1.1 Event Field Labels and Tags

Each field can be referred to by a user-friendly label or a short tag. The user-friendly label is visible throughout the Sentinel Control Center interface, for example:

Each field has a default label, but the label is user-configurable through the Event Configuration option on the Admin tab. For more information, see the Event Configuration section in the Sentinel 6.1 Rapid Deployment User Guide. For example, InitUserName is the default label for the account name of the user who initiated the event, but an administrator can change it. When a user changes the default label, the change is reflected in most areas of the interface, including correlation rules, filters, and right-click menu options.

WARNING: Changing the default label for variables other than Customer Variables may cause confusion when working with Novell Technical Services or other parties who are familiar with the default names. In addition, JavaScript Collectors built by Novell refer to the default labels described in this chapter and are not automatically updated to refer to new labels.

Each field also has a short tag name that is always used for internal references to the field and is not user-configurable. This short tag name may not correspond exactly to the default label; Sentinel labels have changed over the years, but the underlying short tags remain the same for backward compatibility. (For example, InitUserName is the default label for the account name of the user who initiated the event. The default label was previously SourceUserName, and the underlying short tag is “sun”.)

NOTE: Many of the default labels were updated for clarity in the Sentinel 6.1 release. Because all filters, actions, and correlation rule definitions are stored using the short tags, renaming a label changes only what the interface displays; functionality is unaffected.

Each field is associated with a specific data type, which corresponds to the data type in the database:

This section has the following information:

1.1.1 Free-Form Filters and Correlation Rules

You can use either the tag or the label when you write free-form language in the Sentinel Control Center. The Sentinel interface shows the user-friendly label.

Figure 1-1 Correlation Wizard displaying labels in drop-down and free-form language

Figure 1-2 Filter Wizard displaying labels in drop-down and free-form language

The representation of fields in the free-form RuleLG language is usually prefaced by “e.”; for example, either “e.InitUserName” or “e.sun” refers to the Initiator User Name of the incoming (current) event. In special cases, “w.” is used to refer to a field in a past event (for example, “w.InitUserName”). For more information about the RuleLG language, see Section 3.0, Sentinel 6.1 Rapid Deployment Correlation Engine RuleLG Language.

1.1.2 Actions

Users can use either the tag or the label when they define parameters to be sent to right-click Event Menu actions, correlation actions, and iTRAC workflow actions.

To pass a field value to an action, you may use a checklist that shows the labels or type the parameter name directly into the configuration.

Figure 1-3 Configuration Action - Select Event Attributes window

When you type the label or short tag for a field to be used in an action, the name can be enclosed in percent signs (%tag%) or dollar signs ($tag$). For example:

  • %sun% in a correlation action refers to the value of InitUserName in the correlated event

  • $sun$ in a correlation action refers to the value of InitUserName in the current, “trigger” event (the final event that caused the correlation rule to fire)

    NOTE: In a right-click Event Menu action operating on a single event, there is no functional difference between %sun% and $sun$.

For example, to pass the Initiator User Name to a command-line action that looks up information about that user in a database, you could use %InitUserName% or %sun%. For more information about Actions, see the Actions and Integrators section in the Sentinel 6.1 Rapid Deployment User Guide.

Figure 1-4 Configuration Action window
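The following is an added example, not Novell Sentinel code, that models the label/short-tag scheme described in Sections 1.1 and 1.1.2: events are stored by short tag, labels are a renameable presentation layer, and action parameters written as %name% or $name$ are resolved against the correlated or trigger event respectively. Only the “sun” / InitUserName pair comes from this chapter; the “sev” and “evt” entries, the function names, and the sample events are assumptions constructed for the example.

```javascript
// Added example (not Sentinel code): short-tag registry with renameable labels,
// field-reference resolution, and %tag% / $tag$ parameter expansion.

// Constructed registry: short tag -> current user-friendly label.
// "sun"/"InitUserName" is from the chapter; the other two rows are assumed.
function defaultRegistry() {
  return new Map([
    ["sun", "InitUserName"],
    ["sev", "Severity"],
    ["evt", "EventName"],
  ]);
}

// An administrator renames a label (Event Configuration). The tag never changes,
// and two tags may not share one label, or references would become ambiguous.
function renameLabel(registry, tag, newLabel) {
  if (!registry.has(tag)) throw new Error(`unknown short tag: ${tag}`);
  for (const [otherTag, label] of registry) {
    if (label === newLabel && otherTag !== tag) {
      throw new Error(`label ${newLabel} is already used by tag ${otherTag}`);
    }
  }
  registry.set(tag, newLabel);
}

// Resolve "e.InitUserName", "e.sun" or "w.sun" to { scope, tag }.
// A short tag is accepted as-is; a label is looked up in the registry. This is
// why a filter written with the tag survives a later label rename while one
// written with the old label stops resolving.
function resolveRef(registry, ref) {
  const m = /^([ew])\.(\w+)$/.exec(ref);
  if (!m) throw new Error(`malformed field reference: ${ref}`);
  const [, scope, name] = m;
  if (registry.has(name)) return { scope, tag: name };
  for (const [tag, label] of registry) {
    if (label === name) return { scope, tag };
  }
  throw new Error(`unknown field: ${name}`);
}

// Expand an action parameter string: %name% reads the correlated event,
// $name$ reads the trigger event. Events are keyed by short tag, as the internal
// representation is. One regex pass is used so that a substituted value that
// happens to contain %...% or $...$ is never expanded a second time.
function expandParams(registry, template, correlatedEvent, triggerEvent) {
  const lookup = (name, event) => {
    const { tag } = resolveRef(registry, `e.${name}`);
    return tag in event ? String(event[tag]) : "";
  };
  return template.replace(/%(\w+)%|\$(\w+)\$/g, (_, corrName, trigName) =>
    corrName !== undefined
      ? lookup(corrName, correlatedEvent)
      : lookup(trigName, triggerEvent));
}

// Walk-through with constructed events: a rename keeps tag-based parameters
// working and breaks label-based ones written against the old label.
function demo() {
  const registry = defaultRegistry();
  const correlated = { sun: "alice", sev: 3 };   // constructed correlated event
  const trigger = { sun: "bob", sev: 5 };        // constructed trigger event
  const before = expandParams(registry,
    "lookup --user %InitUserName% --trigger $sun$", correlated, trigger);
  renameLabel(registry, "sun", "AccountName");
  const after = expandParams(registry,
    "lookup --user %sun% --trigger $sun$", correlated, trigger);
  let oldLabelError = null;
  try { resolveRef(registry, "e.InitUserName"); } catch (err) { oldLabelError = err.message; }
  const newLabelTag = resolveRef(registry, "e.AccountName").tag;
  return { before, after, oldLabelError, newLabelTag };
}

console.log(JSON.stringify(demo(), null, 2));
```

The single-pass substitution in expandParams is the part worth keeping in mind when building real actions: a parameter value is user-controlled event data, so it must be substituted once and then treated as opaque, never re-scanned for further placeholders.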

1.1.3 Proprietary Collectors

Proprietary Collectors, written in Novell’s own language, always use variables based on the short tag to refer to event fields. The short tag name must be prefaced by a letter and underscore, where the letter indicates the data type for the field (i_ for integer, s_ for string).

1.1.4 JavaScript Collectors

JavaScript Collectors usually refer to event fields using an “e.” followed by the same user-friendly label set in Event Configuration in the Sentinel Control Center. For a Sentinel system with a default configuration, for example, the Initiator User Name would be referred to as “e.InitUserName” in the JavaScript Collector. There are some exceptions to this general rule. Refer to the Sentinel Collector SDK for more details.