3.21 NetIQ Sentinel

The NetIQ (formerly Novell) Sentinel Adapter allows Correlation Rule events to be communicated from Sentinel into Operations Center.

Some additional configurations are necessary to integrate with Sentinel 7. You must configure a Sentinel Event Routing Rule and a Log to Syslog Action in order to be able to receive correlated events from the Sentinel Server.

For more information about the Sentinel Generic Event Forwarder, see Sentinel Plug-ins.

To integrate NetIQ Sentinel:

  1. To integrate with NetIQ Sentinel 7, do the following:

    1. Download the following files from the JSON-lib Download Web site, and save them to the /OperationsCenter_install_path/integrations/ext/Sentinel directory:

      • json-lib-2.4-jdk15.jar

      • json-lib-ext-spring-1.0.2.jar

      For more information about the JSON-lib, see the JSON-lib website.

    2. Get the following files from the Sentinel installation lib directory (exact file names depend on the version of Sentinel that you are integrating):

      • commons-lang

      • commons-beanutils

      • commons-collections

      • commons-logging

      • ezmorph

      • sentinel-client-activity-beans

      • sentinel-client-base

      • sentinel-client-base-java

      • sentinel-client-beans

      • sentinel-client-wfbeans

      • sentinel-crypto

      For more information about dependencies, see the JSON-lib website.

    3. To configure Sentinel to log to the Operations Center Sentinel Adapter via Syslog, do the following:

      1. From the Sentinel Control Center, click Configuration and select Integration Manager.

      2. Under Integrators, select Syslog.

      3. Select the Server Configuration tab in the right panel.

      4. Enter the IP address of the Operations Center server used by the Sentinel adapter to receive events in the Host field.

      5. Select TCP from the Protocol drop-down list.

      6. Specify the port number in the Port field.

        This must be the same port as specified in the Listener Port property for the Sentinel 7 Adapter in Operations Center.

      7. Click Save.

      8. From the Sentinel Control Center, click Configuration and select Action Manager.

      9. Select Log to Syslog and click View/Edit.

      10. Select Event Forwarder in the Action drop-down list, and then define the following values in the Action Plug-in To Execute list:

        • Integrator: Syslog

        • Display Format: JSON

        • Display Data: All Data

        • Display Events: All Events

      11. Click Save, and then close the Action Manager panel.

    4. To configure a Sentinel Event Routing Rule, do the following:

      1. Open the Sentinel Web console by entering the following URL in a web browser:

        https://SentinelServerAddress:PortNumber

      2. On the toolbar, click Routing.

      3. Click Create.

      4. Specify the name of the routing rule in the Name field.

        For example, All Correlation Events.

      5. Enter st:C in the Filter field.

      6. Verify the All radio button is selected for the Route the following services option.

      7. Select Log to Syslog in the Perform the following actions drop-down list.

      8. Verify that the information for the TCP Syslog Server Connection and Port, configured in Step 1.3, is correct.

      9. Click Save.

      10. Verify that the Enabled setting is selected for the new event routing rule.

  2. Create an adapter for each instance of NetIQ Sentinel on the network. To integrate with Sentinel 7, select NetIQ Sentinel 7 for the adapter type.

    For information on creating an adapter, see Section 2.1, Creating an Adapter.

    For property descriptions, see Section A.24, NetIQ Sentinel.
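
One way to confirm that the Syslog integrator and routing rule from Step 1 actually deliver JSON over TCP is a temporary listener on the Operations Center host. This is an added example, not part of the NetIQ product or its documentation; the script name, the newline framing, and the sample event fields are assumptions.

```python
"""Temporary TCP listener to confirm Sentinel forwards JSON events (added example)."""
import json
import socketserver
import sys

# Constructed sample line; the field names are not Sentinel's actual schema.
CONSTRUCTED_SAMPLE = '<13>Jan  1 00:00:00 sentinel01 {"name": "constructed-event"}'


def extract_json(line):
    """Return the JSON object in one syslog line, or None if absent or truncated."""
    start = line.find("{")  # assumption: payload starts at the first '{' after the header
    if start == -1:
        return None
    try:
        obj, _end = json.JSONDecoder().raw_decode(line, start)
    except json.JSONDecodeError:
        return None
    return obj


def check_lines(lines):
    """Return (number of lines carrying valid JSON, list of lines that do not)."""
    bad = [ln for ln in lines if ln.strip() and extract_json(ln) is None]
    good = sum(1 for ln in lines if ln.strip()) - len(bad)
    return good, bad


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        # Assumption: one event per newline-terminated line on the TCP stream.
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace").strip()
            if not line:
                continue
            event = extract_json(line)
            peer = self.client_address[0]
            if event is None:
                print(f"{peer}: NOT JSON: {line[:120]!r}")
            else:
                print(f"{peer}: OK, {len(event)} fields, e.g. {sorted(event)[:5]}")


if __name__ == "__main__":
    # Usage: python check_sentinel_syslog.py <port>
    port = int(sys.argv[1])
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), Handler) as server:
        server.serve_forever()
```

Run it while the adapter is stopped, or on a spare port that the Syslog integrator points at temporarily, because only one process can listen on the Listener Port. A "NOT JSON" line usually means the Display Format in the Log to Syslog action is not set to JSON.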