NOVELL SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 Manuals

Manuals and User Guides for NOVELL SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009. We have 1 NOVELL SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 manual available for free PDF download: User Manual

NOVELL SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual

NOVELL SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual (480 pages)

Brand: NOVELL | Category: Software | Size: 12.21 MB

Table of Contents

Table of Contents
5
About this Guide

17
1 Managing Sentinel 6.1 Rapid Deployment through the Web Interface

19
- Accessing the Novell Sentinel Web Interface
  19
- Applications and Installers
  19
- Reporting
  21
  - Running Reports
    21
  - Viewing Reports
    24
  - Scheduling a Report
    26
  - Managing Reports
    27
- Searching Events
  31
  - Running an Event Search
    31
  - Viewing Search Results
    34
  - Event Fields
    37
2 Sentinel Control Center

41
- Log in to the Sentinel Control Center
  41
  - Linux
    41
  - Windows
    41
- About Sentinel Control Center
  42
  - Active Views
    43
  - Incidents
    43
  - Itrac
    43
  - Analysis
    44
  - Admin
    44
  - Correlation
    44
  - Event Source Management
    44
  - Solution Packs
    45
  - Identity Integration
    45
- Introduction to the User Interface
  45
  - Menu Bar
    46
  - Toolbar
    46
  - Tabs
    48
  - Frames
    48
  - Using the Sentinel Control Center to Navigate
    48
  - Changing the Appearance of the Sentinel Control Center
    49
  - Saving User Preferences
    50
  - Changing Password
    50
  - Configuring the Attachment Viewer
    50
3 Active Views Tab

53
4 Correlation Tab

83
- Understanding Correlation
  83
  - Technical Implementation
    84
- Introduction to the User Interface
  85
- Correlation Rules
  85
- Dynamic Lists
  98
  - Adding a Dynamic List
    99
  - Modifying a Dynamic List
    100
  - Deleting a Dynamic List
    100
  - Removing Dynamic List Elements
    100
  - Using a Dynamic List in a Correlation Rule
    100
- Correlation Engine
  102
  - Starting or Stopping a Correlation Engine
    102
  - Renaming a Correlation Engine
    102
- Correlation Actions
  102
  - Configuring a Correlated Event
    103
  - Adding to a Dynamic List
    104
  - Removing a Value from a Dynamic List
    105
  - Executing a Command
    106
  - Creating an Incident
    107
  - Sending an E-Mail
    108
  - Imported Javascript Action Plugins
    108
5 Incidents Tab

109
- Understanding an Incident
  109
- Introduction to User Interface
  109
  - Incident View
    110
  - Incident
    110
- Manage Incident Views
  111
  - Adding a View
    111
  - Modifying a View
    114
  - Deleting a View
    115
  - Default View
    115
- Manage Incidents
  115
  - Creating Incidents
    115
  - Viewing an Incident
    116
  - Attaching Workflows to Incidents
    116
  - Adding Notes to Incidents
    117
  - Adding Attachments to Incidents
    117
  - Executing Incident Actions
    118
  - E-Mailing an Incident
    119
  - Modifying Incidents
    120
  - Deleting Incidents
    121
- Switch between Existing Incident Views
  121
6 Itrac Workflows

123
- Understanding Itrac Workflows
  123
- Introduction to the User Interface
  124
- Template Manager
  125
  - Default Templates
    125
- Template Builder Interface
  126
  - Creating Templates
    127
  - Managing Templates
    128
- Steps
  129
  - Start Step
    130
  - Manual Step
    130
  - Decision Step
    134
  - Mail Step
    134
  - Command Step
    134
  - Activity Step
    135
  - End Step
    136
  - Adding Steps to a Workflow
    136
  - Managing Steps
    136
- Transitions
  141
  - Unconditional Transitions
    141
  - Conditional Transitions
    142
  - Else Transitions
    146
  - Timeout Transitions
    146
  - Alert Transitions
    147
  - Error Transition
    148
  - Managing Transitions
    148
- Activities
  149
  - Incident Command Activity
    150
  - Incident Internal Activity
    151
  - Eradication Activity
    151
  - Incident Composite Activity
    151
  - Creating Itrac Activities
    151
  - Managing Activities
    154
- Process Management
  155
  - Instantiating a Process
    156
  - Automatic Step Execution
    156
  - Manual Step Execution
    157
  - Displaying Status
    157
  - Displaying the Status of a Process
    157
  - Changing Views in the Process Manager
    158
  - Starting or Terminating a Process
    159
7 Work Items

161
- Work Item Summary
  161
- Processing a Work Item
  164
  - Accepting and Completing a Work Item
    164
- Managing Work Items of Other Users
  165
8 Analysis Tab

167
- Introduction to the User Interface
  167
  - Top Ten Dashboard
    167
- Offline Query
  169
  - Creating an Offline Query
    169
  - Viewing, Exporting, or Deleting an Offline Query
    170
9 Event Source Management

171
- Understanding Event Source Management
  171
  - Using Event Source Management
    171
  - Plug-In Repository
    172
  - Auxiliary Files
    172
- Introduction to the User Interface
  172
  - Menu Bar
    173
  - Toolbar
    174
  - Zoom
    174
  - Frames
    175
- Live View
  180
  - Graphical ESM View
    180
  - Tabular ESM View
    182
  - Right-Click Menu
    182
- Components of Event Source Hierarchy
  184
  - Component Status Indicators
    185
  - Adding Components to the Event Source Hierarchy
    186
  - Collectors
    186
- Debugging
  202
- Exporting a Configuration
  210
- Importing a Configuration
  212
  - Enabling or Disabling the Import Configuration
    213
  - Resetting the Layout
    215
  - Undoing the Layout
    215
  - Redo Layout
    215
- Event Source Management Scratchpad
  216
- Comparing Sentinel 5.X and Sentinel 6.0
  216
10 Administration

219
- Understanding the Admin Tab
  219
- Introduction to the User Interface
  220
- Servers View
  221
  - Monitoring a Process
    222
  - Creating a Servers View
    222
  - Starting, Stopping, and Restarting Processes
    223
- Filters
  223
  - Public Filters
    223
  - Private Filters
    224
  - Global Filters
    224
  - Configuring Public and Private Filters
    227
  - Color Filter Configuration
    229
- Configure Menu Options
  232
- DAS Statistics
  238
- Mapping
  239
  - Adding Map Definitions
    241
  - Adding a Number Range Map Definition
    243
  - Editing Map Definitions
    246
  - Deleting Map Definitions
    246
  - Updating Map Data
    247
- Event Configuration
  249
  - Event Mapping
    249
  - Renaming Tags
    253
- Report Data Configuration
  254
- User Configurations
  259
  - Opening the User Manager Window
    259
  - Creating a User Account
    259
  - Modifying a User Account
    264
  - Viewing Details of a User Account
    264
  - Cloning a User Account
    264
  - Deleting a User Account
    264
  - Terminating an Active User Session
    264
  - Adding an Itrac Role
    265
  - Deleting an Itrac Role
    265
  - Viewing the Details of a Role
    265
11 Sentinel Data Manager

267
- Understanding the Sentinel Data Manager
  267
- Using the SDM GUI
  267
  - Prerequisites
    267
  - Starting the SDM GUI
    268
  - Connecting to the Database
    268
  - Partitions Tab
    269
  - Tablespaces Tab
    272
  - Partition Configuration
    273
  - Managing Disk Space Allocation
    275
- Using the SDM Command Line
  275
  - Prerequisite
    276
  - Syntax of the SDM Command
    276
  - Starting the SDM GUI
    276
  - Saving Connection Properties for Sentinel Data Manager
    276
  - Adding Partitions
    277
  - Dropping Partitions
    278
  - Viewing Partition Summaries
    279
  - Archiving Data
    280
  - Importing Data
    281
  - Deleting Imported Data
    282
  - Viewing Sentinel Database Space Usage
    283
12 Utilities

285
- Introduction to Sentinel Utilities
  285
- Starting and Stopping a Sentinel Server
  285
  - Starting a Sentinel Server
    286
  - Stopping a Sentinel Server
    286
- Sentinel Scripts
  286
  - Operational Scripts
    286
  - Troubleshooting Scripts
    287
- Version Information
  289
  - Executable Version Information
    289
  - Sentinel .Jar Version Information
    289
- Database Cleanup
  289
  - Components
    290
  - Prerequisites
    290
  - Running Clean_Database.sh
    290
- Updating Your License Key
  292
13 Quick Start

293
- Security Analysts
  293
  - Active Views Tab
    293
  - Exploit Detection
    294
  - Asset Data
    295
  - Event Query
    296
- Creating Incidents
  297
- Itrac
  298
  - Instantiating a Process
    298
- Correlation
  308
14 Solution Packs

311
- Components of a Solution Pack
  312
- Permissions for Using Solution Packs
  313
- Solution Manager
  314
  - Solution Manager Interface
    315
- Managing Solution Packs
  316
  - Importing Solution Packs
    317
  - Opening Solution Packs
    319
  - Installing Content from Solution Packs
    321
  - Implementing Controls
    325
  - Testing Controls
    326
  - Uninstalling Controls
    326
  - Viewing Solution Pack Status
    328
  - Deleting Solution Packs
    330
- Solution Designer
  331
  - Solution Designer Interface
    331
  - Connection Modes
    333
  - Creating a Solution Pack
    334
  - Managing Content Hierarchy Nodes
    335
  - Adding Content to a Solution Pack
    336
  - Documenting a Solution Pack
    338
  - Editing a Solution Pack
    339
- Deploying an Edited Solution Pack
  340
15 Action Manager and Integrator

341
- Action Manager
  341
- Action Plug-Ins
  343
  - Importing Javascript Action Plug-Ins
    343
  - Importing Javascript Files
    346
- Actions
  354
  - Creating Actions
    354
  - Editing Actions
    355
  - Deleting Actions
    355
  - Using Javascript Actions
    355
  - Developing Javascript Actions
    356
- Integrator Manager
  360
  - Permissions for Using Integrators
    361
- Integrator Plug-Ins
  362
  - Importing Integrator Plugins
    362
  - Deleting Integrator Plug-Ins
    362
- Integrators
  363
  - Creating an Integrator Instance
    363
  - Editing an Integrator Instance
    363
  - Deleting an Integrator Instance
    363
  - Integrator Connection Status
    363
  - Viewing Integrator Health Details
    364
  - Integrator Events Query
    365
  - Using Integrators from Actions
    367
16 Identity Integration

369
- Integration with Novell Identity Manager
  370
- Identity Browser
  373
  - Searching Profiles
    373
  - Viewing Profile Details
    374
  - Using the Clipboard Functionality
    377
- Reports
  377
17 Advisor Usage and Maintenance

379
- Understanding Advisor
  379
- Installing Advisor
  381
- Viewing Advisor Data
  381
  - Using Menu Options to View Data
    381
- Maintaining Advisor
  381
A Sentinel 6.1 Rapid Deployment Architecture

385
- Sentinel 6.1 Rapid Deployment Features
  385
- Functional Architecture
  385
- A.2 Functional Architecture
  385
- Architecture Overview
  387
  - Communication Server
    388
  - A.3.1 Communication Server
    388
  - Sentinel Events
    389
  - A.3.2 Sentinel Events
    389
  - Event Source Management
    393
  - Application Integration
    394
  - Time
    394
    
    A.3.4 Application Integration
    394
    
    A.3.5 Time
    394
  - System Events
    395
  - A.3.6 System Events
    395
  - Processes
    396
  - A.3.7 Processes
    396
- Logical Architecture
  398
  - A.4 Logical Architecture
    398
  - Collection and Enrichment Layer
    399
  - Business Logic Layer
    403
  - A.4.3 Presentation Layer
    409
  - Presentation Layer
    409
B System Events for Sentinel

413
- Authentication Events
  413
  - Authentication
    413
    
    B.1 Authentication Events
    413
    
    B.1.1 Authentication
    413
  - Creating Entry for External User
    414
  - Duplicate User Objects
    414
  - Failed Authentication
    414
  - B.1.4 Failed Authentication
    414
  - Locked Account
    415
  - B.1.5 Locked Account
    415
  - No such User Event
    415
  - Too Many Active Users
    416
  - User Discovered
    416
  - User Logged in
    416
    
    B.1.8 User Discovered
    416
    
    B.1.9 User Logged in
    416
  - User Logged out
    417
- User Management
  417
  - Add Users to Role
    417
    
    B.1.10 User Logged out
    417
    
    B.2 User Management
    417
    
    B.2.1 Add Users to Role
    417
  - Create Role
    418
  - Create User
    418
    
    B.2.2 Create Role
    418
    
    B.2.3 Create User
    418
  - Creating User Account
    418
  - Delete Role
    419
  - B.2.5 Delete Role
    419
  - Deleting User Account
    419
  - Locking User Account
    419
  - Remove Users from Role
    420
  - Resetting Password
    420
  - B.2.9 Resetting Password
    420
  - Unlocking User Account
    420
  - Updating User
    421
- Database Event Management
  421
  - B.2.11 Updating User
    421
  - B.3 Database Event Management
    421
  - Diskspace Usage Reached Lower Threshold
    422
  - Diskspace Usage Reached Upper Threshold
    422
  - Dropping the Oldest Partition
    422
  - Database Space Reached Specified Percent Threshold
    423
  - Database Space Reached Specified Time Threshold
    423
  - Failing to Drop Online Currentpartition
    423
  - Database Space very Low
    424
  - Error Inserting Events
    424
  - Error Moving Completed File
    424
  - Error Processing Event Message
    425
  - Error Saving Failed Events
    425
  - Event Insertion Is Blocked
    425
  - Event Insertion Is Resumed
    426
  - Event Message Queue Overflow
    426
  - Event Processing Failed
    426
  - B.3.18 Partition Configuration
    427
  - No Space in the Database
    427
  - Opening Archive File Failed
    427
  - Partition Configuration
    427
  - Writing to Archive File Failed
    428
  - Writing to the Overflow Partition (P_MAX)
    428
- Database Aggregation
  428
  - B.4 Database Aggregation
    428
  - B.4.1 Creating Summary
    429
  - B.4.2 Deleting Summary
    429
  - B.4.3 Disabling Summary
    429
  - Creating Summary
    429
  - Deleting Summary
    429
  - Disabling Summary
    429
  - Enabling Summary
    430
  - Error Inserting Summary Data into the Database
    430
  - Saving Summary
    430
- Mapping Service
  430
  - B.4.4 Enabling Summary
    430
  - B.4.5 Error Inserting Summary Data into the Database
    430
  - B.4.6 Saving Summary
    430
  - B.5 Mapping Service
    430
  - B.5.2 Error Applying Incremental Update
    431
  - Error
    431
  - Error Applying Incremental Update
    431
  - Error Initializing Map with ID
    432
  - Error Refreshing Map
    432
  - Error Saving Data File
    433
  - Get File Size
    433
  - Loaded Large Map
    433
  - Long Time to Load Map
    434
  - Out of Sync Detected
    434
  - Refreshing Map from Cache
    434
  - Refreshing Map from Server
    435
  - Save Data File
    435
  - Saved Data File
    436
  - Timed out Waiting for Callback
    436
  - Timeout Refreshing Map
    436
  - Update
    437
- Event Router
  437
  - B.5.16 Update
    437
  - B.5.17 Update
    437
  - B.6 Event Router
    437
  - Event Router Is Initializing
    438
  - Event Router Is Running
    438
  - Event Router Is Stopping
    438
  - Event Router Is Terminating
    439
- Correlation Engine
  439
  - Correlation Action Definition
    440
  - Correlation Engine Configuration
    440
  - Correlation Engine Is Running
    440
  - Correlation Engine Is Stopped
    441
  - Correlation Rule
    441
  - B.7.5 Correlation Rule
    441
  - Correlation Rule Configuration
    441
  - Deploy Rules with Actions to Engine
    442
  - Disabling Rule
    442
  - Enabling Rule
    442
    
    B.7.8 Disabling Rule
    442
    
    B.7.9 Enabling Rule
    442
  - Rename Correlation Engine
    443
  - Rule Deployment Is Modified
    443
  - Rule Deployment Is Started
    443
  - Rule Deployment Is Stopped
    444
  - Starting Engine
    444
  - Stopping Engine
    444
    
    B.7.14 Starting Engine
    444
    
    B.7.15 Stopping Engine
    444
  - Undeploy All Rules from Engine
    445
  - Undeploy Rule
    445
  - B.7.17 Undeploy Rule
    445
  - Update Correlation Rule Actions
    445
- Event Source Management:general
  445
  - Collector Manager Initialized
    446
  - Collector Manager Is down
    447
  - Collector Manager Started
    447
  - Collector Manager Stopped
    447
  - Collector Service Callback
    448
  - Cyclical Dependency
    448
  - B.8.6 Cyclical Dependency
    448
  - Event Source Manager Callback
    448
  - Initializing Collector Manager
    449
  - Lost Contact with Collector Manager
    449
  - No Data Alert
    449
  - B.8.10 no Data Alert
    449
  - Persistent Process Died
    449
  - Persistent Process Restarted
    450
  - Port Start
    450
  - Port Stop
    450
    
    B.8.13 Port Start
    450
    
    B.8.14 Port Stop
    450
  - Reestablished Contact with Collector Manager
    451
  - Restart Plugin Deployments
    451
  - Restarting Collector Manager (Cold Restart)
    452
  - Restarting Collector Manager (Warm Restart)
    452
  - Start Event Source Group
    452
  - Start Event Source Manager
    453
  - Starting Collector Manager
    453
  - Stop Event Source Group
    453
  - Stop Event Source Manager
    454
  - Stopping Collector Manager
    454
- Event Source Management-Event Sources
  454
  - Start Event Source
    454
  - Stop Event Source
    455
  - B.10.1 Start Collector
    455
- Event Source Management-Collectors
  455
  - Start Collector
    455
  - B.10.2 Stop Collector
    455
  - Stop Collector
    455
- Event Source Management-Event Source Servers
  456
  - Start Event Source Server
    456
  - Stop Event Source Server
    456
  - B.12.1 Data Received after Timeout
    457
- Event Source Management-Connectors
  457
  - Data Received after Timeout
    457
  - B.12.2 Data Timeout
    457
  - Data Timeout
    457
  - File Rotation
    458
  - B.12.3 File Rotation
    458
  - Process Auto Restart Error
    458
  - Process Start Error
    458
  - Process Stop
    459
  - WMI Connector Status Message
    459
    
    B.12.6 Process Stop
    459
    
    B.12.7 WMI Connector Status Message
    459
- Active Views
  459
  - Active View Created
    460
  - Active View Joined
    460
  - Active View no Longer Permanent
    460
  - Active View Now Permanent
    461
  - Idle Active View Removed
    461
  - Idle Permanent Active View Removed
    461
  - B.14.1 Activity Definition
    462
- Data Objects
  462
  - Activity Definition
    462
  - B.14.2 Configuration
    462
  - Configuration
    462
  - Viewing Configuration Store
    463
  - Write Data
    463
  - B.14.4 Write Data
    463
- Activities
  463
  - Creating an Activity
    464
  - Deleting an Activity
    464
  - Saving an Activity
    464
    
    B.15.1 Creating an Activity
    464
    
    B.15.2 Deleting an Activity
    464
    
    B.15.3 Saving an Activity
    464
- Incidents and Workflows
  464
  - Add Events to Incident
    465
  - Adding Process Definition
    465
  - Create Incident
    466
  - Creating Group
    466
  - Creating User
    466
    
    B.16.3 Create Incident
    466
    
    B.16.4 Creating Group
    466
    
    B.16.5 Creating User
    466
  - Delete Incident
    467
  - Deleting Group
    467
    
    B.16.6 Delete Incident
    467
    
    B.16.7 Deleting Group
    467
  - Deleting Process Definition
    467
  - Deleting User
    468
  - B.16.9 Deleting User
    468
  - E-Mail Incident
    468
  - Get Incident
    468
  - Save Incident
    469
  - Saving Group
    469
  - Saving Process Definition
    469
  - Send Incident to Hp Service Desk
    470
  - Send Incident to Hpovo
    470
  - Viewing Process Definition
    470
- General
  470
  - Configuration Service
    471
  - Controlled Process Is Started
    471
  - Controlled Process Is Stopped
    472
  - Importing Auxiliary
    472
  - Importing Plug-In
    472
    
    B.17.4 Importing Auxiliary
    472
    
    B.17.5 Importing Plug-In
    472
  - Load Esec Taxonomy to XML
    473
  - Process Auto Restart Error
    473
  - Process Restarts
    473
  - B.17.8 Process Restarts
    473
  - Proxy Client Registration Service (Medium)
    474
  - Restarting Process
    474
  - Restarting Processes
    474
  - Starting Process
    475
  - Starting Processes
    475
  - Stopping Process
    475
  - Stopping Processes
    476
  - Store Esec Taxonomy from XML
    476
  - Watchdog Process Is Started
    476
  - Watchdog Process Is Stopped
    477
C Documentation Updates

479
- September 2009
  479
- August 2009
  479
  - C.1 September 2009
    479
  - C.2 August 2009
    479

Advertisement

Advertisement

Related Products

NOVELL Categories

Software Server Print Server Gateway

Desktop

More NOVELL Manuals