10.0 Installation Overview

The Sentinel installation installs the following components in the Sentinel server:

  • Sentinel server process: This is the primary component of Sentinel. It services requests from the other Sentinel components and ties the system together. The requests it handles include filtering data, processing search queries, and managing administrative tasks such as user authentication and authorization.

  • Web server: Sentinel uses Jetty as its Web server to serve the Sentinel Web interface over a secure connection.

  • PostgreSQL database: Sentinel has a built-in database that stores Sentinel configuration information, asset and vulnerability data, identity information, incident and workflow status, and so on.

  • MongoDB database: Stores the Security Intelligence data.

  • Collector Manager: Collector Manager provides a flexible data collection point for Sentinel. The Sentinel installer installs a Collector Manager by default during installation.

  • NetFlow Collector Manager: The NetFlow Collector Manager collects network flow data (NetFlow, IPFIX, and so on) from network devices such as routers, switches, and firewalls. Network flow data describes basic information about all network connections between hosts including packets and bytes transmitted, which helps you visualize the behavior of individual hosts or the entire network.

  • Correlation Engine: Correlation Engine processes events from the real-time event stream to determine whether they should trigger any of the correlation rules.

  • Advisor: Advisor, powered by Security Nexus, is an optional data subscription service that provides device-level correlation between real-time events from intrusion detection and prevention systems and enterprise vulnerability scan results. For more information about Advisor, see Detecting Vulnerabilities and Exploits in the NetIQ Sentinel Administration Guide.

  • Sentinel plug-ins: Sentinel supports a variety of plug-ins to expand and enhance system functionality. Some of these plug-ins are preinstalled. You can download additional plug-ins and updates from the Sentinel Plug-ins Web site. Sentinel plug-ins include the following:

    • Collectors

    • Connectors

    • Correlation rules and actions

    • Reports

    • iTRAC workflows

    • Solution packs
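As an added illustration of two of the components listed above, the NetFlow Collector Manager's flow data and the Correlation Engine's rule evaluation, the following Python is not Sentinel's own code or rule language. It parses a NetFlow v5 export datagram (the 24-byte header and 48-byte record layouts are Cisco's published v5 format), totals packets and bytes per source host, which is the "behavior of individual hosts" view the flow data gives you, and then runs one hypothetical correlation rule over the parsed flows. The sample datagram, the host addresses, and the port-scan threshold are constructed for this example.

```python
"""Illustrative example (not NetIQ Sentinel code): parse NetFlow v5, summarize
per-host traffic, and apply a simple correlation rule to the flows."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header followed by up to 30 48-byte records.
HEADER_FMT = "!HHIIIIBBH"              # version, count, sys_uptime, unix_secs,
                                       # unix_nsecs, flow_sequence, engine_type,
                                       # engine_id, sampling_interval
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output,
                                       # dPkts, dOctets, first, last, srcport,
                                       # dstport, pad1, tcp_flags, prot, tos,
                                       # src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30


def parse_netflow_v5(datagram: bytes) -> list[dict]:
    """Parse one v5 export datagram into flow dicts. The exporter is an
    unauthenticated UDP sender, so version and length are validated before
    any record is trusted."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, _uptime, unix_secs, _nsecs, _seq,
     _etype, _eid, _sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _inp, _out, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _sas, _das,
         _smask, _dmask, _pad2) = struct.unpack_from(
            RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": flags,
            "packets": pkts, "bytes": octets, "exported_at": unix_secs,
        })
    return flows


def build_netflow_v5(flows: list[tuple], unix_secs: int = 1_700_000_000) -> bytes:
    """Build a v5 datagram from (src, dst, proto, sport, dport, packets, bytes)
    tuples. Used only to construct sample input for this example."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 0, unix_secs, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, proto, sport, dport, pkts, octets in flows:
        body += struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                            b"\0\0\0\0", 0, 0, pkts, octets, 0, 0, sport, dport,
                            0, 0x02, proto, 0, 0, 0, 0, 0, 0)  # flags=SYN
    return header + body


def summarize_by_host(flows: list[dict]) -> dict:
    """Per-source totals: the packets-and-bytes view of each host's behaviour."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0, "flows": 0})
    for f in flows:
        t = totals[f["src"]]
        t["packets"] += f["packets"]
        t["bytes"] += f["bytes"]
        t["flows"] += 1
    return dict(totals)


def rule_port_scan(flows: list[dict], threshold: int = 10) -> dict:
    """Hypothetical correlation rule: a source that opens tiny TCP flows
    (<= 2 packets, i.e. unanswered connection attempts) to at least
    `threshold` distinct (destination, port) pairs is reported."""
    targets = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["packets"] <= 2:
            targets[f["src"]].add((f["dst"], f["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


# Constructed sample: 10.0.0.5 probes 12 ports on 10.0.0.20; 10.0.0.7 is a
# normal client with one large HTTPS session and one DNS lookup.
SAMPLE_FLOWS = (
    [("10.0.0.5", "10.0.0.20", 6, 40000 + p, p, 1, 40) for p in range(20, 32)]
    + [("10.0.0.7", "10.0.0.20", 6, 51000, 443, 5000, 4_000_000),
       ("10.0.0.7", "10.0.0.21", 17, 51001, 53, 2, 160)]
)
SAMPLE_DATAGRAM = build_netflow_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    parsed = parse_netflow_v5(SAMPLE_DATAGRAM)
    for host, t in summarize_by_host(parsed).items():
        print(f"{host}: {t['flows']} flows, {t['packets']} pkts, {t['bytes']} bytes")
    print("port-scan rule fired for:", rule_port_scan(parsed))
```

The length check matters in practice: a collector that trusts the `count` field and reads past the end of a short datagram is a classic parser bug, and flow exporters speak plain UDP with no authentication, so the collector must treat every datagram as untrusted input.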

Sentinel has a highly scalable architecture; if high event rates are expected, you can distribute components across several machines to achieve the best performance for the system. For production environments, NetIQ Corporation recommends a distributed deployment because it isolates the data collection components on a separate machine, which is important for handling event spikes and other anomalies with maximum system stability. For more information, see Section 6.1, Advantages of Distributed Deployments.