6.5 Managing Event Sources

The Event Sources interface displays the health of the event source and the volume of data being received from it in events per second. The event sources page lists all the event sources, such as Syslog, Audit, File, and Database, that are configured in the Event Source Management interface.

You can refine the displayed event sources by selecting Collector Managers, Event Source Servers, and Collector plug-ins. You can also specify a filter on the event source name and select particular event source health states you want to view. All of these selections and filters are stored on a per-user basis, so that each time you log into the Sentinel server you can view event sources that match your last selections. You can also perform filtering based on tags. For more information, see Configuring Tags in the Legal Notices.

6.5.1 Viewing the Event Sources Page

The Event Sources page consists of different sections that allow you to perform different functions.

Collector Managers: Lists all the Collector Managers associated with the Sentinel system. It also displays the state and details about the Collector Managers.

Event Source Servers: Lists all the Event Source Servers associated with the Sentinel system. It also displays the state of the Event Source Servers.

Collector Plug-ins: Lists all the Collector plug-ins associated with the Sentinel system. You can also view the details about the installed plug-ins.

The Event Sources section in the right pane lists the event sources based on the options selected from the left pane.

NOTE: The Event Sources page shows event sources that were already configured or automatically detected. To manually configure additional event sources, use the Event Source Management user interface described in Configuring Data Collection for Other Event Sources.

Viewing Event Sources

  1. Log in to the Sentinel Web interface as a user in the administrator role.

  2. Select Collection in the toolbar, then click the Event Sources tab.

    The Event Sources page is displayed.

    Each column in the Event Source section has different information:

    Health Icon: The colored icon indicates the event source health.

    • Green: Indicates that the event source is healthy and Sentinel has received data from it.

    • Red: Indicates that the Sentinel server is reporting an error about connecting to or receiving data from this event source.

    • Gray: Indicates that the event source is turned off. Sentinel is not processing any data from it.

    • Orange: Indicates that the event source is running with some warnings.

    You can sort the event sources based on their health status.

    Name: Displays the name given to the Event Source by the system (if it was auto-created) or by a user. For Syslog Event Sources, if the Event Source was auto-created by the system, the name is a combination of the hostname/IP address and the Collector connection mode the event source is using.

    You can rename any Event Source at any time through the Event Source Management interface.

    You can sort the Event Sources in alphabetical order based on their names.

    Collector Plug-in: Displays the name of the Collector plug-in that the event source is connected to.

    This is the name of the Collector plug-in, not the name of the Collector instance. You can sort the event sources based on Collector plug-in name.

    Drop: Indicates whether data from the associated event source should be dropped.

    • YES: If Drop Data is set to YES, all data received from the event source is dropped. This means that the data is not saved and events are not generated.

    • NO: If Drop Data is set to NO, all data from the event source is saved and events are generated. When it is set to NO, data is always saved, regardless of whether a filter is set on the event source using the Event Source Management user interface. However, if a filter is set, events might not be generated if the filter causes the data to be ignored.

      You can sort the event sources based on the drop data status.

    Create Date: Specifies the date and time when the event source was created. You can sort the event sources based on when they were created.

    EPS: Displays the events per second value received from the event source. You can sort the event sources based on their events per second value.

    If you see a value of less than one (<1) in this column, it indicates that the EPS rate is greater than zero, but less than one.

  3. To select or deselect an event source, select the check box next to the event source.

    To select all the available event sources, select the check box at the top of the column.

  4. To sort the event sources by Health, Name, Collector Plug-in, Drop Data, Create Date, and EPS values, click the column header. The selected column header is displayed in bold.

    When you first click a column header, the event sources are arranged in ascending order. A blue down-arrow is displayed to indicate that the sort order is ascending. When you click the column header for the second time, the sort order is changed to descending, and a blue up-arrow is displayed to indicate that the sort order is descending.

  5. To view additional information about an event source, click the Name or EPS value of an event source. A dialog box displays the additional information.

Viewing Collector Managers

  1. Log in to the Sentinel Web interface as a user in the administrator role.

  2. Select Collection in the toolbar, then click the Event Sources tab.

    The Collector Manager section is displayed in the Event Sources page.

    Health: Indicates the health of the Collector Managers. You can sort the Collector Managers based on their health status.

    Name: Displays the names of the Collector Managers. You can sort the Collector Managers in alphabetical order based on their names.

    EPS: Displays the events per second value received from the event sources. You can sort the Collector Managers based on the events per second value.

  3. To select or deselect a Collector Manager, select the check box next to the Collector Manager.

    To select all the available Collector Managers, select the check box located at the top of the column.

    The right pane displays the list of event sources connected to the selected Collector Managers.

    If none of the Collector Managers are selected, the event sources table displays all the configured event sources.

  4. To sort the Collector Managers by Health, Name, and EPS values, click the column header. The selected column header displays in bold text.

  5. To get additional information about the Collector Managers, click the Name or EPS value column. A dialog box displays the additional information.

Viewing Event Source Servers

  1. Log in to the Sentinel server as a user in the administrator role.

  2. Select Collection in the toolbar, then click the Event Sources tab.

    The Event Source Servers section is displayed.

    Health: Indicates the health of the Event Source Server. You can sort the Event Source Servers based on their health status.

    Name: Displays the names of the Event Source Servers used to parse the data from the event sources (for example, Syslog Server SSL). You can sort the Event Source Servers in alphabetical order based on their names.

    EPS: Displays the events per second value received from the event sources. You can sort the event source servers based on the events per second value.

  3. To sort the Event Source Servers by Health, Name, and EPS values, click the column header. The selected column header displays in bold text.

  4. To view additional details, click the Name or EPS value column. A dialog box displays the additional information.

Viewing Collector Plug-Ins

  1. Log in to the Sentinel server as a user in the administrator role.

  2. Select Collection in the toolbar, then click the Event Sources tab.

    Health: Indicates the aggregate health of all event sources that are connected to the Collector plug-in.

    With the exception of the green icon (healthy state), the icon does not necessarily mean that all event sources connected to the Collector plug-in are in the state indicated by the icon.

    The red icon (error state) indicates that one or more event sources connected to the Collector plug-in are in an error state. For detailed information, click the Name or EPS column value.

    Name: Displays the names of the Collector plug-in used to parse the data from the event sources (for example, Cisco Firewall 6.1r1).

    This is the name of the Collector plug-in, not the name of the Collector instance. You can sort the event sources based on Collector plug-in name.

    EPS: Displays the events per second value received from the event sources. You can sort the Collector plug-ins based on the events per second value.

  3. To select or deselect the Collector plug-ins, select the check box next to the Collector plug-in.

    To select all the available Collector plug-ins, select the check box at the top of the column.

  4. To sort the Collector plug-ins by Name or EPS values, click the appropriate column header. The selected column header displays in bold text.

    The Collector Instances field displays the number of instances of the Collector plug-in. Clicking the Collector Instances field displays a Collectors window with a list of Collector instances associated with the Collector plug-in.

  5. Click the Collector Plug-in column to display a dialog box with additional information about the Collector plug-in.

6.5.2 Filtering Event Sources

  1. Log in to the Sentinel server as a user in the administrator role.

  2. Select Collection in the toolbar, then click the Event Sources tab.

  3. Select the desired criteria to filter event sources.

    You can use one or more of the following options to filter the event sources:

Filtering Event Sources by Name

To filter the event sources by name, type a name value in the filter text box, then click Filter.

Matching is case insensitive. The name value can contain wildcard characters. Use * to match zero or more characters and use ? to match one character. If no wildcard characters are specified in the name value, it is assumed that the name value is intended to mean contains <name value>, or *<name value>*.

For example, an event source value of abc is interpreted as *abc*. Some examples of common filter types are:

  • If the event source name starts with abc, enter the filter value as abc*.

  • If the event source name ends with abc, enter the filter value as *abc.

  • If the event source name contains abc, enter the filter value as abc or *abc*.

The Event Source table displays the list of event sources whose names match the value entered in the filter input box.

Filtering Event Sources by Tags

To filter event sources based on tags, do one of the following:

  • Click , then select the tags to use for searching the events.

  • Specify the following search criteria:

    @<tag_name>

    For example, @HIPAA displays all events tagged with the HIPAA tag.

Filtering Event Sources by Health Status

To view the event sources based on the health status, select the Healthy, Warning, Error, or Offline check boxes.

The Event Source table displays the list of event sources with the selected health states.

If none of the health states are selected, health state filtering is not performed. It is essentially equivalent to selecting all four health states.

In the Event Source section, click the Next, Previous, First, and Last arrow links to scroll through all the event sources. The event source section displays 30 Event Sources per page.

Filtering by Event Sources Event Search Results

To view the event search result for an event source, select the event source from the list and click the Search link.

A search is performed using the universally unique identifier (UUID) of the event source (for example, rv24:"2CBFB8A0-F24B-102C-A498-000C").

If multiple event sources are selected for search, the rv24:<UUID> expressions are combined with the OR operator in the search filter expression.

Filtering Event Sources by Collector Managers

To display the event sources connected to particular Collector Managers, select one or more Collector Managers from the Collector Managers section.

If none of the Collector Managers are selected, event source filtering is not performed based on the Collector Managers. This is not the same as selecting all Collector Managers, because it also includes event sources that are not connected to any Collector Manager.


Filtering Event Sources by Event Source Servers

To display only event sources connected to particular Event Source Servers, select one or more Event Source servers from the Event Source Servers section.

If none of the Event Source Servers are selected, event source filtering is not performed based on the Event Source servers. This is not the same as selecting all Event Source Servers, because it also includes event sources that are not connected to any Event Source Server.

To select or deselect Event Source Servers, select the check boxes next to the Event Source Servers.

Filtering Event Sources by Collector Plug-Ins

To display only those event sources connected to particular Collector plug-ins, select one or more Collector plug-ins from the Collectors Plug-ins section.

If none of the Collector plug-ins are selected, event source filtering is not performed based on the Collector plug-in. It is essentially equivalent to selecting all of the Collector plug-ins.
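The name-wildcard, health-state and Collector Manager filter semantics described above, modelled as an added example (not Sentinel's own code). The EventSource class, the constructed sample inventory and the function names are assumptions made for the illustration; the rules implemented are the ones the page states: case-insensitive matching, * and ? wildcards, a wildcard-free value meaning "contains", an empty health selection meaning all four states, and an empty Collector Manager selection applying no filter at all (so unconnected sources are kept, unlike selecting every manager).

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class EventSource:              # assumed model for the illustration
    name: str
    health: str                        # "Healthy", "Warning", "Error" or "Offline"
    collector_manager: Optional[str]   # None when not connected to any Collector Manager


def name_filter_regex(value: str) -> "re.Pattern[str]":
    """Translate a name filter value into a regex with the documented semantics:
    matching is case-insensitive, * matches zero or more characters, ? matches
    exactly one, and a value without wildcards means "contains", i.e. *value*."""
    if "*" not in value and "?" not in value:
        value = f"*{value}*"
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in value]
    return re.compile("".join(parts), re.IGNORECASE)


def filter_event_sources(sources: Iterable[EventSource], name: str = "",
                         health: Iterable[str] = (),
                         collector_managers: Iterable[str] = ()) -> list:
    """Return the names of the event sources that pass every selected filter."""
    rx = name_filter_regex(name) if name else None
    wanted_health = set(health)             # empty == no health filtering (all four states)
    wanted_managers = set(collector_managers)
    selected = []
    for src in sources:
        if rx and not rx.fullmatch(src.name):
            continue
        if wanted_health and src.health not in wanted_health:
            continue
        # An empty Collector Manager selection applies no filter, so a source with no
        # Collector Manager also passes; selecting every manager would drop it instead.
        if wanted_managers and src.collector_manager not in wanted_managers:
            continue
        selected.append(src.name)
    return selected


# Constructed sample inventory, not real Sentinel data.
SAMPLE_SOURCES = [
    EventSource("abc-firewall", "Healthy", "cm-01"),
    EventSource("web-ABC", "Error", "cm-02"),
    EventSource("db-audit", "Offline", None),
    EventSource("abcd", "Warning", "cm-01"),
]
```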

6.5.3 Changing the Data Logging Status of Event Sources

  1. Log in to the Sentinel Web interface as a user in the administrator role.

  2. Select Collection in the toolbar, then click the Event Sources tab.

  3. To change the data logging status for one or more event sources, select the event sources from the list.

  4. Click the Configure button in the table, then select either Drop Data or Allow Data.

    Drop Data: If Drop Data is selected, the selected event sources drop all the events received. Messages are not sent to the Collectors the selected event sources are connected to.

    Allow Data: If Allow Data is selected, the selected event sources forward events received to the Collectors they are connected to.

    If you select a large number of event sources to change, it might take some time to complete. The Event Sources list does not show the Drop state (YES or NO) until after the changes are complete and the display is refreshed from the database.

6.5.4 Changing the Associated Collector Plug-In for Event Sources

  1. Log in to the Sentinel Web interface as a user in the administrator role.

  2. Select Collection in the toolbar, then click the Event Sources tab.

  3. Select the event sources from the list, then click the Configure button in the toolbar.

  4. Select the Collector Plug-in option.

    The Set Collector Plug-in window is displayed with the Collector Plug-in Name and Supported Devices information.

  5. Select a new Collector plug-in, then click Set.

    The event sources are connected to the selected Collector plug-in.

    If you select a large number of event sources to change, it might take some time to complete. The Event Sources list does not show the new Collector plug-in until after the changes are complete and the display is refreshed from the database.

6.5.5 Changing the Time Zone Setting for Event Sources

  1. Log in to the Sentinel Web interface as a user in the administrator role.

  2. Select Collection in the toolbar, then click the Event Sources tab.

  3. To change the time zone setting for one or more event sources, select the event sources from the list, then click the Configure button in the toolbar.

  4. Select the Time Zone option.

    The Set Time Zone window is displayed.

  5. Select a new time zone, then click Set.

    The selected event sources are set to the new time zone setting.

    If you select a large number of event sources to change, it might take some time to complete. The Event Sources list does not show the new time zone until after the changes are complete and the display is refreshed from the database.