53.6 Configuring Sentinel Log Management for IGA

You can monitor and manage the connection between Sentinel Log Management for IGA (Sentinel) and the event sources that provide data to Sentinel, such as Identity Reporting and OSP. The Event Source Management (Live View) in Sentinel helps you accomplish this.

53.6.1 Checking for Sentinel Events

  1. Log in to the Sentinel Main interface as an administrator.

    https://<IP_Address/DNS_Sentinel_server:8443>/sentinel/views/main.html

  2. In the toolbar, click Applications > Launch Control Center.

    or

    In the toolbar, click Collection > Advanced > Launch Control Center.

  3. Log in to Sentinel Control Center.

  4. In the toolbar, click Event Source Management > Live View.

53.6.2 Configuring the Collector Instances in Sentinel

In the Event Source Management view, manually configure the following collectors:

NetIQ iManager and NetIQ One SSO Provider (OSP)

See Step 7 of the Quickstart Collector Configuration section on the Sentinel Plug-ins website. The process for configuring both collectors is the same.

NetIQ Self Service Password Reset

See the Manual Event Source Configuration section on the Sentinel Plug-ins website.

53.6.3 Configuring Event Data Retention

Event Data Retention controls the duration for which Sentinel keeps different types of event data in the system before deletion.

  1. Log in to the Sentinel Web interface as an administrator.

  2. Click Storage > Events.

  3. In the Data Retention section, select Default Data Retention and then click Edit.

  4. Specify the following information to edit the event data retention:

    Policy name: Specify the name of the data retention policy.

    Keep at least: Specify the minimum duration for which the events will be persisted in the Sentinel system. The default value is 7 days.

    The value must be a valid positive integer.

    Keep at most: Specify the maximum duration for which the events will be persisted in the Sentinel system. The default value is 21 days.

    The value must be a valid positive integer and must be greater than or equal to the Keep at least value.

  5. Click Save.

53.6.4 Configuring Disk Space Usage for Sentinel

  1. Log in to the Sentinel Main interface as an administrator.

  2. Click Storage > Events.

  3. In the Disk Space Usage section, specify the following values in the Primary storage utilization field:

    • Start deleting data from primary storage when __% full: Specify the threshold at which the event data deletion process should start.

    • Stop when __% full: Specify the threshold below which the disk space cleanup process should stop. The amount of freed disk space should be sufficient to store an additional full day's worth of event data.

53.6.5 Configuring Raw Data Retention Policy in Sentinel

The Raw Data Retention policy determines the duration for which Sentinel keeps the raw data in the system before deletion. The policy is turned off by default. When you enable the policy, ensure that you set the value for raw data retention according to your requirements. Setting a higher value for raw data retention consumes more disk space.

You can modify the Keep at most and Keep at least values, which determine the maximum and minimum number of days to keep the raw data files in the system. All files that exceed the retention time are permanently removed from the data storage.

  1. Log in to the Sentinel Main interface as an administrator.

  2. Click Storage > Events.

  3. In the Data Retention section, select Raw Data Retention and then click Edit.

  4. Specify the following information to edit the raw data retention:

    Keep at least: Specify the minimum duration for which the raw data will be persisted in the Sentinel system.

    The value must be a valid positive integer.

    Keep at most: Specify the maximum duration for which the raw data will be persisted in the Sentinel system.

    The value must be a valid positive integer and must be greater than or equal to the Keep at least value.

53.6.6 Configuring the Sentinel Link Connection

You can forward events from NetIQ Sentinel to Sentinel Log Management for IGA. In a Sentinel Link Solution setup, the Sentinel system that forwards the events is called the sender and the Sentinel system that receives the events is called the receiver. You can simultaneously link multiple Sentinel systems to a single receiver system. To configure a Sentinel link, you need to configure at least two systems: the sender machine and the receiver machine. For more information on configuring Sentinel Link, see the Sentinel Link Overview Guide.