Novell SENTINEL LOG MANAGER ADMINISTRATION GUIDE

Novell®
www.novell.com
Installation Guide
Sentinel Log Manager 1.0.0.5
novdocx (en) 16 April 2010
AUTHORIZED DOCUMENTATION

Sentinel Log Manager 1.0.0.5 Installation Guide

Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2009-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.

About This Guide

This guide provides an overview of Novell® SentinelTM Log Manager and its installation.
Chapter 1, “Introduction,” on page 9
Chapter 2, “System Requirements,” on page 19
Chapter 3, “Installing and Uninstalling Novell Sentinel Log Manager,” on page 27
Audience
This guide is intended for Novell Sentinel Log Manager administrators and end users.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to the Novell Documentation Feedback Web site (http://www.novell.com/documentation/feedback.html) and enter your comments there.
Additional Documentation
For more information about building your own plug-ins (for example, JasperReports*), go to the Sentinel SDK Web page (http://developer.novell.com/wiki/index.php/Develop_to_Sentinel). The build environment for Sentinel Log Manager report plug-ins is identical to what is documented for Novell Sentinel.
For more information about the Sentinel documentation, refer to the Sentinel Documentation Web site (http://www.novell.com/documentation/sentinel61/index.html).
For more information about configuring Sentinel Log Manager, see the Sentinel Log Manager 1.0.0.4 Administration Guide.
Documentation Conventions
In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark.
Contents
About This Guide 5

1 Introduction 9

1.1 Novell Sentinel Log Manager Features 9
1.1.1 What’s New in Novell Sentinel Log Manager 1.0.0.5 9
1.1.2 What’s New in Novell Sentinel Log Manager 1.0.0.4 9
1.1.3 Novell Sentinel Log Manager 1.0 Features 11
1.2 Novell Sentinel Log Manager Interface 13
1.3 Architecture 14
1.4 Terminologies 16

2 System Requirements 19

2.1 Hardware Requirements 19
2.1.1 Sentinel Log Manager 19
2.1.2 Collector Manager 20
2.1.3 Estimating the Data Storage Space Requirement 20
2.1.4 Virtual Environment 21
2.2 Supported Operating Systems 21
2.2.1 Sentinel Log Manager 22
2.2.2 Collector Manager 22
2.3 Supported Browsers 22
2.3.1 Setting Browser’s Internet Security Level 22
2.4 Supported Connectors 22
2.5 Supported Event Sources 23

3 Installing and Uninstalling Novell Sentinel Log Manager 27

3.1 System Prerequisites 27
3.2 Installing on an Existing Operating System 28
3.2.1 Quick Installation (as root) 28
3.2.2 Non-root Installation 29
3.3 Logging in to Novell Sentinel Log Manager 30
3.4 Configuring Archive Server Settings 30
3.4.1 CIFS Configuration 31
3.4.2 NFS Configuration 31
3.5 Installing Additional Collector Managers 33
3.6 Post-Installation Configurations 37
3.6.1 Ping Timeout Setting 37
3.7 Uninstalling Novell Sentinel Log Manager 37
1 Introduction

Novell® SentinelTM Log Manager collects data from a wide variety of devices and applications, including intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, and antivirus event sources. Novell Sentinel Log Manager provides high event-rate processing, long-term data retention, regional data aggregation, and simple searching and reporting functionality for a broad range of applications and devices.
Section 1.1, “Novell Sentinel Log Manager Features,” on page 9
Section 1.2, “Novell Sentinel Log Manager Interface,” on page 13
Section 1.3, “Architecture,” on page 14
Section 1.4, “Terminologies,” on page 16

1.1 Novell Sentinel Log Manager Features

Section 1.1.1, “What’s New in Novell Sentinel Log Manager 1.0.0.5,” on page 9
Section 1.1.2, “What’s New in Novell Sentinel Log Manager 1.0.0.4,” on page 9
Section 1.1.3, “Novell Sentinel Log Manager 1.0 Features,” on page 11

1.1.1 What’s New in Novell Sentinel Log Manager 1.0.0.5

“500 EPS Version of Sentinel Log Manager” on page 9
“New End User License Agreement” on page 9
500 EPS Version of Sentinel Log Manager
The Novell Sentinel Log Manager is now available in a 500 EPS (events per second) version. The 500 EPS version is suitable for small deployments with only one Sentinel Log Manager server and a low event rate. It can also be used as a low volume node reporting to another Sentinel or Sentinel Log Manager server in a large deployment.
New End User License Agreement
The end user license agreement (EULA) terms have been updated in this release. You must accept the new terms before proceeding to apply the latest patch. Some of the changes in the EULA are:
Novell Sentinel Log Manager is now available in a 500 EPS version.
Updated definition for Non-Production Instance.
Updated definition for Type I Device.

1.1.2 What’s New in Novell Sentinel Log Manager 1.0.0.4

“New Data Collection User Interface” on page 10
“LDAP Authentication” on page 10
“Enhancements to the Search Result User Interface” on page 10
“New User Interface for Actions” on page 10
“Enhancement to the Admin User Interface” on page 11
New Data Collection User Interface
The new and enhanced data collection user interface enables you to perform several new tasks:
Refine all the event sources by using the new Event Sources screen.
Start and stop the audit and syslog event source server by using the new Event Source Servers tab.
Set the time zone for event sources.
Search for events that are coming from one or many event sources.
For more information about data collection configuration, see “Configuring Data Collection” in the Sentinel Log Manager 1.0.0.4 Administration Guide.
LDAP Authentication
Sentinel Log Manager now supports LDAP authentication in addition to the database authentication.
A new Authentication Type option has been added in the user > Add a user window of the Sentinel Log Manager, which enables you to create user accounts that use LDAP authentication.
For more information about configuring the Sentinel Log Manager server for LDAP authentication, see “User Administration” in the Sentinel Log Manager 1.0.0.4 Administration Guide.
Enhancements to the Search Result User Interface
The enhanced search result interface enables you to perform several new tasks:
Export search report results.
Send search results to an action.
Download the raw data files for the selected event result's event source by using the get raw data link.
View new event fields information in the search results.
For example, it displays the Source IP address, Rawdata Record ID, Collector Script, Collector name, Collector Manager ID, Connector ID, and Event Source ID information for the incoming events.
View all the event fields information for the event source by using the show all fields link.
For more information about searching events and generating reports, see “Searching” in the Sentinel Log Manager 1.0.0.4 Administration Guide.
New User Interface for Actions
The new user interface for actions allows you to create multiple action instances that you can also use while configuring rules. You can also view the number of rules that are associated with an action.
For more information about configuring rules and actions, see “Configuring Rules” in the Sentinel Log Manager 1.0.0.4 Administration Guide.
Enhancement to the Admin User Interface
The new admin user interface enables you to assign new permissions to a user:
You can now allow users to view all reports that are stored on the server.
You can now enable Sentinel Log Manager configuration reporting.
You can now set a filter for the events a user can view.
For more information about configuring users, see “User Administration” in the Sentinel Log Manager 1.0.0.4 Administration Guide.

1.1.3 Novell Sentinel Log Manager 1.0 Features

“Installation and Deployment” on page 11
“Data Collection” on page 11
“Data Storage and Management” on page 12
“Reporting and Searching” on page 12
Installation and Deployment
Novell Sentinel Log Manager is easy to install and deploy for data collection, storage, reporting, and searching of log data. Installation of Novell Sentinel Log Manager includes installation of the Sentinel Log Manager server, Web server, reporting server, and configuration database.
Data Collection
Novell Sentinel Log Manager can collect and manage data from event sources that generate logs to syslog, Windows event log, files, databases, SNMP, Novell Audit, SDEE, Check Point OPSEC, and other storage mechanisms and protocols.
Novell Sentinel Log Manager contains enhanced web-based user interface support for Syslog and Novell Audit connectivity to make it even easier to start collecting logs from event sources. You can direct all the logs to Sentinel Log Manager.
Messages from recognized data sources are parsed into fields such as target IP address and source username. Messages from unrecognized data sources are placed intact into a single field for storage, search, and reporting. All data can be filtered to drop unwanted events.
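As an added illustration of the parse-or-keep-intact behaviour described above (example code, not Novell's own), the following Python models a small collection step over three constructed log lines; the regular expressions, the field names and the drop filter are assumptions, not the product's actual parsers or schema.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed sample input: two recognized syslog/sshd messages and one
# line in a custom CSV format that no parser recognizes.
SAMPLE_LINES = [
    "<86>Apr 16 10:01:02 host1 sshd[2312]: Accepted password for alice from 10.0.0.5 port 51022 ssh2",
    "<86>Apr 16 10:01:09 host1 sshd[2313]: Failed password for bob from 10.0.0.9 port 51030 ssh2",
    "2010-04-16T10:02:00,vendorapp,STATUS OK heartbeat",
]

# Hypothetical parsers: BSD-style syslog envelope, then an sshd message body.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
SSHD_RE = re.compile(
    r"^sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port")


@dataclass
class Event:
    """Normalized fields (empty for unrecognized sources) plus the intact raw line."""
    fields: Dict[str, str] = field(default_factory=dict)
    raw: str = ""


def parse_event(line: str) -> Event:
    """Recognized messages get named fields; anything else keeps only the raw field."""
    ev = Event(raw=line)
    m = SYSLOG_RE.match(line)
    if not m:
        return ev  # unrecognized source: stored intact in a single field, nothing lost
    ev.fields["reporter"] = m.group("host")
    ev.fields["severity"] = str(int(m.group("pri")) & 7)  # PRI = facility*8 + severity
    s = SSHD_RE.match(m.group("msg"))
    if s:
        ev.fields["source_username"] = s.group("user")
        ev.fields["source_ip"] = s.group("ip")
        ev.fields["outcome"] = s.group("outcome")
    return ev


def collect(lines: List[str], drop: Callable[[Event], bool]) -> List[Event]:
    """Parse every line, then apply the drop filter to discard unwanted events."""
    return [ev for ev in (parse_event(l) for l in lines) if not drop(ev)]


def drop_successful_logins(ev: Event) -> bool:
    """Assumed filter: keep only failures and unrecognized data, drop successful logins."""
    return ev.fields.get("outcome") == "Accepted"


if __name__ == "__main__":
    for ev in collect(SAMPLE_LINES, drop_successful_logins):
        print(ev.fields or "<raw only>", "|", ev.raw)
```

Note that a filter keyed on parsed fields never drops the unrecognized CSV line, because it has no fields to match; a drop rule that should also cover unrecognized sources has to inspect the raw field.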
For a complete list of supported event sources, see “Supported Event Sources” (http://www.novell.com/documentation/novelllogmanager10/novell_log_manager/data/bhmwq0w.html) in the Novell Sentinel Log Manager Guide.
Novell Sentinel Log Manager collects data using a wide variety of connection methods:
Syslog Connector automatically accepts and configures syslog data sources that send data over the standard User Datagram Protocol (UDP), the reliable Transmission Control Protocol (TCP), or secure Transport Layer Security (TLS).
Audit Connector automatically accepts and configures audit-enabled Novell data sources.
File Connector reads log files.
SNMP Connector receives SNMP traps.
JDBC* Connector reads from database tables.
WMS Connector accesses Windows* event logs on desktops and servers.
SDEE Connector for Cisco* devices.
LEA Connector for Check Point* devices.
Sentinel Link Connector accepts data from other Novell Sentinel Log Manager servers.
Process Connector accepts data from custom-written processes that output event logs.
You can also purchase an additional license to download connectors for SAP* and mainframe operating systems.
To get the license, either call 1-800-529-3400 or contact Novell Technical Support (http://support.novell.com).
For more information about configuring the connectors, see the connector documents at the Sentinel Content Web site (http://support.novell.com/products/sentinel/sentinel61.html).
For more information about data collection configuration, see “Configuring Data Collection” (http://www.novell.com/documentation/novelllogmanager10/novell_log_manager/data/bjxe7z1.html) in the Novell Sentinel Log Manager Guide.
Data Storage and Management
Novell Sentinel Log Manager stores all of the log data in a compressed file format. Data can be archived locally or on a remotely-mounted CIFS or NFS share. You can set up data retention policies to configure the system to keep some data for longer time periods and other data for shorter time periods.
For more information about system requirements, see “System Requirements” (http://www.novell.com/documentation/novelllogmanager10/novell_log_manager/data/bjx8zq7.html) in the Novell Sentinel Log Manager Guide.
For more information about data storage configuration, see “Configuring Data Storage” (http://www.novell.com/documentation/novelllogmanager10/novell_log_manager/data/bjxe7z1.html) in the Novell Sentinel Log Manager Guide.
Reporting and Searching
Novell Sentinel Log Manager can perform full text searches of all the stored event data or perform focused searches against particular event fields, such as source username. Such searches can be further refined, saved for future review, filtered, and formatted by applying a report template to the results.
Sentinel Log Manager has pre-installed reports and also lets you upload additional reports. Reports can be run on a planned schedule or on demand for an unplanned requirement.
For more information about the list of default reports, see “Sentinel Log Manager Reports” (http://www.novell.com/documentation/novelllogmanager10/novell_log_manager/data/bl5jfoz.html) in the Novell Sentinel Log Manager Guide.
Searches and reports can run against both online and archived data.