6.1 Testing the Rapid Deployment Installation

The following procedure describes the steps to test the Sentinel Rapid Deployment system and the expected results. You might not see the same events, but your results should be similar to the results below.

At the basic level, these tests allow you to confirm the following:

If any of these tests fail, review the installation log and other log files, and contact Novell Technical Support, if necessary.

To test the installation:

  1. Log in to a Sentinel Rapid Deployment Web interface.

    For more information, see Accessing the Novell Sentinel Web Interface in the Sentinel Rapid Deployment User Guide.

  2. Select the Search page and search for any internal event. One or more events should be returned.

    For example, to search for internal events within the severity range 3-5, select Include System Events, then enter sev:[3 TO 5] in the Search field.

    For more information on Search, refer to Running an Event Search in the Sentinel Rapid Deployment User Guide.

    The Search feature is not enabled by default in SP2. However, if you want to enable this feature, refer to Enabling the Search Option in Web User Interface in the Sentinel Rapid Deployment User Guide.

  3. Select the Reports page, specify the parameters, then run a report.

    For example, click the Run button next to Sentinel Core Event Configuration, specify the desired parameters, then click Run.

    For more information, refer to Running Reports in the Sentinel Rapid Deployment User Guide.

  4. On the Applications page, click Launch Sentinel Control Center.

  5. Log in to the system by using the Sentinel Administrative User specified during installation (admin by default).

    The Sentinel Control Center opens, and you can see the Active Views tab with the events filtered by the Internal_Events and High_Severity public filters.

  6. Go to the Event Source Management menu, then select Live View.

  7. In the Graphical view, right-click the 5 eps event source, then select Start.

  8. Close the Event Source Management Live View window.

  9. Click the Active Views tab.

    You can view the Active window titled PUBLIC: High_Severity, Severity. It might take some time for the Collector to start and the data to be displayed in this window.

  10. Click the Event Query button on the toolbar. The Historical Event Query window is displayed.

  11. In the Historical Event Query window, click the Filter down-arrow to select the filter. Select the Public: All filter.

  12. Select a time period that covers the time during which the Collector has been active. Use the From and To drop-down lists to select the date range.

  13. Select the batch size.

  14. Click the magnifying glass icon to run the query.

  15. Hold down the Ctrl or Shift key, then select multiple events from the Historical Event Query window.

  16. Right-click in the window, then select Create Incident to display the New Incident window.

  17. Name the incident TestIncident1, then click Create. When a success notification displays, click Save.

  18. Click the Incident tab to see the incident you just created in the Incident View Manager.

  19. Double-click the incident to display the events.

  20. Close the Incident window.

  21. Click the Analysis tab.

  22. Click Offline Queries from the Analysis menu or from the Navigator.

  23. In the Offline Query window, click Add.

  24. Specify a name, select a filter, select a time period, then click OK.

  25. Click Browse to view the list of events and associated details in the Active Browser window.

    You can view the details such as Collector, Target IP, Severity, Target Service Port, and Resource.

  26. Select the Correlation tab. The Correlation Rule Manager is displayed.

  27. Click Add. The Correlation Rule Wizard is displayed.

  28. Click Simple. The Simple Rule window is displayed.

  29. Use the drop-down menus to set the criteria to Severity=4, then click Next. The Update Criteria window is displayed.

  30. Select Do not perform actions every time this rule fires, use the drop-down menu to set the time period to 1 minute, then click Next. The General Description window is displayed.

  31. Name the rule TestRule1, provide a description, then click Next.

  32. Select No, do not create another rule and click Next.

  33. Create an action to associate with the rule you have created:

    1. Perform either of the following:

      • Select Tools > Action Manager > Add.

      • In the Deploy Rule window, click Add Action. For more information, see Step 34 through Step 35.

      The Configure Action window is displayed.

    2. In the Configure Action window, specify the following:

      • Specify the action name, such as CorrelatedEvent Action.

      • Select Configure Correlated Event from the Action drop-down list.

      • Set the Event Options.

      • Set the Severity to 5.

      • Specify the EventName, such as CorrelatedEvent.

      • Specify a message, if necessary.

      For more information on creating an action, see Creating Actions in the Sentinel Rapid Deployment User Guide.

    3. Click Save.

  34. Open the Correlation Rule Manager window.

  35. Select a rule, then click the Deploy Rules link. The Deploy Rule window is displayed.

  36. In the Deploy Rule window, select the Engine to deploy the rule.

  37. Select the action you created in Step 33 to associate with the rule, then click OK.

  38. Select Correlation Engine Manager.

    Under the Correlation Engine, you can see the rule is deployed and enabled.

  39. Trigger an event of severity 4, such as a failed authentication, to fire the deployed correlation rule.

    For example, open a Sentinel Control Center login window, then specify wrong user credentials to generate such an event.

  40. Click the Active Views tab, then verify that the Correlated Event is generated.
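    The correlation procedure in Step 26 through Step 40 configures a rule that matches Severity=4, suppresses its action for 1 minute after each firing, and emits a severity 5 event named CorrelatedEvent. The following added example is a constructed model of that behaviour, written for this page and not part of Sentinel or its correlation engine; the Event and SimpleRule classes, the sample events, and the timestamps are all assumptions. It shows why the "Do not perform actions every time this rule fires" setting matters: a burst of failed logins produces one correlated event per window instead of one per match.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Event:
    # Hypothetical event record: the real Sentinel event has many more fields.
    name: str
    severity: int
    ts: float  # seconds on a constructed timeline


@dataclass
class CorrelatedEvent:
    # Output of the "Configure Correlated Event" action in the procedure.
    name: str
    severity: int
    ts: float
    trigger: Event


@dataclass
class SimpleRule:
    """Model of the Simple rule from the procedure (not Sentinel's engine).

    The rule matches when an event's Severity equals `severity`.  The action is
    suppressed for `action_window` seconds after it last ran, which is what the
    "Do not perform actions every time this rule fires" option with a period of
    1 minute does in the procedure.
    """
    name: str
    severity: int
    action_window: float          # seconds; 60.0 models "1 minute"
    action_event_name: str
    action_severity: int
    matches: int = 0              # how often the criteria matched
    _last_action_ts: Optional[float] = field(default=None, repr=False)

    def evaluate(self, ev: Event) -> Optional[CorrelatedEvent]:
        if ev.severity != self.severity:
            return None
        self.matches += 1
        # Rule fired, but the action is still inside the suppression window.
        if (self._last_action_ts is not None
                and ev.ts - self._last_action_ts < self.action_window):
            return None
        self._last_action_ts = ev.ts
        return CorrelatedEvent(self.action_event_name, self.action_severity,
                               ev.ts, ev)


def run_engine(rule: SimpleRule, events: List[Event]) -> List[CorrelatedEvent]:
    """Feed events to the rule in time order and collect the actions it ran."""
    correlated = []
    for ev in sorted(events, key=lambda e: e.ts):
        out = rule.evaluate(ev)
        if out is not None:
            correlated.append(out)
    return correlated


def build_test_rule() -> SimpleRule:
    # TestRule1 as configured in Step 29 through Step 33.
    return SimpleRule(name="TestRule1", severity=4, action_window=60.0,
                      action_event_name="CorrelatedEvent", action_severity=5)


# Constructed sample stream: a burst of failed logins (severity 4) interleaved
# with events the rule must ignore.
SAMPLE_EVENTS = [
    Event("LoginFailed", 4, 0.0),
    Event("LoginFailed", 4, 5.0),
    Event("ConfigChange", 3, 10.0),
    Event("LoginFailed", 4, 30.0),
    Event("LoginFailed", 4, 61.0),
    Event("CriticalAlert", 5, 62.0),
    Event("LoginFailed", 4, 130.0),
]


if __name__ == "__main__":
    rule = build_test_rule()
    for ce in run_engine(rule, SAMPLE_EVENTS):
        print(f"t={ce.ts:>6}: {ce.name} sev={ce.severity} "
              f"(triggered by {ce.trigger.name})")
    print(f"rule matched {rule.matches} events, action ran "
          f"{len(run_engine(build_test_rule(), SAMPLE_EVENTS))} times")
```

    With the constructed stream above, the criteria match five events but the action runs three times (at 0, 61 and 130 seconds), because the second and third failed logins fall inside the 1 minute window that opened at the first one. When you verify the correlated event in Active Views, expect the same shape: repeated wrong-credential logins within a minute yield a single CorrelatedEvent, not one per attempt.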

  41. Close the Sentinel Control Center.

  42. On the Applications page, click Launch Sentinel Data Manager.

  43. Log in to Sentinel Data Manager by using the Database Administrative User specified during installation (dbauser by default).

  44. Click each tab to verify that you can access it.

  45. Close Sentinel Data Manager.

If you proceeded through all of these steps without errors, you have completed the basic verification of the Sentinel system installation.