A.24 NetIQ Sentinel

Table A-24 NetIQ Sentinel

Property

Specify

Alarm Columns

A comma-separated list that determines which alarm columns display and the order in which the alarm items display in the Alarms view.

Sentinel 6 Adapter: Default is Event Name, Event Created, Rule Name, Rule Created, Route, Parent Id

Sentinel 6 Adapter: Available columns are Event Name, Event Id, Message, Parent Id, Rule Name, Alarm Created Long, Event Created Long, Rule Created Long, Event Created, Rule Created, Occurrences, Host, Source IP, Severity, Route.

Sentinel 7 Adapter: Default is Event Name, Message, Rule Name, Route, Parent Id

Sentinel 7 Adapter: Available columns are Event Name, Event Id, Message, Parent Id, Rule Name, Alarm Created Long, Event Created Long, Occurrences, Host, Source IP, Severity, Route, Reporter IP, TenantName, ObserverCountry, SourceHostCountry, TargetHostCountry, TargetHostLatitude, TargetHostLongitude, SourceHostLatitude, SourceHostLongitude, ObserverHostLatitude, ObserverHostLongitude, ObserverHostName, ObserverIP, ObserverHostCountry, ObserverServiceName, SourceHostName, TargetHostName, TargetIP, TargetUserFullName, TargetEmail, InitiatorEmail, InitiatorUserFullName, Vulnerability, XDASOutcomeName, XDASTaxonomyName, CollectorNodeName, InitiatorUserName, TargetUserName, SourceHostDomain, InitiatorUserDomain, TargetHostDomain, TargetUserDomain, InitiatorServiceComponent, TargetServiceComponent, TargetServiceName, InitiatorServiceName, TargetTrustDomain, TargetTrustName, TargetDataContainer, TargetDataName.

For information about Sentinel

Alarm Expiration Polling Time (in Seconds)

The interval, in seconds, at which the adapter evaluates alarms and removes those that have expired.

Alarm Expiration Time Type

The time stamp to use when evaluating whether an alarm has expired. Specify one of the following:

  • event: the time of the event in Sentinel

  • rule: Sentinel 6 Adapter Only. The time the Correlation Rule was triggered in Sentinel

  • alarm: the time the alarm was received in Operations Center

Critical Max

The highest value that can be mapped to a Critical event. Default is 5.

Custom Property Mappings

Sentinel 7 Adapter: A comma-delimited list of name/value pairs that declares custom Sentinel event properties. When configured, these properties are shown on a Custom Attributes alarm property page. Use the following syntax to map an event field to an alarm property:

Custom_alarm_property_name=sentinel7_event_field_name

For example, Custom_Customer Source IP=dip, Custom_Customer Source=rv39.

The Custom_ prefix is used in Operations Center to avoid property name clashes and can be omitted from the property definition. However, the actual alarm property retains the full property name. For example, Customer Source=rv39 produces the alarm property Custom_Customer Source.

If adding to the Alarm Columns list in adapter properties, the full property name must be specified, but can be mapped to a shorter name for display purposes. For example, Customer Source=Custom_Customer Source

If using in the hierarchy file to generate new elements in the Sentinel adapter hierarchy tree from property values, the full property name must be specified. For example, <generator class="SentinelHost" field="Custom_Customer Source"/>
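The three rules above (the optional Custom_ prefix, the full name being required in Alarm Columns, and the display=property alias syntax) are easy to get subtly wrong. The following is an added worked example, not Operations Center or Sentinel code: it parses a Custom Property Mappings setting and an Alarm Columns setting the way the descriptions say they are interpreted, applies them to a constructed Sentinel 7 event, and flags column names that are neither standard columns nor declared custom properties. The event values, the helper names and the subset of standard columns used for the check are assumptions for illustration; dip and rv39 are the field names from the page's own example.

```python
"""Added worked example (not Operations Center code): parse the Sentinel 7
adapter's 'Custom Property Mappings' and 'Alarm Columns' settings and apply
them to an event.  Sample event, values and helper names are constructed."""

CUSTOM_PREFIX = "Custom_"

# Subset of the standard alarm columns listed on this page, used only to
# validate column names in the example.
STANDARD_COLUMNS = {"Event Name", "Event Id", "Message", "Parent Id", "Rule Name",
                    "Occurrences", "Host", "Source IP", "Severity", "Route"}


def _split_list(setting: str) -> list:
    """Comma-delimited adapter setting -> stripped, non-empty items."""
    return [item.strip() for item in setting.split(",") if item.strip()]


def parse_custom_mappings(setting: str) -> dict:
    """'alarm_property=sentinel7_field, ...' -> {full alarm property: event field}.
    The Custom_ prefix may be omitted in the setting, but the resulting alarm
    property always carries it (the adapter keeps the full name)."""
    mappings = {}
    for item in _split_list(setting):
        if "=" not in item:
            raise ValueError(f"mapping without '=': {item!r}")
        name, field = (part.strip() for part in item.split("=", 1))
        if not name or not field:
            raise ValueError(f"empty property or field name in {item!r}")
        if not name.startswith(CUSTOM_PREFIX):
            name = CUSTOM_PREFIX + name
        if name in mappings and mappings[name] != field:
            raise ValueError(f"{name} mapped twice ({mappings[name]} and {field})")
        mappings[name] = field
    return mappings


def custom_attributes(event: dict, mappings: dict) -> dict:
    """Contents of the alarm's Custom Attributes page: one entry per mapping
    whose source field is present in the event."""
    return {name: event[field] for name, field in mappings.items() if field in event}


def parse_alarm_columns(setting: str) -> list:
    """Alarm Columns -> [(display name, alarm property)] in display order.
    'Customer Source=Custom_Customer Source' shows the full property under a
    shorter header; a bare name is both header and property."""
    columns = []
    for item in _split_list(setting):
        if "=" in item:
            display, prop = (part.strip() for part in item.split("=", 1))
        else:
            display = prop = item
        columns.append((display, prop))
    return columns


def unknown_columns(columns: list, mappings: dict) -> list:
    """Properties in Alarm Columns that are neither standard columns nor a
    declared custom property.  Catches the common slip of writing the short
    name ('Customer Source') where the full 'Custom_Customer Source' is required."""
    known = STANDARD_COLUMNS | set(mappings)
    return [prop for _, prop in columns if prop not in known]


def render_row(alarm: dict, columns: list) -> list:
    """Cell values for one alarm in the configured column order."""
    return [alarm.get(prop) for _, prop in columns]


# Constructed Sentinel 7 event: 'dip' and 'rv39' are the field names from the
# page's example; the values are made up.
SAMPLE_EVENT = {"dip": "10.20.30.40", "rv39": "Acme Corp", "msg": "Failed login"}
MAPPINGS_SETTING = "Custom_Customer Source IP=dip, Customer Source=rv39"
COLUMNS_SETTING = "Event Name, Customer Source=Custom_Customer Source, Severity"


def example() -> dict:
    mappings = parse_custom_mappings(MAPPINGS_SETTING)
    # Standard properties come from the adapter's own field handling; they
    # are constructed here so the row can be rendered.
    alarm = {"Event Name": "Failed login", "Severity": 4}
    alarm.update(custom_attributes(SAMPLE_EVENT, mappings))
    columns = parse_alarm_columns(COLUMNS_SETTING)
    return {"headers": [display for display, _ in columns],
            "row": render_row(alarm, columns),
            "unknown": unknown_columns(columns, mappings)}


if __name__ == "__main__":
    print(example())
```

Running the example renders the headers Event Name, Customer Source, Severity with the custom value under the shorter header; replacing the column entry with the bare name Customer Source makes unknown_columns report it, which is the mistake the page warns about.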

Element Timeout Ager Delay Value (in Seconds)

The number of seconds to display an element after all alarms have expired. Specify -1 to never remove elements, 0 to remove elements immediately.

Hierarchy File

A file in the /OperationsCenter_install_path/database directory that contains an XML description of the element hierarchy to build below the adapter element. The default is examples/SentinelHierarchy.xml

Incoming Event Thread Pool Size

The number of threads that can be started for processing incoming events from Sentinel. This can be useful for performance tuning / resource management.

Info Max

The highest value that can be mapped to an Information event.

Listener Port

The port number to open for incoming events. Restrict network access to this port to the Sentinel server that sends events to it.

Sentinel 6 Adapter: Set to the same port number as the Sentinel Mail/SMTP Interceptor port.

Sentinel 7 Adapter: Set to the same port number as the Sentinel Log to Syslog Action port.

Major Max

The highest value that can be mapped to a Major event.

Minor Max

The highest value that can be mapped to a Minor event.
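The four *Max properties (Info Max, Minor Max, Major Max, Critical Max) partition the Sentinel severity scale into Operations Center conditions, and a misordered set silently leaves bands empty or severities unmapped. The following is an added worked example, not Operations Center code: it applies the thresholds as inclusive upper bounds ("the highest value that can be mapped") and checks them before use. The assumption that Sentinel severity is an integer from 0 to 5 is mine, as are the function names.

```python
"""Added worked example (not Operations Center code): map a Sentinel severity
to a condition using the Info/Minor/Major/Critical Max thresholds, and check
that the thresholds are usable.  Assumes Sentinel severity is 0..5."""

SEVERITY_RANGE = range(0, 6)   # assumption: Sentinel severity values 0 to 5

_BAND_NAMES = ("Info", "Minor", "Major", "Critical")


def _bands(info_max, minor_max, major_max, critical_max):
    return list(zip(_BAND_NAMES, (info_max, minor_max, major_max, critical_max)))


def check_thresholds(info_max, minor_max, major_max, critical_max=5) -> list:
    """Problems that would leave a band empty or a severity unmapped."""
    problems = []
    bands = _bands(info_max, minor_max, major_max, critical_max)
    for (lo_name, lo), (hi_name, hi) in zip(bands, bands[1:]):
        if hi <= lo:
            problems.append(f"{hi_name} Max ({hi}) must be greater than "
                            f"{lo_name} Max ({lo}); the {hi_name} band is empty")
    if critical_max < max(SEVERITY_RANGE):
        problems.append(f"severities above Critical Max ({critical_max}) map to no condition")
    return problems


def map_severity(sev, info_max, minor_max, major_max, critical_max=5) -> str:
    """First band whose ceiling the severity does not exceed (inclusive)."""
    for name, ceiling in _bands(info_max, minor_max, major_max, critical_max):
        if sev <= ceiling:
            return name
    return "Unknown"   # above Critical Max; check_thresholds() flags this


def condition_table(info_max, minor_max, major_max, critical_max=5) -> dict:
    """Severity -> condition for every value in the assumed range."""
    return {sev: map_severity(sev, info_max, minor_max, major_max, critical_max)
            for sev in SEVERITY_RANGE}


if __name__ == "__main__":
    print(condition_table(1, 2, 3))          # default Critical Max of 5
    print(check_thresholds(2, 2, 3))         # empty Minor band
    print(check_thresholds(1, 2, 3, critical_max=4))   # severity 5 unmapped
```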

Rule List for History Mining

The names of the Correlation Rules whose recent events are queried on adapter startup.

Sentinel 6 Adapter: Specify a comma delimited list using single quotes around the values. For example, 'Test Rule 1', 'Test Rule 2', 'Test Rule 3'

Sentinel 7 Adapter: Specify a comma delimited list. For example, Test Rule 1, Test Rule 2, Test Rule 3

Script.onError

A script that executes if the adapter fails for any reason. For example, the script can log the reason for the failure, passed to it as msg, using log.info(msg).

Script.onInitialized

A script that executes when the adapter initializes.

Script.onStarted

A script that executes when the adapter starts, either manually or automatically when the Operations Center server starts.

Script.onStopped

A script that executes after stopping the adapter.

Sentinel Database Connection Password

Sentinel 6 Adapter Only. The password used to connect to the Sentinel database for history mining.

Sentinel Database Connection User Name

Sentinel 6 Adapter Only. The account name used to connect to the Sentinel database for history mining.

Sentinel Database Name

Sentinel 6 Adapter Only. The name of the Sentinel database for history mining (Oracle database name).

Sentinel Database Server Address

Sentinel 6 Adapter Only. The IP address of the Oracle database server that hosts the Sentinel database used for history mining.

Sentinel Database Server Port

Sentinel 6 Adapter Only. The port for connecting to the Sentinel Database for history mining.

Sentinel Database Time Zone Offset

Sentinel 6 Adapter Only. The offset, in hours, of the Sentinel database's time zone from GMT, used for the database connection. For example, enter 7 for MST (GMT-7).

Sentinel Server Administrator User Password

Sentinel 7 Adapter Only. The password of the administrator account used to connect to Sentinel for history mining.

Sentinel Server Administrator User Name

Sentinel 7 Adapter Only. The name of the administrator account used to connect to Sentinel for history mining.

Sentinel Server Address

Sentinel 7 Adapter Only. The IP address of the Sentinel server for history mining.

Sentinel Server Port

Sentinel 7 Adapter Only. The port for connecting to the Sentinel REST interface for history mining.

Stylesheet File

This option is not used by the Sentinel adapter.

Time Length in Minutes/Hours for Events to Display

The number of minutes/hours an alarm is displayed before it is removed from the console.

Sentinel 6 Adapter: Specify number of minutes.

Sentinel 7 Adapter: Specify number of hours.
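Alarm Expiration Time Type, Alarm Expiration Polling Time, Element Timeout Ager Delay Value and the display time length above together decide when an alarm disappears and when its element follows it, and the outcome differs markedly depending on which time stamp is compared. The following is an added worked example, not Operations Center or Sentinel code: one polling pass implemented from the property descriptions, run over constructed alarms whose event, rule and receipt times deliberately differ. The alarm data, element names, a fixed "now" and the helper names are assumptions for illustration.

```python
"""Added worked example (not Operations Center or Sentinel code): one pass of
the adapter's alarm expiration poller, following the property descriptions on
this page.  Alarm data, element names and helper names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Alarm:
    alarm_id: str
    element: str                             # element the alarm hangs under
    event_created: datetime                  # "event": time of the event in Sentinel
    alarm_received: datetime                 # "alarm": time Operations Center received it
    rule_created: Optional[datetime] = None  # "rule": correlation rule time (Sentinel 6 only)


@dataclass
class AdapterSettings:
    sentinel_version: int     # 6 or 7
    time_type: str            # Alarm Expiration Time Type: event | rule | alarm
    display_length: int       # Time Length for Events to Display: minutes (6) or hours (7)
    ager_delay_seconds: int   # Element Timeout Ager Delay Value: -1 never, 0 immediately

    def display_window(self) -> timedelta:
        if self.sentinel_version == 6:
            return timedelta(minutes=self.display_length)
        return timedelta(hours=self.display_length)


def validate_settings(s: AdapterSettings) -> list:
    """Checks worth running before starting the adapter; returns problems found."""
    problems = []
    if s.sentinel_version not in (6, 7):
        problems.append(f"unsupported Sentinel version {s.sentinel_version}")
    if s.time_type not in ("event", "rule", "alarm"):
        problems.append(f"unknown Alarm Expiration Time Type {s.time_type!r}")
    if s.time_type == "rule" and s.sentinel_version != 6:
        problems.append("'rule' time type is only valid for the Sentinel 6 adapter")
    if s.display_length <= 0:
        problems.append("display length must be positive")
    if s.ager_delay_seconds < -1:
        problems.append("ager delay must be -1, 0 or a positive number of seconds")
    return problems


def reference_time(alarm: Alarm, s: AdapterSettings) -> datetime:
    """The time stamp the expiry check compares against, per the time type."""
    if s.time_type == "event":
        return alarm.event_created
    if s.time_type == "alarm":
        return alarm.alarm_received
    if alarm.rule_created is None:
        raise ValueError(f"alarm {alarm.alarm_id} carries no rule time")
    return alarm.rule_created


def is_expired(alarm: Alarm, s: AdapterSettings, now: datetime) -> bool:
    return now - reference_time(alarm, s) >= s.display_window()


def poll(alarms: list, s: AdapterSettings, now: datetime, empty_since: dict):
    """One Alarm Expiration Polling pass: drop expired alarms, then remove elements
    that have had no alarms for longer than the ager delay.  empty_since
    (element -> time its last alarm expired) is updated in place."""
    live, expired = [], []
    for alarm in alarms:
        (expired if is_expired(alarm, s, now) else live).append(alarm)
    live_elements = {a.element for a in live}
    for alarm in alarms:                     # start the timer for newly empty elements
        if alarm.element not in live_elements:
            empty_since.setdefault(alarm.element, now)
    removed = []
    for element in list(empty_since):
        if element in live_elements:          # an alarm is back: cancel the timer
            del empty_since[element]
        elif s.ager_delay_seconds == -1:      # never remove elements
            continue
        elif now - empty_since[element] >= timedelta(seconds=s.ager_delay_seconds):
            removed.append(element)
            del empty_since[element]
    return live, [a.alarm_id for a in expired], removed


# Constructed sample, relative to a fixed "now" so the results are reproducible.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ALARMS = [
    # old event, rule fired 1 h ago, but it reached Operations Center only 10 min ago
    Alarm("A1", "hostA", NOW - timedelta(hours=3), NOW - timedelta(minutes=10), NOW - timedelta(hours=1)),
    Alarm("A2", "hostA", NOW - timedelta(minutes=30), NOW - timedelta(minutes=29), NOW - timedelta(minutes=25)),
    Alarm("B1", "hostB", NOW - timedelta(hours=4), NOW - timedelta(hours=4), NOW - timedelta(hours=4)),
]


def scenario(sentinel_version=7, time_type="event", display_length=2,
             ager_delay=0, polls=1, step_seconds=600) -> list:
    """Run `polls` passes `step_seconds` apart over the sample alarms and return
    one {"live", "expired", "removed"} record per pass."""
    s = AdapterSettings(sentinel_version, time_type, display_length, ager_delay)
    if validate_settings(s):
        raise ValueError(validate_settings(s))
    state, alarms, results = {}, list(SAMPLE_ALARMS), []
    for i in range(polls):
        alarms, expired, removed = poll(alarms, s, NOW + timedelta(seconds=i * step_seconds), state)
        results.append({"live": [a.alarm_id for a in alarms], "expired": expired, "removed": removed})
    return results


if __name__ == "__main__":
    print(scenario())                                  # event time: A1 and B1 expire, hostB removed at once
    print(scenario(time_type="alarm"))                 # A1 survives: it was received 10 minutes ago
    print(scenario(sentinel_version=6, time_type="rule", display_length=120))
```

With the event time type, alarm A1 expires on the first pass even though Operations Center received it ten minutes earlier; with the alarm time type it stays. The same two-hour window is written as 2 for the Sentinel 7 adapter and 120 for the Sentinel 6 adapter, which is the unit difference the property descriptions above point out.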

Time Length in Minutes/Hours for History Mining

The number of minutes/hours of history from the Sentinel database (Sentinel 6 Adapter) or Sentinel server (Sentinel 7 Adapter) to be loaded on adapter startup.

Sentinel 6 Adapter: Specify number of minutes.

Sentinel 7 Adapter: Specify number of hours.

Use Alarm Times For Condition Changes

The date/time stamp to use for all alarm data stored by the Operations Center Data Warehouse. If true, the alarm’s date/time stamp is used. If false, the date/time stamp of when the Operations Center server received the alarm is used. The default is true.

Alarm history is stored based on the alarm time rather than alarm receipt time. For SLA metric data based on alarm properties, property values are recorded based on the alarm time instead of the alarm receipt time. Note that recording historical condition data for historical alarms is not supported.