9.1 Viewing the Event Sources Page

The Event Sources page consists of different sections that allow you to perform different functions.

Collector Managers: Lists all the Collector Managers associated with the Sentinel system. It also displays the state and details about the Collector Managers.

Event Source Servers: Lists all the Event Source Servers associated with the Sentinel system. It also displays the state of the Event Source Servers.

Collector Plug-ins: Lists all the Collector plug-ins associated with the Sentinel system. You can also view the details about the installed plug-ins.

The Event Sources section in the right pane lists the event sources based on the options selected from the left pane.

NOTE: The Event Sources page shows event sources that were already configured or automatically detected. To manually configure additional event sources, use the Event Source Management user interface described in Configuring Data Collection for Other Event Sources.

9.1.1 Viewing Event Sources

  1. From Sentinel Main, click Collection > Event Sources.

    Each column in the Event Source section has different information:

    Health Icon: The colored icon indicates the event source health.

    • Green: Indicates that the event source is healthy and Sentinel has received data from it.

    • Red: Indicates that the Sentinel server is reporting an error about connecting to or receiving data from this event source.

    • Gray: Indicates that the event source is turned off. Sentinel is not processing any data from it.

    • Orange: Indicates that the event source is running with some warnings.

    You can sort the event sources based on their health status.

    Name: Displays the name given to the Event Source by the system (if it was auto-created) or by a user. For Syslog Event Sources, if the Event Source was auto-created by the system, the name is a combination of the hostname/IP address and the Collector connection mode the event source is using.

    You can rename any Event Source at any time through the Event Source Management interface.

    You can sort the Event Sources in alphabetical order based on their names.

    Collector Plug-in: Displays the name of the Collector plug-in that the event source is connected to.

    This is the name of the Collector plug-in, not the name of the Collector instance. You can sort the event sources based on Collector plug-in name.

    Store raw data: Indicates whether Sentinel stores raw data from the associated event source.

    • Yes: Sentinel stores all data received from the event source regardless of the filter set on the event source.

    • No: Sentinel does not store the data received from the event source and does not generate events.

      You can sort the event sources based on the Store raw data status.

    Parse: Indicates whether Sentinel parses the data received from the event source.

    • All: Sentinel parses all the data received from the event source.

    • Filtered: Sentinel parses only the filtered data received from the event source.

    • None: Sentinel does not parse the data received from the event source.

      NOTE: If the Store raw data option is set to No, Sentinel does not parse the data.

    Create Date: Specifies the date and time when the event source was created. You can sort the event sources based on when they were created.

    EPS: Displays the events per second value received from the event source. You can sort the event sources based on their events per second value.

    If you see a value of less than one (<1) in this column, it indicates that the EPS rate is greater than zero, but less than one.

  2. To select or deselect an event source, select the check box next to the event source.

    To select all the available event sources, select the check box at the top of the column.

  3. To sort the event sources by Health, Name, Collector Plug-in, Drop Data, Create Date, and EPS values, click the column header. The selected column header is displayed in bold.

    When you first click a column header, the event sources are arranged in ascending order. A blue down-arrow is displayed to indicate that the sort order is ascending. When you click the column header for the second time, the sort order is changed to descending, and a blue up-arrow is displayed to indicate that the sort order is descending.

  4. To view additional information about an event source, click the Name or EPS value of an event source. A dialog box displays the additional information.

9.1.2 Configuring Event Sources

  1. From Sentinel Main, click Collection > Event Sources.

  2. In the Event Sources tab, select one or more event sources.

    NOTE: If you select multiple event sources, the settings apply to all the selected event sources.

  3. Click the Settings icon.

    • Start: Sentinel starts collecting raw data received from the event sources. Sentinel starts only the event sources that are in the stopped state. If the event sources are already in the start state, they remain unchanged.

    • Stop: Sentinel stops collecting raw data received from the event sources. Sentinel stops only the event sources that are in the start state. If the event sources are already in the stopped state, they remain unchanged.

    • Delete: Deletes the selected event sources.

    • Collector Plug-in: Select the Collector plug-in to connect to the event sources.

    • Tags: Select the tags to set on the event sources.

    • Configure: Select Configure to set the following options in the Configure Event Sources window:

      • No data alert: Click Edit to configure notifications if Sentinel does not receive data from the event sources.

        • Alert if no data received in specified time period: Select this option to receive notifications if no data is received during the specified time period.

        • Send repeated alerts every time period: Select this option to receive repeated notifications at every time interval (specified in the time period).

      • Time zone: Select the time zone for the event source.

      • Trust event source time (Optional): Select this option to set the event time to the time the event occurred, rather than the time Sentinel received the data.

      • Store raw data: Select Yes to store the raw data from the event sources. If you select No, Sentinel does not store the raw data.

      Click Save to apply the selected settings.
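The two No data alert options above (alert after a silent period, optionally repeating every further period) can be hard to reason about when an outage spans several periods. The following added example, which is not Sentinel code and uses hypothetical names, replays constructed data-arrival times against periodic checks to show when each option fires; the assumption that fresh data clears the alert state is labelled in the code.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class NoDataAlertConfig:
    period_s: float        # "Alert if no data received in specified time period"
    repeat: bool = False   # "Send repeated alerts every time period"

@dataclass
class NoDataMonitor:
    cfg: NoDataAlertConfig
    last_data: float                    # when the event source last delivered data
    last_alert: Optional[float] = None  # when the most recent alert fired, if any
    alerts: List[float] = field(default_factory=list)

    def on_data(self, t: float) -> None:
        # Data arrived: restart the silence window. Assumption (not stated on the
        # page): fresh data also clears the alert state so a later outage alerts again.
        self.last_data = t
        self.last_alert = None

    def check(self, now: float) -> bool:
        """Evaluate the rule at wall-clock time `now`; True if an alert fires."""
        if now - self.last_data < self.cfg.period_s:
            return False                # still inside the allowed silence window
        if self.last_alert is None:
            fire = True                 # first alert for this outage
        else:                           # repeats only with the option on, once per period
            fire = self.cfg.repeat and now - self.last_alert >= self.cfg.period_s
        if fire:
            self.last_alert = now
            self.alerts.append(now)
        return fire

def simulate(cfg: NoDataAlertConfig, data_times: List[float],
             check_times: List[float]) -> List[float]:
    """Replay data-arrival times against periodic checks; return the alert times."""
    mon = NoDataMonitor(cfg, last_data=data_times[0])
    pending = sorted(data_times[1:])
    for now in sorted(check_times):
        while pending and pending[0] <= now:   # deliver data that arrived before this check
            mon.on_data(pending.pop(0))
        mon.check(now)
    return mon.alerts

# Constructed sample: data at t=0 and t=30, silence until t=210, a check every 10 s.
SAMPLE_DATA = [0, 30, 210]
SAMPLE_CHECKS = list(range(0, 301, 10))
```

With a 60 s period, the sample fires at t=90 and again at t=270 after the second outage; only with the repeat option on does it also fire at t=150 during the first outage.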

9.1.3 Viewing Collector Managers

  1. From Sentinel Main, click Collection > Event Sources.

    The Collector Manager section is displayed in the Event Sources page.

    Health: Indicates the health of the Collector Managers. You can sort the Collector Managers based on their health status.

    Name: Displays the names of the Collector Managers. You can sort the Collector Managers in alphabetical order based on their names.

    EPS: Displays the events per second value received from the event sources. You can sort the Collector Managers based on the events per second value.

  2. To select or deselect a Collector Manager, select the check box next to the Collector Manager.

    To select all the available Collector Managers, select the check box located at the top of the column.

    The right pane displays the list of event sources connected to the selected Collector Managers.

    If none of the Collector Managers are selected, the event sources table displays all the configured event sources.

  3. To sort the Collector Managers by Health, Name, and EPS values, click the column header. The selected column header displays in bold text.

  4. To get additional information about the Collector Managers, click the Name or EPS value column. A dialog box displays the additional information.

9.1.4 Viewing Event Source Servers

  1. From Sentinel Main, click Collection > Event Sources.

    The Event Source Servers section is displayed.

    Health: Indicates the health of the Event Source Server. You can sort the Event Source Servers based on their health status.

    Name: Displays the names of the Event Source Servers used to parse the data from the event sources (for example, Syslog Server SSL). You can sort the Event Source Servers in alphabetical order based on their names.

    EPS: Displays the events per second value received from the event sources. You can sort the event source servers based on the events per second value.

  2. To sort the Event Source Servers by Health, Name, and EPS values, click the column header. The selected column header displays in bold text.

  3. To view additional details, click the Name or EPS value column. A dialog box displays the additional information.

9.1.5 Viewing Collector Plug-Ins

  1. From Sentinel Main, click Collection > Event Sources.

    Health: Indicates the aggregate health of all event sources that are connected to the Collector plug-in.

    With the exception of the green icon (healthy state), the icon does not necessarily mean that all event sources connected to the Collector plug-in are in the state indicated by the icon.

    The red icon (error state) indicates that one or more event sources connected to the Collector plug-in are in an error state. To get detailed information, click the Name or EPS column value.

    Name: Displays the names of the Collector plug-ins used to parse the data from the event sources (for example, Cisco Firewall 6.1r1).

    This is the name of the Collector plug-in, not the name of the Collector instance. You can sort the event sources based on Collector plug-in name.

    EPS: Displays the events per second value received from the event sources. You can sort the Collector plug-ins based on the events per second value.

  2. To select or deselect the Collector plug-ins, select the check box next to the Collector plug-in.

    To select all the available Collector plug-ins, select the check box at the top of the column.

  3. To sort the Collector plug-ins by Name or EPS values, click the appropriate column header. The selected column header displays in bold text.

    The Collector Instances field displays the number of instances of the Collector plug-in. Clicking the Collector Instances field displays a Collectors window with a list of Collector instances associated with the Collector plug-in.

  4. Click the Collector Plug-in column to display a dialog box with additional information about the Collector plug-in.