4.4 Managing Event Sources

The event sources interface displays the health of the event source and the volume of data being received from it in events per second. The Event Sources page lists all the event sources, such as Syslog, Audit, File, and Database, that are configured in the Event Source Management interface.

You can refine the displayed event sources by selecting Collector Managers, Event Source Servers, and Collector Plugins. You can also specify a filter on the event source name and select the particular event source health states you want to view. All of these refinement selections and filters are stored on a per-user basis, so that each time you log in to the Sentinel Log Manager server you see the event sources that match your last refinement selections.

To view the event sources:

  1. Log in to the Sentinel Log Manager as an administrator.

  2. Click the Collection link in the upper left corner of the page.

    The Collection tab is displayed on the right pane of the page.

  3. Click the Event Sources tab.

    The Event Sources page is displayed.

    The left pane of the Event Sources page has the following three sections:

    Collector Managers: Lists all of the Collector Managers associated with the Sentinel system.

    Event Source Servers: Lists all of the event source servers associated with the Sentinel system.

    Collector Plugins: Lists all of the Collector plug-ins associated with the Sentinel system.

    The Event Sources section at the right pane lists the event sources based on the options selected from the left pane.

    NOTE: The Event Sources page shows event sources that were already configured or automatically detected. To manually configure additional event sources, use the Event Source Management user interface described in Launching Event Source Management.

  4. In the Event Sources section, to select or deselect the event sources, click the check boxes next to the respective event source.

    To select all the available event sources, click the check box at the top of the column.

    To sort the event sources by Health, Name, Collector Plugin, Drop Data, Create Date, or EPS value, click the respective column header. The header of the column you clicked is displayed in bold text. When a column header is first clicked, the sort order is ascending, and a blue down arrow is displayed to indicate this. If the column header is clicked a second time, the sort order changes to descending, and a blue up arrow is displayed to indicate this.

    When you click the event source’s Name or EPS value, a pop-up is displayed with additional information about the event source. The pop-up displays the Event Source, Description, Time Zone, Collector Manager, Collector Plugin, Collector Instance, Event Source Server, Events Per Second, Start Time, Total Bytes Received, Events Received Last Interval, Bytes Received Last Interval, Interval, Last Time Bytes Received, Health, and Error fields with their values. When you click the Collector Plugin column, a pop-up is displayed with additional information about the collector plug-in.

    The following table explains each column of the event source table:

    Columns

    Description

    Health

    Shows the health of the event source. The colored icon indicates the event source health.

    Green: Indicates that the event source is healthy and Sentinel Log Manager has received data from it.

    Red: Indicates that the Sentinel Log Manager server is reporting an error about connecting to or receiving data from this event source.

    Gray: Indicates that the event source is turned off. The Sentinel Log Manager is not processing any data from it.

    Orange: Indicates that the event source is running with some warnings.

    You can sort the event sources based on their health status.

    Name

    The event source name is the name given to the event source by the system (if auto-created) or by a user. For syslog event sources, if the event source was auto-created by the system, the name will be a combination of the hostname/IP address and the collector connection mode the event source is using.

    You can rename any event source at any time through the Event Source Management interface.

    You can sort the event sources in alphabetical order based on their names.

    Collector Plugin

    Specifies the collector plug-in name the event source is connected to.

    NOTE: This is the name of the collector plug-in, not the name of the collector instance.

    You can sort the event sources based on collector plug-in name.

    Drop

    Specifies whether data from the associated event source should be dropped or not.

    YES: If Drop Data is set to YES, all data received from the event source is dropped. This means that the raw data will not be saved and events will not be generated.

    NO: If Drop Data is set to NO, all raw data from the event source is saved and events are generated. When set to NO, raw data is always saved, regardless of whether a filter is set on the event source using the Event Source Management user interface. However, if a filter is set, events may not get generated if the filter causes the data to be ignored.

    You can sort the event sources based on the drop data status.

    Create Date

    Specifies the date and time when the event source was created.

    You can sort the event sources based on when they were created.

    EPS

    Specifies the events per second value received from the event source. You can sort the event sources based on their events per second value.

    NOTE: If you see a value of less than one (<1) in this column, it indicates that the EPS rate is greater than zero, but less than one.

  5. To filter the event sources by name, type a name value in the filter text box, then click Filter.

    Matching is case-insensitive. The name value may contain wildcard characters: use * to match zero or more characters and ? to match exactly one character. If no wildcard characters are specified in the name value, the value is assumed to mean "contains <name value>", that is, *<name value>*.

    For example, a filter value of abc is interpreted as *abc*. Some common filter examples:

    • To match event source names that start with abc, enter the filter value abc*.

    • To match event source names that end with abc, enter the filter value *abc.

    • To match event source names that contain abc, enter the filter value abc or *abc*.

    The Event Sources table displays the list of event sources whose names match the value entered in the filter text box.

  6. To view the event sources based on the health status, select the Healthy, Warning, Error, and Offline check boxes.

    The Event Sources table displays the list of event sources with the selected health states.

    NOTE: If none of the health states are selected, no health state filtering is performed. This is equivalent to selecting all four health states.

  7. To display only event sources that are connected to particular Collector Managers, select one or more Collector Managers from the Collector Managers section.

    NOTE: If none of the Collector Managers are selected, event sources are not refined based on the Collector Managers. This is equivalent to selecting all Collector Managers.

    To select or deselect the Collector Managers, click the check boxes next to the respective Collector Manager.

    To select all the available Collector Managers, click the check box located at the top of the column.

    The right pane displays the list of event sources connected to the selected Collector Managers.

    NOTE: If none of the Collector Managers are selected, the event sources table displays all the configured event sources.

    The Collector Managers section has the following columns. To sort the Collector Managers by Health, Name, or EPS value, click the respective column header; the header of the column you clicked is displayed in bold text.

    • Health: Indicates the health of the Collector Managers. You can sort the Collector Managers based on their health status.

    • Name: Displays the name of the Collector Managers. You can sort the Collector Managers in alphabetical order based on their names.

    • EPS: Displays the events per second value received from the event sources. You can sort the Collector Managers based on the events per second value.

    When you click the Name or EPS value column, a pop-up is displayed with additional information about the Collector Manager. The pop-up displays the Collector Manager, Start Time, Event Sources, Events Per Second, and Health fields with their values.

  8. To display only event sources connected to particular event source servers, select one or more event source servers from the Event Source Servers section.

    NOTE: If none of the event source servers are selected, event sources are not refined based on the event source servers. This is not the same as selecting all event source servers, because it also includes event sources that are not connected to any event source server.

    To select or deselect the event source servers, click the check boxes next to the respective event source server.

    To select all the available event source servers, click the check box at the top of the column.

    The right pane displays the list of event sources connected to the selected event source servers.

    NOTE: If none of the event source servers are selected, the event sources table displays all of the configured event sources, including event sources that are not connected to any event source server.

    To sort the event source servers by Health, Name, or EPS value, click the respective column header; the header of the column you clicked is displayed in bold text.

    • Health: Indicates the health of the event source server. You can sort the event source servers based on their health status.

    • Name: Displays the name of the event source server used to parse the data from the event sources (for example, Syslog Server SSL). You can sort the event source servers in alphabetical order based on their names.

    • EPS: Displays the events per second value received from the event sources. You can sort the event source servers based on the events per second value.

    When you click the Name or EPS value column, a pop-up is displayed with additional information about the event source server. The pop-up displays the Event Source Server, Description, Collector Manager, Event Sources, Port, Events Per Second, Start Time, Total Bytes Received, Bytes Received Last Interval, Interval, Last Time Bytes Received, and Health fields with their values.

  9. To display only those event sources connected to particular collector plug-ins, select one or more collector plug-ins from the Collector Plugins section.

    NOTE: If none of the collector plug-ins are selected, event sources are not refined based on the collector plug-in. This is equivalent to selecting all of the collector plug-ins.

    To select or deselect the collector plug-ins, click the check boxes next to the respective collector plug-in.

    To select all the available collector plug-ins, click the check box at the top of the column.

    The right pane displays the list of event sources connected to all the Collector instances of the selected Collector plug-ins.

    NOTE: If none of the collector plug-ins are selected, the event sources table displays all the configured event sources.

    To sort the collector plug-ins by Name or EPS value, click the appropriate column header; the header of the column you clicked is displayed in bold text.

    • Health: Indicates the aggregate health of all event sources that are connected to the collector plug-in.

      With the exception of the green icon (healthy state), the icon does not necessarily mean that all event sources connected to the collector plug-in are in the state indicated by the icon.

      The red icon (error state) indicates that one or more event sources connected to the collector plug-in are in an error state, not necessarily all of them. To get more detailed information, click on the Name or EPS column value to see a help pop-up. The help pop-up will show additional information about the collector plug-in health state.

    • Name: Displays the name of the collector plug-in used to parse the data from the event sources (for example, Cisco* Firewall 6.1r1). You can sort the collector plug-ins in alphabetical order based on their names. This lists all the configured collector plug-ins, not the collector instances.

    • EPS: Displays the events per second value received from the event sources. You can sort the collector plug-ins based on the events per second value.

    When you click the Name or EPS value column, a pop-up is displayed with additional information about the collector plug-in. The pop-up displays the Collector Plugin, Description, Release Date, Scripting Language, Matching Rule, Applications, Universal, Event Sources, Events Per Second, Health, Event Sources Healthy, Event Sources With Warning, Event Sources With Error, Event Sources Offline, Collector Instances, and Supported Devices fields with their values.

    The Collector Instances field displays the number of instances of the collector plug-in. Clicking on the Collector Instances field displays a Collectors pop-up with a list of Collector instances associated with the Collector plug-in.

  10. In the Event Sources section, click the Next, Previous, First, and Last arrow links to scroll through all the event sources.

    The Event Sources section displays 30 event sources per page.

  11. To view the event search result for an event source, select the event source from the list and click the Search link.

    A new search results tab is displayed with the search results using the universally unique identifier (UUID) of the event source (for example, rv24:"2CBFB8A0-F24B-102C-A498-000C").

    If multiple event sources are selected for search, the rv24:<UUID> expressions are combined with the OR operator in the search filter expression.

    Results for all selected event sources will be returned as shown in the following image:

  12. To change the data logging status for one or more event sources, select the event sources from the list, click the Configure link, and select either the Drop Data or the Allow Data option.

    Drop Data: If Drop Data is selected, the selected event source(s) will drop all the events received. Messages will not be sent to the collector(s) the selected event sources are connected to.

    Allow Data: If Allow Data is selected, the selected event sources will forward events received to the Collector(s) they are connected to.

    NOTE: If you select a large number of event sources to change, it may take a while to complete. The event sources list will not show the Drop state (YES or NO) until after the changes are complete and the display is refreshed from the database.

  13. To change the associated collector plug-in for one or more event sources, select the event source(s) from the list, click the Configure link, and select the Collector Plugin option.

    The Set Collector Plugin window is displayed with the Collector Plugin Name and Supported Devices information.

  14. Select a new Collector plug-in name, then click Set.

    The selected event sources are connected to the selected Collector plug-in.

    NOTE: If you select a large number of event sources to change, it may take a while to complete. The event sources list will not show the new collector plug-in until after the changes are complete and the display is refreshed from the database.

  15. To change the time zone setting for one or more event sources, select the event source(s) from the list, click the Configure link, and select the Time Zone option.

    The Set Time Zone window is displayed.

  16. Select a new time zone, then click Set.

    The selected event sources are set to the new time zone setting.

    NOTE: If you select a large number of event sources to change, it may take a while to complete. The event sources list will not show the new time zone until after the changes are complete and the display is refreshed from the database.

Changes on this page might take some time to display completely.
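The wildcard name filter from step 5 and the rv24:<UUID> search expression from step 11, worked through as an added Python example; this is not code from the Sentinel Log Manager product or its documentation, it only mirrors the matching rules stated above. The event source names and all UUIDs except the one quoted in step 11 are constructed for illustration.

```python
import re

# Constructed sample event sources as (name, uuid) pairs. The names imitate
# the auto-created syslog naming described above (host or IP address plus the
# connection mode); only the first UUID is the one quoted on the page, the
# rest are made up for this example.
SAMPLE_EVENT_SOURCES = [
    ("abc-fw01 - TCP", "2CBFB8A0-F24B-102C-A498-000C"),
    ("10.0.0.5 - UDP", "3D0A11E0-0001-102C-A498-000D"),
    ("webabc", "4E1B22F0-0002-102C-A498-000E"),
    ("ABCD - SSL", "5F2C33A0-0003-102C-A498-000F"),
    ("dbserver", "6A3D44B0-0004-102C-A498-0010"),
]


def compile_name_filter(value: str) -> re.Pattern:
    """Translate the filter syntax into an anchored, case-insensitive regex.

    '*' matches zero or more characters, '?' matches exactly one character,
    and a value without wildcards means "contains", i.e. *<value>*.
    """
    if "*" not in value and "?" not in value:
        value = f"*{value}*"
    translated = {"*": ".*", "?": "."}
    pattern = "".join(translated.get(ch, re.escape(ch)) for ch in value)
    return re.compile(f"^{pattern}$", re.IGNORECASE)


def filter_event_sources(sources, value):
    """Return the (name, uuid) pairs whose name matches the filter value."""
    regex = compile_name_filter(value)
    return [src for src in sources if regex.match(src[0])]


def build_search_expression(uuids):
    """Build the search filter the Search link runs for the selected event
    sources: one rv24:"<UUID>" term per source, combined with OR."""
    return " OR ".join(f'rv24:"{u}"' for u in uuids)


if __name__ == "__main__":
    for value in ("abc", "abc*", "*abc", "??.0.0.?*"):
        hits = filter_event_sources(SAMPLE_EVENT_SOURCES, value)
        print(f"{value!r} -> {[name for name, _ in hits]}")
    selected = filter_event_sources(SAMPLE_EVENT_SOURCES, "abc*")
    print(build_search_expression(uuid for _, uuid in selected))
```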