove a constant value or the value of an event attribute (such as Target IP or Initiator User Name) from an existing Dynamic List.
3.6.4 Execute a Command Executing a Command Figure 3-5 NOTE: This type of action can only be used in Correlation deployments. This action type can be used to execute a command when a correlated event triggers. You can set the following parameters: Command ...
Command actions can be created to perform a non-interactive action, such as modifying a firewall policy, entering a record in a database, or deactivating a user account. For an action that generates output, such as a command to run a vulnerability scan, the command should refer to a script that runs the command and then writes the output to a file.
WARNING: Do not enable the Create Incident action until the correlation rule has been tuned. If the rule fires frequently, the system can create more incidents or initiate more iTRAC workflow processes than desired. 3.6.6 Send Email Configure Action - Send Email Figure 3-7 NOTE: This type of action can only be used in Correlation deployments. This action type can be used to send an Email when a correlated event triggers.
The Navigation Tree in the Navigation Pane The Toolbar Buttons 4.2.1 Incident View In the Incident View Manager, you can view the list of incidents and the parameters you specified when adding an incident. To open Incident View Manager: 1 Click Incidents on Menu Bar and select Display Incident Views or click Display Incident View button in the Tool Bar.
Add/Edit Incident Figure 4-1 Events: Lists events attached to this incident. You can attach events to incidents in Active Views. Assets: Lists assets affected by the events of this incident. Vulnerability: Lists asset vulnerabilities. Advisor: Displays Asset attack and alert information. ...
2 Open the View Options by either: Clicking the down-arrow on the Manage Views button located in bottom right corner of the window and selecting Add View. or Clicking the down arrow on the Manage Views button located in the bottom right corner of the window, selecting Manage Views and then clicking the Add View button.
Sort By: You can set rules to sort the incidents in the display view.
Filter: You can set Incident filters. Only the Incidents that match your filter display in the View. Leaf Attribute: You can select an attribute from the list which is displayed as the first column in the Incident View. 4 Click Save.
2 Open a view by: Clicking the down-arrow on the Switch View button in the bottom right corner, select the view you want to edit. Click the down-arrow on the Manage View button located in bottom right corner of the screen and select Edit Current View from the list. or Clicking the down arrow on the Manage Views button located in the bottom right corner ...
4.4.1 Creating Incidents To create an Incident: 1 Click Incidents > Create Incident, or click Create Incident button on the Tool Bar. The New Incident window displays. 2 Specify the following information: Title: Specify the Title of the Incident. State: To set state of the incident, select from the drop-down list.
4.4.2 Viewing an Incident To open an Incident: 1 Click Incidents > Display Incident View Manager or click the Display Incident View Manager button on the Tool Bar. 2 Open an Incident by: Selecting a view from the Switch Views button in the bottom right corner. ...
3 Click Browse, navigate to the attachment, and select it. 4 Provide the following information, or accept the default entries: Name Description Type Subtype Click OK, click Save. NOTE: Right-click the attachment to view or save. 4.4.6 Executing Incident Actions Any configured Javascript action or iTRAC activity can be executed on an incident.
3 Select an Action or click Add Action to create a new one. 4 Click Execute. If the action is a Javascript Action, a window opens to show the progress of the action. 5 To add the command output to the Incident, click Attach to Incident.
To mail an incident using the preinstalled Email Incident action, you must have an SMTP Integrator configured with valid connection information and with the property SentinelDefaultEMailServer set to “true”. For more information, see the “SMTP Integrator” documentation available at the Novell website (http://www.novell.com/documentation/sentinel61).
3 Provide: Email Address Email Subject Email Message 4 Select which HTML attachments should be included in the mail message: the events included in the incident, assets, vulnerabilities, Advisor attacks, incident history, attachments, and notes. 5 Click OK. 4.4.8 Modifying Incidents To edit an Incident: 1 Click Incident tab.
Responsible Description Resolution 4 Click Save. NOTE: The Save button becomes active only if you modify information in the Incidents screen. 4.4.9 Deleting Incidents To delete an Incident: 1 Click the Incident tab. Click Incidents > Display Incident View Manager, or click the Display Incident View button on the Tool Bar.
Major components of iTRAC Table 5-2 Step A Step is an individual unit of work within a workflow; there are manual steps, decision steps, command steps, mail steps, and activity-based steps. Each step displays as an icon within a given workflow template. ...
The toolbar buttons 5.3 Template Manager The Template Manager can be used to create, view, modify, copy, or delete a Template. Within the Template Manager you can add, delete, copy, view, and edit templates. Templates can be sorted into folders for easy management. In the Template Manager, you can: Create new workflow Templates...
5.4 Template Builder Interface Template Builder Interface Figure 5-2 The following panes display in the Template Builder window: Process Tree: This pane displays the Steps, Transitions and Variables added to the Template. The user can add Steps or Variables, and edit or remove Steps, Variables and Transitions. To perform an action on a Step, Variable or Transition: Expand the relevant group in the Tree.
Manual Step Command Step Activities: The activities added in the Activity Manager are shown in this pane and can be added to a workflow template. The user can also Add, Edit and Remove Activities. For more information, see Section 5.7.5, “Managing Activities,”...
5.4.1 Creating Templates To create a New Template: 1 Click the iTRAC tab. 2 In the navigation pane, click iTRAC Administration > Template Manager. 3 Click Add. The iTRAC Template Builder window displays. 4 In the Process Details window, provide a name and description (optional) of the template and click OK.
5.4.2 Managing Templates After creating a template, you can modify, copy, or delete the Template. Viewing/Editing Templates To view/edit an Existing Template: 1 In the Navigator, click iTRAC Administration > Template Manager. 2 Highlight a template and click View/Edit. The Template Builder displays. Copying Templates One way to create a new workflow Template is to copy one of the default Templates and modify it.
5.5 Steps Steps are the basic components of a Template. Every Template must have a Start Step and an End Step. The Start Step exists by default. You can also add the following types of Steps to a Template: Manual Step ...
The value of the variable can be used as part of a Conditional transition to determine the path the workflow follows. It can also be used later as part of a Conditional Transition from a Decision step to determine the workflow path. NOTE: If the value is going to be used later as part of a Decision step, it should be marked “Required.”...
5.5.3 Decision Steps This type of step selects between exit transitions depending on the values of variables defined in prior steps. See Section 5.5.2, “Manual Steps,” on page 114 for the available variable types. The Decision Step itself is very simple; you can edit only the step name and description. The workflow path is determined by the transitions.
Arguments (can be explicit or variable-driven) Output Variable NOTE: The command (or a batch file or script that refers to the command) must be stored in the %ESEC_HOME%\config\exec or $ESEC_HOME/config/exec directory on the iTRAC workflow server, usually the same machine where the Data Access Server (DAS) is installed. Symbolic links are not supported. Variables The command output can also be used to set a variable to the appropriate values.
From an Activity Step, you can set Conditional, Unconditional, Timeout, Alert, or Error transitions. An Error transition should always be included so error conditions can be handled properly. NOTE: If the first step of a workflow fails without an error transition, the iTRAC process cannot proceed.
5.5.9 Managing Steps Steps can be copied, edited, or deleted. Copying Steps To copy a Step: 1 Click the iTRAC tab. 2 In the Navigator, click iTRAC Administration > Template Manager. 3 Highlight an existing template, click View/Edit. iTRAC Process Builder window displays. 4 Select an existing step, right-click, and select Copy Step.
2 Provide a Name for the step. 3 Attach a Role to this step by selecting a Role from the drop-down list. (For more information on Roles, see Chapter 11, “Administration,” on page 227.) 4 Click Associate to associate a Variable; select the variable from the list or create new variables to be associated.
2 Provide a Name. 3 Click the Description tab to provide a description for this step. 4 Click OK. To edit a Mail Step: 1 Right-click a Mail Step and select Edit Step. 2 Provide a Name for the step. 3 Provide the To and From mail addresses and Subject in the General tab. 4 Click the Body tab and type the message.
To edit a Command Step: 1 Right-click a Command Step and select Edit Step. 2 Provide a Name for this step. 3 Specify the path and name of the command or script to execute (relative to the $ESEC_HOME/config/exec or %ESEC_HOME%\config\exec directory). 4 If you want to run a command or script referenced in a variable that gets populated during the workflow process, check the Use Variables box.
4 Select an existing step, right-click, and select Delete Step. 5 In the Alert Message window, select Yes to delete. 5.6 Transitions Transitions are used to connect steps. There are several types of transitions:
Unconditional
Alert
Conditional
Else
...
To add an Unconditional Transition: 1 Open the Process Builder. 2 Select an existing step, right-click and select Add Transition. 3 Specify a name for the transition. 4 Select the Transition type Unconditional from the list. 5 Click the down arrow for the Destination field and select a step. 6 Provide a description for this transition and click OK.
5 Specify the destination Step. 6 Click Set to add an expression. The empty Expression window displays. 7 Click EXP to add the first expression. The evaluation expression is an expression that evaluates to TRUE or FALSE during the workflow process. Select the appropriate dropdown under Relations to compare a variable to a constant value (Variables and Values) or to another variable (Variables and Variables).
8 Select a variable from the Attribute dropdown or add a new one if desired. 9 Select a condition from the Condition dropdown. The condition list varies depending on the type of Attribute variable chosen. String Variable Conditions: Integer and Float Variable Conditions:
Boolean Variable Conditions: 10 Set the Value. 11 Click OK. 12 If a second expression is desired, highlight the root folder. 13 Repeat steps 7-12 as needed. 14 By default, all expressions at the root level are separated by AND operators. To nest expressions or to use the OR operator, click the appropriate operator button and drag and drop expressions onto that operator.
15 When the expression is complete, click OK. NOTE: You can edit or delete an existing expression using the Edit and Delete buttons in the Expression window. 16 Click OK. The expressions you provided display in the Transition window under the Expression section. 17 Provide a description for your transition and click OK. 5.6.3 Else Transitions An Else transition leads to a path that is taken from a Decision Step when the criteria for the Conditional transitions are not met.
5.6.4 Timeout Transitions A Timeout transition leads to a path that is taken when a user-specified amount of time (minutes, hours, or days) elapses after a Base Time, which is either step_activated_time or step_accepted_time. Step_activated_time is the time that iTRAC activates this step within the workflow process. Step_accepted_time is the time when a user accepts (or takes ownership of) the worklist item for this step.
3 Select the Transition type Alert from the list. 4 Specify the destination Step. 5 Click Set to provide the Alert details. The Alert Details window displays. 6 Specify the Alert Time value, in minutes, hours, or days. Click OK. 7 Provide a description for your transition and click OK. 5.6.6 Error Transition An Error transition leads to a path that is taken if an automated step cannot successfully complete.
7 Edit as needed. 8 Click OK until you exit the Transitions window. 9 Click Save. Deleting Transitions To Delete a Transition: 1 Click the iTRAC tab. 2 In the Navigator, click iTRAC Administration > Template Manager. 3 Highlight an existing template and click View/Edit. The iTRAC Process Builder window displays. 4 Select an existing step, right-click, and select Remove Transition.
Activity Pane Figure 5-3 iTRAC Activities can be used in iTRAC templates to define a workflow step, or they can be manually executed from within an Incident. Sentinel provides three types of actions that can be used to build Activities:
Incident Command Activity
...
To send mail messages from within the Sentinel Control Center, you must have an SMTP Integrator that is configured with connection information and with the property SentinelDefaultEMailServer set to “true”. 5.7.3 Incident Composite Activity An Incident Composite Activity enables you to combine one or more existing Command and Internal activities.
6 Configure the necessary settings for the type of activity you chose. Incident Command Activity In the Command Arguments Wizard, specify the Command. Provide the Arguments for this command. You can select None, Incident Output (values from the drop-down list), or provide Custom values.
Click Next. You can configure an Incident Command Activity to email the output to a specific address and/or attach the output to the incident associated with the workflow process in this window. Select Mail and specify the To and From email address and Subject. ...
Select Attach to Incident, if required. Click Next. View and confirm the details you chose in the Summary page and click Finish. Incident Internal Activity In the Command Arguments wizard, specify the Command. Provide the Arguments for this command. You can select None, Incident Output ...
Click Next. Select your options (Mail and attach). If you select Mail, you are prompted to provide To, From email address and Subject. Provide this information and click Next. View and confirm the details you chose in the Summary page and click Finish. ...
Incident Composite Activity Select the activities from the list of available activities and click Next. View and confirm the details you chose in the Summary page and click Finish. 5.7.5 Managing Activities After creating an Activity, you can modify, import or export it. Modifying Activities To modify an Activity: 1 Click the iTRAC tab.
3 Click the Import/Export Activity icon. The Import/Export Wizard window displays. 4 Select Export Activity and click Explore. 5 Navigate to where you want to save your exported file. 6 Click Next. 7 Select one or more activities to be exported. 8 Click Next and click Finish. Importing Activities To import an Activity: 1 Click the iTRAC tab.
5.8 Process Management Process Management allows you to view the incident’s progress in the workflow or terminate a workflow process. Process Management allows you to:
Display Status of your Process
Start your Process
Terminate your Process
Process Execution is the time period during which the process is operational, with process instances being created and managed.
For more information, see Section 6.1.1, “Work Item Summary,” on page 147. NOTE: All Manual Steps must be assigned to a Role, or group of users. 5.8.4 Display Status The Display Status function is used to monitor the progress of a process. As the process instance progresses from one activity to the next, you can track the progress visually by clicking the Refresh button. The process monitor also provides an audit trail of all the actions performed by the iTRAC server when executing the process.
5 The current step is highlighted in red. 6 To close, click X in the upper right corner. 5.8.6 Changing Views in Process Manager To Change the View in the Process View Manager: 1 Click the iTRAC tab. 2 Click the Display Process Manager icon.
3 Click the drop-down list in Manage View and select the Edit Current View option. 4 In the View Option window you can also set your:
Fields
Group by
Sort
Filter
Tree Display
Click Apply and Save. The following is a view with Tree Display set to Status (running and not started).
Work Items Section 6.1, “Understanding Work Items,” on page 147 Section 6.2, “Processing a Work Item,” on page 150 Section 6.3, “Manage Work Items Of Other Users,” on page 151 6.1 Understanding Work Items A Work Item is a workflow task assigned to a particular user or role in the iTRAC application. The individual activities to be performed to complete an iTRAC process are listed as work items in Work Item Summary in the Sentinel Control Center.
Work Item Summary-Example Figure 6-2 To view a Work Item: 1 In the Work Item Summary, click the yellow or green bar. A work item list for the group or the current user displays and shows the name and ID of the incident, the workflow process name, and the step name and description. 2 Double-click any work item and click View Details.
4 Click Incident to view the details of the associated incident. 5 To take responsibility for this work item, click Acquire. Otherwise, click Cancel. NOTE: Any changes to the Incident from this screen must be saved. There is a Save button on the toolbar and another Save button at the bottom of the screen if you scroll down.
The information on the Process Details and Process Overview tabs is defined by the iTRAC workflow designer. For more information on creating workflow templates, see Chapter 5, “iTRAC Workflows,” on page 107. 6.2 Processing a Work Item A Work Item can be accessed from any part of the main tabbed Sentinel Control Center interface. You can still process a Work Item in a group even if you have logged in as a different user.
Work item assigned to a group (role)
Work item assigned to the user under the Analyst role.
NOTE: When acquiring (accepting) a work item, it is removed from the queue of all other users in the same role. The work item can be returned to the group by clicking Release. 3 Click View Details.
3 In the Work Items window, set the following:
User: Name of the user that has acquired the process.
Group: Name of the Group that the user belongs to. In the above example, the user belongs to the Analyst group.
...
Analysis Tab Section 7.1, “Understanding Analysis,” on page 153 Section 7.2, “Introduction to the User Interface,” on page 153 Section 7.3, “Offline Query,” on page 156 7.1 Understanding Analysis The Analysis tab allows historical reporting. Historical and vulnerability reports are published on a Web server; they run directly against the database and appear on the Analysis and Advisor tabs in the Navigator pane.
The Navigation Tree in the Navigation Pane
The Toolbar Buttons
7.2.1 Top Ten Reports The following are the Top 10 reports which are available in Sentinel 6:
Top 10 Correlation Rules Triggered
Top 10 Destination Host Names
Top 10 Destination IP Addresses
...
To enable/disable Aggregation: 1 In Sentinel Control Center, go to Admin > Server Views. 2 Right-click DAS Aggregation and select Start/Stop to enable/disable Aggregation. To enable/disable summaries: 1 In Sentinel Control Center, go to Admin > Report Data Configuration. 2 Highlight the Summary to enable/disable and click the status (Active/Inactive) of that summary.
7.2.2 Running a Report from Crystal Reports Server To run a report: 1 Click the Analysis tab. 2 In the Analysis Navigator, click a report from the available reports. NOTE: To run any Top 10 reports, aggregation must be enabled and EventFileRedirectService must be set to on.
After the query has completely finished processing, the results are available to the user who initiated the Offline Query and other Sentinel users with the same security filter. When you attempt to browse or save the result as HTML or CSV, the data is transferred from the server to the local machine running the Sentinel Control Center.
2 In the Offline Query window, select an offline query. The following options are available:
Browse: Click Browse to view the output of the Offline Query in the Active Browser window.
CSV: Click CSV to generate a Comma Separated Value file with the queried information.
HTML: Click HTML to generate an HTML file with the queried information.
NOTE: With Sentinel 6.1 SP2 or later, the initial Advisor data feed is installed by default on the Sentinel 6.1 server at $ESEC_HOME/data/updates/advisor. However, you must purchase an additional license from Novell® to download the updated Advisor feed.
The specific reported attacks and vulnerabilities must be known to the Advisor service and Exploit Detection. All Collectors shipped by Novell® meet these requirements, as long as they are declared as being supported by Advisor. To write your own vulnerability or intrusion detection Collector, or to modify one of the shipped Collectors, refer to the Sentinel Plug-in SDK (http://developer.novell.com/wiki/...
Cisco IOS Firewall Secure
To enable exploit detection, the Sentinel Collectors must populate several variables as expected. Collectors built by Novell populate these variables by default. In intrusion detection system and vulnerability Collectors, the RV31 (DeviceName) variable in the event must be set to the value in the RV31 column in Table 8-1.
8.2.2 Generating the Exploit Detection File When you run the intrusion detection system or vulnerability type Collectors, events from all the selected products are scanned for possible attacks and vulnerabilities, and the product name and MSSP customer name are mapped to the Advisor product name and MSSP customer name. If the events match successfully, the exploit information (IP address, Device Name, Attack Name, and MSSP Customer Name) is updated in the file in the...
Navigating to Advisor Table 8-2 Location / User Interface:
The Admin menu in the menu bar
The Navigation tree in the Navigation pane
Admin Toolbar: The Advisor icon
8.3.1 The Advisor Window The Advisor window has two sections: Download Method: Enables you to process the Advisor feed files manually and launch the ...
NOTE: The Exploit Detection section initially displays a blank list unless you process the initial Advisor feed that was loaded during Sentinel installation. For more information, see Section 8.3.2, “Processing the Advisor Feed,” on page 164. Advisor Window Figure 8-1 8.3.2 Processing the Advisor Feed You can process the Advisor feed files manually or you can configure the Sentinel server to automatically process the feed files at scheduled time intervals.
Processing the Feed Files Automatically You can use the Download Manager to configure the Sentinel 6.1 server to automatically process the feed files after they are downloaded. 1 In the Advisor window, click Launch Download Manager. For more information, see Chapter 9, “Download Manager,”...
Preview Threat Map Figure 8-2 8.4 Downloading the Advisor Feed To access the updated Advisor feed, you must download the feed and process the downloaded feed to load it into the Sentinel database. You can download the Advisor feed manually or you can configure the Sentinel server for automated downloads at fixed intervals.
$ESEC_HOME/data/updates/advisor
8.5 Viewing the Advisor Status The Advisor Status window lists the products Novell supports for Advisor and also displays the status of the last five feed files that have been processed or are being processed. NOTE: Ensure that you have permissions to view the Advisor Status window.
Table 8-3 Fields / Description:
Product Name: Name of the product supported by Novell for Advisor. For example: Cisco Secure IDS and Enterasys Dragon Host Sensor.
Product Type: Shows whether the product type is a Vulnerability, Intrusion Detection System (IDS), or Firewall.
8.6 Viewing the Advisor Data The following are the prerequisites to view the Advisor data:
The Advisor feed must be up-to-date, processed, and loaded into the Sentinel database.
The selected event is from a product supported by Advisor and has the Vulnerability field value set to 1.
8.7 Advisor Reports Crystal Reports Server* is the reporting tool that is integrated with Sentinel for viewing Advisor reports. Advisor reports enable you to view and analyze the Advisor data, such as Recent Successful Attacks or Top 10 attacks. Section 8.7.1, “Generating the Advisor Reports,” on page 170 ...
8.8 Resetting the Advisor Password If you have configured automated downloads for Advisor and if your Novell eLogin password changes, then you need to also change your Advisor password. You can change your Advisor eLogin password by using the Download Manager feature.
After the feed is downloaded, the Download Manager notifies the Advisor processes to process the downloaded feed and load it into the Sentinel database. However, for Advisor, you must purchase an additional license from Novell® to download the updated Advisor feed. ...
Download Manager Figure 9-1 Download Configuration Status Table 9-1 Status Icon / Description:
Download in progress: Indicates that the download is in progress.
Download successful: Indicates that the latest download was successful.
Download not initiated: Indicates that a download has never been initiated. This status does not display any icon.
For example, to download Advisor data, specify the repository name as Novell Advisor.
URL: URL where the download feed is located. For example, to download Advisor data, specify the Advisor URL. Advisor Data Feed (https://secure-www.novell.com/sentinel/download/advisor/feed/)
Anonymous: Select the check box to download the information as an anonymous user.
Option / Description:
Download Directory: Specify the location and name of the directory where you want to save the feed. Ensure that you specify the absolute path. The directory is created on the Sentinel server at the specified path while downloading the feed. NOTE: If the specified directory already has some existing files that are not in sync with the Sentinel server files, these files are deleted when the new download starts.
9.4 Downloading the Feed Instantly You can instantly download the feed for a selected download configuration, regardless of the time interval scheduled for the selected download configuration. 1 Open the Download Manager window by doing either of the following: Click Tools > Download Manager. ...
Some plugins, such as database Connectors, require one or more auxiliary files in order to function. Auxiliary files are typically files that cannot be shipped by Novell within the standard plugin, such as user-specific configuration files or third-party libraries that require specific licenses. In all cases the documentation for the plugin includes detailed instructions about which auxiliary files are necessary and where they can be obtained.
Event Source Management-Live View Figure 10-1 10.2.1 Menu Bar The Menu Bar has File, View, Tools and Help options. Event Source Management-Menu Bar Figure 10-2 The following are the options available in each of the Menu Bar menus, which are described in the document: File ...
Help: About Help
These options allow you to perform the set of actions mentioned below.
10.2.2 Tool Bar Event Source Management-User Interface Table 10-1:
Launch the wizard for connecting to a new Event Source
Import/Export & Reload Event Source Management Configurations and plugins
The tool bar contains several tools for displaying objects in ESM.
To increase or decrease the size of the magnification glass cursor:
To increase: Ctrl key + backward scrolling of the mouse wheel
To decrease: Ctrl key + forward scrolling of the mouse wheel
To increase or decrease the zooming of the nodes:
To zoom in: forward movement of the mouse wheel
...
Hierarchy Filter frame Figure 10-4 To set a Hierarchy filter for displaying components: 1 In Sentinel Control Center, click Event Source Management in the menu bar and select Live View or Scratch Pad. 2 Click the Hierarchy Filter frame. 3 Select the Hierarchy Level to display the components. Connectors Connectors are plugins in Sentinel.
Add Auxiliary Files: Add Auxiliary Files. For more information, see Auxiliary Files.
To add Connector Plugins: 1 In Sentinel Control Center, click Event Source Management in the menu bar and select Live View or Scratch Pad. 2 Click the Script or Connectors frame. You can add Connector plugins from here. For more information, see “Adding Connectors/Collector Plugins”...
Event Source Palette This frame displays the list of Devices or Event Sources supported by the existing Collectors in the Central Repository. Each Collector ships with meta-information that describes the list of event source types supported by that Collector – this information is compiled to provide the data in this palette.
Status Details frame Figure 10-9 Overview The overview frame allows you to quickly move across the graphical view. This is particularly useful when there are a lot of objects on the screen. Overview frame Figure 10-10 10.3 Live View The ESM panel provides the main user interface to Event Source Management. You can view configuration data in Graphical or Tabular view.
10.3.1 Graphical ESM View The Graphical view of ESM is the default view in Event Source Management. In Graphical view, you can view the status of a Collector and access the configuration settings of Collectors and Collector related objects as a graph of connected nodes. Graphical View Figure 10-11 By default, the Health Monitor Display frame displays in the Graphical View.
Collapsed/Expanded nodes: To improve the manageability and performance of the Graphical display, Sentinel automatically contracts any node with 20 or more immediate children. This is especially useful for Connectors such as Syslog or Novell Audit that have the ability to automatically configure a large number of event sources.
10.3.2 Tabular ESM View The components visible in the Graphical view of ESM can also be viewed in tabular format. In Tabular view, you can view the status of a Collector in a table and access the configuration settings of Collectors and Collector related objects. Tabular View Figure 10-14 The columns in the ESM Tabular View are:...
Clone: You can create a new object that has its configuration information pre-populated with the settings of the currently selected object. This allows you to quickly create a large number of similar Event Sources without having to retype the same information over and over again. You can clone objects between views, that is, from Live View to Scratch Pad and vice versa.
10.4 Components of Event Source Hierarchy ESM displays the information on the Collectors and other components in a hierarchy specific to ESM. ESM Hierarchy Figure 10-15 NOTE: ESM allows you to add Collectors, Event Sources, and Connectors. Components of ESM Hierarchy Table 10-4 Sentinel The single Sentinel icon represents the main Sentinel...
Event Source The Event Source represents the actual source of data for Sentinel. Unlike other components this is not a plugin, but is a container for meta-data, including runtime configuration, about the event source. In some cases a single Event Source could represent many real sources of event data, for example if multiple devices are writing to a single file.
4 Select the component type by which to limit the view. 10.4.2 Adding Components to Event Source Hierarchy Although some Sentinel components are pre-installed with the Sentinel system, Novell recommends that you check the Sentinel Content web site for updated versions. This content can be downloaded from the following location: http://support.novell.com/products/sentinel/sentinel6.1html (http://support.novell.com/products/...
To add a Connector plugin: 1 Click Tools on the Menu Bar and select Import plugin... The Import Plugin Wizard window displays. 2 Select Import Collector Script or Connector plugin package file (.zip). Click Next. 3 Browse to the location of the Connector Plugin package file and click OK. Click Next. NOTE: If the imported file is not in the format specified for Collector scripts or for the Connector plugin package, the system displays an error message.
NOTE: When you add a plugin into Sentinel, it is placed in the Plugin Repository, which enables Sentinel components on other machines to start using the plugin without having to add the plugin separately. To add a Collector plugin: 1 Click Tools on the Menu Bar and select Import plugin. Import Plugin Wizard window displays. 2 You can select from the two options available in this window.
Updating Connector/Collector Plugins If a new version of a Connector or Collector is released, you can update the Sentinel system and any deployed instances of the Connector or Collector. NOTE: When you use the Sentinel Control Center to browse to locate a file on the Desktop of the Collector Manager, clicking Desktop takes you to the Desktop of the user running the Collector Manager, usually SYSTEM.
5 The Plugin Details window displays. Check the Update Deployed Plugins option to update any currently deployed plugins that use this Connector or Collector.
6 Click View Deployed Plugins to view the Plugins deployed in ESM Live View. The number in parentheses represents the number of instances of this plugin that are currently deployed and configured. The Deployed Plugins window displays the Affected Connectors/Event Sources/ Event Source Servers or Affected Collectors.
Deploying a Collector To add a Collector: 1 In the main ESM display, locate the Collector Manager to which the new Collector will be associated. 2 Right-click the Collector Manager and select the Add Collector menu item. 3 Follow the prompts in the Add Collector wizard. 4 Click Finish.
To deploy an event source, you need the following components: Collector Script: Collector scripts can be downloaded from the Sentinel Content web site (http://support.novell.com/products/sentinel/sentinel6.1html), copied from a previous Sentinel implementation (4.x or 5.x), or built using Collector Builder.
Connector: Connectors can also be downloaded from the Sentinel Content web site (http://support.novell.com/products/sentinel/sentinel6.1html). Some Connectors are also included in the installed Sentinel system, but there may be more recent versions on the web site. Configuration information for the event source. To connect to the Event Sources: 1 Click Tools on the Menu Bar and select Connect to Event Source.
3 Select a Collector script from the list. You can also install additional Collector scripts (click Install More Scripts) that support your Event Source if it is not listed here. (For more information on installing a Collector script, see “Adding Connectors/Collector Plugins” on page 194.)
4 Select a connection method from the list. You can also install additional Connectors by clicking the Install More Connectors button. For more information on installing Connectors, see “Adding Connectors/Collector Plugins” on page 194. Click Next. The Event Source Management window displays.
5 You can create a new Collector and Connector or you can use an existing Collector or Connector. Select an option and click Next. NOTE: Depending on which existing Collectors and Connectors in your system are compatible with your new Event Source, one or more of these options might be unavailable. ...
3. Configure the available parameters and click Next. The Configure Collector window displays. 4. Provide the name of the Collector and configure the options.
Check the Run checkbox if you want to run your Collector automatically. Click the Details button to see plugin details. You can set alerts (with a repeat option) if no data is received in a specific period. You can limit the data rate as a maximum number of records per second. ...
5. Provide the name of the Connector and configure the options. Check the Run checkbox if you want to run your Connector automatically. Click the Details button to see plugin details. You can set alerts (with a repeat option) if no data is received in a specific ...
Use an Existing Connector: Select this option to use an existing Collector and an existing Connector to manage the Event Source connection. 1. After you select this option and click Next, the Select Connector window displays. 2. Select the Connector you want to use and click Next. 6 The Records Per Second window displays.
Provide a Name for the Event Source. Check the Run checkbox if you want to run your Event Source automatically. Click the Details button to see plugin details. You can set alerts (with a repeat option) if no data is received in a specified time interval. ...
Collector code running in place on the Collector Manager For more information on customizing or creating new Collectors, obtain the Novell Developer's Kit for Sentinel at http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel).
Location: ESEC_HOME\data\collector_workspace on the client application machine. 10.5.2 Debugging Proprietary Collectors The Debugging Collector window allows you to debug Collectors written in Novell’s proprietary language. The left column on the debugger displays the commands for the current script state. The highlighted command is being executed.
Debug Collector window Figure 10-16 The Events tab displays the events generated using this Collector and the Upload/Download tab allows you to upload/download another Collector Script file to make modifications. The debugger has the following four controls: Debugger Icons Table 10-6 Run the script until the next breakpoint is encountered.
You can view events as well as upload and download the Collector’s script from the Events tab and Upload/Download tab. NOTE: Multiple Sentinel Control Center users might connect to the same debugging session. For this reason, a Collector remains in Debug mode until one of the users specifically presses the debugger’s Stop button.
Upload/Download: Upload/Download a JavaScript file here. You can download an existing JavaScript file, edit it, and upload again into the system to continue debugging. Context: Displays the variable (the debugger is pointing to at a point) and its value here. ...
Upon selecting Debug, the Debug Mode Selection window displays. You can choose to debug in Standalone or Live mode. You can choose Standalone or Connected modes. Standalone mode Standalone debug mode allows you to debug a Collector even if the associated Collector ...
3. In the Debug Collector window, click . In the Source text area, the source code of the Collector appears and stops at the first line of the script. 4. Click the left side bar to toggle a breakpoint in the script code. Click to go to the next breakpoint.
In Live debug mode, input to the script comes from actual Event Sources connected to the Collector. To get data from a specific Event Source, you must right-click and start the desired Event Source via the ESM display. Event Sources can be started or stopped at any time during the debug session.
2 Check Save Raw Data to a file. 3 Specify (or browse to) a path on the Collector Manager machine where the raw data is saved. IMPORTANT: The account running the Sentinel service on the Collector Manager machine must have permissions to write to the file location. 10.6 Export Configuration Export configuration helps you export the configuration of ESM objects along with their Collector script and the Connector plugins.
3 Select the Collector scripts from the list to export. You can select or deselect all. Click Next. The Select Connector Plugins window displays.
4 Select the Connector Plugins from the list to export. You can select or deselect all. Click Next. The Specify Export File window displays. NOTE: To view the description and dependents of a particular plugin in the above window, select that plugin from the table.
do not select any node (only in Live View)
select an Event Source node in the child view of the Graphical View
select multiple nodes
To import your configurations: 1 Click File on the Menu Bar and select Import Configuration. You can also click the Import Configuration button on the Tool Bar.
4 Select the Collector script from the list to import. NOTE: A color indicator is displayed in the Select Collector Scripts and Select Connector Plugins windows to show whether the plugin is already present in the repository. If the plugin is not present in the repository, the indicator is red; if the same version of the plugin exists, it is green; otherwise it is orange.
6 Select the Connector plugins from the list to import. NOTE: To view the description and dependents of a particular plugin in the above window, select that plugin from the table. If any Collectors or Connectors in the ESM panel are affected by importing the plugin, the Affected Collectors or Affected Connectors window is displayed.
10.7.4 Redo Layout To redo layout changes: 1 Click View on the Menu Bar and select Redo Layout. Alternatively, click the Redo Layout button on the Tool Bar. 10.8 Event Source Management Scratchpad Scratchpad is the “Design Mode of the Health Monitor”. Through Scratchpad you can design and configure: ...
Page 226
Components / Sentinel 5.x / Sentinel 6.0
Storage location for files for Collectors in development on Collector Builder machine: Sentinel 5.x: %ESEC_HOME%\wizard\Elements on Collector Builder machine; Sentinel 6.0: %ESEC_HOME\data\collector_worksp on Collector Builder machine
Storage location for files for running Collectors on Collector Manager machine: Sentinel 5.x: %ESEC_HOME%\wizard\Elements on Collector Manager machine; Sentinel 6.0: %ESEC_HOME%\data\collector_mgr.cache\collector_instances on Collector Manager machine
Collector Scripts: Sentinel 5.x: Collector Scripts were managed from; Sentinel 6.0: In Sentinel Control Center, Collector...
Sentinel Control Center Figure 11-1 11.2 Introduction to User Interface In the Admin tab, you can see Server Views, Filter Configuration and User Configuration in the Admin Navigator. You can navigate to these functions from:
Admin Tab - User Interface Table 11-1 The Admin menu in the Menu Bar; the Navigation Tree in the Navigation Pane; the Toolbar Buttons. 11.3 Crystal Report Configuration To configure the URL for Analysis and Advisor Reports: 1 Click Admin.
Page 230
2 In the Admin Navigator, click Crystal Report Configuration. For Crystal Reports Server running on Windows: In the Analysis URL box, specify the URL for the Crystal Reports Server and click Refresh. http://<hostname_or_IP_of_web_server>/GetReports.asp?APS=<hostname>&user=Guest&password=&tab=Analysis NOTE: <hostname_or_IP_of_web_server> must be replaced with the IP address or hostname of the Crystal Reports Server.
NOTE: For more information about Crystal Reports Server installation and configuration, see “Crystal Reports for Linux” in the Sentinel 6.1 Installation Guide. You can select Use default browser to use your default browser, or select Use the following commands to launch a browser to specify a command that launches a browser. When using a browser other than the default browser, your command line must be followed by %URL%.
Unix Communication Server Windows Communication Server NOTE: The Windows Communication Server and Unix Communication Server each run only on their respective platform. Server View window Figure 11-2 Start, stop or restart processes: These actions can be taken on a process by right clicking on ...
11.4.2 Creating a Servers View To create a Servers View: 1 Click the Admin tab. Click Servers View. Alternatively, in the Navigator click Servers View > Servers View. You can also click the Server View icon. 2 To create a new view, in the bottom right corner click the Manage View drop-down arrow. Click Add View.
NOTE: You cannot stop the Windows Communication Server and Unix Communication Server using this feature. 11.5 Filters Filters allow you to process data based on specific criteria for events in real-time and for users of the system. Filters enable you to manage data seen in the Sentinel Control Center. The Filter Engine drives the Real Time Event windows by maintaining the data structure for each security filter.
11.5.3 Global Filters Global filters are classified as Public filters. Global filters are sequentially processed at the Collector Manager for each event. Once the global filter criteria are met, the evaluation stops for that event and the associated global filter action is taken for the event. The order of evaluation of global filters is top to bottom, as shown in the console.
Page 236
5 In the Filter Selection Window, highlight a relevant filter and click Select, or click Add if you need to create a filter. The Expression column displays the selected filter in the RuleLg language. 6 In the Active column, select the checkbox to associate the filter with options specified in the Route and Action columns.
NOTE: The Action column and the Action Manager button are available only on systems that have Sentinel 6.1 SP1 Hotfix 2 or later installed. 9 Continue adding filters until you have completed adding all the required filters. 10 Click Save. Rearranging Global Filters To Rearrange Global Filters: 1 In the Global Configuration window, select a filter and click Up or Down to move it to a...
Page 238
Add a Filter; View the Details of a Filter; Clone a Filter; Delete a Filter; Modify a Filter. Filter Manager window Figure 11-5 Adding a Filter To add a public or private filter: 1 Click Admin > Filter Manager or select Filter Manager under the Filter Configuration folder in the Navigator;...
Page 239
3 Specify a Filter Name. 4 The table editor is the default selection for editing the contents. NOTE: Optionally, you can click Use free form editor to display a free form editor. The free form editor allows you to create complex expressions not possible with the table editor. However, after the expression is modified with the free form editor, the table editor cannot be used with the expression.
8 To remove a filter expression, select a filter expression from the table and click Remove the Selected Expression (-). Click Save. To Clone a Public or Private Filter Cloning is a convenient way to duplicate a filter to ensure consistency of criteria among a group of filters or users.
Page 241
On applying a color filter, all the event tables are updated. Color Filter Configuration Figure 11-6 The Color Filter Configuration GUI displays a listing of all the color filters that are defined in the order in which they should be applied. If an event meets the criteria for more than one of the color filters, the topmost color filter configuration will be applied.
Page 242
4 From the list, select a filter to which you want to apply the color filter configuration and click Select, or click Add to create a new filter. For more information on configuring filters, see Section 11.5.4, “Configuring Public and Private Filters,” on page 237.
NOTE: The order of the color filter configuration row in the Color Filter Configuration window matters. In the case where more than one color filter definition applies to an event, the formatting for the topmost color filter takes precedence. Deleting Color Filter To delete a color filter: 1 Click Color Filter Configuration in the navigation pane.
Page 244
Event Menu Configuration Figure 11-7 Ping: Ping the destination (or target) IP of the selected event nslookup: Perform an nslookup on the Source (or initiator) IP of the selected event traceroute (tracert on Microsoft SQL 2005): Perform a traceroute from the Source (or ...
Section 11.6.3, “Modifying an Event Menu Option,” on page 247 Section 11.6.4, “Viewing Event Menu Option Parameters,” on page 247 Section 11.6.5, “Activating or Deactivating an Event Menu Option,” on page 247 Section 11.6.6, “Rearranging Event Menu Options,” on page 248 ...
4 Enter a Name and Description. NOTE: To place the command in a folder, provide [foldername]/[commandname] in the Name field. 5 Select an action from the dropdown menu or click Add Action to configure a new JavaScript action. The available settings vary based on which action is chosen: Option Description Use browser...
To use a browser or not. For information, see Section 11.6.8, “Editing Your Event Menu Browser Settings,” on page 248. Command/URL Parameters Select an action: Execute Command Launch Web Browser. Any JavaScript action configured in the Action Manager ...
11.6.6 Rearranging Event Menu Options To move an Event menu option up or down: 1 Open the Event Menu Configuration window. 2 Select a menu option and click Up or Down. 11.6.7 Deleting an Event Menu Option To delete a Menu Configuration option: 1 Open the Event Menu Configuration window.
Use the following commands to launch a browser: Allows you to specify a specific application to launch. When using a browser other than the default browser, your command line must be followed by a %URL%. For example: C:\Program Files\Internet Explorer\IEXPLORE.EXE %URL% Default extension: This file extension is assumed if the File Type in a configured action ...
Page 250
The information is divided into 3 sections: Requests, Services, ThreadPools. Under Requests it keeps all the requests by channel (such as services.CorrelationService). Under Services it does the same by service. Sometimes it provides a breakdown by appending “<category>”...
11.8 Mapping A map is a collection of values and keys defined in a CSV or text file. You can enrich your data by using maps. With the help of maps you can add additional information to the incoming events from your source device.
To view maps in the GUI: 1 Navigate to Admin tab and select Map Data Configuration from the Navigation pane or click Map Data Configuration button. The main Mapping GUI displays a listing of all of the maps that have been defined for the system. NOTE: Default Sentinel maps cannot be edited or deleted.
Page 253
Select your map definition file. Click Next. NOTE: Only the first 500 rows of the map appear in the interface. 8 In the New Map Definition window, set the following: Delimiter: (pipe, comma, semicolon and so on) of data in rows of the map data source file ...
Column filtering: A row can be explicitly included or excluded based on matching criteria for a particular column. This can be used to exclude rows from the map source data that are not needed or will interfere with your mapping. As you configure each setting and filter, the data table will automatically update to allow you to preview your data and ensure your data is being parsed as expected.
Page 255
1-2,AA
2-4,AA
4-12,BB
10-20,BB
30-31,BB
100-200,AA
110-120,CC
Number Range Map Definition Figure 11-10 The example table gets transformed to: Table Transformation Figure 11-11 An example event configuration on the above map might look like: Event Configuration Figure 11-12 Where CustomerVar97 is expected to contain a numeric value (or is of a type that can be converted to a numeric value, such as an IP or Date).
Page 256
When performing lookups into the example range map, the value in CustomerVar97 will take the range map and search for the range that the value belongs in (if any). Some examples and their results are: CustomerVar97 = 1; CustomerVar89 will be set to AA CustomerVar97 = 4;...
Event Configuration Figure 11-14 If an event contains a target IP of 10.0.1.14 (equivalent to numerical value of 167772430), the output for column CustomerVar89 within the event will be BBB. Sentinel supports the following number ranges: Range from negative number to negative number (for example, “-234—34”) ...
The edit function allows you to: set your delimiters; activate or deactivate a column; set which row to start your map; set your column keys; rename your columns; filter columns. 4 After making your changes, click OK. 11.8.4 Deleting Map Definitions To delete a map definition: 1 Navigate to Admin tab and select Map Data Configuration from the navigation pane or click...
11.8.5 Updating Map Data Updating allows you to replace the map source data file of a map on the server running DAS with another file. Your new map source data file must have the same delimiter, number of columns, and overall structure as the existing map data source file in order for the map to function properly after the update.
Page 260
4 Select the new map data source file by clicking Browse and selecting the file with the new map data. After selecting the file, the data from the new map data source file displays under the New tab. The map data you are replacing will be under the Current tab. 5 Uncheck or leave the default setting for Backup Existing Data On Server.
11.9 Event Configuration NOTE: In order to use the Event Configuration, your configuration.xml file must point to a Communication Server that also has DAS_Binary and DAS_Query connected to it. This will normally be the case by default, as long as your Communication Server and DAS processes are running.
Page 262
Referenced from Map: Data is retrieved from a map to populate the tag. Data Sources Figure 11-15 In the above illustration, the SourceAssetName tag is populated from the map called Asset (which has asset.csv as its map data source file). The specific value for SourceAssetName is taken from the AssetName column of the Asset map.
Page 263
Device and Attack Signature corresponds to Asset Name Figure 11-18 To Configure Event tags (columns) to use Mapping: 1 Navigate to Admin tab and click Event Configuration in the navigation pane or click Event Configuration button. 2 Highlight an event tag entry from the Event Columns list. NOTE: The original Event Tag name displays above the Label field.
Page 264
_EXIST_ : This is a special Map Column that exists in every map. If this Map Column is selected, a “1” will be put in the event tag if the key is in the map data. If the key is not in the map data, a “0”...
11.9.2 Renaming Tags The Event Configuration window also allows you to assign names to existing event tag labels. For example, you can rename the label for event tag Ct2 to City. Doing this will result in the event tag that formerly appeared in Sentinel Control Center as “Ct2” now appearing as “City”. Some places where event tags appear in Sentinel Control Center are filters, correlation rules, and Active Views.
NOTE: Clicking on Apply saves the changes you made for the currently selected event tag in a temporary buffer. If you don't click Apply, when you select a different event tag, the changes you made to the previously selected event tag are lost. Changes won’t be saved to the server until you click Save.
Page 267
The Report Data Configuration tab allows you to: enable/disable any predefined summaries; view attributes of each summary; see the validity of a summary for a timeframe; query which eventfiles need to be run so that the summary is complete ...
Page 268
To enable Aggregation for Top 10 reports for Crystal Reports Server: Enable the following three summaries: EventDestSummary, EventSevSummary, EventSrcSummary. Enable EventFileRedirectService in das_binary.xml, located at: For UNIX: $ESEC_HOME/config/das_binary.xml For Windows: %ESEC_HOME%\config\das_binary.xml NOTE: To enable the summary you must set the property “Status” to ON for EventFileRedirect in das_binary.xml. To view information for a Summary:...
Page 269
To check the Validity of a summary: 1 Click Report Data Configuration in the navigation pane or click the Report Data Configuration button. 2 Select Status. 3 Select the summary or summaries you want to query. 4 Select a time interval. 5 Click Show Graph.
Page 270
3 Select the summary or summaries you want to query. 4 Select a time interval. 5 Click Show Event. 6 The Eventfiles needed to complete the summary are displayed in a list. NOTE: To complete summaries, see “To run Eventfiles for a summary:” on page 270.
8 Click Process. 11.11 User Configurations You must have the user permission in order to work in the User Configuration window. User configuration allows you to: Create a User Account; Terminate an Active Session; Modify a User Account; Add an iTRAC Role; View Details of a User Account; Delete an iTRAC Role; Clone a User Account...
11.11.3 Opening the User Manager Window To open the User Manager window: 1 Click the Admin tab. 2 Click Admin > User Configuration. 11.11.4 Creating a User Account In order to meet the stringent security configurations required by Common Criteria Certification, Sentinel requires a strong password with the following characteristics: Passwords must be at least 8 characters in length and include at least one uppercase ...
Page 273
5d Specify the fully qualified Distinguished Name of the LDAP user in the LDAP USER DN field. Do not leave the LDAP User DN field empty. For example, cn=sentinel_ldap_user,o=novell This field is available only if you have specified “Anonymous searches on LDAP directory”...
Page 274
5e (Optional) Under Details, specify the following: First Name Last Name Department Phone Email 5f Click the Permissions tab and assign user permissions. For more information about permissions, see “Sentinel Control Center User Permissions” in the Sentinel 6.1 Reference Guide.
Page 275
Creating a Database User Account for Sentinel 1 Select the Admin tab. 2 Expand the User Configuration folder in the navigation tree. 3 Select User Manager. The User Manager window is displayed. 4 Click Add User or right-click any user and select Add User. 5 Under Authorization: Select Local for Authentication.
or highlight any user, right-click any user and select Add User. 4 Under Authorization: Select Domain authentication. Specify an existing User Name in the form Domain\Username. 5 For Security Filter, click the down arrow. The Filter Selection window displays and shows all public filters.
To modify a user account: 1 Open the User Manager window. 2 Double-click a user account or right-click > User Details. 3 Modify the account. 4 Click OK. 11.11.6 Viewing Details of a User Account To use this feature, you must have the User Management permission. To view user account details: 1 Open the User Manager window.
You will be prompted for a termination message. This option is provided so that you can inform the user why you are killing the session. NOTE: If the Client machine has multiple network interfaces, the IP Address displayed in the Active User Sessions window might not be the desired IP address, as the non-loop back IP address of the first NetworkInterface returned by the system is displayed.
11.11.12 Viewing Details of a Role To view role details: 1 Open the Role Manager window. 2 Select a role, right-click > Role Details.
Sentinel Data Manager Section 12.1, “Understanding Sentinel Data Manager,” on page 281 Section 12.2, “Starting the SDM GUI,” on page 281 Section 12.3, “SDM Command Line,” on page 289 12.1 Understanding Sentinel Data Manager The Sentinel Data Manager (SDM) is a tool by which users can manage the Sentinel Database. The SDM allows users to perform the following operations: ...
Page 282
2 Go to $ESEC_HOME/sdm 3 Provide the following command line: ./sdm To start SDM GUI on Windows: 1 Click Start > All Programs (Win XP) or Program Files (Win2000) > Sentinel > Sentinel Data Manager. NOTE: To run the SDM from the command line, see the Section 12.3, “SDM Command Line,”...
NOTE: If you select to save your connection settings, the settings are saved to the local file sdm.connect. By default the file is located in the $ESEC_HOME/bin directory or the %ESEC_HOME%\bin folder. The next time you start the GUI, the connection settings will be re-populated from the file.
Page 284
Offline Archived: Partition with data that has been archived and then dropped from the database. Online Archived Imported: Partition with data that has been archived, dropped from the database, and then re-imported into the database. NOTE: If you delete a partition without archiving it, it is deleted from the partition list in the GUI. At the bottom of the Partitions tab, there are several smaller tabs that allow the user to perform the following operations: ...
Page 285
NOTE: Sentinel partitioned tables are organized into 2 groups. One is the EVENTS table group, which includes EVENTS and CORRELATED_EVENTS; the other is the summary table group, which includes all summary, or aggregate, tables. If any one of the tables in the group is selected then the changes will apply to all the tables in the group.
On UNIX systems, the oracle user must have permissions to write to the archive directory. On Windows systems, the owner of the SQL Server Agent service must have permissions to write to the archive directory. To archive partitions: 1 Select the Archive partitions tab. 2 Specify the number of days for which older partitions will be archived.
Color coded bar graphs help to visualize the total space allocated for each tablespace and the percent used of each tablespace. NOTE: On Microsoft SQL Server, “tablespace” usage represents “filegroup” usage. 12.2.3 Partition Configuration The Partition Configuration tab in the SDM allows you to set parameters to auto-archive partitions. It also allows you to auto-add partitions.
Page 288
NOTE: Partitioning Job scheduling through SDM is reflected only after the partition refresh interval. The default refresh interval is 5 minutes. To change the refresh interval, edit the partitionJobRefreshInterval specified in the /opt/novell/pilin_1.0_x86-64/config/das_core.xml file and restart the Sentinel service: /etc/init.d/sentinel stop /etc/init.d/sentinel start Click History to view the Job History.
The SDM command line functions can be used instead of the GUI. The command line can be used to create a batch file or cron job for SDM operations, but Novell recommends using auto-archiving instead. Auto-archiving can be configured on the Partition Configuration tab of the SDM GUI.
Page 290
Viewing Sentinel Database Space Usage flags Table 12-2 -action dbstats -connectFile <filePath> To view Sentinel Database Space Usage (Command Line): 1 Execute the following command: -action dbStats -connectFile <filePath> The following example displays the tablespaces of Sentinel database with their total space, used space and free space available.
Patches Hotfixes 13.2.1 Starting a Sentinel Server To start the UNIX Sentinel Server: 1 Log into the machine where the Sentinel Server you want to start is installed as the Sentinel Administrator operating system user (by default esecadm). 2 Go to the $ESEC_HOME/bin directory.
Runs the analyze partitions action on the Sentinel Database. This script is only available for Sentinel Database running on Oracle. BackupIncidentData.bat / BackupIncidentData.sh Used to backup Incident related data before running the delete incident utilities. For more information, contact Novell Technical Support (http://support.novell.com/phone.html?sourceidint=suplnav4_phonesup). Clean_Database.bat Used to delete Incident and/or Identity information from the database.
Page 294
Script File: Description: keymgr.bat / keymgr.sh Generates a random encryption key to be used to encrypt messages in transport over the iSCALE message bus. For more information, see the section “Changing the Communication Encryption Key” of “Communication Layer (iSCALE)” in the Sentinel 6.1 Installation Guide.
13.3.2 Troubleshooting Scripts The scripts below are useful when troubleshooting an issue you are experiencing. They provide finer grain control of certain components in Sentinel, allowing you to drill down to the root cause of the issue. NOTE: These scripts should not be used during normal operation of Sentinel. They are intended for troubleshooting purposes.
Page 296
Script File: Description: StartSQLAgent.bat Starts the SQL Server Agent Service and configures it to run automatically. This script is run automatically by the installer. stop_broker.bat / stop_broker.sh Stops the message bus component of the Communication Server. For more information, see “Stopping the Communication Server in Console Mode”...
Page 297
To stop the Communication Server (Windows): 1 Either go or navigate through Windows Explorer to: %ESEC_HOME%\bin 2 Either double-click (through Windows Explorer) or execute the following file: stop_broker.bat To stop the Communication Server (UNIX): 1 Log in as the Sentinel Administrator operating system user (default is esecadm). 2 Go to: $ESEC_HOME/bin 3 Specify:...
.\stop_container.bat <host machine> <process name> For example: .\stop_container.bat localhost DAS_RT To restart a Sentinel Container (UNIX): 1 Log in as the Sentinel Administrator operating system user (default is esecadm). 2 Go to: $ESEC_HOME/bin 3 Specify: ./stop_container.sh <host machine> <process name> For example: ./stop_container.sh localhost DAS_RT 13.4 Version Information The following sections provide information about versions.
13.4.2 Sentinel .dll and .exe File Version Information The following procedure describes how to gather the version information of Sentinel .dll and .exe files: To obtain Sentinel .dll and .exe file version information: 1 Go to %ESEC_HOME%. 2 Within the bin and lib directories, right-click a file and select Properties.
13.5.1 Components
$ESEC_HOME/bin/Clean_Database.sh / %ESEC_HOME%\bin\Clean_Database.bat: Main database cleanup script. This calls the other scripts.
$ESEC_HOME/bin/BackupIncidentData.sh / %ESEC_HOME%\bin\BackupIncidentData.bat: Script used to backup Incident data.
%ESEC_HOME%\bin\PromptForDatabaseConnectionInfo.bat: Script used to prompt the user for SQL Server database connection information.
$ESEC_HOME/bin/BackupAdvisor.sh / %ESEC_HOME%\bin\BackupAdvisor.bat: Script used to backup Advisor data.
%ESEC_HOME%\bin\BackupAsset.bat: Script used to backup Asset data...
13.5.2 Prerequisites There are several prerequisites for running the Clean_Database script. The user running the script must have permission to execute the cleanup script. The user running the script must have permission to access/execute all of the database tools/ ...
Page 302
4 If cleaning Incidents, the following things happen: 4a The following prompt displays: Would you like to backup Incidents first? (y or n) => Enter "y" to backup the Incident data (recommended) or "n" to skip the Incident data backup. 4b If you select “y”...
Page 303
enter the esecadm user’s password. NOTE: If you have a distributed Sentinel install, you may need to manually connect to the main Sentinel Server to delete the identityAccountMap.csv file. To run Clean_Database.bat on Windows: 1 Open a console, go to %ESEC_HOME%\bin and enter Clean_Database.bat to start the script. NOTE: At any time you can abort the execution of the cleanup script by entering "q"...
Sentinel Server to delete the identityAccountMap.csv file. 13.6 Updating Your License Key If your Sentinel license key has expired and Novell has issued you a new one, run the software key program to update your license key.
Page 305
./softwarekey.sh 4 Specify the number 1 to set your primary key. Press enter. To update your license key (Windows): 1 Log into the machine where the DAS component is installed as a user with administrative rights. 2 Go to %ESEC_HOME%\bin 3 Specify the following command: .\softwarekey.bat 4 Specify the number 1 to set your primary key.
Quick Start Section 14.1, “Security Analysts,” on page 307 Section 14.2, “Creating Incidents,” on page 310 Section 14.3, “iTRAC,” on page 312 Section 14.4, “Report Analyst,” on page 325 Section 14.5, “Administrators,” on page 326 14.1 Security Analysts NOTE: This document assumes your Security Administrator has built the necessary filters and configured Collectors for your system.
3 Click Finish. If you have an active network, you might see something similar to: NOTE: To display a 3-D graph without real time events, click the Display Events down arrow and select No. 14.1.2 Exploit Detection For information on how exploit detection works and which Intrusion Detection Systems and Vulnerability Scanners are supported, see Chapter 8, “Advisor Usage and Maintenance,”...
Asset Report Figure 14-1 14.1.4 Event Query This section describes event queries. Example Scenario – Telnet Event: During monitoring, you see numerous telnet attempts from source IP 10.0.0.1. Telnet attempts could be an attack. Telnet potentially allows an attacker to remotely connect to a remote computer as if they were locally connected.
SourceIP = 10.0.0.3 SensorType = H EventName = Attempted_telnet DestinationIP = 10.0.0.4 Severity = 5 Match if, select All conditions are met (and) 3 Click Save. Highlight your filter and click Select. 4 Provide your time period of interest; click Search (Magnifying Glass icon). The result of your query displays.
Page 311
NOTE: If events are not initially displayed in a newly created Incident, it is most likely because of a lag in the time between display in the Real Time Events window and insertion into the database. If this occurs, it might take a few minutes for the original events to finally be inserted into the database and display in the incident.
14.3 iTRAC This section gives an overview of iTRAC. 14.3.1 Instantiating a Process An iTRAC process can be instantiated in the iTRAC server by associating an iTRAC process to an incident using the following methods: Associate an iTRAC process to the incident at the time of incident creation ...
Page 313
To Create an iTRAC Process: 1 Click the iTRAC tab. 2 In the navigation pane, click iTRAC Administration > Template Manager. 3 In the Template Manager window, click Add. 4 The iTRAC Process Builder displays with a Process Details window. Provide the name iTRAC Tutorial.
Page 314
in the Process Variables window select the Variable Type as String provide Default Value as yes
Page 315
under the Description tab, (optional) specify Initial evaluation of event(s) to determine if there has been an attack click OK highlight the newly created association, continue to click OK until the step is renamed Manual Step-1 to Collect Data set Role to Analyst ...
Page 316
Under the Body tab, (optional) specify This email is generated from a tutorial (simulation) iTRAC process.
Page 317
click OK Mail Step-4 to Prevent Future Attacks in the To field, specify your email address in the From field, specify a made up email address in the Subject field, specify Proper Attack Measures Taken Under the Body tab, (optional) specify This email is generated from a tutorial ...
Page 318
Decision Step-6 to Hacked or Not. (optional) Under the Description tab, you might provide a description such as Decision as to if there has been an attack or not.
Page 319
6 Right-click Start and select Add Start Transition. Select destination to step Decide If Hacked. 7 Right-click Decide If Hacked and select Add Transition. Select and specify the following: Name, provide Decision Type, select Unconditional Destination: Hacked? ...
Page 320
Click Set > EXP Select Variables and Values Select Attribute Hacked Select Condition equals Specify Value of yes Click OK until the transition is complete
Page 321
11 Right-click Collect Data and select Add Transition. Select and specify the following: Name, Hacked or Not? Type, Unconditional Destination, Hacked or Not 12 Right-click Hacked or Not and select Add Transition. Select and specify the following: Name, Not Hacked ...
Page 322
NOTE: Assigning steps to other roles means having to log out and then log in as a user assigned to that role and accept the process. For simplicity, the following example is assigned to one role. To run this process, it must first be assigned to an incident. To Start or Terminate a Process: 1 Click the Incident tab.
Page 323
If the View Work Item list bar was yellow as illustrated above, it changes with an addition of a green bar. 9 Click the green bar under View work items. In the Work Items window, click View Details. The red highlighted step indicates what step this process is currently in. 10 To start the steps within this process, click the Process Details tab.
Page 324
For this manual step the variable yes is specified. Providing another value such as no or else (no attack) will result in going to a mail step that sends an automatic email and completes the process. Let's say the initial assessment is that there is an attack; with the hacked variable equal to yes, click Complete (to complete this step, not the process).
Also, if you go to the Process View window it indicates as Complete or if you double-click this process, it indicates as Complete. 14.4 Report Analyst NOTE: Assumption, your Security Administrator has configured your Crystal Enterprise Web Server and published a list of available reports. 14.4.1 Analysis Tab The Analysis tab allows for historical reporting.
5 You can export this file as a doc, pdf, rtf, xls or as a Crystal Report by clicking Export (envelope). Similar to the Security Analyst, if you have an event or events of interest within your reports, you can run an Event Query under the Analysis tab. To run a query, highlight Historical Events > Historical Event Queries and click Create Reports (magnifying glass).
Page 327
The following example is written for the Data Generator Connector that comes installed in Sentinel as a test event generator. NOTE: Any time the Data Generator Connector is running, it puts data into your database. Having a correlation rule fire that is associated with the Data Generator Connector adds further data to your database.
Page 328
To Deploy the Simple Correlation Rule: 1 Click the Correlation tab and highlight Correlation Rule Manager in the navigation bar. 2 Click Tutorial_SourcePort_DestinationPort (this is the name of the rule from the previous example) > Deploy Rule. 3 (optional) In the Deploy Rule window, you can add an action. This allows you to: ...
Although Solution Packs have many uses, one is to package content related to governance and regulatory compliance into a comprehensible and easily enforceable framework that is easy to deploy. Novell and its partners will offer and extend Solution Packs around such regulations or other customer needs.
Page 332
Solution Pack hierarchy Figure 15-1 The table below describes each level in a Solution Pack hierarchy. Solution Pack hierarchy levels Table 15-1 Solution Pack Solution Pack is the root node in the content hierarchy. Each Solution Pack can contain one or multiple Category node(s). Category Category is a conceptual classification.
Workflow Workflow is a Content Group that contains an iTRAC Workflow template and any associated Roles. This icon is also used for the iTRAC workflow template itself. Role Indicates a Role used in a Workflow. Correlation Rule Correlation Rule is a Content Group that contains a correlation rule, the namespace in which it is stored, and any associated correlation actions or dynamic lists.
The user should change the status of the Control to Implemented after following all of these steps. Testing a Control is the process to verify the content associated with the Control. Novell Solution Packs include detailed documentation describing testing steps. The user should change the status of the Control to Tested after following all of these steps.
Page 335
Content Frame Content Frame provides Solution Pack zip extracted information. The Content frame displays a hierarchical view of the Category, Control, Content Group, and various types of content. All parent nodes reflect the overall state of the controls they contain. This means that parent nodes have an inherited status based on their child content.
(http://support.novell.com/products/sentinel6) (an additional license might be needed). They can be provided by one of Novell’s partners, or they can be created from content in your own Sentinel system. The first step in using a Solution Pack is to import the .zip file into the system using the Import Plugin Wizard.
Page 337
To import Solution Packs: 1 Click Tool menu and select Solution Packs. The Solution Packs window displays. 2 Click the Import icon in the Solution Packs window. The Import Plugin Type window displays. Select Import Solution package plugin file (.zip). Click Next. The Choose Plugin Package File window displays.
Click Next. The Plugin Detail window displays. 4 The details of the plug-in to be imported are displayed. Check the Launch Solution Manager checkbox if you want to deploy the plug-in after importing the Solution Pack. If you check the Launch Solution Manager check box, the Solution Manager displays.
Page 339
2 Double-click a Solution Pack in the Solution Packs window. The Solution Manager window displays. Content Comparison When the Solution Pack is opened, the Solution Manager compares the contents of the Solution Pack to other Solution Pack content (from different Solution Packs or previous versions of the same Solution Pack).
Out Of Sync Status The Out of Sync icon indicates that content in the newly opened Solution Pack differs from a version that was previously installed by another Solution Pack (either a different Solution Pack or a previous version of the same Solution Pack). The name, definition, or description of the content might be different.
Page 341
4 Click Next. If Correlation Rules or Reports are included in the Solution Pack, you need to proceed through several additional screens until you reach the Install Content window. Click Install. 5 After installation the Finish button displays. Click Finish. If the installation fails for any content item in the Control, the Solution Manager rolls back all the contents in that control to uninstalled.
Page 342
There are special considerations for installing certain types of content, including Correlation Rules and Reports; these issues are described below. Correlation Rules and Actions Correlation Rules are deployed to a specific correlation engine. During the Control installation, the following screen shows the correlation engines in the target Sentinel system and the rules that are already running on those engines.
Page 343
Unavailable Correlation Engines Figure 15-5 NOTE: The Execute Script Correlation Action (created in Sentinel 6.0) cannot run on a particular correlation engine if the installation of the JavaScript code fails for that correlation engine. The .js file can be manually copied to the proper directory on the correlation engine. In a default installation, the proper directory is $ESEC_HOME/config/exec or %ESEC_HOME%\config\exec.
Page 344
Deploy Control Wizard-Crystal Reports Server Information Figure 15-6 To publish the reports directly to the Crystal Reports Server, select Publish to Crystal Reports Server and specify the Crystal Reports Server Name, Username and Password. (In a default installation, the Username is “Administrator” and Password is blank.) When you publish directly to the Crystal Reports Server, all reports are installed in the SentinelReports folder so they will be visible from the Analysis tab of the Sentinel Control Center.
Page 345
Deploy Control Wizard-Crystal Reports Server Information Figure 15-7 Regardless of how the reports are published, they must have the appropriate permissions configured. If this is the first time you have added any reports for Sentinel, you must set View on Demand permissions on the SentinelReports folder.
Page 346
8 Click Update. 9 Log off and close the window. You can customize the URLs that the Solution Manager attempts when installing reports. The following procedure allows you to customize the URLs: To customize the URL: 1 Based on the operating system: For Windows: Copy files from <build ...
Page 347
The following warning displays in the Description frame: Duplicate Content within Solution Pack If two separate Controls contain identical content and one Control is deployed successfully, the status of the duplicate content in the other Control is changed to Installed. The remaining child nodes in the second Control stay uninstalled.
For example, the rule from the Solution Pack might be named Unauthorized Firewall Change (1). The existing rule in the Sentinel system is unchanged. NOTE: To prevent confusion for end users, Novell recommends that one of these rules be renamed. 15.3.4 Implementing Controls...
2 Select a Control. 3 Click the Implementation tab in the Documentation frame. 4 Follow all of the instructions in the Implementation tab. 5 Add notes to the Notes tab of the Documentation frame as necessary to document progress or necessary deviations from the recommended implementation steps.
15.3.6 Uninstalling Controls Controls are often used to meet legal or regulatory requirements. After they are implemented and tested, Controls should be uninstalled only after careful consideration. When a Control is uninstalled, the status for the Control reverts to Not Implemented and child content is deleted from the Sentinel system.
3 Click Uninstall. The selected contents are uninstalled. NOTE: Local reports cannot be uninstalled from a different Sentinel Control Center machine than the one they were installed from, or if the files were copied to a new location after installation. If the Solution Manager cannot find the .rpt files in the expected location, a message is logged in the Sentinel Control Center log file.
Page 352
Out of Sync: This status indicates that a different version of the content in the Solution Pack is deployed in the Sentinel target system by another Solution Pack (or a previous version of the same Solution Pack). Generating Status Documentation The information about the Solution Pack can be exported in PDF format.
5 To save the PDF, click Browse. Navigate to the location where you want to save the PDF and specify a filename. Click Save. Audit Events in the Sentinel Control Center All major actions related to Solution Packs and Controls are audited by the Sentinel system, with information about which user performed the action.
All deletions are audited by the Sentinel system and sent to both the Sentinel Control Center and the Sentinel database. 1 Click Tool menu and select Solution Packs. The Solution Packs window displays. 2 Select the Solution Pack you want to delete and click the Open icon on the tool bar. 3 Select the Solution Pack node and click Uninstall.
Documentation 15.4.2 Connection Modes Solution Packs can be created or edited in Solution Designer in connected or offline modes. In offline mode, there is no connection to an active Sentinel Server or its content (such as iTRAC workflows, event enrichment, or correlation rules). However, you can perform the following actions: ...
3 Open or create a Solution Pack. 15.4.3 Creating a Solution Pack Using Solution Designer, you can create a Solution Pack using existing content objects (for example, Correlation Rules, Dynamic Lists, or iTRAC workflow templates) from Sentinel. The Solution Designer will analyze the dependencies for a content object and include all necessary components in the Solution Pack.
Adding, Deleting, Renaming and Reordering Content hierarchy Table 15-5 Function Description Create Add a node to the existing control. Select an existing node. Right-click and select Create, or click Create in the Solution Pack frame. Specify the details and click Create. Rename Rename an existing node.
Page 359
Event enrichment, including map definitions and event metatag configuration Other associated files added when the Solution Pack is created, such as documentation, example report PDFs, or sample map files. The general steps for Sentinel content are described below. The steps for reports, which are Crystal content, are slightly different.
Page 360
3 Click Connect. The Login to Crystal Reports Server window displays. Specify the Server Name, User Name and Password in their respective fields. NOTE: In a default Crystal installation, the User Name is “Administrator” and the password is blank. Click Login. 4 All the report folders are available in a drop-down list.
Page 361
6 Select the file and click Open. The file description is displayed. 7 Click OK. Placeholders If the user is working in offline mode or is not ready to associate content with a control, an empty placeholder can be used instead. To add a placeholder: 1 Click a button in the Content Palette to open the panel for the type of placeholder you want to add: Correlation, Event Enrichment, iTRAC workflow or Report.
File Attachment Table 15-6 Add File Add an attachment to a node. The system prompts for another file if you attempt to add one that is already attached. Select a node. Click Add a new attachment icon in the Attachments panel.
15.4.7 Editing a Solution Pack A saved Solution Pack can be edited using Solution Designer. For information about deploying the changes into an existing system, see Section 15.5, “Deploying an Edited Solution Pack,” on page 364. When an existing Solution Pack is saved, the user has several options: Save: Saves an updated version of the original Solution Pack.
Out of Sync Content If the content in the source system is modified, the content in the source system and the content in the original Solution Pack can be out of sync. You can drag and drop the content from the Content Palette onto the control. For simple content with no dependencies, the modified content is immediately updated.
An Action can be executed on its own, or it can make use of an Integrator instance, configured from an Integrator plugin. Integrators provide the ability to connect to an external system, such as an LDAP, SMTP, or SOAP server, to execute an action. 16.2 Action Manager The Action Manager allows you to configure repeatable actions that can be executed in various contexts throughout the Sentinel system.
Script actions in versions of Sentinel before Sentinel 6.1 can be converted to Action Plugins using the Action Manager. 16.3.1 Importing JavaScript Action Plugins JavaScript plugins from Novell or other sources can be imported into Sentinel. To import Action plugins: 1 Click Tool menu and select Action Manager. The Action Manager window displays.
Page 368
2 Click Manage Plugins. The Action Plugin Manager window displays. 3 Click the icon on the top left corner to Import plugins. Plugin Import Type window displays. 368 Sentinel 6.1 User Guide...
Page 369
4 Select Import an Action plugin file (.zip). Click Next. 5 The Choose Plugin Package File window displays. Actions and Integrator 369...
Click Finish. 16.3.2 Importing JavaScript Files Although JavaScript Action plugins can be obtained from Novell, it is also possible to create and manage your own JavaScript Action plugins. Plugins can be created using JavaScript files that were used in the Execute Script command in versions prior to Sentinel 6.1, or they can be created using any JavaScript file written using the Sentinel JavaScript API.
Page 371
When you import a JavaScript file from a directory, it is important to define the required objects correctly so the JavaScript Actions that use the plugin are available in the right parts of the Sentinel Control Center interface. The following table shows the Required Objects options in the import wizard and where the Actions will be available if those options are checked.
Page 372
3 Click the icon on the top left corner to Import plugins. Plugin Import Type window displays.
Page 373
4 Select Import an Action plugin from directory. The Choose JavaScript Directory window displays. 5 Browse to a location of the JavaScript Plug-in directory and click OK. Click Next. 6 The Action Plugin Detail window displays. Provide the required information. Attach a Main JavaScript File and Help File.
Page 374
NOTE: If the file you have selected is not of proper format, the Next button will not activate. When updating an already-imported JavaScript file, you are provided with the option of updating the existing plug-in, going back and selecting a different plug-in, or canceling the import.
Page 375
8 Select the objects that the JavaScript action requires. This affects where the Action is available in the interface. For more information, see the Table 16-1 on page 371. Click Next. The Plugin Parameters window displays.
Page 376
9 [Optional] Click Add button to add parameters that can be set when an Action is configured. This option should be used for any JavaScript files that expect to receive parameterized information. The Parameter Definition window displays.
Page 377
9a Specify the parameter name. The name used here must be identical to the one used in the JavaScript API method scriptEnv.getParameter("<name>") in the script that is being imported. 9b Select the parameter type from the Type drop-down list. The various parameter types available are: String: Accepts string values for the parameter ...
Page 378
Click Next. 10 The Plugin Details window displays. Details of the plugins to be imported are displayed. 11 Click Finish. If the directory from which the JavaScript file is imported contains a package.xml file, the system updates the file with the information defined in the wizard. If no package.xml file...
<?xml version="1.0" encoding="UTF-8"?>
<JavaScriptActionPackage>
  <ID>FA6944D0-DC43-102A-976F-001321B5C0B3</ID>
  <Name>Example JavaScript Plugin</Name>
  <Type>JAVASCRIPT_ACTION</Type>
  <DisplayName>Example JavaScript Plugin</DisplayName>
  <Author>Novell Engineering</Author>
  <Version>61r1</Version>
  <ReleaseDate>1206414663439</ReleaseDate>
  <MainScriptFile>example.js</MainScriptFile>
  <Description>An example JavaScript Action plugin.</Description>
</JavaScriptActionPackage>
NOTE: When a plugin is created from a JavaScript file and an existing package.xml file, the package.xml file is updated with the list of files contained in the package, hash codes, current dates...
NOTE: If you select an Action plugin that is configured to use an Integrator to connect to an external system, the Add Integrator button displays. 4 The parameters for the selected plugin display. For Actions provided by Novell, more information about configuration and the available parameters are available in the help file for the Action.
16.4.5 Developing JavaScript Actions The information below is very basic development information about developing JavaScript Actions. For more information, see Novell Developer Community web site (http://developer.novell.com/ wiki/index.php?title=Develop_to_Sentinel). Creating a JavaScript Action JavaScript Actions take advantage of the functionality and flexibility of the JavaScript language and...
Page 382
    importPackage(java.lang);
    var CollectorName = "TC_5";
    var evt = scriptEnv.getCurrentEvent();
    // In Sentinel 6 the event's Port field carries the Collector name
    var collNm = evt.getPort();
    // Append a log line to a local file (opened in append mode)
    var outfile = new java.io.PrintWriter(new java.io.FileWriter("/opt/jaya/strtcoll.txt", true));
    if (collNm && collNm.equals(CollectorName)) {
        var collist = ESM.collectorsForName(collNm);
        if (collist.size() > 0) {
            var coll = collist.get(0);
            outfile.println("Stopping " + CollectorName);
            coll.stop();
        }
    }
    outfile.close();
Page 383
To open a JavaScript Debugger: 1 Click Correlation on the Menu Bar and select Correlation Engine Manager. Alternatively, you can click the Correlation Engine Manager button on the Tool Bar. Select a JavaScript Action associated with a Correlation Rule. Right-click and select Debug. The Debug JavaScript Correlation Action window displays.
Page 384
Click Run. The debugger panel displays the source code and positions the cursor on the first line of the script. You can debug the script as many times as needed (without requiring a new correlation rule to fire). After the debugger gets to the end of the script (or after you click the Stop button), click Run again.
SOAP server. JavaScript actions can use Integrators to interact with other systems. For example, you can set the attribute in Novell eDirectory (an LDAP server) to enable or disable a user, edit details and so on. You could also start an Identity Manager workflow, such as a provisioning request, using SOAP calls.
For more information on specific Integrators, see the documentation that is available with the integrators. You can download the updated integrators from http://www.novell.com/documentation/ sentinel61 (http://www.novell.com/documentation/sentinel61). Alternatively you can view the Integrators specific document by clicking Help button in Integrator Manager after configuring that Integrator. 16.5.1 Permissions for Using Integrators To use the Integrator Manager, a user must be assigned the necessary permissions in the User Manager.
6 Select View Integrators, Manage Integrators, Manage Integrator Plugins or Integrators (which will automatically select all child permissions). The new permissions will be applied the next time the user logs in. For more information, see “Sentinel Control Center User Permissions” in Sentinel 6.1 Reference Guide.
5 Use the Browse button to locate an Integrator file to import to the plugin repository. Select a zip file and Click Open. 6 If you have selected an Integrator file which already exists then the Replace Existing Plugin window displays. Click Next if you want to replace the existing plugins. Click Next.
16.7.3 Deleting an Integrator Instance An Integrator instance cannot be deleted if it is currently associated with an Action. To delete an Integrator instance, you must first delete or modify any Actions that are associated with it. To delete an Integrator Instance: 1 Click Tools menu and select Integrator Manager.
Page 390
2 Select an integrator from the left pane. 3 Click See Details. The Refresh Health Information window displays. The Health screen displays the Refresh Health State, Time of last occurrence, its method calls and the related events of the selected Integrator configuration. The detailed description follows: Integrator API Calls: This section indicates the status of count and time of both the ...
Time of Last Successful Call: The time at which the method was last successfully executed. Average Successful Run Time: Average time to make a successful method call. Error Count: Number of times the API method failed. Time of Last Error Call: The time at which the method call failed. Average Error Run Time: Average time to make a failed method call.
3 Click Integrator Events button. The Query window displays. All the events related to the configured integrator automatically displays in the Query window. You can filter the displayed events using the filter criteria. For more information see, Section 2.9.3, “Historical Event Query,”...
Link is a mechanism that provides the ability to hierarchically link multiple Sentinel ® systems, including Novell Sentinel Log Manager, Novell Sentinel, and Novell Sentinel Rapid Deployment. You can hierarchically link two or more Sentinel systems to forward filtered events from one Sentinel system to another for further evaluation.
Replace svrname.example.com with the actual DNS name or IP address (such as 192.168.1.1) of the server where Novell Rapid Deployment is running. 2 If you are prompted to verify the certificates, review the certificate information, then click Yes if it is valid.
4 Use the Languages drop-down list to specify which language you want to use. 5 Click Sign in. 6 In the Novell Log Manager Web interface, click Collection. 7 In the Collection page, click Advanced. 8 In the Advanced page, click Launch to open the Event Source Management.
Page 396
Link Event Source server to auto-create the nodes is much simpler and is preferred over manual configuration because it ensures that nodes are properly configured and connected so that events are routed to the Sentinel Link Collector. 1 In the Event Source Management view, right-click the Collector Manager, select Add Event Source Server, then select Sentinel Link Connector and click Next.
Page 397
NOTE: If the Sentinel Link Event Source Server is running on a Linux/Unix machine, binding to port numbers less than 1024 requires root privileges. Therefore, Novell recommends that you run the server on a port greater than 1024 and change the source devices to send to this new port or use port forwarding.
Page 398
Options / Description
Client Authentication Type: Specify either of the following:
Open: Allows HTTPS connections from any sender machine. It does not perform any client certificate validation or authentication.
Strict: Validates that the sender's certificate is in the trust store and is a valid X.509 certificate. For this option, a truststore needs to be imported.
Page 399
The Sentinel Link Event Source Server simplifies Event Source configuration with the option to detect a new source device that is sending data to the Sentinel Link Event Source Server, evaluate its IP address by using a set of user-defined policies, and either ignore the new source device or automatically add it as an Event Source in Event Source Management.
Page 400
1 In the Event Source Management (Live View), right-click the Collector Manager node, then select Add Collector. 2 Select Novell from the list of vendors from the left panel, then select the desired Sentinel Link version from the list of supported event sources, and click Next.
Page 401
3 Select the Novell Sentinel Link Collector, then click Next. Sentinel Link Solution 401...
Page 402
4 Click Next to accept the default Collector properties. For more information on Collector properties, see the Sentinel Link Collector documentation. 5 Accept the default Collector configuration, then click Finish to complete the configuration. 6 Continue with “Adding a Connector” on page 402.
Page 403
3 In the Select Event Source Server window, select the Event Source Server from the list of configured Event Source Servers. If no Event Source Servers are configured, the following message displays: There are no Event Source Servers configured on this Collector Manager that match the connection method selected.
Page 404
4 Click Add, then create an Event Source Server. For more information on creating an Event Source server, see Step 2 through Step 13 in the “Configuring Sentinel Link Event Source Server” on page 395. 5 Click Next to open the Configure Connector window.
Page 405
6 In the Configure Connector window, specify the following:
Page 406
Options / Description
Name: The name by which you want to identify this Connector.
The Id of the Connector. You cannot change this value.
Details: Click Details if you want to open the Plugin Details window.
(Optional) Select this option if you want to specify that the Connector should by default be started whenever the Collector Manager is started.
Page 407
2 Specify the IP address of the sender machine, which the Sentinel Link event source receives the messages from. 3 Click Next.
Page 408
Collector. Each connection mode sends the data in a different format. For the Novell Collectors, which support more than one connection mode for different data formats, see the Collector-specific documentation for information about which mode is appropriate for your particular Event Source.
Page 409
6 Specify the General settings for the Sentinel Link Connector:
Options / Description
Name: The name by which you want to identify this Event Source.
Specifies the Id of the Event Source.
Details: Click Details to display the Plugin Details window.
(Optional) Select this option to specify that this event source should by default be started whenever the Collector Manager is started.
Page 410
Options / Description
Trust Event Source Time: (Optional) Select this option to have the event time set to the time the event occurred rather than the time Sentinel received the data.
Set Filter: (Optional) Specify a filter on the raw data passing through this event source.
9 Click Finish to add the Event Source to the Event Source Management view. 17.6 Configuring Sentinel Systems for Sending Events You can configure Novell Sentinel Log Manager, Sentinel, or Sentinel Rapid Deployment to forward events to another Sentinel system. Section 17.6.1, “Configuring Sentinel Log Manager as a Sender,” on page 411 ...
Page 413
4 Specify the following Sentinel Link settings, then click Save.
Options / Description
Destination: Specify the IP address or hostname of the receiver, where a Sentinel Link Connector is configured.
Port: Specify the port number for the receiver. The default port is 1290.
Page 414
Options / Description
Client key pair: Select either of the following:
None - server does not require client certificate: The receiver system does not validate the sender certificates. Select this option if the server does not require the client key pair. ...
Page 415
You can also change the conditions of the rule to filter more events or remove conditions to filter fewer events. Novell recommends that you configure the rule to forward only those events that you want to store on the Sentinel system for more in-depth reporting and analysis.
To use an Integrator plug-in, one or more Integrator instances must be configured with valid connection information. 1 Log in to the Novell Sentinel Control Center as an administrator. 2 Select Tools > Integrator Manager. The Integrator Manager window displays.
Page 417
4 Select Sentinel Link Integrator from the Select Integrator drop-down list. 5 Click Add Integrator Plugin to import the Integrator plug-in, if the Integrator plug-in is not already available. The ID Number is the system-generated ID for the Integrator configuration and cannot be edited.
Page 418
Integrator Service Category Description E-Mail System Financial Application Network Firewall Host-based Firewall HR Application Identity Management Intrusion Detection/Prevention System INCM Incident Management NETD Network Router/Switch Operating System PROX Proxy Storage Virtual Private Network VULN Vulnerability Scanner Web Server 9 Click Next. The Sentinel Link Server Settings window displays.
Page 419
10 Specify the IP address or hostname of the Sentinel Link server, where the Sentinel Link Connector is running. 11 Specify the port number for the Sentinel system. The default port is 1290. 12 Select either of the following: Not Encrypted (HTTP): Establish an unsecured connection. ...
Page 420
Encrypted (HTTPS): Establish a secured connection. If you select the Encrypted (HTTPS) option, you can optionally specify a Server Validation Mode and an Integrator key pair.
Field / Description
Server Validation Mode: Select either of the following:
None - server certificate NOT validated: The Integrator does not validate the receiver's certificate.
Page 421
14 Specify the following:
Options / Description
Maximum Event Queue Size (MB): Specify the maximum event queue size value in megabytes. The value must be between 0 and 2147483647. The following options are enabled only when you specify a value in the Maximum Event Queue Size (MB) field. ...
Page 422
Options / Description
Event Forwarding Mode: Select one of the following options to specify the Event Forwarding Mode:
Send Immediately: Select this option to forward the events immediately to the receiver.
Scheduled: Select this option to schedule event forwarding. You can specify Time Of Day and Duration (in minutes) for each day of the week.
Page 423
Configuring the Action Plug-In 1 Log in to the Sentinel Control Center system as the administrator. 2 Select Tools > Action Manager. 3 In the Action Manager window, click Add. The Configure Action window is displayed. 4 Specify the following: Action Name: Specify a name for the action.
Page 424
can have filter(1=1) and filter(e.sev>=3) configured, and launch Sentinel Link action to forward the events to the same receiver. When the action is triggered, the receiver gets duplicated events. Therefore, use them only when simple filtering conditions are not enough. Note that some field values of the events are changed during event forwarding.
Page 425
12 Select Sentinel Link, then click OK. Using Global Filters to Forward Events to the Receiver Use Global Filters to filter the desired events for forwarding to the receiver system. In the Global Filter Configuration window, you can add the Sentinel Link Action, then deploy the rule. NOTE: This feature is supported only on Sentinel 6.1 SP1 Hotfix 2 or later, and Sentinel 6.1 Rapid Deployment 6.1 Hotfix 2 or later.
Page 426
3 Click the Add button on the right side of the window. 4 Click the button below the Filter Name field, then click the drop-down to set a filter. For more information on Filters, see Filters (http://www.novell.com/documentation/ sentinel61rd/s61rd_user/data/filters.html) in the Sentinel 6.1 Rapid Deployment User Guide.
Page 427
The Select Action window is displayed. 8 Select the Sentinel Link Action, then click OK. If you have not created one, click the Action Manager button at the right side of the window, then follow the instructions. 9 Alternatively, you can also add the Sentinel Link Action as the default Action. 9a Click the button below the Default Action.
10 Click Save. 17.7 Verifying a Sentinel Link In this example, a Sentinel Rapid Deployment machine is used as the sender and a Novell Sentinel Log Manager machine is used as the receiver. 1 Configure a Sentinel Rapid Deployment machine for sending events.
Page 429
4 To view that event, go to the Novell Log Manager Web interface, then search for events with sev:[3 TO 5].
Sentinel Link Solution 429...
Section 18.3, “Reports,” on page 439
18.1 Overview
Novell Sentinel 6.1 provides an integration framework for identity management systems. This integration provides functionality on several levels:
Identity Browser provides the ability to look up the following information about a user:
Contact information ...
Identity.
Figure 18-2 Identity Details
18.1.1 Integration with Novell Identity Manager
Integration with Novell Identity Manager is available as part of the Novell Compliance Management Platform, which includes the following components:
Sentinel 6.1 ...
Page 433
The Solution also requires “identity-enabled” Collectors, which are available for download at the standard Sentinel content download web site (http://support.novell.com/products/sentinel/sentinel61.html). After Sentinel and Identity Manager are installed, the Sentinel Driver for Identity Manager sends identity and account information from the Identity Vault to the Sentinel Identity Vault Collector, which populates the Sentinel database.
Event Label          | Populated by which Column Label from IdentityAccount Map | Map Key Field : Event Label
InitUserFullName     | Full Name                                                | Account Name : InitUserName; Authority : InitUserDomain; Customer Name : MSSPCustomerName
InitUserIdentity     | Identity GUID                                            | Account Name : InitUserName; Authority : InitUserDomain; Customer Name : MSSPCustomerName
TargetUserDepartment | Department                                               | Account Name : TargetUserName...
To open Identity Browser:
1 Click the Tools menu and select Identity Browser. The Identity Browser window is displayed. Alternatively, you can launch the Identity Browser through the icon that appears when you launch the Sentinel Control Center.
18.2.1 Searching Profiles
To search profiles:
1 Click the Tools menu and select Identity Browser.
3 Click the Search icon. The matching profiles are displayed:
4 Select a user and click View Full Profile to see more information. Alternatively, you can right-click a user name (identity) and select Open New Window. This opens a new Identity Browser window.
Page 437
In the view profile window, you can view the User Profile, Accounts, and Recent Activities performed by the user. By default, the User Profile is displayed when you click the view profile button, as shown above.
4 Select Accounts. The details of the account are displayed:
Identity Integration 437...
Page 438
You can access Accounts in Active View by right-clicking an event generated by the Identity Collector and selecting the Show Identity Details option. Select the Initiator, Target, or Both option. The account details of the identity associated with that event are displayed in a pop-up window.
5 Select Recent Activity. The contextual event information, such as Authentication, Access, and Permission change events for that identity, is displayed. The events displayed are limited to the last 10 events in each category, as shown below:
Using the Clipboard Functionality
You can use the clipboard functionality to copy the data of the User Profile, Recent Activity, or Accounts tabs.
Page 440
Figure 18-3 Reports
440 Sentinel 6.1 User Guide...
Collector Manager. This service can be installed on a number of systems to balance the processing load or for scalability. The data collection components are downloaded from the Novell Content Web page and are installed to the Collector Managers via a central ESM interface.
Sentinel treats both “services” and “applications” as abstract service end points that can readily respond to asynchronous events. Services are “objects” that do not need to understand protocols or how messages get routed to the peer services.
A.3 Architecture Overview
The Sentinel system is responsible for receiving events from the Collector Manager.
Page 443
Message Bus
The iSCALE message bus allows for independent scaling of individual components while also allowing for standards-based integration with external applications. The key to scalability is that, unlike other distributed software, no two peer components communicate with each other directly. All components communicate through the message bus, which is capable of moving thousands of message packets per second.
An event comprises more than 200 tags. Tags are of different types and serve different purposes. Some tags are predefined, such as severity, criticality, destination IP, and destination port. There are two sets of configurable tags: Reserved Tags are for Novell internal use, to allow future expansion, and Customer Tags are for customer extensions.
Page 445
Streaming Maps
The Map Service employs a dynamic update model and streams the maps from one point to another, avoiding the build-up of large static maps in dynamic memory. This streaming capability is particularly relevant in a mission-critical real-time system such as Sentinel, where there needs to be a steady, predictable, and agile movement of data independent of any transient load on the system.
Page 446
Vulnerability Scanners scan systems (assets) for vulnerable areas. The IDS detects attacks (if any) against these vulnerable areas. Firewalls detect whether any traffic is directed against these vulnerable areas. If an attack is associated with any vulnerability, the asset has been exploited. The Exploit Detection Service generates the file at: exploitdetection.csv...
Figure A-5 Vulnerability and Data Source
A.3.3 Event Source Management
Sentinel 6 delivers a centralized event source management framework to facilitate data source integration. This framework enables all aspects of configuring, deploying, managing and monitoring data Collectors for a broad set of systems, which include databases, operating systems, directories, firewalls, intrusion detection/prevention systems, antivirus applications, mainframes, Web and application servers, and many more.
A.3.4 Application Integration
External application integration through standard APIs is central to Sentinel. For example, when dealing with a third-party trouble-ticketing system, Sentinel 6 can open an initial ticket in its own iTRAC workflow remediation system. Sentinel then uses a bi-directional API to communicate with ...
Figure A-6 Sentinel Time
1. By default, the event time is set to the Collector Manager time. The ideal time is the device time. Therefore, it is best to set the event time to the device time if the device time is available, accurate, and properly parsed by the Collector.
Internal Events
Internal Events are informational and describe a single state or change of state in the system. They report when a user logs in or fails to authenticate, when a process is started, or when a correlation rule is activated.
Performance Events
Performance Events are generated on a periodic basis and describe the average resources used by different parts of the system.
Page 451
Data Access Service (DAS) Process (page 452)
DAS Query: Performs general Sentinel Service operations, including Login and Historical Query.
DAS Binary: Performs event database insertion.
DAS RT: Provides the server-side functionality for Active Views.
DAS Aggregation: Calculates event data summaries that are used in reports.
...
Data Access Service (DAS) Process
The Data Access Service (DAS) process is the Sentinel Server's persistence service and provides an interface to the database. It provides data-driven access to the database backend. DAS is a container composed of five different processes. Each process is responsible for different types of database operations.
management service to allow users to define objects using metadata. Additional services include Correlation, Query Manager, Workflow, Event Visualization, Incident Response, Health, Advisor, Reporting, and Administration.
Figure A-8 Sentinel Logical Layers
The presentation layer renders the application interface to the end user. A comprehensive dashboard called the Sentinel Control Center offers an integrated user workbench consisting of an array of seven different applications accessible through a single common framework.
Page 454
Collectors are the component-level aggregators of event data from a specific source. Sentinel primarily supports remote “Collector-less” connections to sources; however, Collectors can be deployed on specific devices where a remote approach is less efficient. Collectors are controlled from the Sentinel Control Center, which orchestrates the communication between the Collectors and the Sentinel platform for real-time analysis, correlation computation, and incident response.
Page 455
The Event Source, Event Source Server, Collector, and Connector are configuration-related objects and can be added through the ESM user interface.
Event Source: This node represents a connection to a specific source of data, such as a specific file, firewall, or Syslog relay, and contains the configuration information necessary to establish the connection.
Business Relevance: Sentinel injects business-relevant contextual data directly into the event stream. It includes up to 135 customizable fields where users can add asset-specific information such as business unit, owner, asset value, and geography. After this information is added to the system, all other components can take advantage of the additional context.
Page 457
“Remoting Service” on page 457
“Incident response through iTRAC” on page 460
“Data Access Service” on page 457
“Reporting Service” on page 462
“Query Manager Service” on page 457
“Advisor” on page 463
...
Page 458
correlation engine works with a rules checker component which computes the correlation rule expressions and validates syntax of filters. In addition to providing a comprehensive set of correlation rules, Sentinel’s correlation engine provides specific advantages over database-centric correlation engines. By relying on in-memory processing rather than database inserts and reads, the correlation ...
Page 459
representation and others. Additional valuable information can be viewed from the Active Views dashboard, including notification of asset exploits (exploit detection), asset information, and graphical associations between pertinent source IPs and destination IPs. Because Active Views uses the iSCALE architecture, analysts can quickly drill down for further analysis: Active Views provides direct access to the real-time, memory-resident event data, which easily handles thousands of events per second without any performance degradation.
Page 460
Figure A-13 Network
Incident response through iTRAC
Sentinel iTRAC transforms traditional security information management from a passive “alerting and viewing” role to an “actionable incident response” role by enabling organizations to define and document incident resolution processes and then guide, enforce, and track resolution processes after an incident or violation has been detected.
Page 461
Figure A-14 Process Template
A worklist provides the user with all tasks that have been assigned to the user, and a process monitor provides real-time visibility into process status during a resolution process lifecycle. iTRAC’s activity framework enables users to customize automated or manual tasks for specific incident-resolution processes.
Page 462
Role: Users can be assigned to one or more Roles (for example, Analyst, Admin, and so on). Manual steps in the workflow processes can be assigned to a Role.
Sentinel 6 workflows have four major components that are unique to iTRAC: ...
Page 463
Figure A-16 Sentinel Top 10 Reports
Advisor
Sentinel Advisor, an optional module, cross-references Sentinel’s real-time alert data with known vulnerabilities and remediation information, bridging the gap between incident detection and response. With Advisor, organizations can determine if events exploit specific vulnerabilities and how these attacks impact their assets.
Administration
The Administration facility provides the user management and settings facilities typically needed by application administrators of Sentinel.
Common Services
All of the components described above in this business logic layer of the architecture are driven by a set of common services. These utility services assist in fine-grained filtering (through the Filter Engine) of events to users, continuous monitoring of system health statistics (through the Health Monitor), and dynamic updates of system-wide data (through the Map Service).
Page 465
Figure A-19 Active Views - Graphical format - Bar Graph
Figure A-20 Active Views - Graphical format - Line Graph
Figure A-21 Active Views - Graphical format - Ribbon Graph
Active Browser
The Active Browser facility helps you view the selected events. In Active Browser, the events are grouped according to their metatags, and within each metatag various sub-categories are defined. The numbers in parentheses next to these sub-categories show the total number of events whose metatag has that value.
Page 466
Figure A-22 Active Browser
In Active Browser, the query manager service retrieves a list of events taken from any part of the system and performs a statistical analysis of these events to break them down into ranges of values for each desired attribute of the event. Using single clicks through a Web browser interface, you can select ranges to quickly drill down on a large set of events.
System Events for Sentinel
In the description tables below, words in italics surrounded by <…> are replaced by relevant values in the real messages.
B.1 Advisor Audit Events
Section B.1.1, “Advisor Update Successful,” on page 467
Section B.1.2, “Advisor Update Failure,” on page 467
...
Table B-8 Authentication Events - Authentication
Severity:
Event Name: Authentication
Resource: UserAuthentication
SubResource: Authenticate
Message: User <name> has passed Authentication to Sentinel/Wizard
B.3.2 Creating Entry For External User
When creating an external user, the following event is generated.
Table B-9 Authentication Events - Creating Entry For External User
Severity:
...
Table B-11 Authentication Events - Failed Authentication
Severity:
Event Name: AuthenticationFailed
Resource: UserAuthentication
SubResource: Authenticate
Message: Authentication of user <name> with OS name <domUser> from <IP> failed
B.3.5 Locked Account
When a locked user account attempts to log in, the following event is generated.
Table B-12 Authentication Events - Locked Account
...
B.3.7 Too Many Active Users
Table B-14 Authentication Events - Too Many Active Users
Severity:
Event Name:
Resource:
SubResource:
Message:
B.3.8 User Discovered
If the server restarts, it loses the session information. It then reconstructs the session when it receives messages from active users.
Message: User <user> with OS name <osName> at <IP> logged in; currently <number> active users
B.3.10 User Logged Out
When a user logs out, the following internal event is generated.
Table B-17 Authentication Events - User Logged Out
Severity:
Event Name: UserLoggedOut
...
B.4.2 Create Role
Table B-19 User Management - Create Role
Severity:
Event Name: createRole
Resource: WorkflowServices
SubResource: WorkflowAdminService
Message: Creating role with name <name> and description <description>
B.4.3 Create User
Table B-20 User Management - Create User
Severity:
Event Name: createUser
Resource: ...
B.4.5 Delete Role
Table B-22 User Management - Delete Role
Severity:
Event Name: deleteRole
Resource: WorkflowServices
SubResource: WorkflowAdminService
Message: Deleting role with name <name>
B.4.6 Deleting User Account
Table B-23 User Management - Deleting User Account
Severity:
Event Name: deleteUser
Resource: Config
...
B.4.8 Remove Users From Role
Table B-25 User Management - Remove Users From Role
Severity:
Event Name: removeUsersFromRole
Resource: WorkflowServices
SubResource: WorkflowAdminService
Message: Removing users <name> from role <role>
B.4.9 Resetting Password
Table B-26 Resetting Password
Severity:
Event Name: setPassword
Resource: Config
...
B.4.11 Updating User
Table B-28 User Management - Updating User
Severity:
Event Name: updateUser
Resource: Config
SubResource: UserManagementService
Message: Updating user: {0} Last Name:<lastName>, First Name: <firstName>, State: <state>
B.5 Database Event Management
The following events relate to database event management.
B.5.1 Database Space Reached Specified Percent Threshold
When event insertion is resumed after being blocked, the following event is sent.
Resource: Database
SubResource: Database
Message: Tablespace <string> has <number> MB left and growing <number> bytes per second and will run out space within the time threshold specified <number> seconds
B.5.3 Database Space Very Low
When event insertion is resumed after being blocked, the following event is sent.
Table B-31 Database Event Management - Database Space Very Low
...
Table B-36 Database Event Management - Event Insertion is blocked
Severity:
Event Name: EventInsertionIsBlocked
Resource: EventSubSystem
SubResource: Events
Message: Event insertion is blocked, waiting <number> sec
B.5.9 Event Insertion is resumed
When event insertion is resumed after being blocked, the following event is sent.
Table B-37 Database Event Management - Event Insertion is resumed
...
B.5.11 Event Processing Failed
Table B-39 Database Event Management - Event Processing Failed
Severity:
Event Name: EventProcessingFailed
Resource: EventSubsystem
SubResource: EventStore
Message: In the previous {0}ms, failed to process {1} events--Events were stored for later insertion. Check the log files and the database for more information. The error occurred {2} times in this time range: {3}, cause {4}
...
B.5.14 Partition Configuration
Table B-42 Database Event Management - Partition Configuration
Severity:
Event Name: New/Update/Remove
Resource:
SubResource: PartitionConfig
Message: ableName=<name> PartTimeUnit={1} PartTimeFactor={2} NumberOfUnits={3}
B.5.15 Writing to Archive File failed
When opening an archive file for storing the events for aggregation fails, the following internal event is generated.
B.6.4 Enabling Summary
Table B-48 Database Aggregation - Enabling Summary
Severity:
Event Name: enableSummary
Resource:
SubResource: EventAggregationAdminService
Message: Enabling summary: <summaryDescription>
B.6.5 Error inserting summary data into the database
If an error is encountered while writing aggregation data into the database, the following internal event is generated.
The following events relate to the mapping service.
B.7.1 Error
Table B-51 Database Aggregation - Error
Severity:
Event Name: error
Resource:
SubResource:
Message: Error while updating map data: {0}
B.7.2 Error Applying Incremental Update
This event is sent when the mapping service fails to apply an update to an existing client map.
Table B-52 Database Aggregation - Error Applying Incremental Update
...
Message: Error initializing map with id <ID>: no such map
B.7.4 Error Refreshing Map
This internal event is generated from the client side of the mapping service (the one that is part of the Collector Manager). When the Collector Manager is told to refresh the map because it has been modified or its definition has changed, it sends an internal event.
Resource:
SubResource:
Message: Retrieving size for file <fileName>
B.7.7 Loaded Large Map
This internal event is an informational event sent by the mapping service to indicate that a large map was loaded to the Collector Manager. A map is considered large if the number of rows exceeds 100,000.
Table B-59 Database Aggregation - Out Of Sync Detected
Severity:
Event Name: OutOfsyncDetected
Resource: MappingService
SubResource: ReferentialDataObjectMap
Message: Map <mapName> detected the map data is out-of-sync, probably because of a missed update notification--scheduling a refresh
B.7.10 Refreshing Map from Cache
This internal event is generated from the client side of the mapping service (the one that is part of the Collector Manager).
Message: Refreshing from server map <name> with id <ID>
B.7.12 Save Data File
Table B-62 Database Aggregation - Save Data File
Severity:
Event Name: saveDataFile
Resource:
SubResource: MapService
Message: Saving data file {0}, backup? {1}
B.7.13 Saved Data File
Table B-63 Database Aggregation - Saved Data File
...
Resource: MappingService
SubResource: ReferentialDataObjectMap
Message: Map <name> timed out waiting for callback with new map data--retrying
B.7.15 Timeout Refreshing Map
This internal event is generated from the client side of the mapping service (the one that is part of the Collector Manager).
B.7.17 Update
Table B-67 Database Aggregation - Update
Severity:
Event Name: update
Resource:
SubResource: (low)
Message: Updating map data (ser)
B.8 Event Router
The following events relate to the Event Router.
B.8.1 Event Router is Initializing
This event is sent when an event router starts its initialization. The event router starts initializing when it has established a connection with the backend (DAS Query).
Table B-69 Event Router - Event Router is Running
Severity:
Event Name: EventRouterIsRunning
Resource: CollectorManager
B.8.3 Event Router is Stopping
This event is sent when the event router receives a request to stop during shutdown.
Table B-70 Event Router - Event Router is Stopping
Severity:
...
B.9.4 Correlation Engine is Stopped
This event is sent out when the engine changes state from running to stopped.
Table B-75 Correlation Engine - Correlation Engine is Stopped
Severity:
Event Name: EngineStopped
Resource: CorrelationEngine
SubResource: CorrelationEngine
Message: Correlation Engine has stopped processing events.
B.9.5 Correlation Rule
Table B-76 Correlation Engine - Correlation Rule
...
B.9.10 Rename Correlation Engine
Table B-81 Correlation Engine - Rename Correlation Engine
Severity:
Event Name: renameCorrEngine
Resource: CorrelationManagementService
SubResource: CorrelationManagementService
Message: Rename Engine to: <name> with EngineId: <ID>
B.9.11 Rule Deployment is Modified
This event is sent out when an engine successfully reloads a rule deployment. This message is sent out regardless of the engine's running state.
B.9.13 Rule Deployment is Stopped
This event is sent out when an engine successfully unloads a rule deployment. This message is sent out regardless of the engine's running state.
Table B-84 Correlation Engine - Rule Deployment is Stopped
Severity:
Event Name: DeploymentStopped
Resource: ...
B.9.16 UnDeploy All Rules From Engine
Table B-87 Correlation Engine - UnDeploy All Rules From Engine
Severity:
Event Name: undeployAllRulesFromEngine
Resource: CorrelationManagementService
SubResource: CorrelationManagementService
Message: Undeploy all rules from Engine:
B.9.17 UnDeploy Rule
Table B-88 Correlation Engine - UnDeploy Rule
Severity:
Event Name: ...
B.10.10 No Data Alert
Table B-99 Event Source Management (General) - No Data Alert
Severity:
Event Name: NoDataAlert
Resource: CollectorManager
SubResource: objectName
Message: No data received for {7} {0} (ID {1}) for last {2} days {3} hrs {4} min {5} sec (threshold {6} ms)
B.10.11 Persistent Process Died
The Collector Engine sends this event when the persistent process connector detects that its controlled...
B.10.13 Port Start
The Collector Manager sends this event when a port is started.
Table B-102 Event Source Management (General) - Port Start
Severity:
Event Name: PortStart
Resource: AgentManager
SubResource: AgentManager
Message: Processing started for port_<port ID>
B.10.14 Port Stop
The Collector Manager sends this event when a port is stopped.
Message: Stop EventSourceServer: <eventSourceServerID>
B.13.3 Stop Event Source Server
Table B-120 Event Source Management (Event Source Servers) - Stop Event Source Server
Severity:
Event Name: stopEventSourceServer
Resource: EventSourceManagement
SubResource: EventSourceManagerService
Message: Stop EventSourceServer: <eventSourceServerID>
B.14 Event Source Management - Connectors
The following events relate to Event Source Management - Connectors.
B.14.1 Data Received After Timeout
When the File Connector is configured with a DataTimeout greater than 0 in the file...
Table B-122 Event Source Management (Connectors) - Data Timeout
Severity:
Event Name: FileTimeout
Resource: FileConnector
SubResource: FileConnector
Message: Event source <File Event Source ID> reached time out of <Timeout Period> when processing file <File Location>.
B.14.3 File Rotation
When the File Connector is configured to use file rotation and the Connector changes from one file to the next, the following internal event is generated.
B.15.1 Active View Created
DAS_Binary sends this event when an Active View is created.
Table B-128 Active View - Active View Created
Severity:
Event Name: RtChartCreated
Resource: RealTimeSummaryService
SubResource: ChartManager
Message: Creating new Active View with filter <filter> and attribute <attribute> for users with security filter <security filter>.
SubResource: ChartManager
Message: Active View with filter <filter> and attribute <attribute> for users with security filter <security filter> is no longer permanent.
B.15.4 Active View Now Permanent
DAS_Binary sends this event when it detects that an Active View has newly become permanent. This check happens periodically, so it can be several minutes after an Active View is saved to preferences before this event is generated.
Table B-133 Active View - Idle Permanent Active View Removed
Severity:
Event Name: RtPermanentChartRemoved
Resource: RealTimeSummaryService
SubResource: ChartManager
Message: Removed idle permanent Active View with filter <filter> and attribute <attribute> for users with security filter <security filter>. Currently <n> Active View(s) Collecting.
B.16.3 Viewing Configuration Store
Table B-136 Data Objects - Viewing Configuration Store
Severity:
Event Name: New/Update/Remove
Resource:
SubResource: ViewConfigurationStore
Message: name <name> type <type> description <description>
B.16.4 Write Data
Table B-137 Data Objects - Write Data
Severity:
Event Name: WriteData
Resource: ListService
...
B.18.5 Creating User
Table B-145 Incidents and Workflow - Creating User
Severity:
Event Name: createUser
Resource: WorkflowServices
SubResource: WorkflowObjectMgrService
Message: Creating User in WorkFlow: {0} with firstname: <firstName> lastname : <lastName>
B.18.6 Delete Incident
Table B-146 Incidents and Workflow - Delete Incident
Severity:
...
B.18.8 Deleting Process Definition
Table B-148 Incidents and Workflow - Deleting Process Definition
Severity:
Event Name: deleteProcessDefinition
Resource: WorkflowServices
SubResource: WorkflowObjectMgrService
Message: Deleting iTRAC Template <ID>
B.18.9 Deleting User
Table B-149 Incidents and Workflow - Deleting User
Severity:
Event Name: deleteUser
Resource: ...
B.18.11 Get Incident
Table B-151 Incidents and Workflow - Get Incident
Severity:
Event Name: getIncident
Resource: IncidentService
SubResource: IncidentService
Message: Get incident with ID: <ID>
B.18.12 Save Incident
Table B-152 Incidents and Workflow - Save Incident
Severity:
Event Name: saveIncident
Resource: IncidentService
...
B.18.14 Saving Process Definition
Table B-154 Incidents and Workflow - Saving Process Definition
Severity:
Event Name: saveProcessDefinition
Resource: WorkflowServices
SubResource: WorkflowObjectMgrService
Message: Saving iTRAC Template <name>
B.18.15 Viewing Process Definition
Table B-155 Incidents and Workflow - Viewing Process Definition
Severity:
Event Name: ...
B.19.2 Controlled Process is started
Watchdog runs as a service. Its main purpose is to keep Sentinel processes running. If a process dies, Watchdog automatically restarts that process. This event is sent out when a process is started.
Table B-157 General - Controlled Process is started
...
B.19.5 Importing Plugin
Table B-160 General - Importing Plugin
Severity:
Event Name: importPlugin
Resource:
SubResource: PluginRepositoryService
Message: Import plugin <name> (ID <ID>) of type <type>.
B.19.6 Load Esec Taxonomy To XML
Table B-161 General - Load Esec Taxonomy To XML
Severity:
Event Name: ...
B.19.8 Process Restarts
Table B-163 General - Process Restarts
Severity:
Event Name: ProcessRestart
Resource: Sentinel
SubResource: Process
Message: Process <ProgramName> spawned (command <pID>)
B.19.9 Proxy Client Registration Service (medium)
Table B-164 General - Proxy Client Registration Service (medium)
Severity:
Event Name: registerClient
...
B.19.11 Restarting Processes
Table B-166 General - Restarting Processes
Severity:
Event Name: restartProcesses
Resource: SentinelHealth
SubResource: SentinelHealthService
Message: Restarting <number> processes: <number> name <name> server <name> server ID <ID>;
B.19.12 Starting Process
Table B-167 General - Starting Process
Severity:
Event Name: startProcess
...
B.19.14 Stopping Process
Table B-169 General - Stopping Process
Severity:
Event Name: stopProcess
Resource: SentinelHealth
SubResource: SentinelHealthService
Message: Stopping process <name> on Sentinel server <name> UUID {2}
B.19.15 Stopping Processes
Table B-170 General - Stopping Processes
Severity:
Event Name: stopProcesses
Resource: SentinelHealth
...
Table B-172 General - Watchdog Process is started
Severity:
Event Name: ProcessStart
Resource: WatchDog
SubResource: WatchDog
Message: WatchDog Service Starting
B.19.18 Watchdog Process is stopped
When the Watchdog service is stopped, the following internal event is generated.
Table B-173 General - Watchdog Process is stopped
Severity:
...