The Sentinel Log Manager is preconfigured to accept syslog data from syslog event sources that send data over TCP (port 1468), UDP (port 1514), or SSL (port 1443). Additionally, if your firewall is enabled and supports iptables, Sentinel Log Manager automatically forwards events arriving on UDP port 514 to port 1514.
To get started with syslog data collection, configure your syslog event sources to send their data to one of these ports. When Sentinel Log Manager receives data from your event sources, it automatically chooses the best Collector to parse the data, parses the data into events, and stores the event and raw data in the configured archive location. You can also configure Sentinel Log Manager to listen on additional ports.
The following sections describe how you can configure the event sources to send data to the Sentinel Log Manager and how you can configure new syslog ports to receive data:
When you point your syslog event sources to Sentinel Log Manager, it automatically creates an event source entry to track data that is being received from the event source and to allow you to manage how the data is processed. An entry is created for each unique IP address or hostname that appears in the header portion of the syslog messages. This entry enables you to identify the machines that are generating the syslog messages, regardless of whether they are being aggregated by a syslog relay or not.
The Sentinel Log Manager web interface allows you to configure ports to listen on to receive syslog data.
To add or remove syslog servers, use the Event Source Management interface. For more information, see Launching Event Source Management.
In the section, you can start or stop data collection for each of the syslog server ports by using the on or off options next to them.
1. Log in to the Sentinel Log Manager as an administrator.
2. Click the link in the upper left corner of the page. The tab is displayed on the right pane of the page.
3. Select the tab.
4. In the section, specify the TCP, UDP, and SSL port numbers for the syslog servers. The default ports for TCP, UDP, and SSL are 1468, 1514, and 1443 respectively.
5. To start or stop data collection for each syslog server, select the on or off option next to it.
6. To change the port values, specify a valid port value. The following table describes the status messages displayed after you enter a valid or invalid port value.
7. Set the appropriate client authentication and server key pair settings for the SSL syslog server. For more information on setting the client authentication, see Configuring Client Authentication for the SSL Syslog Server.
8. Click to change the specified settings back to the previous settings before saving them. Click to save the new settings. The button is disabled until a valid port is specified for all the servers.
This section describes how to configure the type of client and server authentication for syslog servers that use SSL.
The client authentication settings determine how strictly the SSL syslog server verifies the identity of syslog event sources that attempt to send their data. Use the strictest client authentication policy that is applicable in your environment, to prevent rogue syslog event sources from sending undesired data into Sentinel Log Manager.
Open: No authentication is required. Sentinel Log Manager does not request, require, or validate a certificate from the event source.
Loose: A valid X.509 certificate is required from the event source, but the certificate is not validated. It does not need to be signed by a certificate authority.
Strict: A valid X.509 certificate is required from the event source, and it must be signed by a trusted certificate authority. If the event source does not present a valid certificate, Sentinel Log Manager does not accept its event data.
For strict authentication, you must have a truststore that contains either the certificate of the event source or the certificate of the certificate authority (CA) that signed the event source certificate. After you have a DER or PEM certificate, you can create the truststore by using the CreateTruststore utility that comes with Log Manager.
1. Log in to the Sentinel Log Manager server as novell.
2. Go to /opt/novell/sentinel_log_mgr_1.0_x86/data/updates/done.
3. Extract the syslog_connector.zip file:
   unzip syslog_connector.zip
4. Either copy the TruststoreCreator.sh or TruststoreCreator.bat file to the machine with the certificates, or copy the certificates to the machine with the TruststoreCreator utility.
5. Run the TruststoreCreator.sh utility:
   TruststoreCreator.sh -keystore /tmp/my.keystore -password password1 -certs /tmp/cert1.pem,/tmp/cert2.pem
   In this example, the TruststoreCreator utility creates a keystore file called my.keystore that contains two certificates (cert1.pem and cert2.pem). It is protected by the password password1. This keystore file is the truststore that you then import into Sentinel Log Manager.
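Before running TruststoreCreator for Strict authentication, it is worth confirming that each event-source certificate actually chains to the CA you intend to trust, since a self-signed certificate that Loose mode would accept must be rejected by Strict mode. The following shell script is an added example, not part of the Sentinel Log Manager documentation or of the TruststoreCreator utility; it assumes the openssl command-line tool is installed, and the file names (ca.pem and the source certificates) are placeholders chosen by the caller.

```shell
#!/bin/sh
# Added example; not part of the Sentinel Log Manager documentation or TruststoreCreator.
# Pre-checks for certificates about to go into a Strict-mode truststore: convert DER to PEM
# where needed, confirm each event-source certificate chains to the intended CA, and show
# what is being trusted. Requires the openssl CLI; file names are caller-supplied placeholders.

# Copy or convert certificate $1 to the PEM file $2. The page allows DER or PEM input;
# the chain check below needs PEM.
to_pem() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Return 0 only if certificate $2 is signed by (chains to) the CA certificate $1.
# A self-signed event-source certificate, which Loose mode accepts, fails here.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Show subject, issuer and expiry so the operator sees exactly what enters the truststore.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Check every certificate after the CA argument; return non-zero if any does not chain.
# Usage: ./check_sources.sh ca.pem source1.pem source2.der ...
check_sources() {
    ca=$1; shift
    rc=0
    for f in "$@"; do
        pem=$(mktemp)
        to_pem "$f" "$pem"
        if chains_to_ca "$ca" "$pem"; then
            echo "OK   $f"
            describe_cert "$pem"
        else
            echo "FAIL $f does not chain to $ca; keep it out of the Strict truststore" >&2
            rc=1
        fi
        rm -f "$pem"
    done
    return $rc
}

# Run the check only when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 2 ]; then
    check_sources "$@"
fi
```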
For strict authentication, the administrator can import a truststore by using the button. This helps ensure that only authorized event sources are sending data to Log Manager. The truststore must include either the event source certificate or the certificate of the certificate authority that signed it.
The following procedure must be run on the machine that has the truststore on it. You can open a Web browser on the machine with the truststore or move the truststore to any machine with a Web browser.
To import a truststore:
1. Log in to the Sentinel Log Manager as an administrator.
2. Click the link at the upper left corner of the page. The tab is displayed on the right pane of the page.
3. Click the tab.
4. In the Syslog Server section, select the option under .
5. Click and browse to the truststore file (for example, my.keystore).
6. Specify the password for the truststore file.
7. Click .
8. If desired, click to see more information about the truststore.
9. Click to change the specified settings back to the previous settings before saving them.
10. Click .
After the truststore is imported successfully, you can click to see the certificates included in the truststore.
The Sentinel Log Manager is installed with a built-in certificate that is used to authenticate the Sentinel Log Manager server to the event sources. This certificate can be overridden with a certificate signed by a public certificate authority (CA).
To replace the built-in certificate:
1. Log in to the Sentinel Log Manager as an administrator.
2. Click the link at the upper left corner of the page. The tab is displayed on the right pane of the page.
3. Select the tab.
4. In the Syslog Server section, under , select .
5. Click and browse to the truststore file.
6. Specify the password for the truststore file.
7. Click .
8. If there is more than one public-private key pair associated with the file, select the desired key pair, and click .
9. Click to see more information about the server key pair.
10. Click to change the specified settings back to the previous settings before saving them.
11. Click .
NOTE: The instructions in this section assume that your firewall is enabled and is compatible with the iptables command. If this is not the case, your firewall configuration interface most likely offers options to configure the same port forwarding described here.
Because Sentinel Log Manager runs as the novell user, it cannot directly listen on ports below 1024. To listen on a port below 1024, use port forwarding to redirect the data to a port that Sentinel Log Manager can listen on directly. Sentinel Log Manager comes with the Install_Directory/bin/config_firewall.sh script to help you set up port forwarding. This script contains an example command that forwards UDP port 514 to port 1514. The script is run automatically every time the Sentinel Log Manager service startup script, /etc/init.d/sentinel_log_mgr, is executed with the start option by the root user.
You must run the following port forwarding command as root:
iptables -t nat -A PREROUTING -p <protocol> --destination-port <incoming port> -j REDIRECT --to-ports <target port>
The following command is an example of how to forward events from the default syslog server port 514 to the Novell Sentinel Log Manager port 1514 for Syslog UDP traffic:
iptables -t nat -A PREROUTING -p udp --destination-port 514 -j REDIRECT --to-ports 1514
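If the rule above is appended unconditionally each time the service starts, a duplicate REDIRECT rule accumulates in the nat table on every restart, because iptables -A does not deduplicate. The following shell script is an added example, not the product's config_firewall.sh; it assumes an iptables version that supports the -C (check) option, and its redirect_rule_present function matches the normalized form that iptables -t nat -S PREROUTING prints (an explicit -m <protocol> match with --dport) rather than the --destination-port spelling typed on the command line.

```shell
#!/bin/sh
# Added example, not the product's config_firewall.sh. Forwards UDP 514 to 1514 as the
# page describes, but adds the REDIRECT rule only when it is not already present, so that
# running this at every service start does not stack duplicate rules in the nat table.

PROTO=${PROTO:-udp}
IN_PORT=${IN_PORT:-514}
TO_PORT=${TO_PORT:-1514}

# Read an `iptables -t nat -S PREROUTING` listing on stdin and return 0 if a REDIRECT rule
# for proto/in_port/to_port is in it. iptables prints the normalized form, which uses
# "-m <proto> --dport" rather than the "--destination-port" given on the command line.
redirect_rule_present() {
    proto=$1; in_port=$2; to_port=$3
    grep -Eq "^-A PREROUTING -p ${proto} -m ${proto} --dport ${in_port} -j REDIRECT --to-ports ${to_port}\$"
}

# Append the rule only if iptables -C (check) does not already find an identical one.
ensure_redirect() {
    proto=$1; in_port=$2; to_port=$3
    if iptables -t nat -C PREROUTING -p "$proto" --destination-port "$in_port" \
            -j REDIRECT --to-ports "$to_port" 2>/dev/null; then
        echo "REDIRECT $proto/$in_port -> $to_port already present"
        return 0
    fi
    iptables -t nat -A PREROUTING -p "$proto" --destination-port "$in_port" \
        -j REDIRECT --to-ports "$to_port"
    echo "REDIRECT $proto/$in_port -> $to_port added"
}

# Confirm the rule is really in the live nat table by parsing it with the same matcher.
verify_redirect() {
    iptables -t nat -S PREROUTING | redirect_rule_present "$1" "$2" "$3"
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root to modify the nat table" >&2; return 1; }
    ensure_redirect "$PROTO" "$IN_PORT" "$TO_PORT"
    verify_redirect "$PROTO" "$IN_PORT" "$TO_PORT" && echo "verified in nat PREROUTING"
}

# Modify the firewall only when invoked with "apply", so the functions can also be sourced.
case "${1:-}" in
    apply) main ;;
esac
```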