17.6 Configuring Sentinel Systems for Sending Events

You can configure Novell Sentinel Log Manager, Sentinel, or Sentinel Rapid Deployment to forward events to another Sentinel system.

17.6.1 Configuring Sentinel Log Manager as a Sender

In Sentinel Log Manager, the plug-ins and the event forwarding rule are installed by default. You only need to configure the system for Sentinel Link and activate the rule for sending the event data.

Follow the instructions below to configure a Sentinel Log Manager for sending the event data:

Configuring a Sentinel Link

  1. Log in to the Sentinel Log Manager Web interface as an administrator.

  2. Click rules in the upper left corner of the page.

    The Rules tab is displayed on the right panel of the page.

  3. Click the Configuration link on the right side of the screen.

    Scroll through the configuration settings to find the Sentinel Link settings.

  4. Specify the following Sentinel Link settings, then click Save.

    Options

    Description

    Destination

    Specify the IP address or hostname of the receiver, where a Sentinel Link Connector is configured.

    Port

    Specify the port number for the receiver. The default port is 1290. Click Test to validate the hostname or IP address and port number.

    Encrypted (HTTPS) or Non Encrypted (HTTP)

    Specify either of the following:

    • Non Encrypted (HTTP): Provides unsecured connections.

    • Encrypted (HTTPS): Provides secured connections between the Sentinel Link Connector and the Integrator.

      If you select the encrypted (HTTPS) option, you can optionally specify a server validation mode and a client key pair.

      You need to import the client key pair into the Integrator only if the server operates in a mode where it restricts the Integrators it communicates with. The server does this when a client certificate is imported into its trust store.

      If you import a client key pair into the Integrator, it is assumed that you intend to import the corresponding certificate, which contains the public key, from the client key pair to the trust store of the server.

      NOTE: If the receiver operates in the less restrictive Open mode, where it does not validate sender certificates, it is not necessary to import a key pair into the receiver system. The receiver ignores the key pair even if you import one.

    Server validation mode

    Specify either of the following:

    • None - no server certificate required: Select this option if you do not want to use any server certificate.

    • Strict - server certificate required: Select this option to import a server certificate.

      The Import and Details buttons are displayed. If you click Import, a dialog box opens with the following fields:

      • Certificate file: Click Browse to add the server certificate file.

      • File password: Specify the password for the certificate file.

      Click Import to import the server certificate.

      Click Cancel to close the Import dialog box.

    Client key pair

    Select either of the following:

    • None - server does not require client certificate: The receiver system does not validate the sender certificates. Select this option if the server does not require the client key pair.

    • Custom - server validates (strict) client certificate: The receiver system validates the sender certificates. Selecting this option allows you to import a client key pair.

      The Import and Details buttons are displayed. Click Import to open a dialog box with the following fields:

      • Keypair file: Click Browse to import the client keypair file.

      • File password: Specify the password for the client key pair file.

    Click Import to import the client key pair.

    Click Cancel to close the Import dialog box.

    Maximum Event Queue Size (MB)

    Specify the maximum event queue size in megabytes. The value must be between 0 and 2147483647.

    The following options are enabled only when you specify a value in the Maximum Event Queue Size (MB) field:

    • Drop OLDEST event when queue is full: Select this option to drop the oldest events in the queue when the queue reaches the size specified in the Maximum Event Queue Size (MB) field.

    • Drop NEWEST event when queue is full: Select this option to drop the newest event when the queue reaches the size specified in the Maximum Event Queue Size (MB) field.

    Maximum Data Rate (Kbps)

    Specify the maximum data rate. The value must be between 0 and 2147483647.

    Event Forwarding mode

    Select one of the following options to specify the Event Forwarding Mode:

    • Forward Events Immediately: Select this option to forward the events immediately to the receiver.

    • Scheduled Event Forwarding: Select this option to schedule event forwarding. You can specify Time Of Day and Duration (in minutes) for each day of the week. The valid format for Time Of Day is hh:[mm] [am|pm]. The duration must be between 1 and 1440 minutes. If you do not specify time or duration for any of the days in the week, the schedule is considered to be 24 hours a day, seven days a week. It is equivalent to the Forward Events Immediately option.

    • Queue Events Only (do not forward): Select this option to stop forwarding events to the receiver system. The Integrator still stores the events it receives in its queue unless the queue has a size limit and has reached its capacity.

      This mode is useful if the receiver is down for maintenance or if network problems in communicating with the receiver system persist and cannot be fixed immediately. In such situations, rather than continually trying to forward events, select this option to temporarily stop forwarding. After the problems are resolved, re-enable event forwarding by selecting the Forward Events Immediately or Scheduled Event Forwarding option.
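The queue-limit and Event Forwarding mode settings above (the same settings appear again in the Queue Settings step of Section 17.6.2) are easier to reason about with a small model of the sender side. The following Go program is an added example written for this page, not code from Novell Sentinel: it implements a byte-bounded event queue with the Drop OLDEST and Drop NEWEST policies, parses the hh:[mm] [am|pm] Time Of Day format, and decides whether a Scheduled forwarding window is open at a given time, treating an empty schedule as 24 hours a day, seven days a week. The Event type, the byte sizes, the sample schedule and the week-modulo handling of windows that run past midnight are this example's own assumptions; the product configures its limit in megabytes and does not document its internal queue format.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// DropPolicy is the "when queue is full" choice: drop OLDEST or drop NEWEST.
type DropPolicy int

const (
	DropOldest DropPolicy = iota
	DropNewest
)

// Event is a constructed stand-in for a Sentinel event; Size is its queued size in bytes.
type Event struct{ ID string; Size int }

// EventQueue models the Integrator's bounded queue; maxBytes stands in for Maximum Event Queue Size (0 = unlimited).
type EventQueue struct {
	maxBytes int
	policy   DropPolicy
	used     int
	Events   []Event  // pending events in forwarding order
	Dropped  []string // IDs of discarded events: these never reach the receiver
}

func NewEventQueue(maxBytes int, policy DropPolicy) *EventQueue {
	return &EventQueue{maxBytes: maxBytes, policy: policy}
}

// Enqueue stores ev, applying the drop policy when the limit would be exceeded.
func (q *EventQueue) Enqueue(ev Event) {
	if q.maxBytes > 0 && q.used+ev.Size > q.maxBytes {
		if q.policy == DropNewest || ev.Size > q.maxBytes { // NEWEST policy, or an event that can never fit
			q.Dropped = append(q.Dropped, ev.ID)
			return
		}
		for q.used+ev.Size > q.maxBytes { // OLDEST policy: evict from the head until ev fits
			q.Dropped = append(q.Dropped, q.Events[0].ID)
			q.used -= q.Events[0].Size
			q.Events = q.Events[1:]
		}
	}
	q.Events = append(q.Events, ev)
	q.used += ev.Size
}

// Window is one weekday's Time Of Day and Duration (in minutes) from Scheduled mode.
type Window struct {
	Day       time.Weekday
	TimeOfDay string // hh:[mm] [am|pm]
	Minutes   int    // 1..1440
}

// parseTimeOfDay converts "hh:[mm] [am|pm]" to minutes after midnight; minutes and am/pm are optional.
func parseTimeOfDay(s string) (int, error) {
	s = strings.ToLower(strings.TrimSpace(s))
	for _, layout := range []string{"3:04 pm", "3 pm", "15:04", "15"} {
		if tm, err := time.Parse(layout, s); err == nil {
			return tm.Hour()*60 + tm.Minute(), nil
		}
	}
	return 0, errors.New("invalid Time Of Day: " + s)
}

// ForwardingOpen reports whether Scheduled mode permits forwarding at t. An empty schedule is 24x7
// (Forward Events Immediately). Times are reduced modulo one week, so a window past midnight still counts.
func ForwardingOpen(schedule []Window, t time.Time) (bool, error) {
	if len(schedule) == 0 {
		return true, nil
	}
	now := int(t.Weekday())*1440 + t.Hour()*60 + t.Minute() // minutes since Sunday 00:00
	for _, w := range schedule {
		if w.Minutes < 1 || w.Minutes > 1440 {
			return false, errors.New("duration must be between 1 and 1440 minutes")
		}
		start, err := parseTimeOfDay(w.TimeOfDay)
		if err != nil {
			return false, err
		}
		since := (now - (int(w.Day)*1440 + start) + 10080) % 10080 // minutes since the window opened
		if since < w.Minutes {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	q := NewEventQueue(1000, DropOldest)
	for i := 0; i < 3; i++ { // the third 400-byte event evicts the first
		q.Enqueue(Event{ID: fmt.Sprintf("evt-%d", i), Size: 400})
	}
	fmt.Println(q.Events, q.Dropped) // [{evt-1 400} {evt-2 400}] [evt-0]
}
```

The Dropped slice is the part to watch: under either policy a dropped event is gone from the sender and never reaches the receiver, so a full queue is silent log loss unless the drop count is monitored. A zero limit disables the drop options, matching the page's statement that they are enabled only when a queue size is specified.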

Configuring the Rule to Forward Events to Another System

Sentinel Log Manager is installed with a rule that forwards events to another Sentinel system, called Forward Events to Another Sentinel System. By default, the Forward Events To Another Sentinel System rule is configured to filter out internal system events and events with severity greater than three. The rule filters the following three types of system events:

  • Audit (A)

  • Performance (P)

  • Internal (I)

You can also change the conditions of the rule to filter more events or remove conditions to filter fewer events.

Novell recommends that you configure the rule to forward only those events that you want to store on the Sentinel system for more in-depth reporting and analysis.

Activating the Rule to Forward Events to Another Sentinel System

The Forward Events To Another Sentinel System rule is installed with Log Manager, but it is in the inactive (off) state. To forward the system events to another Sentinel system, the rule must be activated, and the Sentinel Link Integrator settings must be configured.

  1. Log in to the Log Manager Web interface as an administrator.

  2. Click rules in the upper left corner of the page.

    The Rules tab is displayed on the right panel of the page, and the Forward Events To Another Sentinel System rule is listed under it.

  3. To activate the Forward Events To Another Sentinel System rule, select the check box next to the rule.

    When the rule is activated, the message Successfully activated the rule is displayed.

17.6.2 Configuring Sentinel or Sentinel Rapid Deployment System as a Sender

If Sentinel or Sentinel Rapid Deployment is the sender, you must configure the Sentinel Link Integrator plug-in and the Sentinel Link Action plug-in to create a Sentinel Link configuration. You also need to create an action that forwards the selected events to the receiver system. To filter the events, set a correlation rule by using the Correlation Manager. After creating the rule, associate the action with it, and deploy the rule. You can also use Global Filters to filter the events and forward them to the receiver system.

Follow the instructions given below to configure Sentinel or Sentinel Rapid Deployment server for sending the events:

Configuring the Integrator Plug-In

The Sentinel Link Integrator allows you to forward the events to another Sentinel system.

To use an Integrator plug-in, one or more Integrator instances must be configured with valid connection information.

  1. Log in to the Novell Sentinel Control Center as an administrator.

  2. Select Tools > Integrator Manager. The Integrator Manager window displays.

  3. Click the Add Integrator icon in the bottom left corner. The Basic Information window displays.

  4. Select Sentinel Link Integrator from the Select Integrator drop-down list.

  5. Click Add Integrator Plugin to import the Integrator plug-in, if the Integrator plug-in is not already available.

    The ID Number is the system-generated ID for the Integrator configuration and cannot be edited.

    Type represents the type of Integrator plug-in selected from the drop-down.

  6. Specify a name for the integrator in the Name field.

  7. Specify a description for the integrator in the Description field.

  8. Select an Integrator Service category from the Service Category drop-down list, or type a name in the field to create a custom service type. These services are used to group similar Integrator instances. The Integrator Service categories are:

    • AS: Antispam

    • AV: Antivirus

    • BM: Business Management

    • CM: Configuration Management

    • DB: Database

    • EML: E-Mail System

    • FIN: Financial Application

    • FW: Network Firewall

    • HFW: Host-based Firewall

    • HR: HR Application

    • IDM: Identity Management

    • IDS: Intrusion Detection/Prevention System

    • INCM: Incident Management

    • NETD: Network Router/Switch

    • OS: Operating System

    • PROX: Proxy

    • STO: Storage

    • VPN: Virtual Private Network

    • VULN: Vulnerability Scanner

    • WEB: Web Server

  9. Click Next. The Sentinel Link Server Settings window displays.

  10. Specify the IP address or hostname of the Sentinel Link server, where the Sentinel Link Connector is running.

  11. Specify the port number for the Sentinel system. The default port is 1290.

  12. Select either of the following:

    • Not Encrypted (HTTP): Establish an unsecured connection.

    • Encrypted (HTTPS): Establish a secured connection. If you select the encrypted (HTTPS) option, you can optionally specify a Server validation mode and an Integrator key pair.

      Field

      Description

      Server Validation Mode

      Select either of the following:

      • None - server certificate NOT validated: The Integrator does not validate the receiver's certificate.

      • Strict - valid server certificate required: The Integrator always verifies the receiver's certificate when connecting to the receiver. If this option is selected, the Integrator immediately attempts to retrieve the receiver's certificate over the network and validate that it is issued by an authorized CA.

        If the certificate is not validated for some reason, it is still presented to the user to accept or reject. The certificate is considered to be valid if the user accepts it. When a validated certificate is acquired, it is stored in the Integrator's configuration. Henceforth, the Integrator allows communication only with a receiver that provides that certificate during the initial connection setup.

      Integrator Key Pair

      Select either of the following:

      • None (server does not validate integrator certificate): The receiver system does not validate the sender certificates. Select this option if the receiver's client authentication type is configured to Open.

      • Custom (server validates integrator certificate): The receiver system validates the sender certificates. Select this option if the receiver's client authentication type is configured to Strict. If the receiver system performs a strict validation, it imports a trust store, which contains all the sender certificates that it trusts.

        After selecting this option, click the Import Key Pair button to import a key pair. The key pair you import must match one of the certificates that is included in the trust store, which is imported by the receiver system.

  13. Click Next. The Queue Settings window displays.

  14. Specify the following:

    Options

    Description

    Maximum Event Queue Size (MB)

    Specify the maximum event queue size value in megabytes. The value must be between 0 and 2147483647.

    The following options are enabled only when you specify a value in the Maximum Event Queue Size (MB) field.

    • Drop OLDEST event when queue is full: Select this option to drop the oldest events in the queue when the queue reaches the size specified in the Maximum Event Queue Size (MB) field.

    • Drop NEWEST event when queue is full: Select this option to drop the newest event when the queue reaches the size specified in the Maximum Event Queue Size (MB) field.

    Maximum Data Rate (Kbps)

    Specify the maximum data rate value in kilobytes per second. The value must be between 0 and 2147483647.

    Event Forwarding Mode

    Select one of the following options to specify the Event Forwarding Mode:

    • Send Immediately: Select this option to forward the events immediately to the receiver.

    • Scheduled: Select this option to schedule event forwarding. You can specify Time Of Day and Duration (in minutes) for each day of the week. The valid format for Time Of Day is hh:[mm] [am|pm]. The duration must be between 1 and 1440 minutes. If you do not specify a time or duration for any day of the week, the schedule is treated as 24 hours a day, seven days a week, which is equivalent to the Send Immediately option.

    • Queue Only (don’t forward): Select this option to stop forwarding events to the receiver system. The Integrator still stores the events it receives in its queue unless the queue has a size limit and has reached its maximum capacity.

      This mode is useful if the receiver is down for maintenance or if network problems in communicating with the receiver system persist and cannot be fixed immediately. In such situations, rather than continually trying to forward events, select this option to temporarily stop forwarding. After the problems are resolved, re-enable event forwarding by selecting the Send Immediately or Scheduled option.

  15. Click Next. The Integrator Properties window is displayed.

    If establishing a connection to your Sentinel Link server requires properties beyond the fields provided, use the Add button to add them. Specify the Property Name and Value, then press Enter. The property is added to the Properties list in the Integrator Properties window. You can edit the property values if required. Repeat these steps to add more properties.

  16. Click Next. The Integrator Configuration Summary window is displayed.

  17. Click Finish to confirm configuring the Sentinel Link Integrator.

  18. (Conditional) Click Revert to revert unsaved Integrator settings.

  19. (Optional) To test the connection of the configured Sentinel Link Integrator, perform the following:

    1. In the Integrator Manager window, select the Sentinel Link Integrator.

    2. Click Test to test the configuration.

      A message is displayed stating that the Integrator test was successful. Click OK.

      NOTE: This method tests the connection without actually sending any events to the Sentinel Link server. It does not update any statistics for the Integrator.
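The Server Validation Mode and Integrator Key Pair options in step 12 (and the matching Sentinel Link settings in Section 17.6.1) describe mutual TLS: a receiver with the Strict client authentication type accepts only senders whose certificate is in its trust store, and an Integrator in Strict server validation accepts only the receiver certificate it has stored. The Go program below is an added example written for this page, not Sentinel code. It generates self-signed certificates in memory for a receiver and a sender (the product imports them from key pair and certificate files), builds the option combinations as crypto/tls configurations, and forwards one constructed message over a loopback connection so that each rejection can be observed. The names party, receiverConfig, senderConfig and forwardOnce are this example's own; the trust store here holds a single sender certificate, and the receiver certificate is handed to the sender directly rather than retrieved over the network on the first connection as the page describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// party is one end of a Sentinel Link: its key pair plus the certificate the peer imports into its trust store.
type party struct{ keyPair tls.Certificate; cert *x509.Certificate }

// newParty is a fixture: certificates are self-signed, generated in memory, and generator err
func newParty(name string) *party {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true,
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // the loopback receiver address
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return &party{tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}, cert}
}

// receiverConfig models the Sentinel Link Connector: strict=true is the Strict client
// authentication type (only a sender in the trust store is accepted), false is Open mode.
func receiverConfig(self *party, strict bool, trusted *x509.Certificate) *tls.Config {
	cfg := &tls.Config{Certificates: []tls.Certificate{self.keyPair}, MinVersion: tls.VersionTLS12}
	if strict {
		cfg.ClientCAs = x509.NewCertPool() // the receiver's trust store
		cfg.ClientCAs.AddCert(trusted)
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	}
	return cfg
}

// senderConfig models the Integrator: pinned=nil is "None - server certificate NOT validated",
// otherwise only that receiver certificate is accepted (Strict); keyPair=nil is the None key pair option.
func senderConfig(keyPair *party, pinned *x509.Certificate) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if pinned == nil {
		cfg.InsecureSkipVerify = true // any receiver, including an impostor, is accepted
	} else {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(pinned)
	}
	if keyPair != nil {
		cfg.Certificates = []tls.Certificate{keyPair.keyPair}
	}
	return cfg
}

// forwardOnce sends one constructed event over loopback TLS and returns the reply; a rejection on either side is an error.
func forwardOnce(receiver, sender *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", receiver)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // receiver side: the handshake runs inside Read, so a rejected sender fails there
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			buf := make([]byte, 64)
			if n, err := c.Read(buf); err == nil {
				c.Write(append([]byte("ack:"), buf[:n]...))
			}
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), sender) // server certificate validation happens here
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.Write([]byte("event")) // a failure here surfaces on the read below
	buf := make([]byte, 64)
	n, err := c.Read(buf)
	if err != nil {
		return "", err
	}
	return string(buf[:n]), nil
}

func main() {
	receiver, sender := newParty("receiver"), newParty("sender")
	strict := receiverConfig(receiver, true, sender.cert)
	fmt.Println(forwardOnce(strict, senderConfig(sender, receiver.cert))) // ack:event <nil>
}
```

With senderConfig(sender, receiver.cert) against the Strict receiver the reply is ack:event. Leaving out the key pair, presenting a key pair that is not in the receiver's trust store, or pinning a different receiver certificate all end in a handshake error, which is the behaviour the Strict options on this page are meant to give. senderConfig(nil, nil) is the None/None combination: it talks to any receiver, including one presenting a forged certificate, so outside a lab it offers no protection for the event stream.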

Configuring the Action Plug-In

  1. Log in to the Sentinel Control Center system as the administrator.

  2. Select Tools > Action Manager.

  3. In the Action Manager window, click Add.

    The Configure Action window is displayed.

  4. Specify the following:

    • Action Name: Specify a name for the action. For example, Sentinel Link.

    • Action: Select Sentinel Link 6.1r1 from the drop-down.

    • Integrator: Select Sentinel Link from the drop-down.

  5. Click Save.

Filtering Events to Forward to the Receiver

To select events that you want to forward to a receiver system, you need some filtering mechanism. Use Correlation Manager or Global Filters to filter the desired events for forwarding to the receiver system.

NOTE: To forward events to another Sentinel or Sentinel Log Manager system based on simple filtering conditions, use Sentinel Link with Global Filters.

Sentinel Link can also be used wherever a JavaScript action can be executed in Sentinel, such as Correlation, Incidents, and the Event right-click menu. However, with these mechanisms the same event is likely to be forwarded more than once. For example, using Correlation, you can have filter(1=1) and filter(e.sev>=3) configured and launch the Sentinel Link action to forward the events to the same receiver. When the action is triggered, the receiver gets duplicate events. Therefore, use these mechanisms only when simple filtering conditions are not enough.

Note that some field values of the events are changed during event forwarding. For example, the event ID is changed, but the event name is preserved when you forward an event.

Another advantage of Global Filters over Correlation rules is that the events are sent to the receiver system in batches of 500 events. With a Correlation rule, each event is forwarded to the receiver system as soon as it is generated.

Using Correlation Manager to Forward Events to the Receiver

Use Correlation Manager to set correlation rules that filter the desired events for forwarding to the receiver system. After creating a rule, add the Sentinel Link Action, then deploy the rule.

In the following example, a simple rule is created that forwards events with severity greater than 3.

  1. In the Sentinel Control Center, select Correlation Rule Manager.

  2. Click Add.

    The Correlation Rule wizard is displayed.

  3. Click Simple. The Simple Rule window is displayed.

  4. Use the drop-down menus to set the criteria to Severity>=3, then click Next. The Update Criteria window displays.

  5. Select Do not perform actions every time this rule fires and use the drop-down menu to set the time period to 1 minute. Click Next. The General Description window displays.

  6. Name the rule as Sev4Rule, provide a description, and click Next.

  7. Select No, do not create another rule and click Next.

  8. Click Save.

  9. Select the Correlation Rule Manager window.

  10. Select Sev4Rule and click the Deploy Rules link. The Deploy Rule window displays.

  11. In the Deploy Rule window, select the Engine to deploy the rule.

  12. Select Sentinel Link, then click OK.

Using Global Filters to Forward Events to the Receiver

Use Global Filters to filter the desired events for forwarding to the receiver system. In the Global Filter Configuration window, you can add the Sentinel Link Action, then deploy the rule.

NOTE: This feature is supported only on Sentinel 6.1 SP1 Hotfix 2 or later, and Sentinel 6.1 Rapid Deployment 6.1 Hotfix 2 or later.

  1. In the Sentinel Control Center, select the Admin Tab.

  2. In the left navigation bar, select Global Filter Configuration.

    The Global Filter Configuration window is displayed.

  3. Click the Add button on the right side of the window.

  4. Click the button below the Filter Name field, then click the drop-down to set a filter.

    For more information on Filters, see Filters in the Sentinel 6.1 Rapid Deployment User Guide.

  5. Select the Active check box.

  6. Select a Route from the drop-down. Based on the selection, events are either dropped or sent to the selected destination:

    • drop

    • database only

    • database and gui

    • gui only

  7. Click the button below the Action field.

    The Select Action window is displayed.

  8. Select the Sentinel Link Action, then click OK.

    If you have not created one, click the Action Manager button on the right side of the window, then follow the instructions.

  9. (Optional) Alternatively, add the Sentinel Link Action as the default Action:

    1. Click the button below the Default Action.

    2. Select the Sentinel Link Action, then click OK.

  10. Click Save.