4.1 Installing and Configuring the Audit Connector

To install the Audit Connector:

  1. Download the latest Audit Connector (.zip file) from the Sentinel Plug-ins Web site to the server where the Sentinel Control Center is running.

    The Audit Connector is located under the Connectors tab.

  2. Log in to the Sentinel Control Center.

  3. Select Event Source Management > Live View, then select Tools > Import plugin.

  4. Select the Import Collector Script or Connector plugin package file (.zip) option, then click Next.

  5. Browse to and select the .zip file you just downloaded, then click Next.

    The 6.1r9 version is bundled with Identity Manager 4.5. The latest version is 6.1r10. You must use the latest plug-ins available from the Sentinel Plug-ins Web site.

  6. Follow the remaining prompts, then click Finish.

You need to configure the Audit Connector for it to receive messages sent from Identity Manager to the Platform Agent. These events are then processed by the Identity Manager Collector.

There are multiple ways to configure the Audit Connector. The following instructions use the right-click menu items on the Event Source Management Graph view.

  1. Right-click the Identity Manager Collector, then click Add Connector.

  2. Select View Compatible Connection Methods Only.

  3. Select Audit from the list of installed connectors, then click Next.

  4. Click Add to add an Event Source server.

    The Event Source server is the server that is running the Platform Agent and Identity Manager.

  5. Select the network interface setting for the server running the Platform Agent and Identity Manager.

    • All network interfaces: Binds the port on all the IP addresses of the server, including the loopback address.

    • Internal loopback interface: Only binds the local loopback address.

    • Network interface with this IP: Binds the port only to the specified IP address.

  6. In the Port Number field, specify the SLS port, then click Next.

    The default port is 1289.

  7. Select the option for the client authentication type.

    • Open: Allows all SSL connections from the Platform Agent. It does not perform any client certificate validation or authentication.

    • Loose: Validates that the client certificate is a valid X.509 certificate, but does not check if the certificate is signed by a Certificate Authority.

    • Normal: Validates the certificate to be a valid X.509 certificate and also checks to see that the client certificate is signed by a Certificate Authority.

      This option requires a trust store to be imported. The trust store must have the client’s certificate and the Certificate Authority’s certificate. Click the Import button to import the trust store.

  8. Select whether you want to use the built-in server key pair or import server key pair, then click Next.

    The Audit Connector comes with a built-in certificate. You can use it or overwrite it with your own certificate.

  9. Select the behavior of the Event Source Server if it receives more events than the Collector can parse. The options are:

    • Drop connections: The Event Source Server drops existing connections and stops accepting new connections until the buffer has space for the new messages. This is the default behavior, because the Platform Agent performs caching when a connection is dropped.

    • Drop messages: The Event Source Server drops the oldest message in order to accept the new message. These dropped messages are lost and cannot be recovered.

  10. Select whether the Event Source Server disconnects an SSL connection with the Platform Agent if the connection is idle and does not send any data within the set number of minutes.

    If you select this option, you must specify the number of minutes to wait before it disconnects. The default value is 15 minutes.

  11. Select whether you want the Event Source Server to request the Platform Agent to send the signature of the event with the event, then click Next.

  12. Select Run to have the Event Source Server automatically start whenever the Collector Manager is restarted, then click Finish.

  13. Repeat Step 4 through Step 12 for each Identity Manager server.

    To capture all events in your environment, you must have an Event Source server for each Identity Manager, and the Identity Manager server must have the Platform Agent installed on it.

  14. Select the Event Source server to add to the Audit Connector, then click Next.

  15. Use the default policy or create a custom policy to automatically add or exclude individual source devices, then click Next.

    For more information, see “Auto Configuring Event Sources” in the Audit Connector Guide.

  16. Finish the configuration of the connector with the following information, then click Finish.

    • Name: Specify a name for this connector.

    • Run: Select whether the connector is started whenever the Collector Manager is started.

    • Alert if no data received in specified time period: (Optional) Select this option to send the No Data Alert event to Sentinel if no data is received by the connector in the specified time period.

    • Limit Data Rate: (Optional) Set a maximum limit on the rate of data the connector sends to Sentinel. If the data rate limit is reached, Sentinel throttles back on the source in order to limit the flow of data.

    • Set Filter: (Optional) Specify a filter on the raw data passing through the connector.

    • Save Raw Data to a File: (Optional) Save the raw data passing through this connector to a file for further analysis.
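
The difference between the Open, Loose, and Normal client authentication types in Step 7 can be reproduced offline with the openssl command-line tool. This is an added example, not part of the product documentation or the connector's own implementation: the certificates, the temporary directory, and the mode_accepts helper are constructed for illustration, and the checks approximate the three modes as they are described in Step 7.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway keys and certificates, generated in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed CA, standing in for the CA certificate held in the imported trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Client certificate issued by that CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=agent-signed" \
  -keyout "$WORK/signed.key" -out "$WORK/signed.csr" 2>/dev/null
openssl x509 -req -in "$WORK/signed.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/signed.pem" 2>/dev/null

# Self-signed client certificate that no CA in the trust store has issued.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=agent-selfsigned" \
  -keyout "$WORK/self.key" -out "$WORK/self.pem" 2>/dev/null

# Input that is not a certificate at all.
echo "not a certificate" > "$WORK/garbage.pem"

# mode_accepts MODE CERT TRUSTSTORE (hypothetical helper):
# exit status 0 if a listener in MODE would accept CERT.
mode_accepts() {
  case "$1" in
    Open)   return 0 ;;                                    # no client certificate validation
    Loose)  openssl x509 -in "$2" -noout >/dev/null 2>&1 ;; # parses as X.509, issuer not checked
    Normal) openssl x509 -in "$2" -noout >/dev/null 2>&1 &&
            openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 ;; # must also chain to the CA
    *)      return 2 ;;
  esac
}

# Print the acceptance matrix: one row per certificate and mode.
for cert in signed self garbage; do
  for mode in Open Loose Normal; do
    if mode_accepts "$mode" "$WORK/$cert.pem" "$WORK/ca.pem"; then r=accept; else r=reject; fi
    printf '%-8s %-7s %s\n' "$cert" "$mode" "$r"
  done
done
```

The self-signed certificate is accepted under Loose and rejected under Normal, so only Normal ties an incoming Platform Agent connection to a Certificate Authority in the trust store.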

Proceed to Section 5.0, Installing and Configuring the Platform Agent.