17.2 Managing Integrators

An Integrator is a configured instance of an Integrator plug-in. There can be one or more instances of an Integrator plug-in with different parameters or settings. A few Integrators are available by default. You can also add Integrators as required.

17.2.1 Configuring the Default Integrators

The default Integrators installed with Sentinel are not configured. To use these default Integrators with the actions in your Sentinel system, you must configure the Integrators for your environment.

Configuring the File Integrator

The File Integrator is used with the Log to File action.

  1. Access the Sentinel Control Center.

  2. Launch the Integrator Manager:

    • If the Configuration menu is not enabled, click the Configuration tab, then click the Configuration menu > Integrator Manager or click the icon in the toolbar.

    • If the Configuration menu is enabled, click the Configuration menu > Integrator Manager or click the icon in the toolbar.

  3. Select File in the Integrators column, then click the File Configuration tab.

  4. Change the default filename and location where the events are stored.

    By default, the location is ../data/log_to_file_events.txt.

  5. Click Save.

Configuring the Sentinel Link Integrator

The Sentinel Link Integrator is used to connect multiple Sentinel systems. For more information, see Section 12.0, Linking to Additional Sentinel Systems.

  1. Access the Sentinel Control Center.

  2. Launch the Integrator Manager:

    • If the Configuration menu is not enabled, click the Configuration tab, then click the Configuration menu > Integrator Manager or click the icon in the toolbar.

    • If the Configuration menu is enabled, click the Configuration menu > Integrator Manager or click the icon in the toolbar.

  3. Select Sentinel Link in the Integrators column, then click the Sentinel Link Connector tab.

  4. Use the following information to configure the Sentinel Link Integrator:

    Host Name: Specify the hostname or IP address of the destination Sentinel system where a Sentinel Link Connector is configured.

    Port Number: Specify the port number for the destination Sentinel system. The default port is 1290.

    Encrypted (HTTPS)/Not Encrypted (HTTP): Select whether the connection to the destination Sentinel system is encrypted or not encrypted. If you selected Encrypted, there are additional fields to configure:

    • Server Validation Mode: Select one of the following:

      • None: The Integrator does not validate the receiver's certificate.

      • Strict: The Integrator always verifies the receiver's certificate when connecting to the receiver. If this option is selected, the Integrator immediately attempts to retrieve the receiver's certificate over the network and validate that it is issued by an authorized CA.

        If the certificate is not validated, it is still presented to the user to accept or reject. The certificate is considered to be valid if the user accepts it. When a validated certificate is acquired, it is stored in the Integrator's configuration. From now on, the Integrator allows communication only with a receiver that provides that certificate during the initial connection setup.

    • Integrator Key Pair: Select one of the following:

      • None: The receiver system does not validate the sender certificates. Select this option if the receiver's client authentication type is configured to Open.

      • Custom: The receiver system validates the sender certificates. Select this option if the receiver's client authentication type is configured to Strict. If the receiver system performs a strict validation, it imports a trust store, which contains all the sender certificates that it trusts.

        After selecting this option, click the Import Key Pair button to import a key pair. The key pair you import must match one of the certificates that is included in the trust store that is imported by the receiver system.

  5. Click Save.
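The following added example is not part of Sentinel or its documentation. It models the Server Validation Mode decision described in Step 4 as a Python sketch. The class and function names, the SHA-256 fingerprint comparison, and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Callable, Optional

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER bytes; using it as the comparison key is an assumption."""
    return hashlib.sha256(cert_der).hexdigest()

class ServerValidation:
    """Decision model for Server Validation Mode (hypothetical class, not a Sentinel API)."""

    def __init__(self, mode: str, ca_valid: Callable[[bytes], bool],
                 operator_accepts: Callable[[str], bool]):
        self.mode, self.ca_valid, self.operator_accepts = mode, ca_valid, operator_accepts
        self.pinned: Optional[str] = None  # models the certificate stored in the configuration

    def acquire(self, cert_der: bytes) -> bool:
        """Configuration time: CA check first, operator accept/reject as the fallback."""
        fp = fingerprint(cert_der)
        if self.ca_valid(cert_der) or self.operator_accepts(fp):
            self.pinned = fp
            return True
        return False

    def allow(self, presented_der: bytes) -> bool:
        """Connection setup: None accepts any certificate, Strict only the stored one."""
        if self.mode == "none":
            return True
        if self.pinned is None:
            return False
        return hmac.compare_digest(self.pinned, fingerprint(presented_der))

# Constructed stand-ins for DER-encoded certificates; these are not real certificates.
RECEIVER, RENEWED, UNTRUSTED = b"receiver-cert", b"receiver-cert-renewed", b"self-signed-cert"

def trusted_by_ca(der: bytes) -> bool:
    """Stand-in for chain validation against an authorized CA."""
    return der in (RECEIVER, RENEWED)

def scenarios() -> dict:
    strict = ServerValidation("strict", trusted_by_ca, lambda fp: False)
    strict.acquire(RECEIVER)
    careless = ServerValidation("strict", trusted_by_ca, lambda fp: True)
    careless.acquire(UNTRUSTED)  # operator accepts a certificate that failed CA validation
    none = ServerValidation("none", trusted_by_ca, lambda fp: False)
    return {"pinned_ok": strict.allow(RECEIVER), "renewed": strict.allow(RENEWED),
            "untrusted": strict.allow(UNTRUSTED), "accepted_untrusted": careless.allow(UNTRUSTED),
            "none_mode": none.allow(UNTRUSTED)}
```

Under this model, a renewed receiver certificate is refused until it is acquired again, and accepting an unvalidated certificate at the prompt stores whatever certificate the network delivered. Confirm the fingerprint with the receiver's administrator before accepting.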

Configuring the Sentinel Mail Integrator

All Sentinel events that meet the filter criteria for which the Send an E-mail action is defined are sent to the associated SMTP relay and email addresses by the Sentinel Mail Integrator.

To configure the Sentinel Mail Integrator:

  1. Access the Sentinel Control Center.

  2. Launch the Integrator Manager:

    • If the Configuration menu is not enabled, click the Configuration tab, then click the Configuration menu > Integrator Manager or click the icon in the toolbar.

    • If the Configuration menu is enabled, click the Configuration menu > Integrator Manager or click the icon in the toolbar.

  3. Select Sentinel Mail in the Integrators column, then click the Connection tab.

  4. Use the following information to configure the Sentinel Mail Integrator:

    Host: Specify the hostname or IP address of an available SMTP server.

    Port: Specify the port number of an available SMTP server. The default port is 25.

    From (default): Specify the address from which the email messages are sent. The default value is siem@yourcompany.com.

    User: If the SMTP server requires authentication, specify a user name.

    Password: Specify the password for authentication to the SMTP server.

  5. Click Save.

Configuring the SNMP Integrator

All Sentinel events that meet the filter criteria for which the Send SNMP Traps action is defined are sent to the specified SNMP addresses.

To configure the SNMP Integrator:

  1. Access the Sentinel Control Center.

  2. Launch the Integrator Manager:

    • If the Configuration menu is not enabled, click the Configuration tab, then click the Configuration menu > Integrator Manager or click the icon in the toolbar.

    • If the Configuration menu is enabled, click the Configuration menu > Integrator Manager or click the icon in the toolbar.

  3. Select snmp in the Integrators column, then click the Server Configuration tab.

  4. Use the following information to configure the SNMP server:

    Host: Specify the IP address or hostname of the SNMP server you want to send the trap to.

    Port: Specify the port number for the SNMP server. The default port is 162.

    Community String (Password): Specify the community string (password) to access the SNMP management system. If no community string is specified, the Integrator sets the default value to public.

    OID: Specify the desired ASN.1 object ID you want to associate with this message. If no object ID is specified, the Novell Audit internal OID is used (2.16.840.1.113719.1.347.3.1).

  5. Click Save.

Configuring the Syslog Integrator

All Sentinel events that meet the filter criteria for the Send to Syslog action are sent to the specified syslog server.

To configure the Syslog Integrator:

  1. Access the Sentinel Control Center.

  2. Launch the Integrator Manager:

    • If the Configuration menu is not enabled, click the Configuration tab, then click the Configuration menu > Integrator Manager or click the icon in the toolbar.

    • If the Configuration menu is enabled, click the Configuration menu > Integrator Manager or click the icon in the toolbar.

  3. Select Syslog in the Integrators column, then click the Server Configuration tab.

  4. Use the following information to configure the Syslog Integrator:

    Host: Specify the host name or IP address of the syslog server.

    Protocol: Select the protocol used to connect to the syslog server.

    Port: Specify the port number used to connect to the syslog server.

    Default Facility: Select the default facility for the syslog server from the drop-down list. The facility allows you to classify the syslog messages.

    Stream Encoding: Select the encoding standard for the syslog Integrator.

  5. Click Save.

17.2.2 Adding an Integrator

The specific steps to configure an Integrator depend on the type of Integrator. The steps are described in detail in documents that come with the Integrators. Documentation for installed plug-ins can be viewed by selecting an Integrator in the Integrator Manager and clicking Help. Or, you can refer to the document that comes with the Integrator plug-in.

17.2.3 Viewing Integrator Health Details

  1. Launch the Sentinel Control Center.

  2. Launch the Integrator Manager:

    • (Conditional) If the Configuration menu is not enabled, click the Configuration tab, then click the Configuration menu > Integrator Manager or click the icon in the toolbar.

    • (Conditional) If the Configuration menu is enabled, click the Configuration menu > Integrator Manager or click the icon in the toolbar.

  3. In the Integrator Manager window, select an Integrator from the left pane.

  4. Click see details.

    The Health Details window displays the Refresh Health State, time of last occurrence, its method calls and the related events of the selected Integrator configuration.

    • Integrator API Calls: Indicates the status of the connection and the method calls used from the API of the selected integrator. For more information on the JavaScript plug-in, see Section 16.0, Configuring Actions.

      • Call Success Count: Displays the number of times the connection was established successfully and the methods were called successfully from the API. Time of Last Occurrence displays the time when the connection and the method call were successful.

      • Call Failure (but Connection Success) Count: Displays the number of times the connection was established successfully but the method call failed. Time of Last Occurrence displays the last time when the connection was successful and the method call failed.

      • Connection Failure Count: Displays the number of times the connection failed. Time of Last Occurrence displays the last time when the connection and method call failed.

      NOTE: The most recent success or failure time is shown in the overall health status for the configured Integrator.

    • Integrator Health Details: Provides information about the success of the API methods called in the JavaScript action files associated with the Integrator. It provides information specific to the methods called.

      • Method Name: Name of the API method used in the JavaScript.

        Success Count: Number of times the API method executed successfully.

        Time of Last Successful Call: The time at which the method was last successfully executed.

        Average Successful Run Time: Average time to make a successful method call.

        Error Count: Number of times the API method failed.

        Time of Last Error Call: The time at which the method call failed.

        Average Error Run Time: Average time to make a failed method call.

      NOTE: The most recent success or failure time is shown in the overall health status of the method.