3.8 Post-Installation Configuration

3.8.1 Configuring the SMTP Integrator to Send Sentinel Notifications

In Sentinel 6.1, a JavaScript SendEmail action works with an SMTP integrator to send e-mail messages from various contexts within the Sentinel interface to e-mail recipients. The recipients of the e-mail message and the message contents are configured in the action parameters.

A single action instance of the SendEmail action plug-in is created automatically in every Sentinel installation. This action is used internally by Sentinel to send e-mail in the following situations:

  • When a Correlation rule that is deployed with a Send Email action is triggered. The Send Email action referred to here is the action indicated by the gear icon, which is valid only for correlation (as opposed to the JavaScript SendEmail action, which is indicated by the JavaScript icon).

  • If the workflow includes a Mail Step or Activity that is configured to send e-mail.

  • If the user opens an incident and selects to execute an Activity that is configured to send e-mail.

  • If the user right-clicks an event and selects Email.

  • If the user opens an incident and selects Email Incident.

No configuration is necessary for the SendEmail action, but the SMTP Integrator must be configured with valid connection information before it works.

3.8.2 Sentinel Database

Unless the DBA wants to manage database archiving using his or her own procedures, Sentinel database automatic partition management (archiving, dropping, and adding partitions) should be enabled during installation to keep event data within a controlled size. Automatic partition management can also be configured post-installation by using the Sentinel Data Manager (SDM).

By default, the Sentinel Data Manager might not be able to write to the file system in order to archive data. This can be enabled by editing the init<OracleSID>.ora file for the database.

NOTE: By default, the installer sets all tablespaces to autogrow. By default, the file grow size is 200 MB, but the maximum file size depends on the value provided during the installation.

To enable Oracle to write to the archive directory:

  1. Log in to the database machine.

  2. Navigate to the $ORACLE_HOME/dbs directory.

  3. Open the init<OracleSID>.ora file in a text editor.

  4. Edit the UTL_FILE_DIR parameter to specify the directory path to which the archived Sentinel data should be written. You should have one of the following:

    • UTL_FILE_DIR = *

      or

    • UTL_FILE_DIR = [specific directory path]

  5. Save the file and exit.

3.8.3 Collector Service

During the installation of the Collector Service, a Collector called the General Collector is configured. By default, it creates events at a rate of 5 events per second (eps). This Collector can be used to test the installation. Additional Collectors can be downloaded from the Sentinel Content Web site.

3.8.4 Starting the Collector Manager Service

  1. Start Sentinel 6.1.

  2. Click Admin > Servers View.

    You can also click Servers View in the Navigator pane.

  3. Expand the Servers view.

    The list of processes is displayed.

  4. Right-click the Collector Manager that you want to start, then select Actions > Start.

Alternatively, click Event Source Management > Live View. Right-click the Collector Manager that you want to start, then select Start.

3.8.5 Configuring the Lightweight Collector Manager

The EventRouter component of the Collector Manager handles internal functions such as processing maps and applying global filters on the events parsed by the Collector Manager. These processes can cause high CPU and RAM usage on a remote system.

With Sentinel 6.1 SP1 Hotfix 2 and later, you can configure a lightweight version of the Collector Manager on remote systems that have limited CPU and RAM. The internal functions of a Lightweight Collector Manager (LWCM) are handled by the Sentinel server (or whichever system is running DAS), so they consume less CPU and RAM on the remote system.

The EventRouter must be configured to run in server mode on the DAS system and in client mode on the Collector Manager system. The Collector Manager system on which the EventRouter runs in client mode is referred to as the LWCM.

Configuring the LWCM on the DAS Machine

The EventRouter must be configured to run in the server mode. This enables the DAS Query container to provide centralized event routing for multiple LWCMs.

The das_query.xml file in the <ESEC_HOME>/config folder contains a preconfigured EventRouter section for server mode. By default, this section is commented out in the das_query.xml file.

Perform the following steps to configure the EventRouter for server mode:

  1. Open the das_query.xml file for edit.

    Windows: %ESEC_HOME%\config\das_query.xml

    Linux: $ESEC_HOME/config/das_query.xml

  2. Comment the following section:

    <obj-component id="EventRouter">
      <class>esecurity.ccs.comp.router.EventRouter</class>
      <property name="esecurity.router.mode">standalone</property>
      <property name="esecurity.router.disable.compression">true</property>
      <obj-component-ref>
        <name>DispatchManager</name>
        <ref-id>DispatchManager</ref-id>
      </obj-component-ref>
      <obj-component-ref>
        <name>EventPublisher</name>
        <ref-id>DispatchManager</ref-id>
      </obj-component-ref>
    </obj-component>
    
  3. Uncomment the following section:

    <!--
    <obj-component id="DispatchManagerEvents">
      <class>esecurity.ccs.comp.dispatcher.CommDispatcherManager</class>
      <property name="esecurity.communication.service">Sentinel</property>
      <property name="EventPublisher.performanceEventChannel">ewizard_binary_event</property>
    </obj-component>
    <obj-component id="EventRouterServer">
      <class>esecurity.ccs.comp.dispatcher.CommDispatcherManager</class>
      <property name="esecurity.communication.service">Sentinel</property>
    </obj-component>
    <obj-component id="EventRouter">
      <class>esecurity.ccs.comp.router.EventRouter</class>
      <property name="esecurity.router.mode">server</property>
      <property name="esecurity.router.disable.compression">true</property>
      <obj-component-ref>
        <name>DispatchManager</name>
        <ref-id>DispatchManager</ref-id>
      </obj-component-ref>
      <obj-component-ref>
        <name>EventPublisher</name>
        <ref-id>DispatchManagerEvents</ref-id>
      </obj-component-ref>
      <obj-component-ref>
        <name>EventRouterServer</name>
        <ref-id>EventRouterServer</ref-id>
      </obj-component-ref>
    </obj-component>
    -->
    
  4. Restart the Sentinel services.

NOTE: To return the EventRouter to standalone mode, comment the EventRouter section in the das_query.xml file and restart the Sentinel services.
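A check for the edited das_query.xml, added here as an example and not part of the Novell documentation or product: it parses the file, ignores anything still inside an XML comment, and reports the mode of the single live EventRouter together with any component it references that was left commented out. The <components> root element in the constructed sample is an assumption; the component ids and property names come from the steps above.

```python
import xml.etree.ElementTree as ET

# Constructed das_query.xml fragment as it should look after steps 2-3: the standalone
# EventRouter is commented out and the server-mode section is live. The <components>
# root element is an assumption; the component ids and properties come from the procedure.
DAS_QUERY_SERVER = """<components>
  <!--
  <obj-component id="EventRouter">
    <class>esecurity.ccs.comp.router.EventRouter</class>
    <property name="esecurity.router.mode">standalone</property>
  </obj-component>
  -->
  <obj-component id="DispatchManagerEvents">
    <class>esecurity.ccs.comp.dispatcher.CommDispatcherManager</class>
  </obj-component>
  <obj-component id="EventRouterServer">
    <class>esecurity.ccs.comp.dispatcher.CommDispatcherManager</class>
  </obj-component>
  <obj-component id="EventRouter">
    <class>esecurity.ccs.comp.router.EventRouter</class>
    <property name="esecurity.router.mode">server</property>
    <obj-component-ref><name>EventPublisher</name><ref-id>DispatchManagerEvents</ref-id></obj-component-ref>
    <obj-component-ref><name>EventRouterServer</name><ref-id>EventRouterServer</ref-id></obj-component-ref>
  </obj-component>
</components>"""

def event_router_mode(xml_text):
    """Return (mode, problems) for the live EventRouter in a das_query.xml document.

    The XML parser drops comments, so a section left inside <!-- --> is simply absent;
    a malformed edit (for example an unclosed comment) is reported instead of raising.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, ["das_query.xml is not well-formed: %s" % exc]
    components = list(root.iter("obj-component"))
    defined = {c.get("id") for c in components}
    routers = [c for c in components if c.get("id") == "EventRouter"]
    if len(routers) != 1:
        return None, ["expected exactly one live EventRouter, found %d" % len(routers)]
    router = routers[0]
    mode = router.findtext("property[@name='esecurity.router.mode']", "").strip()
    problems = [] if mode in ("standalone", "server") else ["unexpected mode %r" % mode]
    # Every component the router references must itself be live, not still commented out.
    for ref_id in (r.findtext("ref-id", "").strip() for r in router.findall("obj-component-ref")):
        if ref_id not in defined:
            problems.append("EventRouter references %r, which is not active" % ref_id)
    return mode, problems
```

Run it against the real file before restarting the services; a result other than ("server", []) means the edit left two routers live, broke a comment, or left a referenced component commented out.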

Configuring the LWCM on the Collector Manager Machine

To switch the EventRouter from standalone mode to client mode, rename the default collector_mgr.xml file, which is in the ESEC_HOME/config folder.

  1. Change the collector_mgr.xml filename to collector_mgr_standalone.xml.

  2. Change the collector_mgr_lwcm.xml filename to collector_mgr.xml.

  3. Restart the Collector Manager services.

NOTE: To return the EventRouter to standalone mode, change the filenames back to the original names and restart the Collector Manager services.

3.8.6 Managing Time

Novell strongly recommends that all Sentinel components, particularly the Correlation Engine and Collector Manager machines, be connected to an NTP (Network Time Protocol) server or another type of time server. If the system time across machines is not synchronized, the Sentinel Correlation Engine and Active Views do not work properly: events from the Collector Managers are not considered real-time and are therefore sent directly to the Sentinel database, bypassing the Sentinel Control Centers and Correlation Engines.

By default, the threshold for real-time data is 120 seconds. You can change this by modifying the value of esecurity.router.event.realtime.expiration in the event-router.properties file. The Sentinel event time is populated from either the Trust Device Time or the Collector Manager Time; you select Trust Device Time while configuring a Collector. The Trust Device Time is the time when the log was generated by the device, and the Collector Manager Time is the local system time of the Collector Manager system.

3.8.7 Modifying Oracle dbstart and dbshut scripts

Sentinel cannot start the Oracle 10 database because of errors in the Oracle dbstart and dbshut scripts. For details on the script errors, see Oracle Support for error numbers 336299.1 (subject “dbstart errors out when executing in 10.2.0.1.0”), 5183726, and 4665320.

After the installation of Sentinel 6.1, you need to modify the dbstart and dbshut scripts for Sentinel to start an Oracle 10 database.

To modify the dbstart and dbshut scripts on Solaris 10:

  1. In a text editor, open the dbstart script from $ORACLE_HOME/bin/dbstart.

  2. Go to line 78 and replace the line with ORACLE_HOME_LISTNER=$ORACLE_HOME.

  3. Add #!/bin/bash at the start to request the bash shell.

  4. Ensure that ORATAB is pointing to ORATAB=/var/opt/oracle/oratab.

    If ORATAB is not in this location on your system, modify the ORATAB path manually to the correct location.

  5. Click Save.

  6. In a text editor, open the dbshut script from $ORACLE_HOME/bin/dbshut.

  7. Ensure that ORATAB is pointing to ORATAB=/var/opt/oracle/oratab.

    If ORATAB is not in this location on your system, modify the ORATAB path manually to the correct location.

  8. Click Save.

To modify the dbstart script on Red Hat Linux ES4:

  1. In a text editor, open dbstart script from $ORACLE_HOME/bin/dbstart.

  2. Ensure that ORATAB is pointing to ORATAB=/etc/oratab.

    If ORATAB is not in this location on your system, modify the ORATAB path manually to the correct location.

  3. Click Save.

  4. Open the dbshut script for edit from $ORACLE_HOME/bin/dbshut.

  5. Ensure that ORATAB is pointing to ORATAB=/etc/oratab.

    NOTE: If ORATAB is not in this location on your system, modify the ORATAB path manually to the correct location.

  6. Click Save.
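A verifier for the edited scripts, added here as an example (not Oracle's or Novell's code): it applies the checks from the two procedures above to a dbstart or dbshut script for a given platform, so the edits can be confirmed before Sentinel is restarted. The platform labels and the constructed dbstart excerpt are assumptions; the ORATAB paths and line contents come from the steps.

```python
import re

# ORATAB locations the procedure names for each platform (labels are this example's own).
ORATAB_BY_PLATFORM = {"solaris10": "/var/opt/oracle/oratab", "rhel4": "/etc/oratab"}

# Constructed excerpt of a dbstart script after the Solaris 10 edits; not Oracle's script.
DBSTART_SOLARIS_EDITED = """#!/bin/bash
# dbstart (constructed excerpt)
ORATAB=/var/opt/oracle/oratab
ORACLE_HOME_LISTNER=$ORACLE_HOME
"""

def oratab_path(script_text):
    """Return the last ORATAB=... assignment in a shell script, or None if there is none."""
    hits = re.findall(r'^\s*ORATAB=\s*"?([^"\s]+)"?', script_text, re.MULTILINE)
    return hits[-1] if hits else None

def check_dbshut(script_text, platform):
    """dbshut only needs ORATAB to point at the platform's oratab file."""
    expected = ORATAB_BY_PLATFORM[platform]
    found = oratab_path(script_text)
    return [] if found == expected else ["ORATAB should be %s, found %s" % (expected, found)]

def check_dbstart(script_text, platform):
    """dbstart needs the same ORATAB fix plus, on Solaris 10, the shebang and listener edits."""
    problems = check_dbshut(script_text, platform)
    if platform == "solaris10":
        if not script_text.startswith("#!/bin/bash"):
            problems.append("first line must be #!/bin/bash")
        if not re.search(r"^\s*ORACLE_HOME_LISTNER=\$ORACLE_HOME\s*$", script_text, re.MULTILINE):
            problems.append("ORACLE_HOME_LISTNER=$ORACLE_HOME line is missing")
    return problems
```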

After Sentinel is installed, you must install the Crystal Reporting server and the Sentinel Core Solution Pack.

DAS and the Sentinel Database are typically located in a secure area of your network. However, you might want to add another security layer to protect the data being transmitted from DAS to the database. For Oracle, the DBA can use the Advanced Security feature. For SQL Server, the DBA can enable the SSL functionality in the jTDS driver. For more information, go to the jTDS FAQ and search for "ssl".

3.8.8 High-Performance Configuration

There are several recommendations for configuring a high-performance Sentinel system.

  • The Sentinel Server machine with Data Access Server (DAS) must have a local or shared striped disk array (RAID) with a minimum of four disk spindles because of high event loads and local caching.

  • The distributed hosts must be connected to the other Sentinel Server hosts through a single high-speed switch (GigE) in order to prevent network traffic bottlenecks.

  • The Crystal Reports Server should be installed on its own dedicated machine, particularly if the database is large or reporting usage is heavy.

  • To achieve optimal performance on systems using an Oracle database, store the Oracle data files on a StorCase Disk Array (16 disks) and the Oracle Redo log on a separate local SATA drive.

  • To achieve optimal performance on the Sentinel server, the file directory that holds DAS aggregation data and insertErrorBuffer can be pointed to a separate local SATA hard drive.

To change the file directory for aggregation and buffers:

NOTE: The esecadm user or the user running the Sentinel services must have write permission to the file directory that holds the DAS aggregation data and insertErrorBuffer.

  1. On the Sentinel server (the machine where DAS is installed), open the das_binary.xml file for editing.

    On Windows: %ESEC_HOME%\config\das_binary.xml

    On Linux: $ESEC_HOME/config/das_binary.xml

  2. Change the rootDirectory value in the following component:

    <obj-component id="EventInsertErrorHandler">
      <class>esecurity.ccs.comp.event.EventInsertErrorHandlerService</class>
      <property name="cacheImpl">esecurity.ccs.comp.event.SmallFileMultiDirectoryEventMessageCache</property>
      <property name="rootDirectory">../data/events/insertErrorBuffer</property>
      <property name="reportInterval">300</property>
      <property name="takeDelaySec">60</property>
      <property name="eventTimeoutSec">28800</property>
      <property name="onlineCapacity">1000</property>
      <property name="capacity">5368709120</property>
    </obj-component>
    
  3. In the same file, change the rootDirectory value of the following component:

    <obj-component id="EventProcessingErrorHandler">
      <class>esecurity.ccs.comp.event.EventInsertErrorHandlerService</class>
      <property name="cacheImpl">esecurity.ccs.comp.event.SmallFileMultiDirectoryEventMessageCache</property>
      <property name="rootDirectory">../data/events/insertErrorBuffer</property>
      <property name="reportInterval">300</property>
      <property name="takeDelaySec">60</property>
      <property name="eventTimeoutSec">28800</property>
      <property name="onlineCapacity">1000</property>
      <property name="capacity">5368709120</property>
    </obj-component>
    
  4. Change the directory and outputDirectory values of the following component:

    <obj-component id="EventFileRedirectService">
      <class>esecurity.ccs.comp.event.redirect.EventFileRedirectService</class>
      <property name="status">on</property>
      <property name="handler">esecurity.event.fileredirect</property>
      <property name="directory">../data/events/aggregation</property>
      <property name="outputDirectory">../data/events/aggregation/done</property>
      <property name="filePrefix">events</property>
      <property name="fileSuffix">dat</property>
      <property name="maxFileSize">500000000</property>
      <property name="maxFileTime">1800</property>
      <property name="notificationChannel">event_file_redirect</property>
      <obj-component-ref>
        <name>Publisher</name>
        <ref-id>DispatchManager</ref-id>
      </obj-component-ref>
    </obj-component>
    
  5. Save the das_binary.xml file and exit.

  6. On the Sentinel server (the machine where DAS is installed), open the das_aggregation.xml file in the config directory for editing.

  7. Change the directory value in the following component to match the directory value in the EventFileRedirectService component in the das_binary.xml file.

    <obj-component id="EventAggregationService">
      <class>esecurity.ccs.comp.event.transformer.EventAggregationService</class>
      <property name="directory">c:\test\Aggregation\done</property>
      <property name="reporterChannel">event_aggregation_status</property>
      <property name="updateBatchSize">200</property>
      <property name="updateDB">enabled</property>
      <property name="nullHashValid">false</property>
      <property name="maxNumberEntries">30000</property>
      <property name="maxEntrySize">50</property>
      <property name="startOffsetInDays">7</property>
      <property name="deleteProcessedFiles">true</property>
      <obj-component-ref>
        <name>Publisher</name>
        <ref-id>DispatchManager</ref-id>
      </obj-component-ref>
    </obj-component>
    
  8. Save the das_aggregation.xml file and exit.

  9. Restart the Sentinel server for the changes to take effect.
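A consistency check for the two edited files, added here as an example and not part of the product: it reads the directory properties changed in steps 2 through 7 and reports any that still point at the shipped relative default (so the data has not actually moved off the system disk) or an EventAggregationService directory that matches neither directory of the EventFileRedirectService. The constructed fragments assume a <components> root element and example /mnt/sata1 paths; the component and property names come from the steps above.

```python
import xml.etree.ElementTree as ET

# Constructed fragments of das_binary.xml and das_aggregation.xml after steps 2-7, with the
# buffers moved to a separate drive. The <components> root element and the /mnt/sata1 paths
# are assumptions; the component ids and property names come from the procedure.
DAS_BINARY = """<components>
  <obj-component id="EventInsertErrorHandler">
    <property name="rootDirectory">/mnt/sata1/events/insertErrorBuffer</property>
  </obj-component>
  <obj-component id="EventProcessingErrorHandler">
    <property name="rootDirectory">/mnt/sata1/events/insertErrorBuffer</property>
  </obj-component>
  <obj-component id="EventFileRedirectService">
    <property name="directory">/mnt/sata1/events/aggregation</property>
    <property name="outputDirectory">/mnt/sata1/events/aggregation/done</property>
  </obj-component>
</components>"""
DAS_AGGREGATION = """<components>
  <obj-component id="EventAggregationService">
    <property name="directory">/mnt/sata1/events/aggregation/done</property>
  </obj-component>
</components>"""

DEFAULT_PREFIX = "../data/events"   # shipped location, relative to the DAS working directory

def _properties(xml_text, component_id):
    """Return {property name: value} for one obj-component, or raise if it is absent."""
    for comp in ET.fromstring(xml_text).iter("obj-component"):
        if comp.get("id") == component_id:
            return {p.get("name"): (p.text or "").strip() for p in comp.findall("property")}
    raise KeyError("no obj-component with id %r" % component_id)

def check_das_directories(das_binary_xml, das_aggregation_xml):
    """Cross-check the directories edited in steps 2-7; returns a list of problems."""
    problems = []
    redirect = _properties(das_binary_xml, "EventFileRedirectService")
    paths = {"EventFileRedirectService.directory": redirect["directory"],
             "EventFileRedirectService.outputDirectory": redirect["outputDirectory"]}
    for cid in ("EventInsertErrorHandler", "EventProcessingErrorHandler"):
        paths[cid + ".rootDirectory"] = _properties(das_binary_xml, cid)["rootDirectory"]
    # Anything still under the shipped relative default was not moved off the system disk.
    for name, value in sorted(paths.items()):
        if value.startswith(DEFAULT_PREFIX):
            problems.append("%s still at default %s" % (name, value))
    # Step 7: the aggregation service must read where the redirect service writes.
    agg = _properties(das_aggregation_xml, "EventAggregationService")["directory"]
    if agg not in (redirect["directory"], redirect["outputDirectory"]):
        problems.append("EventAggregationService.directory %s matches neither redirect directory" % agg)
    return problems
```

The check also accepts the done directory for step 7, because the sample component above points the aggregation service at the redirect service's done directory rather than its input directory.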