3.1 Configuring Sentinel as a Sender

If Sentinel is the sender, you must import and configure the Sentinel Link Integrator plug-in and the Sentinel Link Action plug-in to create a Sentinel Link configuration. You also need to create an action that forwards the selected events to the receiver. To filter the events, use the Correlation Manager to set a correlation rule, associate the action with the rule, and deploy the rule. You can also use Global Filters to filter the events and forward them to the receiver.

NOTE: For more information on Sentinel Link Integrator and Action, see the corresponding plug-in documentation in the NetIQ Sentinel Plug-ins Web site.

Use the following procedures to configure the Sentinel server to send events:

3.1.1 Configuring the Sentinel Link Integrator Plug-In

The Sentinel Link Integrator comes pre-installed with the Sentinel platform. To get the latest performance enhancements and other enhanced features, visit the NetIQ Sentinel Plug-ins Web site and download the latest set of Plug-ins.

NOTE: When updating any Sentinel Link Plug-in, you should also update all related Plug-ins across all platforms to ensure compatibility.

For instructions on configuring the Sentinel Link Integrator, see the Sentinel Link Integrator documentation in the NetIQ Sentinel Plug-ins Web site.

3.1.2 Importing and Configuring the Sentinel Link Action Plug-In

The Sentinel Link Action plug-in comes pre-installed with the Sentinel platform. To get the latest performance enhancements and other enhanced features, visit the NetIQ Sentinel Plug-ins Web site and download the latest set of Plug-ins.

NOTE: When updating any Sentinel Link Plug-in, you should also update all related Plug-ins across all platforms to ensure compatibility.

For instructions on configuring the Sentinel Link Action, see the Sentinel Link Action documentation in the NetIQ Sentinel Plug-ins Web site.

3.1.3 Automatically Forwarding Events to the Receiver

To select events that you want to automatically forward to a receiver, you need a filtering mechanism. Use Correlation rules or Global Filters to filter the desired events, and associate the Sentinel Link Action to forward them to the receiver.

NOTE: To forward events to another Sentinel server based on simple filtering conditions, use Sentinel Link with Global Filters.

You can also use Sentinel Link anywhere in Sentinel that can execute a JavaScript action, such as Correlation, Incidents, and Event right-click. Be aware that these mechanisms can forward the same event more than once. Use them only when simple filtering conditions are not enough.

For example, using Correlation, you can configure filter(1=1) and filter(e.sev>=3), and launch the Sentinel Link action to forward the events to the same receiver. When you trigger the action, the receiver gets duplicated events.

Note that some field values of the events change during event forwarding. For example, when you forward an event, the event ID changes but the event name remains the same.

Another advantage of Global Filters over Correlation rules is that events are sent to the receiver system in batches of 500 events. With a Correlation rule, each event is forwarded to the receiver as soon as it is generated.
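The duplicate-forwarding case above can be reproduced and checked on the receiver side. The following is an added example, not Sentinel or plug-in code: it models the two overlapping filters as Python predicates and, because the event ID changes in transit, finds duplicates by fingerprinting fields assumed to stay the same. The field names `name`, `time` and `host` and the `rcv-` ID format are assumptions; the events are constructed.

```python
import hashlib
import itertools
from collections import defaultdict

# Constructed sample events. Only "sev" appears in the text; the other field
# names are assumptions for illustration, not Sentinel's event schema.
SOURCE_EVENTS = [
    {"id": "src-1", "name": "LoginFailed", "sev": 4, "time": "10:00:00", "host": "web01"},
    {"id": "src-2", "name": "ConfigRead", "sev": 1, "time": "10:00:05", "host": "web01"},
    {"id": "src-3", "name": "PrivilegeChange", "sev": 3, "time": "10:00:09", "host": "db01"},
]

# The two overlapping Correlation filters from the text, as predicates.
RULES = {
    "filter(1=1)": lambda e: True,
    "filter(e.sev>=3)": lambda e: e["sev"] >= 3,
}

_receiver_ids = itertools.count(1)  # hypothetical receiver-side ID source


def forward(events, rules):
    """Fire the forwarding action once for every rule an event matches."""
    received = []
    for event in events:
        for matches in rules.values():
            if matches(event):
                copy = dict(event)
                copy["id"] = f"rcv-{next(_receiver_ids)}"  # ID changes in transit
                received.append(copy)
    return received


def fingerprint(event):
    """Hash the fields assumed stable across forwarding; the ID is excluded."""
    stable = "|".join(str(event[k]) for k in ("name", "sev", "time", "host"))
    return hashlib.sha256(stable.encode()).hexdigest()


def find_duplicates(received):
    """Group received events by fingerprint; keep groups seen more than once."""
    groups = defaultdict(list)
    for event in received:
        groups[fingerprint(event)].append(event)
    return [group for group in groups.values() if len(group) > 1]


if __name__ == "__main__":
    for group in find_duplicates(forward(SOURCE_EVENTS, RULES)):
        print(group[0]["name"], "received as", [e["id"] for e in group])
```

Two genuinely distinct events with identical stable fields would also share a fingerprint, so treat a match as a candidate duplicate rather than proof.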

Using Correlation Rules to Forward Events to the Receiver

You can create Correlation rules that filter the desired events for forwarding to the receiver system. After creating a rule, associate the Sentinel Link Action while deploying the rule.

This section describes how to use Correlation rules to forward events to the receiver in a Sentinel system.

The following example illustrates creating a simple rule that forwards events with severity greater than 3.

  1. Log in to the Sentinel Web interface as a user with the Manage Correlation Engine and Rules permission.

  2. In the navigation panel, click Correlation.

  3. Click Create.

  4. In the Subrule window, click Create a new expression.

  5. Select the criteria to set it to Severity>3, then click OK.

    The specified criteria are displayed in the Subrule window.

  6. To associate one or more actions to the rule, in the Actions panel, click .

  7. Select Send Events via Sentinel Link action.

  8. Click OK.

  9. Click Save As.

  10. Specify an intuitive name, for example, Sev4Rule for the rule and an optional description, then click OK.

  11. Double-click the rule that you want to deploy.

  12. In the Deploy/Undeploy section, select the engine to which you want to deploy the rule, then click Deploy.

NOTE: You can also deploy a rule from the Correlation dashboard. In the Correlation panel, click the engine to which you want to deploy rules. In the Available rules section, select the rule or rules that you want to deploy, then click Deploy.

Using Global Filters to Forward Events to the Receiver

You can use Global Filters to filter the desired events for forwarding to the receiver system.

This section describes how to use Global Filters to forward events to the receiver in a Sentinel system.

You must configure and activate the rule to forward events to another Sentinel system.

Configuring the Rule to Forward Events to the Receiver

Sentinel is installed with a rule, Forward Events To Another Sentinel System, that forwards events to another Sentinel server. By default, the Forward Events To Another Sentinel System rule is configured to filter out internal system events and events with severity greater than three. This rule filters the following three types of system events:

  • Audit (A)

  • Performance (P)

  • Internal (I)

You can also change the conditions of the rule to filter more events or remove conditions to filter fewer events.

NetIQ recommends that you configure the rule to forward only those events that you want to store on the Sentinel server for more in-depth reporting and analysis.

Activating the Rule to Forward Events to the Receiver

The Forward Events To Another Sentinel System rule is installed with Sentinel, but it is in the inactive (off) state. You must activate the rule to forward the events to another Sentinel system.

To activate the rule to forward events to the receiver:

  1. Log in to the Sentinel Web UI as an administrator.

  2. Click Routing in the toolbar.

  3. Click the Edit link next to the Forward Events To Another Sentinel System rule.

  4. Select Send Events via Sentinel Link from the Perform the following actions: list.

  5. Click Save.

  6. Select the check box adjacent to the Forward Events To Another Sentinel System rule.

3.1.4 Manually Forwarding Events to the Receiver

You can forward events to the receiver by manually executing the Sentinel Link Action:

  • Executing the Sentinel Link Action on an Incident.

  • Executing the Sentinel Link Action on events in Active Views.

  • Executing the Sentinel Link Action on events in Search results.

For more information, see the Sentinel documentation.