1.1 System Requirements and Supported Platforms

NetIQ supports Sentinel on the operating systems described in this section. NetIQ also supports Sentinel on systems with minor updates to these operating systems, such as security patches or hotfixes. However, running Sentinel on systems with major updates to these operating systems is not supported until NetIQ has tested and certified those updates.

1.1.1 Supported Operating Systems and Platforms

The Sentinel server, Collector Manager, and Correlation Engine are supported on the following operating systems and platforms:

| Category | Requirement |
| --- | --- |
| Operating System | Sentinel is supported on SUSE Linux Enterprise Server (SLES) 11 SP1 64-bit * and Red Hat Enterprise Linux for Servers (RHEL) 6 64-bit. |
| Virtual Platform | NetIQ provides appliances that install a SLES 11 SP1 64-bit server and Sentinel on VMware ESX 4.0 and Xen 4.0. |
| DVD ISO | NetIQ provides a DVD ISO file that installs SLES 11 SP1 64-bit and Sentinel on Hyper-V Server 2008 R2 and on hardware without an operating system installed. |

* Sentinel 7 is not supported on the Open Enterprise Server installs of SLES.

1.1.2 Hardware Requirements

The hardware recommendations for a Sentinel implementation can vary based on the individual implementation, so you should consult NetIQ Consulting Services or any of the NetIQ Sentinel partners prior to finalizing the Sentinel architecture.

Sentinel Server

This section lists the hardware recommendations for a production system that holds 90 days of online data. The recommendations assume an average event size of 600 bytes. The local and network storage recommendations include a 20% buffer above the actual storage estimates. NetIQ recommends building in a buffer in case estimates are inaccurate or some of the servers become busier over time.

Use the following hardware recommendations for running the Sentinel server with all of the Sentinel components installed on a single server:

| Category | 100 EPS | 2500 EPS | 5000 EPS |
| --- | --- | --- | --- |
| CPU | One Intel Xeon X5570 2.93-GHz (4 CPU cores) | Two Intel Xeon X5470 3.33-GHz (4 core) CPUs (8 cores total) | Two Intel Xeon X5470 3.33-GHz (4 core) CPUs (8 cores total) |
| Local Storage (30 days) | 2x256 GB, 7.2k RPM drives (Hardware RAID 1 with 256 MB cache) | 8x1.2 TB, 7.2k RPM drives (Hardware RAID 10 with 256 MB cache) | 16x1.2 TB, 15k RPM drives (Hardware RAID 10 with 512 MB cache) or an equivalent storage area network (SAN) |
| Networked Storage (90 days) | 2x128 GB | 4x1 TB | 8x1 TB |
| Memory | Other installations: 4 GB; DVD ISO installation: 4.5 GB | 16 GB | 24 GB |

NOTE: Sentinel is supported on 64-bit (x86-64) Intel Xeon and AMD Opteron processors, but is not supported on pure 64-bit processors such as Itanium.

Follow these guidelines for optimal system performance:

  • The local storage should have enough space to hold at least 5 days' worth of data, which includes both event data and raw data. For more details on calculating the data storage requirements, see Section 1.1.5, Data Storage Requirement Estimation.

  • Networked storage contains all 90 days' worth of data, including a fully compressed copy of the event data in local storage. A copy of the event data is kept on local storage for search and reporting performance reasons. The local storage size can be decreased if storage cost is a concern. However, because of decompression overhead, searching and reporting on data that would otherwise be in local storage is estimated to be 70% slower.

  • You must set up the networked storage location to an external multi-drive SAN or network-attached storage (NAS).

  • The recommended steady state volume is 80% of the maximum licensed EPS. NetIQ recommends that you add additional Sentinel instances if this limit is reached.

Collector Manager

Use the following hardware requirements for running the Collector Manager on a separate system from the Sentinel Server in a production environment:

| Category | Minimum | Recommendation |
| --- | --- | --- |
| CPU | Intel Xeon L5240 3-GHz (2 core) | One Intel Xeon X5570 2.93-GHz (4 CPU cores) |
| Disk Space | 10 GB (RAID 1) | 20 GB (RAID 1) |
| Memory | 1.5 GB | 4 GB |
| Estimated Rate (EPS) | 500 | 2000 |

Correlation Engine

Use the following system requirements for running the Correlation Engine on a separate system from the Sentinel Server in a production environment:

| Category | Minimum | Recommendation |
| --- | --- | --- |
| CPU | Intel Xeon L5240 3-GHz (2 core) | One Intel Xeon X5570 2.93-GHz (4 CPU cores) |
| Disk Space | 10 GB (no RAID required) | 10 GB (no RAID required) |
| Memory | 1.5 GB | 4 GB |
| Estimated Rate (EPS) | 500 | 2500 |

1.1.3 Supported Database Platforms

Sentinel includes an embedded file-based storage system and a database, which is all that is necessary to run Sentinel. However, if you use the optional data synchronization feature to copy data to a data warehouse, Sentinel supports using Oracle version 11g R2 or Microsoft SQL Server 2008 R2 as the data warehouse.

1.1.4 Supported Browsers

The Sentinel Web interface is optimized for viewing at 1280 x 1024 or higher resolution in the following supported browsers:

NOTE: To load the Sentinel client applications properly, you must have the Sun Java plug-in installed on your system.

| Platform | Browser |
| --- | --- |
| Windows 7 | Firefox 5, 6, 7, 8, 9, and 10; Internet Explorer 8 and 9 * |
| SLES 11 SP1 and RHEL 6 | Firefox 5, 6, 7, 8, 9, and 10 ** |

* For information about Internet Explorer 8, see Prerequisites for Internet Explorer.

** For more information, see Manually Updating Firefox Version.

Prerequisites for Internet Explorer

If the Internet Security Level is set to High, a blank page appears after logging in to Sentinel and the file download pop-up might be blocked by the browser. To work around this issue, you need to first set the security level to Medium-high and then change to Custom level as follows:

  1. Navigate to Tools > Internet Options > Security tab and set the security level to Medium-high.

  2. Make sure that the Tools > Compatibility View option is not selected.

  3. Navigate to Tools > Internet Options > Security tab > Custom Level, then scroll down to the Downloads section and select Enable under the Automatic prompting for file downloads option.

Manually Updating Firefox Version

Sentinel supports Firefox versions 5 through 10; however, the SLES 11 SP1 system is packaged with Firefox version 3.6.x. Perform the following steps to manually update a SLES 11 SP1 installation to include a supported version of Firefox:

  1. Open YaST.

  2. Select Software > Software Repositories to display the Configured Software Repositories window.

  3. Click Add to open the Media Type window.

  4. Select the Specify URL option, then click Next.

    This displays the Repository URL window.

  5. Type the Software Repository link in the URL text box, then click Next.

    The software repository is downloaded.

  6. Click OK to refresh the software repository.

  7. Click Software Management to open the YaST2 window.

  8. Enter Firefox in the Search text box.

    The list of Firefox packages is displayed.

  9. Select the required packages for the supported version of Firefox you want to install.

    If you select a package that conflicts with the existing version, a Warning dialog box is displayed. Select the appropriate option, then click the OK -- Try Again button.

  10. Click Accept.

1.1.5 Data Storage Requirement Estimation

Sentinel is used to retain raw data for a long period of time to comply with legal and other requirements. Sentinel employs compression to help you make efficient use of local and networked storage space. However, storage requirements might become significant over a long period of time.

To overcome cost constraints with large storage systems, you can use cost-effective data storage systems to store the data for the long term. Tape-based storage systems are the most common and cost-effective solution. However, tape does not allow random access to the stored data, which is necessary to perform quick searches. Because of this, a hybrid approach to long-term data storage is desirable, where the data you need to search is available on a random-access storage system and data you need to retain, but not search, is kept on a cost-effective alternative, such as tape. For instructions on employing this hybrid approach, see Using Sequential-Access Storage for Long Term Data Storage in the NetIQ Sentinel 7.0.1 Administration Guide.

To determine the amount of random-access storage space required for Sentinel, first estimate how many days of data you need to regularly perform searches or run reports on. You should have enough hard drive space for Sentinel to use for archiving data, either locally on the Sentinel machine or remotely on a share accessed over the Server Message Block (SMB) or CIFS protocol, the Network File System (NFS), or a SAN.

You should also have the following additional hard drive space beyond your minimum requirements:

  • To account for data rates that are higher than expected.

  • To copy data from tape back into Sentinel in order to perform searching and reporting on historical data.

Use the following formulas to estimate the amount of space required to store data:

  • Local event storage (partially compressed): {average byte size per event} x {number of days} x {events per second} x 0.00008 = Total GB storage required

    Event sizes typically range from 300-1000 bytes.

  • Networked event storage (fully compressed): {average byte size per event} x {number of days} x {events per second} x 0.00001 = Total GB storage required

  • Raw data storage (fully compressed on both local and networked storage): {average byte size per raw data record} x {number of days} x {events per second} x 0.000003 = Total GB storage required

    A typical average raw data size for syslog messages is 200 bytes.

  • Total local storage size (with networked storage enabled): {Local event storage size for desired number of days} + {Raw data storage size for one day} = Total GB storage required

    If networked storage is enabled, event data is copied to networked storage typically after 2 days. For more information, see Configuring Data Storage in the NetIQ Sentinel 7.0.1 Administration Guide.

  • Total local storage size (with networked storage disabled): {Local event storage size for retention time} + {Raw data storage size for retention time} = Total GB storage required

  • Total networked storage size: {Networked event storage size for retention time} + {Raw data storage size for retention time} = Total GB storage required

NOTE:

  • The coefficients in each formula represent ((seconds per day) x (GB per byte) x compression ratio).

  • These numbers are only estimates and depend on the size of the event data as well as on the size of compressed data.

  • Partially compressed means that the data is compressed, but the index of the data is not compressed. Fully compressed means that both the event data and the index data are compressed. Event data compression rates are typically 10:1. Index compression rates are typically 5:1. The index is used to optimize searching through the data.

You can also use the above formulas to determine how much storage space is required for a long-term data storage system such as tape.
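A calculator for the formulas above, as an added example that is not part of the NetIQ guide: it takes the guide's coefficients as given, assumes the 20% buffer from the hardware recommendations in Section 1.1.2, and adds a check of how many days of data a local volume holds against the 5-day guideline there (the function and parameter names are this example's own).

```python
# Added example, not from the NetIQ guide: a calculator for the Section 1.1.5
# storage formulas. Coefficients are the guide's own; the 20% buffer mirrors
# the hardware recommendations in Section 1.1.2.
import math

# Each coefficient is (seconds per day) x (GB per byte) x compression ratio.
LOCAL_EVENT_COEFF = 0.00008      # local event data, partially compressed
NETWORKED_EVENT_COEFF = 0.00001  # networked event data, fully compressed
RAW_DATA_COEFF = 0.000003        # raw data, fully compressed on both tiers


def local_event_gb(event_bytes, days, eps):
    """Local (partially compressed) event storage in GB."""
    return event_bytes * days * eps * LOCAL_EVENT_COEFF


def networked_event_gb(event_bytes, days, eps):
    """Networked (fully compressed) event storage in GB."""
    return event_bytes * days * eps * NETWORKED_EVENT_COEFF


def raw_data_gb(raw_bytes, days, eps):
    """Raw data storage in GB (same coefficient locally and networked)."""
    return raw_bytes * days * eps * RAW_DATA_COEFF


def estimate_storage(event_bytes, raw_bytes, eps, retention_days,
                     local_days=30, networked=True, buffer=0.20):
    """Return (local_gb, networked_gb), each scaled up by the safety buffer.
    With networked storage, local holds local_days of events plus one day of
    raw data and networked holds the full retention period of both; without
    it, local holds everything for retention_days."""
    if networked:
        local = (local_event_gb(event_bytes, local_days, eps)
                 + raw_data_gb(raw_bytes, 1, eps))
        remote = (networked_event_gb(event_bytes, retention_days, eps)
                  + raw_data_gb(raw_bytes, retention_days, eps))
    else:
        local = (local_event_gb(event_bytes, retention_days, eps)
                 + raw_data_gb(raw_bytes, retention_days, eps))
        remote = 0.0
    return round(local * (1 + buffer), 1), round(remote * (1 + buffer), 1)


def days_of_local_data(capacity_gb, event_bytes, raw_bytes, eps):
    """Whole days of event plus raw data that a local volume can hold; use it
    to check the Section 1.1.2 guideline of at least 5 days on local disk."""
    per_day = (event_bytes * LOCAL_EVENT_COEFF + raw_bytes * RAW_DATA_COEFF) * eps
    return math.floor(capacity_gb / per_day)
```

With the guide's 600-byte average event, a 200-byte syslog raw record and 100 EPS, `estimate_storage(600, 200, 100, 90)` gives about 173 GB local and 71 GB networked, which sits comfortably inside the 100 EPS row of the hardware table.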

1.1.6 Disk I/O Utilization Estimation

Use the following formulas to estimate the amount of disk utilization on the server at various EPS rates.

  • Data written to Disk (Kilobytes per second): (average event size in bytes + average raw data size in bytes) x (events per second) x .002 compression coefficient = data written per second to disk

    For example, at 500 EPS, for an average event size of 758 bytes and an average raw data size of 490 bytes in the log file, data written to disk is determined as follows:

    (758 bytes + 490 bytes) x 500 EPS x .002 = ~1100 KB

  • Number of I/O requests to the disk (transfers per second): (average event size in bytes + average raw data size in bytes) x (events per second) x .00002 compression coefficient = I/O requests per second to disk

    For example, at 500 EPS, for an average event size of 758 bytes and an average raw data size of 490 bytes in the log file, the number of I/O requests per second to the disk is determined as follows:

    (758 bytes + 490 bytes) x 500 EPS x .00002 = ~10 transfers per second

  • Number of blocks written per second to the disk: (average event size in bytes + average raw data size in bytes) x (events per second) x .003 compression coefficient = Blocks written per second to disk

    For example, at 500 EPS, for an average event size of 758 bytes and an average raw data size of 490 bytes in the log file, the number of blocks written per second to the disk is determined as follows:

    (758 bytes + 490 bytes) x 500 EPS x .003 = ~1800 blocks per second

  • Data read per second from disk when performing a search: (average event size in bytes + average raw data size in bytes) x (number of events matching query in millions) x .40 compression coefficient = kilobytes read per second from disk

    For example, for 5 million events matching the search query, with an average event size of 758 bytes and an average raw data size of 490 bytes in the log file, the data read per second from the disk is determined as follows:

    (758 bytes + 490 bytes) x 5 x .40 = ~500 KB

1.1.7 Network Bandwidth Utilization Estimation

Use the following formulas to estimate the network bandwidth utilization between the Sentinel server and remote Collector Manager at various EPS rates:

{average event size in bytes + average raw data size in bytes} x {events per second} x .0003 compression coefficient = network bandwidth in Kbps (kilobits per second)

For example, at 500 EPS for an average event size of 758 bytes and an average raw data size of 490 bytes in the log file, the network bandwidth utilization is determined as follows:

(758 bytes + 490 bytes) x 500 EPS x .0003 = ~175 Kbps

1.1.8 Virtual Environment

Sentinel is extensively tested and fully supported on a VMware ESX server. When you set up a virtual environment, the virtual machines must have 2 or more CPUs. To achieve comparable performance results to the physical-machine testing results on ESX or in any other virtual environment, the virtual environment should provide the same memory, CPUs, disk space, and I/O as the physical machine recommendations.

For information on physical machine recommendations, see Section 1.1, System Requirements and Supported Platforms.