1.1 Sentinel Integrated Architecture

Sentinel is a security information management and compliance monitoring solution that monitors, responds to, and reports on security and compliance events. Sentinel easily integrates with NetIQ Identity Manager so you get automated, real-time security management and compliance monitoring across all systems and networks. The Sentinel-Identity Manager framework provides automatic documenting and reporting of security, systems, and access events across the enterprise; built-in incident management and remediation; and the ability to demonstrate and monitor compliance with internal policies and government regulations.

The following diagram illustrates the Identity Manager logging and reporting architecture when integrated with Sentinel.

Figure 1-1 Identity Manager and Sentinel Integrated Architecture

  1. An Identity Manager event occurs and is sent to the Platform Agent. To capture all Identity Manager events, the Platform Agent must be installed and configured on each Identity Manager server.

  2. (Conditional) If the Platform Agent cannot connect to the Event Source Server, the events are stored in cache until the connection is reestablished.

  3. The Platform Agent sends the events to the Event Source Server, which stores the events in the audit queue.

  4. The events in the audit queue are sent to the NetIQ Audit Connector.

  5. The NetIQ Audit Connector sends the events to the Identity Manager Collector, which parses the information and then stores the parsed events in the data store.

  6. The stored events are displayed through Crystal Reports.

For a thorough discussion of the Sentinel architecture, see “Appendix A Sentinel Architecture” in the NetIQ Sentinel User’s Guide.