2.23 NetIQ Sentinel

The NetIQ (formerly Novell) Sentinel Adapter allows Correlation Rule events to be communicated from Sentinel into Operations Center.

Some additional configurations are necessary to integrate with Sentinel:

For more information about the Sentinel Generic Event Forwarder, see Sentinel Plug-ins.

To integrate NetIQ Sentinel:

  1. To integrate with Novell Sentinel 6, do the following:

    1. To configure a Sentinel SMTP Integrator, do the following:

      1. From the Sentinel Control Center, click Tools and select Integrator Manager.

      2. Select the SMTP Integrator to be used for the Sentinel Adapter.

      3. Click the Connection panel.

      4. Specify the Host, including the IP address of the Managed Objects server, and the Port used by the Sentinel Adapter to receive events.

      5. Test and save the configuration.

    2. To configure the Generic Event Forwarder, do the following:

      1. From the Sentinel Control Center, click Tools and select Action Manager.

      2. Select Manage Plugins and click the + icon to add the action.

      3. Select the Import an Action Plugin File radio button.

      4. Click Next.

      5. Browse to the .zip file for the Generic Event Forwarder and click Open.

      6. Click Next.

      7. Review the information for the action.

      8. Click Finish.

      9. Close the Action Plugin Manager panel.

      10. From the Action Manager panel, click the + icon to add another action.

      11. Specify the name for the new action (for example, Forward Events to Operations Center), and select the Generic Event Forwarder from the Action drop-down list.

      12. Select the Sentinel Mail / SMTP Integrator (configured to connect to the Sentinel Adapter) from the Integrator drop-down list.

      13. Select the following values for the action in the Integrator: Sentinel Mail column values drop-down list:

        • Display Format: JSON

        • Display Data: All Data

        • From Address: Specify the from address.

        • To Address: Specify the to address.

        • Subject: Specify the subject line.

        • Display Events: All Events

      14. Click Save.

      15. Close the Action Manager panel.

  2. To integrate with NetIQ Sentinel 7, do the following:

    1. Download the following files from the JSON-lib Download Web site, and save them to the /OperationsCenter_install_path/integrations/ext/Sentinel directory:

      • json-lib-2.2.2-jdk15.jar

      • json-lib-ext-spring-1.0.2.jar

      For more information about JSON-lib, see the JSON-lib Web site.

    2. Verify that the following JSON-lib dependencies are in your classpath:

      • jakarta commons-lang 2.5

      • jakarta commons-beanutils 1.8.0

      • jakarta commons-collections 3.2.1

      • jakarta commons-logging 1.1.1

      • ezmorph 1.0.4

      For more information about dependencies, see the JSON-lib Web site.

    3. Download the following files from your Sentinel Server at https://<SENTINEL SERVER IP ADDRESS>:8443/SentinelRESTServices/apidoc/DataObjectAPI.html, and save them to the /OperationsCenter_install_path/integrations/ext/Sentinel directory:

      • sentinel-client-base.jar

      • sentinel-client-base-java.jar

      • sentinel-client-beans.jar

      • sentinel-client-wfbeans.jar

    4. To configure Sentinel to log to the Operations Center Sentinel Adapter via Syslog, do the following:

      1. From the Sentinel Control Center, click Configuration and select Integration Manager.

      2. Under Integrators, select Syslog.

      3. Select the Server Configuration tab in the right panel.

      4. Enter the IP address of the Operations Center server used by the Sentinel adapter to receive events in the Host field.

      5. Select TCP from the Protocol drop-down list.

      6. Specify the port number in the Port field.

        This must be the same port as specified in the Listener Port property for the Sentinel 7 Adapter in Operations Center.

      7. Click Save.

      8. From the Sentinel Control Center, click Configuration and select Action Manager.

      9. Select Log to Syslog and click View/Edit.

      10. Select Event Forwarder in the Action drop-down list.

        Then, define the following values in the Action Plug-in To Execute list:

        • Integrator: Syslog

        • Display Format: JSON

        • Display Data: All Data

        • Display Events: All Events

      11. Click Save.

      12. Close the Action Manager panel.

    5. To configure a Sentinel Event Routing Rule, do the following:

      1. Open the Sentinel Web console by entering the following URL in a Web browser:

        https://SentinelServerAddress:PortNumber

      2. On the toolbar, click Routing. The Event Routing tab opens.

      3. Click Create.

      4. Specify the name of the routing rule in the Name field.

        For example, All Correlation Events.

      5. Enter st:C in the Filter field.

      6. Verify the All radio button is selected for the Route the following services option.

      7. Select Log to Syslog in the Perform the following actions drop-down list.

      8. Verify that the information for the TCP Syslog Server Connection and Port, configured in Step 2.4, is correct.

      9. Click Save.

      10. Verify that New Event Routing Rule is selected for the Enabled setting.

  3. Create an adapter for each instance of Novell Sentinel on the network. To integrate with Sentinel 7, select NetIQ Sentinel 7 for the adapter type. For Sentinel 6, select Novell Sentinel for the adapter type.

    For information on creating an adapter, see Section 5.1, Creating an Adapter.

    For more information about Novell Sentinel adapter properties, see Section A.27, NetIQ Sentinel.
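
A stand-in receiver for checking the Sentinel 7 syslog path configured above (Display Format: JSON, sent over TCP to the Listener Port) before the adapter is attached. This is an added example, not NetIQ code; the handling of both TCP syslog framings, the assumption that the JSON object follows the syslog header, and the "st" key name (taken from the st:C routing filter) are assumptions.

```python
import json
import socket
import sys

def split_frames(buf):
    """Split a TCP syslog stream into (messages, unconsumed_tail).
    Handles both RFC 6587 framings: octet-counted and newline-delimited."""
    msgs = []
    while buf:
        head, sep, rest = buf.partition(b" ")
        if sep and head.isdigit():          # octet-counted: "<len> <msg>"
            n = int(head)
            if len(rest) < n:
                break                       # incomplete: wait for more bytes
            msgs.append(rest[:n])
            buf = rest[n:]
        else:                               # newline-delimited: starts "<PRI>"
            line, nl, rest = buf.partition(b"\n")
            if not nl:
                break
            if line.strip():
                msgs.append(line.rstrip(b"\r"))
            buf = rest
    return msgs, buf

def extract_event(msg):
    """Return the JSON object carried in one syslog message, or None."""
    text = msg.decode("utf-8", errors="replace")
    try:
        obj, _ = json.JSONDecoder().raw_decode(text[text.index("{"):])
    except ValueError:                      # no "{" found or malformed JSON
        return None
    return obj if isinstance(obj, dict) else None

def is_correlation(event, key="st"):        # key name is an assumption
    return isinstance(event, dict) and event.get(key) == "C"

def listen(host, port):                     # stand-in for the adapter
    with socket.create_server((host, port)) as srv:
        conn, peer = srv.accept()
        with conn:
            buf = b""
            while chunk := conn.recv(4096):
                msgs, buf = split_frames(buf + chunk)
                for ev in map(extract_event, msgs):
                    print(peer[0], "st:C" if is_correlation(ev) else "other", ev)

if __name__ == "__main__":
    listen(sys.argv[1], int(sys.argv[2]))   # bind address, Listener Port
```

Run it with the bind address and the Listener Port value as arguments while the Sentinel 7 adapter is stopped, then trigger a correlation rule; a line tagged `st:C` confirms that the routing rule and Syslog integrator deliver parseable JSON.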