17.5 Configuring Sentinel Systems for Receiving Events

On the receiver system, you must configure the Sentinel Link Collector, which generates events from the data received by the Sentinel Link Connector. You must also configure the Sentinel Link Connector and configure a Sentinel Link Event Source Server to receive the event data from the sender systems.

17.5.1 Accessing Event Source Management

Sentinel

  1. As the Sentinel Administrator User (esecadm), change the directory to:

    $ESEC_HOME/bin
    
  2. Run the following command:

    control_center.sh
    
  3. Specify the administrator username and password, then click OK.

  4. In the Sentinel Control Center, select Event Source Management > Live View.

Sentinel Rapid Deployment

  1. Open a Web browser to the following URL:

    https://svrname.example.com:port/sentinel
    

    Replace svrname.example.com with the actual DNS name or IP address (such as 192.168.1.1) of the server where Novell Rapid Deployment is running.

  2. If you are prompted to verify the certificates, review the certificate information, then click Yes if it is valid.

  3. Specify the username and password for the Sentinel Rapid Deployment account you want to access.

  4. Use the Languages drop-down list to specify which language you want to use.

  5. Click Sign in.

  6. In the Web interface, select Applications from the left panel.

  7. In the Application page, click Launch to open the Sentinel Control Center.

  8. Log in to the Sentinel Control Center as administrator.

  9. Select Event Source Management > Live View.

Sentinel Log Manager

  1. Open a Web browser to the following URL:

    https://svrname.example.com:port/novelllogmanager
    

    Replace svrname.example.com with the actual DNS name or IP address (such as 192.168.1.1) of the server where Novell Log Manager is running.

  2. If you are prompted to verify the certificates, review the certificate information, then click Yes if it is valid.

  3. Specify the username and password for the Log Manager account you want to access.

  4. Use the Languages drop-down list to specify which language you want to use.

  5. Click Sign in.

  6. In the Novell Log Manager Web interface, click Collection.

  7. In the Collection page, click Advanced.

  8. In the Advanced page, click Launch to open the Event Source Management.

17.5.2 Setting Up a Sentinel Link Connection

This section describes how to set up the Sentinel Link connection to receive messages from another Sentinel or Sentinel Log Management system, and enable the messages to be processed by a Collector. To set up the Sentinel Link connection, you must, at a minimum, create and configure a Sentinel Link Event Source server. The Sentinel Link Event Source server automatically creates and configures the Connector, the Collector, and the Event Source nodes as needed. You can also manually create the Collector, the Connector, and the Event Source nodes. However, it is easier to let the Sentinel Link Event Source server auto-create them.

The instructions given in this section use the right-click menu items on the Event Source Management Graph View. However, all the steps described in this section can also be performed through the Event Source Management Table view and the Connect to Event Source option on the tool bar.

NOTE: These instructions assume that you have already downloaded and installed the Collector to process event data from the Sentinel Link Connector.

Configuring Sentinel Link Event Source Server

Configure a Sentinel Link Event Source server to set up a Sentinel Link connection to start processing the data received from the sender system. After you add a Sentinel Link Event Source server, the required Collector, the Connector, and the Event Source nodes are automatically created and configured when the server receives the events from the sender system. Allowing the Sentinel Link Event Source server to auto-create the nodes is much simpler and is preferred over manual configuration because it ensures that nodes are properly configured and connected so that events are routed to the Sentinel Link Collector.

  1. In the Event Source Management view, right-click the Collector Manager, select Add Event Source Server, then select Sentinel Link Connector and click Next.

    The Networking window is displayed.

  2. Specify the following, then click Next.

    Options

    Description

    Interface(s)

    Specify any of the following:

    • All network interfaces: Binds the port on all the IP addresses of the machine, including local loopback.

    • Internal loopback interface: Binds the port only to the local loopback address.

    • Network interface with this IP: Allows the port to be bound to one IP address on the machine with multiple IP addresses.

    Port Number

    Specify the port number. The default port number is 1290.

    NOTE: If the Sentinel Link Event Source Server is running on a Linux/Unix machine, binding to port numbers less than 1024 requires root privileges. Therefore, Novell recommends that you run the server on a port greater than 1024 and change the source devices to send to this new port or use port forwarding.

    Encrypted (HTTPS) or Not Encrypted (HTTP)

    Select either of the following:

    • Encrypted (HTTPS): Allows secure message transport to the Sentinel Link Event Source Server.

    • Not Encrypted (HTTP): Allows insecure message transport to the Sentinel Link Event Source Server.

  3. In the Security window for configuring authentication settings on the HTTPS port, specify the following:

    Options

    Description

    Client Authentication Type

    Specify either of the following:

    • Open: Allows HTTPS connections from any sender machines. It does not perform any client certificate validation or authentication.

    • Strict: Validates that the sender’s certificate is in the truststore and is a valid X.509 certificate.

      For this option, a truststore needs to be imported. Use the Import button to do this. The truststore should have the sender’s certificate, which is signed by a CA. Click the Details button to display the list of certificates imported from the truststore.

    Server Key Pair Settings

    Specify either of the following:

    • Internal: The Internal (default) option directs the Sentinel Link Connector to generate a server key pair.

    • Custom: Select this option, then click Import to import a server key pair that the embedded Tomcat server uses. The imported keystore must contain at least one private/public key pair. If the keystore has more than one, a pop-up window allows you to select one of the key pairs. The server key pair Details button displays the certificate imported from the keystore.

  4. Click Next.

    The Auto Configuration window is displayed.

    In this window, you can create policies to automatically add or exclude individual Sentinel source machines. You can select IP addresses, ranges or subnets to be auto-configured, auto-configured and started, or ignored by the Connector.

    The Sentinel Link Event Source Server simplifies Event Source configuration with the option to detect a new source device that is sending data to the Sentinel Link Event Source Server, evaluate its IP address by using a set of user-defined policies, and either ignore the new source device or automatically add it as an Event Source in Event Source Management.

  5. Click Add if you want to create a new policy.

  6. Double-click the Source field and enter a source IP address or a range of IP addresses in one of the following formats:

    • Specific IP address (such as 10.0.0.1)

    • IP address range (such as 10.0.0.1-10.0.0.25)

    • IP address with mask (like 10.0.0.1/16)

  7. Select an action to associate with the IP address or range of IP addresses:

    • The Allow and Start action creates and starts an Event Source node in the ESM view.

    • The Allow action auto-creates the Event Source node in the ESM view but does not auto-start the Event Source.

      After the new Event Source node is created, an administrator can review and start it at any time.

    • The Deny action prevents the auto-creation of an Event Source.

  8. Select Active to activate the policy.

    If there are multiple policies, use the Up and Down buttons to change the order in which they are evaluated.

  9. Set the Default Policy, which applies to all sources that do not meet any of the criteria defined by the policies above.

  10. To set the filtering and configuration settings for all automatically-created Event Sources, click the Set Event Source Configuration button. For more information on these options, see Adding Event Sources.

    HINT: Auto-configured Event Sources should not be manually deleted in the Event Source Management interface because they are auto-configured again when the Connector restarts. To block a particular source device, add a Deny policy in Auto Configuration.

  11. Click Next to display the General properties window.

  12. Select Run to run the Sentinel Link Server automatically whenever the Collector Manager is restarted.

  13. Click Finish to complete the configuration of the Sentinel Link Event Source Server.
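
The Auto Configuration rules from Step 5 through Step 9 can be dry-run against a list of sender addresses before they are entered in the Connector. The following Python sketch is an added example, not Novell code: it assumes that active policies are evaluated from top to bottom and that the first match wins, and the names Policy, source_matches, evaluate, and dry_run and all sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

ACTIONS = ("Allow and Start", "Allow", "Deny")  # the three actions in Step 7

@dataclass
class Policy:
    source: str          # any of the three Source formats from Step 6
    action: str          # one of ACTIONS
    active: bool = True  # the Active setting from Step 8

def source_matches(source, ip):
    """Return True if ip falls inside a Source field value."""
    addr = ipaddress.ip_address(ip)
    if "/" in source:
        # "10.0.0.1/16" has host bits set; strict=False treats it as 10.0.0.0/16.
        return addr in ipaddress.ip_network(source, strict=False)
    if "-" in source:
        low, high = (ipaddress.ip_address(p.strip()) for p in source.split("-", 1))
        if low > high:
            raise ValueError(f"reversed range: {source}")
        return low <= addr <= high
    return addr == ipaddress.ip_address(source)

def evaluate(policies, default_action, ip):
    """Assumed semantics: first active matching policy wins, else the Default Policy."""
    for index, policy in enumerate(policies, start=1):
        if policy.action not in ACTIONS:
            raise ValueError(f"unknown action: {policy.action}")
        if policy.active and source_matches(policy.source, ip):
            return policy.action, f"policy {index} ({policy.source})"
    return default_action, "default policy"

# Constructed sample policy list, in evaluation order (not from the product).
SAMPLE_POLICIES = [
    Policy("10.0.0.7", "Deny"),
    Policy("10.0.0.1-10.0.0.25", "Allow and Start"),
    Policy("10.0.0.1/16", "Allow"),
    Policy("192.168.1.0/24", "Allow", active=False),
]
SAMPLE_DEFAULT = "Deny"

def dry_run(ips, policies=SAMPLE_POLICIES, default_action=SAMPLE_DEFAULT):
    """Map each sender IP to (action, rule that decided it)."""
    return {ip: evaluate(policies, default_action, ip) for ip in ips}

if __name__ == "__main__":
    senders = ["10.0.0.7", "10.0.0.12", "10.0.200.9", "192.168.1.1", "172.16.0.5"]
    for ip, (action, reason) in dry_run(senders).items():
        print(f"{ip:<14} {action:<16} via {reason}")
```

Under the assumed ordering, moving the Deny entry for 10.0.0.7 below the range policy changes its result to Allow and Start, so review the policy order before activating the list.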

Manually Setting Up the Sentinel Link Connection

Although the Event Source server is capable of auto-creating the required Collector, Connector, and Event Source nodes, you might also want to manually create the Collector, the Connector, and the Event Source nodes.

Regardless of which way you choose, you must configure an Event Source server. For more information, see Configuring Sentinel Link Event Source Server. This section assumes that you have already configured an Event Source server.

NOTE: If you have not created an Event Source server, you are given the option to do so during the configuration of Connector nodes.

Adding a Collector

  1. In the Event Source Management (Live View), right-click the Collector Manager node, then select Add Collector.

  2. Select Novell from the list of vendors from the left panel, then select the desired Sentinel Link version from the list of supported event sources, and click Next.

  3. Select the Novell Sentinel Link Collector, then click Next.

  4. Click Next to accept the default Collector properties.

    For more information on Collector properties, see the Sentinel Link Collector documentation.

  5. Accept the default Collector configuration, then click Finish to complete the configuration.

  6. Continue with Adding a Connector.

Adding a Connector

In addition to the typical Collector Manager > Collector > Connector > Event Source hierarchy, the Sentinel Link Connector also requires a Sentinel Link Event Source Server.

  1. In the Event Source Management (Live View), right-click the Collector node that should process the data retrieved from the Sentinel Link Connector, then select Add Connector.

  2. In the Select Connection Method window, select Sentinel Link from the list of plug-ins, then click Next.

  3. In the Select Event Source Server window, select the Event Source Server from the list of configured Event Source Servers.

    If no Event Source Servers are configured, the following message displays:

    There are no Event Source Servers configured on this Collector Manager that match the connection method selected. Please add an Event Source Server with a matching connection method or choose a different connection method.
    
  4. Click Add, then create an Event Source Server. For more information on creating an Event Source server, see Step 2 through Step 13 in Configuring Sentinel Link Event Source Server.

  5. Click Next to open the Configure Connector window.

  6. In the Configure Connector window, specify the following:

    Options

    Description

    Name

    The name by which you want to identify this Connector.

    Id

    The Id of the Connector. You cannot change this value.

    Details

    Click Details if you want to open the Plugin Details window.

    Run

    (Optional) Select this option if you want to specify that the Connector should by default be started whenever the Collector Manager is started.

    Alert if no data received in specified time period

    (Optional) Select this option to send a No Data Alert event to Sentinel if no data is received by the Connector in the specified time period. You can also select Send repeated alerts every time period to resend the alert if multiple time periods pass consecutively without data being received from the Connector. Specify the time in seconds. By default the value is 60 seconds.

    Limit Data Rate

    (Optional) You can set a maximum limit on the rate of data the Connector can send to Sentinel. If the data rate limit is reached, Sentinel begins to throttle back on the source to limit the flow.

    Set Filter

    (Optional) You can specify a filter for the raw data that passes through this Connector.

    Copy Raw Data to a file

    (Optional) You can copy the raw data, which passes through this Connector, to a file for further analysis. To save the raw data, click the Browse button to choose a location to save the data.

  7. Click Finish to confirm adding the Connector to the Event Source Management view.

Adding Event Sources

Sentinel Link Event Sources can be automatically detected and added according to user-configured rules, or they can be added manually.

  1. In Event Source Management, right-click the Sentinel Link Connector, then select Add Event Source.

    The Client IP Address window displays.

  2. Specify the IP address of the sender machine from which the Sentinel Link event source receives messages.

  3. Click Next.

    The Connection Mode (Advanced) window displays and shows all preset connection modes that are supported by the Collector. Each connection mode sends the data in a different format. For the Novell Collectors, which support more than one connection mode for different data formats, see the Collector-specific documentation for information about which mode is appropriate for your particular Event Source.

  4. Select a Connection Mode.

  5. Click Next. The General window displays.

  6. Specify the General settings for the Sentinel Link Connector:

    Options

    Description

    Name

    The name by which you want to identify this Event Source.

    Id

    Specifies the Id of the Event Source.

    Details

    Click Details to display the Plugin Details window.

    Run

    (Optional) Select this option to specify that this event source should by default be started whenever the Collector Manager is started.

    Alert if no data received in specified time period

    (Optional) Select this option to send a No Data Alert event to Sentinel if no data is received by the event source in the specified time period.

    Limit Data Rate

    (Optional) Set a limit for the rate of data this event source can send to Sentinel. If the maximum rate limit is reached, Sentinel begins to throttle back on the source to limit the flow.

    Timezone

    Specify the time zone for the event source.

    NOTE: This setting is not currently used by a Sentinel Link event source.

    Trust Event Source Time

    (Optional) Select this option to have the event time set to the time the event occurred rather than the time Sentinel received the data.

    Set Filter

    (Optional) Specify a filter on the raw data passing through this event source.

  7. Click Next.

    The Summary window is displayed.

  8. To test the configuration, click Test Connection.

    NOTE: The Sentinel Link Event Source Server and Connector must be running to list the messages in the Test Connection window.

    The Test Connection window is displayed with Data and Error tabs.

    1. On the Data tab, specify the maximum number of rows of data to be displayed in the Test Connection window at one time.

    2. Click Start to start the connection test.

      The Data tab displays the events generated on successful connection with the Event Source.

      If there are errors, click the Error tab to display any errors in the event source configuration.

    3. Click the Stop button to stop the connection test.

    4. Close the Test Connection window.

  9. Click Finish to add the Event Source to the Event Source Management view.