10.4 Components of Event Source Hierarchy

ESM displays the information on the Collectors and other components in a hierarchy specific to ESM.

Figure 10-15 ESM Hierarchy

NOTE: ESM allows you to add Collectors, Event Sources, and Connectors.

Table 10-4 Components of ESM Hierarchy

Sentinel

The single Sentinel icon represents the main Sentinel Server that manages all events collected by the Sentinel system.

The Sentinel object is installed automatically through the Sentinel installer.

Collector Manager

Each Collector Manager icon represents another instance of a Collector Manager process. Multiple Collector Manager processes can be installed throughout the enterprise. As each Collector Manager process connects to Sentinel, the corresponding object is created in ESM automatically.

Collector

Collectors instantiate the parsing logic for data from a particular event source. Each Collector icon in ESM refers to a deployed Collector script as well as the runtime configuration of a set of parameters for that Collector.

Connector

Connectors are used to provide the protocol-level communication with an event source, using industry standards like Syslog, JDBC, and so forth. Each instance of a Connector icon in ESM represents the Connector code as well as the runtime configuration of that code.

Event Source Server

An Event Source Server (ESS) is considered part of a Connector, and is used when the data connection with an Event Source is inbound rather than outbound. The ESS represents the daemon or server that listens for these inbound connections. The ESS caches the received data, and one or more Connectors connect to the ESS to fetch a set of data for processing. A Connector requests only the data that comes from its configured Event Source (as defined in the meta-data for the Event Source) and that matches any additional filters.

Event Source

The Event Source represents the actual source of data for Sentinel. Unlike the other components, this is not a plugin but a container for meta-data, including runtime configuration, about the event source. In some cases a single Event Source can represent many real sources of event data, for example when multiple devices write to a single file.

10.4.1 Component Status Indicators

Indicators are used to represent various states as follows:

Table 10-5 Component Status Indicators

Stopped

Indicates that the component is stopped.

Running

Indicates that the component is running.

Warning

Indicates that a warning is associated with the component. At this time, this warning indicator is primarily used to show that the configured state and the actual state of a component differ (that is, a component is configured to be running, but its actual state is stopped).

Error

Indicates that an error is associated with the component. See the individual component’s status display for details about the error.

Reporter Time is Skewed

Indicates that the time of a component differs from the main server's time by more than a predefined threshold.

Debug

Indicates that the component is in Debug mode. Only a Collector can be in Debug mode.

Unknown

This indicator is displayed when the status of the object in the ESM panel is not yet known.

To set an Attribute filter for displaying components:

  1. In Sentinel Control Center, click Event Source Management in the menu bar and select Live View or Scratch Pad.

  2. Click the Attribute Filter frame.

  3. Specify the Search and Limit to criteria.

  4. Check the Running and/or Stopped checkbox to specify the status of the components to display.
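As an added illustration (not Sentinel's own code), this Python models the indicator rules of Table 10-5 together with the Running/Stopped attribute filter above; the precedence between indicators, the skew threshold, the field names and the sample components are assumptions of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Indicator(Enum):            # the indicators listed in Table 10-5
    STOPPED = "Stopped"
    RUNNING = "Running"
    WARNING = "Warning"
    ERROR = "Error"
    TIME_SKEWED = "Reporter Time is Skewed"
    DEBUG = "Debug"
    UNKNOWN = "Unknown"

SKEW_THRESHOLD_S = 300.0          # assumed; the manual only says "a predefined time threshold"

@dataclass
class Component:
    name: str
    kind: str                     # "Collector", "Connector", "Event Source", ...
    configured_running: bool      # the Run check box in the deployment wizard
    actual_running: Optional[bool]  # None = state not yet reported to ESM
    error: Optional[str] = None   # error text from the component's status display
    debug: bool = False           # only a Collector can be in Debug mode
    clock_offset_s: float = 0.0   # component clock minus Sentinel server clock

def indicator_for(c: Component) -> Indicator:
    """Map one component's state to a single indicator.
    The precedence used here (Unknown > Error > Debug > Warning > skew >
    Running/Stopped) is an assumption; the manual lists the indicators only."""
    if c.actual_running is None:
        return Indicator.UNKNOWN
    if c.error:
        return Indicator.ERROR
    if c.debug:
        if c.kind != "Collector":
            raise ValueError(f"{c.name}: only a Collector can be in Debug mode")
        return Indicator.DEBUG
    if c.configured_running != c.actual_running:  # configured and actual state differ
        return Indicator.WARNING
    if abs(c.clock_offset_s) > SKEW_THRESHOLD_S:
        return Indicator.TIME_SKEWED
    return Indicator.RUNNING if c.actual_running else Indicator.STOPPED

def attribute_filter(components, running=True, stopped=True):
    """Mimic the Attribute Filter's Running/Stopped check boxes."""
    wanted = ({Indicator.RUNNING} if running else set()) | ({Indicator.STOPPED} if stopped else set())
    return [c.name for c in components if indicator_for(c) in wanted]

# Constructed sample hierarchy; names and states are made up for the example.
SAMPLE = [
    Component("Syslog Collector", "Collector", True, True),
    Component("Syslog Connector", "Connector", True, False),   # configured to run, actually stopped
    Component("fw01 Event Source", "Event Source", False, False, clock_offset_s=-900.0),
    Component("JDBC Collector", "Collector", True, True, debug=True),
    Component("JDBC Connector", "Connector", True, None),      # no status reported yet
    Component("db01 Event Source", "Event Source", True, True, error="login failed"),
    Component("legacy Event Source", "Event Source", False, False),
]
```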

To hide components based on type:

  1. In Sentinel Control Center, click Event Source Management in the menu bar and select Live View or Scratch Pad.

  2. Click the Attribute Filter frame.

  3. Specify the Search and Limit to criteria.

  4. Select the component type by which to limit the view.

10.4.2 Adding Components to Event Source Hierarchy

Although some Sentinel components are pre-installed with the Sentinel system, Novell recommends that you check the Sentinel Content Web site to download the updated versions.

Collectors, Connectors and Event Sources can be added to the system through the right-click menus on the main ESM display.

10.4.3 Collectors

To run Collectors and generate events according to your requirements, you need to:

  • Download Collectors

  • Import and Deploy Collectors

    • After downloading Collectors, import and deploy the Collectors.

  • Generate Events

    • Start (Right-click the Collector and select Start) the Collector to generate Events.

  • Debug Collectors

    • For any errors in the output of a Collector, select the Collector, right-click and select Debug.

    • For more information, see Section 10.5, Debugging.

  • Edit Collectors

    • To troubleshoot any misbehavior of a Collector, you can edit the Collector. The method for editing the Collector depends on the type of Collector.

    • For proprietary (or legacy) Collectors, copy the Collector Script to a Windows machine that has Collector Builder installed.

    • For JavaScript Collectors, any standard development environment for JavaScript can be used.

    • For more information on editing Collectors, see Sentinel Collector SDK.

  • Re-Import and deploy Collectors

Adding Connectors/Collector Plugins

NOTE: When you use the Sentinel Control Center to browse to locate a file on the Desktop of the Collector Manager, clicking Desktop takes you to the Desktop of the user running the Collector Manager, usually SYSTEM. Extra steps might be necessary to navigate to the correct user's desktop.

To add a Connector plugin:

  1. Click Tools on the Menu Bar and select Import plugin.... The Import Plugin wizard window displays.

  2. Select Import Collector Script or Connector plugin package file (.zip). Click Next.

  3. Browse to the location of the Connector Plugin package file and click OK. Click Next.

    NOTE: If the imported file is not in the format specified for Collector scripts or for Connector plugin packages, the system displays an error message.

  4. The Plugin details window displays. Select the Deploy Plugin option to deploy the plugin from this window. For more information, see To connect to the Event Sources.

  5. Click Finish.

    NOTE: When you add a plugin into Sentinel, it is placed in the Plugin Repository, which enables Sentinel components on other machines to start using the plugin without having to add the plugin separately.

To add a Collector plugin:

  1. Click Tools on the Menu Bar and select Import plugin. The Import Plugin Wizard window displays.

  2. You can select from the two options available in this window. Click Next.

  3. If you chose the first option, browse to the location of the Collector Script file and click OK. Click Next. If you chose the second option, you are directed to the Collector workspace. Select a Collector Script directory and click Next.

  4. The Collector Script Detail window displays.

    1. Click the button next to the id field to generate a UUID.

    2. The name and author details are displayed. Edit the details as required and specify the version number.

    3. Browse to and attach the help file.

      NOTE: If the help file is not in the plugin directory, the system prompts you to copy the help file to the plugin directory before import. Click Yes.

    4. Provide a description and click Next. The Supported Devices window displays.

      NOTE: You must specify at least one device.

      Click Add. The Supported Devices window displays.

      Provide the vendor, name, version, and description, and click OK. Click Next.

      NOTE: Use the Edit button to edit the details of a device, or the Delete button to remove a device from the list.

  5. The Plugin details window displays. Check the Deploy Plugin option to deploy the plugin from this window. For more information on the deployment procedure, see To connect to the Event Sources.

  6. Click Finish.

Updating Connector/Collector Plugins

If a new version of a Connector or Collector is released, you can update the Sentinel system and any deployed instances of the Connector or Collector.

NOTE: When you use the Sentinel Control Center to browse to locate a file on the Desktop of the Collector Manager, clicking Desktop takes you to the Desktop of the user running the Collector Manager, usually SYSTEM. Extra steps might be necessary to navigate to the correct user's desktop.

To update a Connector or Collector plugin:

  1. Click the Tools menu and select Import plugin.... The Import Plugin Wizard window displays.

  2. You can select from the two options available in this window. Click Next.

  3. Browse to the location of the Connector or Collector Plugin package file and click OK. Click Next.

    NOTE: If the imported file is not in the format specified for Collector scripts or for Connector plugin packages, the system displays an error message.

  4. When updating an already-imported Connector or Collector, you are given the option of updating the existing plugin, going back and selecting a different plugin, or canceling the import. If you want to continue, click Next.

  5. The Plugin details window displays. Check the Update Deployed Plugins option to update any currently deployed plugins that use this Connector or Collector.

  6. Click View Deployed Plugins to view the plugins deployed in the ESM Live View. The number in parentheses is the number of instances of this plugin that are currently deployed and configured. The Deployed Plugins window lists the components whose configuration is affected because a Connector or Collector that already exists in ESM is being re-imported, in two lists:

    • Affected Event Sources/Connectors/Event Source Servers

    • Affected Collectors

  7. Click Finish.

NOTE: When you add a plugin into Sentinel, it is placed in the Plugin Repository, which enables Sentinel components on other machines to start using the plugin without having to add the plugin separately.

Deploying a Collector

To add a Collector:

  1. In the main ESM display, locate the Collector Manager to which the new Collector will be associated.

  2. Right-click the Collector Manager and select the Add Collector menu item.

  3. Follow the prompts in the Add Collector wizard.

  4. Click Finish.

NOTE: The Collector Script enables the ESM panel to prompt you for parameter values, and enables ESM to automatically select supported connection methods that work well with that Collector Script.

Deploying a Connector

To add a Connector:

  1. In the main ESM display, locate the Collector to which the new Connector will be associated.

  2. Right-click the Collector and select the Add Connector menu item.

  3. Follow the prompts in the Add Connector wizard.

  4. Click Finish.

Deploying an Event Source

To add an Event Source:

  1. In the main ESM display, locate the Connector to which the new Event Source will be associated.

  2. Right-click the Connector and select the Add Event Source menu item.

  3. Follow the prompts in the Add Event Source wizard.

  4. Click Finish.

Deploying Event Source Servers

Certain Event Source Connectors (such as the Syslog Connector) require a process to collect data from the actual data source. These processes are called “Event Source Servers”. They collect data from the data source and then “serve” it to the Event Source Connector. Event Source Servers must be added and associated to any Event Source Connectors that require a server.

To add an Event Source Server:

  1. In the Live View, right-click the Collector Manager and select Add Event Source Server. The Select Connector window displays.

    NOTE: To start the Add Event Source Server wizard, locate the Collector Manager on which the Event Source Server process will run.

  2. Select a Connector that will support your device and click Next. If no Connector in the list supports your device, click Install More Connectors. For more information on installing Connectors, see Adding Connectors/Collector Plugins.

  3. Configure the parameters for the server according to the selected Connector (for example, the Syslog Connector or the NAudit Connector). The configurable parameters differ between Connector types. Click Next.

  4. Provide a Name for the Event Source Server. If you want this server to run, select the Run check box.

  5. Click Finish. In the Health Monitor Display frame, the Event Source Server you added is displayed with a dashed blue line to the Collector Manager with which it is associated.

NOTE: The Add Event Source Server wizard can also be initiated from within the Add Connector wizard if a compatible Event Source Server has not yet been added.

Connect to Event Source

There are several methods to configure an event source. Event sources can be deployed by right-clicking an existing Collector Manager, Collector, or Connector.

To deploy an event source, you need the following components:

  • Collector Script: Collector scripts can be downloaded from the Sentinel Content Web site, copied from a previous Sentinel implementation (4.x or 5.x), or built using Collector Builder.

  • Connector: Connectors can also be downloaded from the Sentinel Content Web site. Some Connectors are included in the installed Sentinel system, but more recent versions might be available on the Web site.

  • Configuration information for the event source

To connect to the Event Sources:

  1. Click Tools on the Menu Bar and select Connect to Event Source. Alternatively, click the Connect to Event Source button on the Tool Bar. The Connect to Event Source window displays.

    NOTE: The Event Source types listed here are those for which you currently have compatible Collector parsing scripts.

  2. From the list, select the Event Source to which you want to connect and from which you want to collect data. You can click Add More to import an Event Source. Click Next. The Select Collector Script window displays.

    NOTE: You can also open the Select Collector Script window by double-clicking or dragging a selected event source from the Event Source Palette window.

  3. Select a Collector script from the list. If no listed script supports your Event Source, you can install additional Collector scripts by clicking Install More Scripts (for more information on installing a Collector script, see Adding Connectors/Collector Plugins). Click Next. The Select Connection Method window displays.

  4. Select a connection method from the list. You can also install additional Connectors by clicking the Install More Connectors button; for more information on installing Connectors, see Adding Connectors/Collector Plugins. Click Next. The Event Source Management window displays.

  5. You can create a new Collector and Connector, or you can use an existing Collector or Connector. Select an option and click Next.

    NOTE: Depending on which existing Collectors and Connectors in your system are compatible with your new Event Source, one or more of these options might be unavailable.

    • Create a new Collector and Connector: Select this option to create a new Collector and Connector to manage the Event Source connection.

      1. After you select this option and click Next, the Select Collector Manager window displays.

      2. Select the Collector Manager you want to use and click Next. The Configure Collector Property window displays.

      3. Configure the available parameters and click Next. The Configure Collector window displays.

      4. Provide the name of the Collector and configure the options.

        • Check the Run checkbox if you want to run your Collector automatically.

        • Click the Details button to see plugin details.

        • You can set alerts (with repeated option) if no data is received in a specific period.

        • You can limit the data rate to a maximum number of records per second.

        • You can set a filter through the Set Filter button.

        • You can check Trust Event Source Time to display the Device Time (the time when the event occurred) instead of the Event Source Time (the time when the event was reported to the console).

        NOTE: If the Trust Event Source Time option is selected, all data flowing through the Collector has its Event Source Time trusted, even if the Event Sources do not have this option selected.

        Click Next. The Configure Connector window displays.

      5. Provide the name of the Connector and configure the options.

        • Check the Run checkbox if you want to run your Connector automatically.

        • Click the Details button to see plugin details.

        • You can set alerts (with repeated option) if no data is received in a specific period.

        • You can limit the data rate to a maximum number of records per second.

        • You can set a filter through the Set Filter button.

        Click Next. The Event Source Configuration window displays.

    • Use an existing Collector: Select this option to use an existing Collector and to create a new Connector to manage the Event Source connection.

      1. After you select this option and click Next, the Select Collector window displays.

      2. Select the Collector you want to use and click Next. The Configure Connector window displays.

      3. Provide the name of the Connector and configure the options.

        • Check the Run checkbox if you want to run your Connector automatically.

        • Click the Details button to see plugin details.

        • You can set alerts (with repeated option) if no data is received in a specific period.

        • You can limit the data rate to a maximum number of records per second.

        • You can set a filter through the Set Filter button.

        Click Next. The Event Source Configuration window displays.

    • Use an Existing Connector: Select this option to use an existing Collector and an existing Connector to manage the Event Source connection.

      1. After you select this option and click Next, the Select Connector window displays.

      2. Select the Connector you want to use and click Next.

  6. The Records Per Second window displays.

  7. Set the number of records to be transferred per second and click Next. The General window displays.

    • Provide a name for the Event Source.

    • Check the Run checkbox if you want to run your Event Source automatically.

    • Click the Details button to see plugin details.

    • You can set alerts (with repeated option) if no data is received in a specified time interval.

    • You can limit the data rate to a maximum number of records per second.

    • You can check Trust Event Source Time to display the Device Time (the time when the event occurred) instead of the Event Source Time (the time when the event was reported to the console).

    • You can set a filter through the Set Filter button. In the Filter window, add or edit the filters and click OK.

  8. Click Next. The Summary window displays.

    • Click Test Connection to test the event source. The Test Event Source window displays, with Data and Error tabs. The Error tab displays the error message if there is any error in the event source configuration.

    • After a few seconds, a sample of raw data should be received from the Event Source and displayed in the Data tab.

    • Use the Start and Stop buttons to start or stop the test.

    • Use the “Maximum Rows” control to limit the number of raw data records obtained at once.

    You can test the event source in the Test Event Source window. It displays the data in the Data tab and errors in the Errors tab. You can select maximum rows to be displayed and can start and stop the test.

  9. Click Finish.

NOTE: The Collector parsing script is executed on the same system as the Collector Manager that you select here.