11.4 Components of Event Source Hierarchy

ESM displays the information on the Collectors and other components in a hierarchy specific to ESM.

Figure 11-15 ESM Hierarchy

NOTE: ESM allows you to add Collectors, event sources, and Connectors.

Table 11-4 Components of the ESM Hierarchy

  Sentinel
    The single Sentinel icon represents the main Sentinel server that manages all events collected by the Sentinel system. The Sentinel object is installed automatically through the Sentinel installer.

  Collector Manager
    Each Collector Manager icon represents another instance of a Collector Manager process. Multiple Collector Manager processes can be installed throughout the enterprise. As each Collector Manager process connects to Sentinel, the objects are created in ESM automatically.

  Collector
    Collectors instantiate the parsing logic for data from a particular event source. Each Collector icon in ESM refers to a deployed Collector script as well as the runtime configuration of a set of parameters for that Collector.

  Connector
    Connectors provide the protocol-level communication with an event source, using industry standards such as Syslog, JDBC, and so forth. Each instance of a Connector icon in ESM represents the Connector code as well as the runtime configuration of that code.

  Event Source Server
    An event source server (ESS) is considered part of a Connector, and is used when the data connection with an event source is inbound rather than outbound. The ESS represents the daemon or server that listens for these inbound connections. The ESS caches the received data, and one or more Connectors connect to the ESS to retrieve a set of data for processing. A Connector requests only the data that comes from its configured event source (defined in the metadata for the event source) and that matches its additional filters.

  Event Source
    The event source represents the actual source of data for Sentinel. Unlike the other components, this is not a plug-in, but a container for metadata about the event source, including its runtime configuration. In some cases a single event source can represent many real sources of event data, for example when multiple devices write to a single file.

11.4.1 Component Status Indicators

Indicators are used to represent various states as follows:

Table 11-5 Component Status Indicators

  Stopped
    Indicates that the component is stopped.

  Running
    Indicates that the component is running.

  Warning
    Indicates that a warning is associated with the component. At this time, the warning indicator is used mainly to show that the configured state and the actual state of a component differ: for example, a component is configured to be running, but it is actually stopped.

  Error
    Indicates that an error is associated with the component. See the individual component's status display for details about the error.

  Reporter Time is Skewed
    Indicates that the component's time differs from the main server's time by more than a predefined threshold.

  Debug
    Indicates that the component is in Debug mode. Only a Collector can be in Debug mode.

  Unknown
    Displayed when the status of the object in the ESM panel is not yet known.
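The indicator table above, as an added example that is not part of the Sentinel documentation: a small Python model that derives the indicator for each component from its configured and actual state, with the time-skew flag kept separate as the table keeps it. The Component fields, the 300-second skew threshold and the precedence between indicators (Unknown, Error, Warning, Debug, then Running or Stopped) are assumptions of this example.

```python
"""Status indicator logic for ESM components (added example, not Sentinel code)."""
from dataclasses import dataclass
from typing import Optional

# Assumed value; the documentation only says "a predefined time threshold".
SKEW_THRESHOLD_SECONDS = 300


@dataclass
class Component:
    name: str
    kind: str                              # "Collector", "Connector", "Event Source", ...
    configured_running: bool               # the state the operator asked for
    actual_running: Optional[bool]         # None: the state has not been reported yet
    error: Optional[str] = None            # last error reported by the component
    debug: bool = False                    # Debug mode (Collectors only)
    reporter_offset_seconds: float = 0.0   # component clock minus main server clock


def status_indicator(c: Component) -> str:
    """Return the primary indicator name from Table 11-5.

    Precedence is an assumption of this example: Unknown, Error, Warning,
    Debug, then Running/Stopped.
    """
    if c.actual_running is None:
        return "Unknown"
    if c.error:
        return "Error"
    if c.configured_running != c.actual_running:
        # Configured and actual state differ, e.g. configured to run but stopped.
        return "Warning"
    if c.debug:
        if c.kind != "Collector":
            raise ValueError(f"{c.name}: only a Collector can be in Debug mode")
        return "Debug"
    return "Running" if c.actual_running else "Stopped"


def reporter_time_skewed(c: Component, threshold: float = SKEW_THRESHOLD_SECONDS) -> bool:
    """True when the clock difference exceeds the threshold in either direction."""
    return abs(c.reporter_offset_seconds) > threshold


def health_report(components):
    """Return (name, indicator, skewed) triples with components needing attention first."""
    rows = [(c.name, status_indicator(c), reporter_time_skewed(c)) for c in components]
    attention = {"Warning", "Error", "Unknown"}
    return sorted(rows, key=lambda r: (r[1] not in attention and not r[2], r[0]))


# Constructed inventory for demonstration.
SAMPLE_COMPONENTS = [
    Component("CM-dmz-01", "Collector Manager", True, True),
    Component("Syslog Collector", "Collector", True, False),                  # Warning
    Component("JDBC Connector", "Connector", True, True, error="login failed"),
    Component("Firewall ES", "Event Source", True, True, reporter_offset_seconds=-900),
    Component("Test Collector", "Collector", True, True, debug=True),
    Component("New ES", "Event Source", False, None),                         # Unknown
]

if __name__ == "__main__":
    for name, indicator, skewed in health_report(SAMPLE_COMPONENTS):
        print(f"{name:18} {indicator:8} {'time skewed' if skewed else ''}")
```

Running the block prints the flagged components first, which is the view an operator wants from a Live View health check: a Warning is the cheapest signal that a collection path has silently stopped, and a skewed reporter clock quietly corrupts event ordering even while everything reads Running.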

To set an attribute filter for displaying components:

  1. In the Sentinel Control Center, click Event Source Management in the menu bar and select Live View or Scratch Pad.

  2. Click the Attribute Filter frame.

  3. Specify the Search and Limit to criteria.

  4. Select the Running or Stopped check box to specify the status of the components.

To hide components based on type:

  1. In the Sentinel Control Center, click Event Source Management in the menu bar and select Live View or Scratch Pad.

  2. Click the Attribute Filter frame.

  3. Specify the Search and Limit to criteria.

  4. Select the component type by which to limit the view.

11.4.2 Adding Components to the Event Source Hierarchy

Although some Sentinel components are preinstalled with the Sentinel system, Novell recommends that you check the Sentinel Content Web site for updated versions.

Collectors, Connectors and event sources can be added to the system through the right-click menus on the main ESM display.

11.4.3 Collectors

To run the Collectors and generate the events as per your requirements, you need to:

  • Download Collectors

  • Import and Deploy Collectors

  • Generate Events

    Right-click the Collector and select Start to generate events.

  • Debug Collectors

    For any errors in the output of a Collector, right-click the Collector and select Debug.

    For more information, see Section 11.5, Debugging.

  • Edit Collectors

    To troubleshoot any problems with a Collector, you can edit the Collector. The method for editing the Collector depends on the type of Collector. For proprietary (or legacy) Collectors, copy the Collector script to a Windows machine that has Collector Builder installed. For JavaScript Collectors, any standard development environment for JavaScript can be used.

    For more information on editing Collectors, see the Sentinel Collector SDK.

  • Re-Import and deploy Collectors

Adding Connectors/Collector Plug-Ins

NOTE: When you use the Sentinel Control Center to browse to locate a file on the desktop of the Collector Manager, clicking Desktop takes you to the desktop of the user running the Collector Manager, usually SYSTEM. Extra steps might be necessary to navigate to the correct user's desktop.

To add a Connector:

  1. Click Tools on the menu bar and select Import Plugin. The Import Plugin Wizard window displays.

  2. Select Import Collector Script or Connector plugin package file (.zip). Click Next.

  3. Browse to the location of the Connector plugin package file and click OK, then click Next.

    If the file imported is not in the format specified for the Collector scripts or for the Connector plug-in package, the system displays an error message.

    Plug-in details window displays.

  4. Select the Deploy Plugin option to deploy the plug-in from this window.

    For more information, see .

  5. Click Finish.

    When you add a plug-in into Sentinel, it is placed in the Plugin Repository, which enables Sentinel components on other machines to start using the plug-in without adding the plug-in separately.

To add a Collector plug-in:

  1. Click Tools on the menu bar and select Import plugin. The Import Plugin Wizard window displays.

    You can select from the two options available in this window.

  2. Click Next.

  3. Do one of the following:

    • If you chose the first option, browse to the location of the Collector script file and click OK, then click Next.

    • If you chose the second option, you are directed to the Collector workspace. Select a Collector script directory and click Next.

    The Collector Script Detail window displays.

  4. Click the button next to the ID field to generate a UUID.

    The name and author details are displayed.

  5. Edit the details as per your requirements. Specify a Version number.

  6. Browse to and attach the help file.

    If the help file is not in the plug-in directory, the system prompts you to copy the help file to the plug-in directory before the import. Click Yes.

  7. Provide a description and click Next. The Supported Devices window displays.

    You must specify at least one device.

  8. Click Add. The Supported Devices window displays.

  9. Provide a vendor, name, version, and description, click OK, then click Next.

    Use the Edit button to edit the details of a device or use the Delete button to delete a device from the list. The Plugin details window displays.

  10. Select the Deploy Plugin option to deploy the plug-in from this window.

    For more information on the deployment procedure, see .

  11. Click Finish.

Updating Connector/Collector Plug-Ins

If a new version of a Connector or Collector is released, you can update the Sentinel system and any deployed instances of the Connector or Collector.

NOTE: When you use the Sentinel Control Center to browse to locate a file on the desktop of the Collector Manager, clicking Desktop takes you to the desktop of the user running the Collector Manager, usually SYSTEM. Extra steps might be necessary to navigate to the correct user's desktop.

To update a Connector or Collector plug-in:

  1. Click Tools and select Import plugin. The Import Plugin Wizard window displays.

  2. Select from the two options available in this window. Click Next.

  3. Browse to a location of the Connector or Collector Plugin package file, select the file, click OK, then click Next.

    If the file imported is not in the format specified for the Collector scripts or for the Connector plug-in package, the system displays an error message.

  4. (Conditional) If you are updating an already-imported Connector or Collector, you are provided with the option of updating the existing plug-in, going back and selecting a different plug-in, or canceling the import. If you want to continue, click Next.

    The Plugin details window displays.

  5. Select the Update Deployed Plugins option to update any currently deployed plug-ins that use this Connector or Collector.

  6. Click View Deployed Plugins to view the plug-ins deployed in the ESM Live View.

    The number in parentheses represents the number of instances of this plug-in that are currently deployed and configured. The Deployed Plugins window lists the Affected Connectors/Event Sources/Event Source Servers or the Affected Collectors: these are the components whose configuration is affected because the Connector or Collector being imported already exists in ESM. A Description and a User Interface entry are shown for each of the following:

    Affected Collectors

    Affected Event Sources/Connectors/Event Source Servers

  7. Click Finish.

NOTE: When you add a plug-in into Sentinel, it is placed in the Plugin Repository, which enables Sentinel components on other machines to start using the plug-in without adding the plug-in separately.

Deploying a Collector

  1. In the main ESM display, locate the Collector Manager to which the new Collector is to be associated.

  2. Right-click the Collector Manager and select the Add Collector menu item.

  3. Follow the prompts in the Add Collector Wizard.

  4. Click Finish.

NOTE: The Collector script enables the ESM panel to prompt you for parameter values, and also enables ESM to automatically select supported connection methods that work well with the Collector script.

Deploying a Connector

  1. In the main ESM display, locate the Collector to which the new Connector will be associated.

  2. Right-click the Collector and select the Add Connector menu item.

  3. Follow the prompts in the Add Connector Wizard.

  4. Click Finish.

Deploying an Event Source

  1. In the main ESM display, locate the Connector to which the new event source will be associated.

  2. Right-click the Connector and select the Add Event Source menu item.

  3. Follow the prompts in the Add Event Source Wizard.

  4. Click Finish.

Deploying Event Source Servers

Certain event source Connectors (such as the Syslog Connector) require a process to collect data from the actual data source. These processes are called event source servers. They collect data from the data source and then serve it to the event source Connector. Event source servers must be added and associated to any event source Connectors that require a server.

  1. In the Live View, right-click the Collector Manager and select Add Event Source Server. The Select Connector window displays.

    To start the Add Event Source Server Wizard, locate the Collector Manager on which the event source server process runs.

  2. Select a Connector to support your device and click Next. If you do not have any Connectors in the list to support your device, click Install More Connectors.

    For more information on installing a Connector, see Adding Connectors/Collector Plug-Ins.

  3. Configure the parameters for the server according to the Connector selected (for example, the Syslog Connector or the NAudit Connector). The configurable parameters differ between Connector types.

  4. Click Next.

  5. Provide a name for the event source server. If you want this server to be running, select the Run check box.

  6. Click Finish.

    In the Health Monitor Display frame, the event source server added here displays with a dashed blue line showing the Collector Manager to which it is associated.

NOTE: The Add Event Source Server Wizard can also be started from within the Add Connector Wizard if a compatible event source server has not yet been added.
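The inbound path described for event source servers (Table 11-4 and the introduction to this procedure), as an added Python sketch that is not Sentinel's own code: an ESS that caches what its syslog listener receives, and Connectors that pull only the cached records belonging to their configured event source and passing an additional filter. The class names, the host-keyed cache, the severity filter and the sample syslog lines are all constructed for this example.

```python
"""Event source server cache with Connector retrieval (added example, not Sentinel code)."""
import re
from collections import deque

# Constructed: (sending host, RFC 3164-style line) pairs as a syslog listener would see them.
SAMPLE_LINES = [
    ("10.0.0.5", "<34>Oct 11 22:14:15 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9"),
    ("10.0.0.7", "<86>Oct 11 22:14:16 ad01 sshd[999]: Accepted publickey for svc"),
    ("10.0.0.5", "<38>Oct 11 22:14:17 fw01 sshd[410]: Failed password for root"),
    ("10.0.0.9", "<13>Oct 11 22:14:18 web01 app: health ok"),
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$")   # leading <PRI> of a syslog line


class EventSourceServer:
    """The ESS role: listen for inbound data and cache it until a Connector asks for it."""

    def __init__(self, max_cached_per_host=10000):
        self._cache = {}                 # sending host -> deque of parsed records
        self._max = max_cached_per_host  # bounded cache so a chatty host cannot exhaust memory

    def receive(self, host, raw):
        """Parse one inbound line and cache it under the host that sent it."""
        m = PRI_RE.match(raw)
        if not m:
            return  # not syslog; a real listener would log and discard it
        pri = int(m.group(1))
        record = {"host": host, "facility": pri // 8, "severity": pri % 8, "msg": m.group(2)}
        self._cache.setdefault(host, deque(maxlen=self._max)).append(record)

    def fetch(self, host, predicate=lambda record: True):
        """Return and remove the cached records for one host that satisfy predicate.

        Records that do not match stay cached, so another Connector with a
        different filter can still retrieve them.
        """
        queue = self._cache.get(host)
        if not queue:
            return []
        matched, rest = [], deque(maxlen=queue.maxlen)
        for record in queue:
            (matched if predicate(record) else rest).append(record)
        self._cache[host] = rest
        return matched


class Connector:
    """Pulls records for one configured event source (its host) from an ESS."""

    def __init__(self, ess, source_host, max_severity=7):
        self.ess = ess
        self.source_host = source_host    # event source metadata: which host is "ours"
        self.max_severity = max_severity  # additional filter: syslog severity 0..max_severity

    def poll(self):
        return self.ess.fetch(self.source_host, lambda r: r["severity"] <= self.max_severity)


def demo():
    """Feed the sample lines through one ESS and two Connectors."""
    ess = EventSourceServer()
    for host, line in SAMPLE_LINES:
        ess.receive(host, line)
    fw = Connector(ess, "10.0.0.5", max_severity=4)  # firewall: warning and worse only
    ad = Connector(ess, "10.0.0.7")                  # domain controller: everything
    return fw.poll(), ad.poll(), fw.poll()


if __name__ == "__main__":
    first, ad_records, second = demo()
    print("firewall connector got:", [r["msg"] for r in first])
    print("ad connector got:", [r["msg"] for r in ad_records])
    print("firewall second poll:", second)
```

The second firewall poll comes back empty because the only remaining fw01 record is an informational one that the Connector's severity filter leaves in the cache, and web01's line is never handed to anyone because no Connector is configured for that event source. That is the behaviour to expect when an event source is added in ESM but no Connector is bound to it.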

Connecting to an Event Source

There are several methods to configure an event source. Event sources can be deployed by right-clicking an existing Collector Manager, Collector, or Connector.

To deploy an event source, you need the following components:

  • Collector Script: Collector scripts can be downloaded from the Sentinel Content Web site, copied from a previous Sentinel implementation (4.x or 5.x), or built by using the Collector Builder.

  • Connector: A Connector can also be downloaded from the Sentinel Content Web site. There are also some Connectors included in the installed Sentinel system, but there might be more recent versions on the Web site.

  • Configuration information for the event source

To connect to the event sources:

  1. Click Tools on the menu bar and select Connect to Event Source. Alternatively, click the Connect to Event Source button on the toolbar. The Connect to Event Source window displays.

    Event source types for which you currently have compatible Collector parsing scripts are listed here.

  2. Select from the list the event source to which you want to connect and from which you want to collect data. You can click Add More to import an event source.

  3. Click Next. The Select Collector Script window displays.

    You can open the Select Collector Script window by double-clicking or dragging a selected event source from the Event Source Palette window.

  4. Select a Collector script from the list.

    You can also install additional Collector scripts (click Install More Scripts) that support your event source, if it is not listed here. For more information on installing a Collector script, see Adding Connectors/Collector Plug-Ins.

  5. Click Next. The Select Connection Method window displays.

  6. Select a connection method from the list.

    You can also install additional Connectors by clicking on the Install More Connectors button. For more information, see Adding Connectors/Collector Plug-Ins to install Connectors.

  7. Click Next. The Event Source Management window displays.

    You can create a new Collector and Connector or you can use an existing Collector or Connector.

  8. Select an option and click Next.

    Depending on which existing Collectors and Connectors in your system are compatible with your new event source, one or more of these options might be unavailable.

  9. Complete the configuration and click Next.

    The Records Per Second window displays.

  10. Set the number of records to be transferred per second and click Next.

    The General window displays with the following options:

    Name
      Specify the name of the event source.

    Run
      Select the Run check box if you want to run your event source automatically.

    Plugin Details
      Click the Details button to see plug-in details.

    Alert if no data is received in specified time period
      Set alerts (with a repeat option) indicating what to do if no data is received in a specified time interval.

    Limit Data Rate
      Limit the data rate as the maximum number of records per second.

    Trust Event Source Time
      Select Trust Event Source Time to display the Device Time (the time when the event occurred) instead of the Event Source Time (the time when the event was reported to the console).

    Set Filter
      Set the filter by using the Set Filter button. In the Filter window, add or edit the filters and click OK.

  11. Click Next. The Summary window displays.

    1. Click Test Connection to test the event source.

      The Test Event Source window displays with Data and Error tabs. The Error tab displays the error message if there is any error in the configuration of event source.

      After a few seconds, a sampling of raw data should be received from the event source and displayed in the tab.

    2. Click the Start and Stop buttons to start or stop the test.

      Use the Maximum Rows component to control the maximum number of raw data records to obtain at once.

  12. Click Finish.

NOTE: The Collector parsing script is executed on the same system as the Collector Manager that you select here.

Creating a new Collector and Connector

  1. In the Select Collector Manager window, select the Collector Manager you want to use and click Next. The Configure Collector Property window displays.

  2. Configure the parameters available and click Next. The Configure Collector window displays.

  3. Provide the name of the Collector and configure the options as desired:

    Name
      Specify the name of the Collector.

    Run
      Select the Run check box if you want to run your Collector automatically.

    Details
      Click the Details button to see plug-in details.

    Alert if no data is received in specified time period
      Set alerts (with a repeat option) indicating what to do if no data is received in a specified period.

    Limit Data Rate
      Limit the data rate as the maximum number of records per second.

    Set Filter
      Set a filter by using the Set Filter button.

    Trust Event Source Time
      Select Trust Event Source Time to display the Device Time (the time when the event occurred) instead of the Event Source Time (the time when the event was reported to the console).

      If the Trust Event Source Time option is selected on the Collector, all data flowing through the Collector has its Event Source Time trusted, even for event sources that do not have this option selected.

  4. Click Next. The Configure Connector window displays.

  5. Provide the name of the Connector and configure the options as desired:

    Name
      Specify the name of the Connector.

    Run
      Select the Run check box if you want to run your Connector automatically.

    Details
      Click the Details button to see plug-in details.

    Alert if no data is received in specified time period
      Set alerts (with a repeat option) indicating what to do if no data is received in a specified period.

    Limit Data Rate
      Limit the data rate as the maximum number of records per second.

    Set Filter
      Set a filter by using the Set Filter button.

    Trust Event Source Time
      Select Trust Event Source Time to display the Device Time (the time when the event occurred) instead of the Event Source Time (the time when the event was reported to the console).

  6. Click Next. The Event Source Configuration window displays.

  7. Continue with Step 9.
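The event source and Collector options above (Run, Set Filter, Limit Data Rate, Alert if no data is received in specified time period, Trust Event Source Time), applied in code as an added example that is not part of the Sentinel documentation or product. It also applies the rule from the Configure Collector window that a Collector with Trust Event Source Time selected trusts device time for every event source under it. The option field names, the record layout and the sample events are constructed; how Sentinel itself enforces the rate cap is not described on this page, so this example simply drops records above the cap.

```python
"""Per-event-source options applied to a record stream (added example, not Sentinel code)."""
from dataclasses import dataclass
from typing import Callable, Optional

BASE = 1_700_000_000.0  # constructed epoch base for the sample events


@dataclass
class EventSourceOptions:
    name: str
    run: bool = True                                        # Run check box
    record_filter: Optional[Callable[[dict], bool]] = None  # Set Filter
    max_records_per_second: Optional[int] = None            # Limit Data Rate
    idle_alert_seconds: Optional[float] = None              # Alert if no data is received ...
    trust_event_source_time: bool = False                   # Trust Event Source Time


@dataclass
class CollectorOptions:
    name: str
    trust_event_source_time: bool = False   # when selected, applies to every event source below


def process(events, source: EventSourceOptions, collector: CollectorOptions, now: float):
    """Return (accepted_records, alerts).

    Each event is a dict with event_source_time (seconds since the epoch when the
    record reached the Collector Manager), device_time (what the device says) and
    msg. Events are assumed to arrive in event_source_time order.
    """
    accepted, alerts = [], []
    if not source.run:
        return accepted, [f"{source.name}: not running (Run check box not selected)"]

    # Collector-level Trust Event Source Time overrides the event source setting.
    trust_device = source.trust_event_source_time or collector.trust_event_source_time
    per_second = {}  # one-second bucket -> records accepted in that bucket

    for ev in events:
        if source.record_filter is not None and not source.record_filter(ev):
            continue  # Set Filter excluded it
        bucket = int(ev["event_source_time"])
        per_second[bucket] = per_second.get(bucket, 0) + 1
        if (source.max_records_per_second is not None
                and per_second[bucket] > source.max_records_per_second):
            continue  # over the Limit Data Rate cap for this second (dropped in this example)
        chosen = ev["device_time"] if trust_device else ev["event_source_time"]
        accepted.append(dict(ev, normalized_time=chosen))

    if source.idle_alert_seconds is not None:
        last_raw = max((e["event_source_time"] for e in events), default=None)
        if last_raw is None or now - last_raw > source.idle_alert_seconds:
            alerts.append(f"{source.name}: no data received in the last "
                          f"{source.idle_alert_seconds}s")
    return accepted, alerts


# Constructed sample: device clock runs about five seconds behind the Collector Manager.
SAMPLE_EVENTS = [
    {"event_source_time": BASE + 0.1, "device_time": BASE - 5.0, "msg": "login ok"},
    {"event_source_time": BASE + 0.2, "device_time": BASE - 4.9, "msg": "login failed"},
    {"event_source_time": BASE + 0.3, "device_time": BASE - 4.8, "msg": "login failed"},
    {"event_source_time": BASE + 1.1, "device_time": BASE - 4.0, "msg": "login failed"},
    {"event_source_time": BASE + 1.2, "device_time": BASE - 3.9, "msg": "debug noise"},
]


def demo(now: float = BASE + 100):
    """Filter out noise, cap at 2 records/s, alert after 60 s of silence, trust device time
    via the Collector even though the event source itself has the option cleared."""
    source = EventSourceOptions("fw01-syslog",
                                record_filter=lambda e: "noise" not in e["msg"],
                                max_records_per_second=2,
                                idle_alert_seconds=60)
    collector = CollectorOptions("Firewall Collector", trust_event_source_time=True)
    return process(SAMPLE_EVENTS, source, collector, now)


if __name__ == "__main__":
    records, alerts = demo()
    for r in records:
        print(f"{r['normalized_time']:.1f} {r['msg']}")
    print("alerts:", alerts)
```

With the sample data the third record in the first second is dropped by the cap, the "debug noise" record never reaches the rate counter because the filter runs first, and every accepted record carries the device time because the Collector-level option wins regardless of the event source setting. Evaluate the idle alert with the current time as `now`; calling `demo(now=BASE + 10)` produces no alert.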

Using an existing Collector

  1. Select this option to use an existing Collector and to create a new Connector to manage the event source connection.

    After you select this option and click Next, the Select Collector window displays.

  2. Select the Collector you want to use and click Next. The Configure Connector window displays.

  3. Provide the name of the Connector and configure the options as desired:

    Run
      Select the Run check box if you want to run your Connector automatically.

    Details
      Click the Details button to see plug-in details.

    Alert if no data is received in specified time period
      Set alerts (with a repeat option) indicating what to do if no data is received in a specified period.

    Limit Data Rate
      Limit the data rate as the maximum number of records per second.

    Set Filter
      Set a filter by using the Set Filter button.

    Trust Event Source Time
      Select Trust Event Source Time to display the Device Time (the time when the event occurred) instead of the Event Source Time (the time when the event was reported to the console).

  4. Click Next. The Event Source Configuration window displays.

  5. Continue with Step 9.

Using an existing Connector

  1. Select this option to use an existing Collector and an existing Connector to manage the event source connection.

    After you select this option and click Next, the Select Connector window displays.

  2. Select the Connector you want to use and click Next.

  3. Continue with Step 9.