4.1 Testing the Installation

Sentinel is installed with a demonstration collector that can be used to test many of the basic functions of the system. Using this collector, you can test Active Views, Incident creation, Correlation rules, and Reports. The following procedure describes the steps to test the system and the expected results. You might not see the exact events, but your results should be similar to the results below.

At a basic level, these tests allow you to confirm the following:

If any of these tests fail, review the installation log and other log files, and contact Novell Technical Support if necessary.

To test the installation:

  1. Start the Sentinel Control Center:

    • Windows: Double-click the Sentinel Control Center icon on the desktop.

    • Linux/Solaris: Log in as an admin user (esecadm), change the directory to $ESEC_HOME/bin and run ./control_center.sh from the command prompt. Specify the credentials and press Enter.

  2. Log in to the system as an admin user (esecadm by default).

    The Sentinel Control Center opens and you can see the events in the Active Views filtered by public filters: Internal_Events and High_Severity.

  3. Click the Event Source Management menu, and select Live View.

  4. In the Graphical view, right-click the 5 eps event source and select Start.

  5. Close the Event Source Management Live View window.

  6. Click the Active Views tab.

    The Active View window titled PUBLIC: High_Severity, Severity is displayed. The collector might take some time to start and send data, so events might not appear in the Active View window immediately.

  7. Click the Event Query button in the toolbar.

    The Historical Event Query window is displayed.

  8. In the Historical Event Query window, click the Filter drop-down arrow to select the filter. Highlight Public: All filter and click Select.

  9. Select a time period that covers the time that the Collector has been active. Select the date range from the From and To drop-down lists.

  10. Select a batch size from the Batch size drop-down list.

  11. Click the Magnifying Glass icon to run the query.

  12. Hold down the Ctrl or Shift key, and select multiple events from the Historical Event Query window.

  13. Right-click and select Create Incident.

  14. Enter a name for the incident, for example TestIncident1, and click Create. A success notification is displayed.

  15. Click OK.

  16. Click the Incident tab.

    The Incident View Manager window is displayed, listing the incident that you created.

  17. Double-click the incident to display it.

  18. Click File > Exit or click the X button on the upper right corner of the window to close the Incident window.

  19. Click the Analysis tab.

    The Analysis Navigator window with the Events folder is displayed.

  20. Click Historical Event Queries.

  21. Click Analysis > Create Report or click the Create Report icon.

    An Event Query window is displayed. Set the following:

    • time frame

    • filter

    • severity level

    • batch size (the number of events to view; events are displayed from oldest to newest)

  22. Click the Begin Searching icon.

  23. To view the next batch of events, click More.

  24. Rearrange the columns by dragging and dropping them, and sort the events as required by clicking the respective column heading.

    When the query is complete, it gets added to the list of quick queries in the Navigator.

  25. Click the Correlation tab.

    The Correlation Rule Manager window is displayed.

  26. Click Add.

    The Correlation Rule wizard is displayed.

  27. Click Simple.

    The Simple Rule window is displayed.

  28. Use the drop-down menus to set the criteria to Severity 4. Click Next.

    The Update Criteria window is displayed.

  29. Select Do not perform actions every time this rule fires for the next and set the time period to 1 Minute using the drop-down menu. Click Next.

    The General Description window displays.

  30. Enter a name and description for the rule, and click Next.

  31. Select No, do not create another rule and click Next.

  32. Create an action to associate the rule that you have created:

    1. Perform either of the following:

      • Select Tools > Action Manager > Add.

      • In the Deploy Rule window, click Add Action. For more information, see Step 33 through Step 34.

      The Configure Action window is displayed.

    2. In the Configure Action window, specify the following:

      • Specify the action name. For example, CorrelatedEvent Action.

      • Select Configure Correlated Event from the Action drop-down list.

      • Set the Event Options.

      • Set the Severity to 5.

      • Specify the EventName. For example, CorrelatedEvent.

      • Specify a message if required.

    3. Click Save.

  33. Open the Correlation Rule Manager window.

  34. Select a rule and click the Deploy rules link.

    The Deploy Rule window is displayed.

  35. In the Deploy Rule window, select the Engine to deploy the rule to from the drop-down list.

  36. Select the action that you created in Step 32 to associate with the rule and click OK.

  37. Select Correlation Engine Manager.

    In the Correlation Engine Manager, you can see that the rule is deployed and enabled.

  38. Click the Active Views tab and verify that the Correlated Event is generated.

  39. Close the Sentinel Control Center.

  40. Double-click the Sentinel Data Manager (SDM) icon on the desktop.

  41. Log in to SDM using the Database Administrative User specified during installation (esecdba by default).

  42. Click each tab to verify that you can access them.

  43. Close Sentinel Data Manager.

If you were able to proceed through all of these steps without errors, you have completed a basic verification of the Sentinel system installation.
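To make the behaviour of the correlation rule built in Steps 25 through 38 concrete, the following is an added example (not Sentinel's own code) that models a simple rule matching Severity 4, a 1-minute action-suppression window, and a Configure Correlated Event action emitting a Severity 5 CorrelatedEvent. It assumes "Severity 4" means an exact match and that suppression only skips the action while the rule itself still counts as having fired; the event sample is constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    ts: float        # seconds since an arbitrary start (constructed sample)
    severity: int
    name: str


@dataclass
class SimpleSeverityRule:
    """Models the test rule: match Severity 4, suppress repeat actions for
    1 minute, and emit a Severity 5 CorrelatedEvent when the action runs."""
    match_severity: int = 4
    suppress_seconds: float = 60.0      # "do not perform actions ... for the next 1 Minute"
    out_severity: int = 5               # Configure Correlated Event: Severity 5
    out_name: str = "CorrelatedEvent"   # Configure Correlated Event: EventName
    last_action_ts: Optional[float] = None
    fired: int = 0                      # how often the criteria matched (assumption: counted even when throttled)

    def process(self, ev: Event) -> Optional[Event]:
        if ev.severity != self.match_severity:
            return None                 # criteria not met, rule does not fire
        self.fired += 1
        if (self.last_action_ts is not None
                and ev.ts - self.last_action_ts < self.suppress_seconds):
            return None                 # rule fired, but the action is suppressed
        self.last_action_ts = ev.ts
        return Event(ts=ev.ts, severity=self.out_severity, name=self.out_name)


def run_rule(rule: SimpleSeverityRule, events: List[Event]) -> List[Event]:
    """Feed events through the rule and collect the correlated events it emits."""
    return [c for c in (rule.process(ev) for ev in events) if c is not None]


# Constructed sample resembling output from the demonstration collector.
SAMPLE_EVENTS = [
    Event(0.0, 4, "DemoEvent"),
    Event(10.0, 2, "DemoEvent"),
    Event(20.0, 4, "DemoEvent"),    # matches, but within 60 s of the first action
    Event(65.0, 4, "DemoEvent"),    # window elapsed, action runs again
    Event(70.0, 5, "DemoEvent"),    # severity 5 does not match the rule
    Event(130.0, 4, "DemoEvent"),
]

if __name__ == "__main__":
    rule = SimpleSeverityRule()
    for c in run_rule(rule, SAMPLE_EVENTS):
        print(f"t={c.ts:>6.1f}  {c.name} severity={c.severity}")
    print(f"rule fired {rule.fired} times")
```

Running it shows three CorrelatedEvents (at t=0, 65 and 130) although the criteria matched four times, which is the throttling effect to expect in the Active View in Step 38.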