Novell Sentinel Log Manager Installation Guide

Novell®
www.novell.com
Installation Guide
Sentinel Log Manager
1.1
December 2010
AUTHORIZED DOCUMENTATION
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2009-2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see
the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 5
1 Introduction 7
1.1 Product Overview 7
1.1.1 Event Sources 9
1.1.2 Event Source Management 9
1.1.3 Data Collection 10
1.1.4 Collector Manager 11
1.1.5 Data Storage 11
1.1.6 Searching and Reporting 11
1.1.7 Sentinel Link 12
1.1.8 Web-Based User Interface 12
1.2 Installation Overview 12
2 System Requirements 15
2.1 Hardware Requirements 15
2.1.1 Sentinel Log Manager Server 15
2.1.2 Collector Manager Server 16
2.1.3 Data Storage Requirement Estimation 17
2.1.4 Recommended Limits 18
2.1.5 Virtual Environment 19
2.2 Supported Operating Systems 19
2.2.1 Sentinel Log Manager 19
2.2.2 Collector Manager 19
2.3 Supported Browsers 20
2.3.1 Linux 20
2.3.2 Windows 20
2.4 Supported Virtual Environment 20
2.5 Supported Connectors 20
2.6 Supported Event Sources 21
3 Installing on an Existing SLES 11 System 23
3.1 Before You Begin 23
3.2 Standard Installation 24
3.3 Custom Installation 25
3.4 Silent Installation 27
3.5 Non-Root Installation 28
4 Installing the Appliance 31
4.1 Before You Begin 31
4.2 Ports Used 31
4.2.1 Ports Opened in the Firewall 32
4.2.2 Ports Used Locally 32
4.3 Installing the VMware Appliance 33
4.4 Installing the Xen Appliance 34
4.5 Installing the Appliance on Hardware 36
4.6 Post-Installation Setup for the Appliance 37
4.7 Configuring WebYaST 37
4.8 Stopping and Starting the Server by Using Web UI 39
4.9 Registering for Updates 40
5 Logging In to the Web Interface 41
6 Upgrading Sentinel Log Manager 43
6.1 Upgrading from 1.0 to 1.1 43
6.1.1 Upgrading Sentinel Log Manager Application from 1.0 to 1.1 43
6.1.2 Migrating from 1.0 to 1.1 Appliance 44
6.2 Upgrading to Latest Patch Versions 45
6.2.1 Upgrading to Latest Patch Versions 45
6.2.2 Automatically Upgrading the Appliance to Latest Updates 46
6.3 Upgrading the Collector Manager 47
7 Installing Additional Collector Managers 49
7.1 Before You Begin 49
7.2 Advantages of Additional Collector Managers 49
7.3 Installing Additional Collector Managers 49
8 Uninstalling Sentinel Log Manager 51
8.1 Uninstalling the Appliance 51
8.2 Uninstalling from an Existing SLES 11 System 51
8.3 Uninstalling the Collector Manager 51
8.3.1 Uninstalling the Linux Collector Manager 52
8.3.2 Uninstalling the Windows Collector Manager 52
8.3.3 Manual Cleanup of Directories 52
A Troubleshooting Installation 55
A.1 Failed Installation Because of an Incorrect Network Configuration 55
A.2 Trouble Configuring the Network with VMware Player 3 on SLES 11 55
A.3 Upgrading Log Manager installed as a Non-Root User Other Than Novell User 56
Sentinel Terminology 57
4 Sentinel Log Manager 1.1 Installation Guide

About This Guide

This guide provides an overview of Novell Sentinel Log Manager and its installation.
• Chapter 1, “Introduction,” on page 7
• Chapter 2, “System Requirements,” on page 15
• Chapter 3, “Installing on an Existing SLES 11 System,” on page 23
• Chapter 4, “Installing the Appliance,” on page 31
• Chapter 5, “Logging In to the Web Interface,” on page 41
• Chapter 6, “Upgrading Sentinel Log Manager,” on page 43
• Chapter 7, “Installing Additional Collector Managers,” on page 49
• Chapter 8, “Uninstalling Sentinel Log Manager,” on page 51
• Appendix A, “Troubleshooting Installation,” on page 55
• “Sentinel Terminology” on page 57
Audience
This guide is intended for Novell Sentinel Log Manager administrators and end users.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation, or go to the Novell Documentation Feedback Web site (http://www.novell.com/documentation/feedback.html) and enter your comments there.
Additional Documentation
For more information about building your own plug-ins (for example, JasperReports), go to the Sentinel SDK Web page (http://developer.novell.com/wiki/index.php/Develop_to_Sentinel). The build environment for Sentinel Log Manager report plug-ins is identical to what is documented for Novell Sentinel.
For more information about the Sentinel documentation, refer to the Sentinel Documentation Web site (http://www.novell.com/documentation/sentinel61/index.html).
For additional documentation about configuring Sentinel Log Manager, see the Sentinel Log Manager 1.1 Administration Guide.
Contacting Novell
• Novell Web site (http://www.novell.com)
• Novell Technical Support (http://support.novell.com/phone.html?sourceidint=suplnav4_phonesup)
• Novell Self Support (http://support.novell.com/support_options.html?sourceidint=suplnav_supportprog)
• Patch Download Site (http://download.novell.com/index.jsp)
• Novell 24x7 Support (http://www.novell.com/company/contact.html)
• Sentinel TIDS (http://support.novell.com/products/sentinel)
• Sentinel Community Support Forum (http://forums.novell.com/novell-product-support-forums/sentinel/)
1 Introduction

Novell Sentinel Log Manager collects and manages data from a variety of devices and applications, including intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, and antivirus event sources. Novell Sentinel Log Manager provides high event-rate processing, long-term data retention, policy-based data retention, regional data aggregation, and simple searching and reporting functionality for a variety of applications and devices.
• Section 1.1, “Product Overview,” on page 7
• Section 1.2, “Installation Overview,” on page 12

1.1 Product Overview

Novell Sentinel Log Manager 1.1 provides a flexible and scalable log management solution to organizations. Novell Sentinel Log Manager is a log management solution that addresses basic log collection and management challenges and also delivers a complete solution focused on reducing the cost and complexity of managing risk and simplifying compliance requirements.
Figure 1-1 Novell Sentinel Log Manager Architecture
[Figure: devices (for example Enterasys Dragon, HP-UX, SLES, Check Point IPS, Cisco Firewall, IBM AIX, Tripwire) feed a Collector Manager, which sends events over SSL to the Log Manager Appliance. Inside the appliance, a Tomcat servlet container hosts the Data Collection Service (Event Source Management, Channels), the Data Access Service (configuration, user management, report storage and execution, event and raw data storage, event search, archiving), the Reporting Service (Jasper) and the Event Service, connected through an ActiveMQ message bus. A PostgreSQL configuration database, an Online Event Store holding raw data, event index and event partitions, and an Archive Event Store of zipped partitions on NFS or CIFS storage sit behind these services. Clients are a Firefox/Internet Explorer browser (GWT/JSP over HTTPS) and a Java Web Start ESM Swing UI, both through an SSL proxy.]
Novell Sentinel Log Manager has the following features:
• Distributed search capabilities allow customers to search collected events not only on the local Sentinel Log Manager server but also on one or more Sentinel Log Manager servers from one centralized console.
• Pre-built compliance reports simplify the task of generating compliance reports for audit or forensic analysis.
• By utilizing non-proprietary storage technology, customers can leverage their existing infrastructure to further manage cost.
• An enhanced browser-based user interface supports collection, storage, reporting and searching of log data to greatly simplify monitoring and management tasks.
• Granular and efficient controls and customization for IT administrators through new group and user permissions capabilities provide increased transparency into IT infrastructure activities.
This section has the following information:
• Section 1.1.1, “Event Sources,” on page 9
• Section 1.1.2, “Event Source Management,” on page 9
• Section 1.1.3, “Data Collection,” on page 10
• Section 1.1.4, “Collector Manager,” on page 11
• Section 1.1.5, “Data Storage,” on page 11
• Section 1.1.6, “Searching and Reporting,” on page 11
• Section 1.1.7, “Sentinel Link,” on page 12
• Section 1.1.8, “Web-Based User Interface,” on page 12

1.1.1 Event Sources

Novell Sentinel Log Manager collects data from event sources that generate logs to syslog, Windows event log, files, databases, SNMP, Novell Audit, Security Device Event Exchange (SDEE), Check Point Open Platforms for Security (OPSEC), and other storage mechanisms and protocols.
Sentinel Log Manager supports all event sources if there are suitable Connectors to parse data from those event sources. Novell Sentinel Log Manager provides Collectors for many event sources. The Generic Event Collector collects and processes data from unrecognized event sources that have suitable connectors.
You can configure the event sources for data collection by using the Event Source Management interface.
For a complete list of supported event sources, see Section 2.6, “Supported Event Sources,” on page 21.

1.1.2 Event Source Management

The Event Source Management interface enables you to import and configure the Sentinel 6.0 and 6.1 Connectors and Collectors.
You can perform the following tasks through the Live View of the Event Source Management window:
• Add or edit connections to event sources by using Configuration wizards.
• View real-time status of connections to event sources.
• Import or export configuration of event sources to or from the Live View.
• View and configure Connectors and Collectors installed with Sentinel.
• Import or export Connectors and Collectors from or to a centralized repository.
• Monitor data flowing through the configured Collectors and Connectors.
• View the raw data information.
• Design, configure, and create the components of the Event Source hierarchy, and execute required actions by using these components.
For more information, see the Event Source Management section of the Sentinel User Guide (http://www.novell.com/documentation/sentinel61/#admin).

1.1.3 Data Collection

Novell Sentinel Log Manager collects data from configured event sources with the help of Connectors and Collectors.
Collectors are scripts that parse the data from a variety of event sources into the normalized Sentinel event structure, or in some cases collect other forms of data from external data sources. Each Collector should be deployed with a compatible Connector. Connectors facilitate the connectivity between Sentinel Log Manager Collectors and event or data sources.
Novell Sentinel Log Manager provides enhanced Web-based user interface support for syslog and Novell Audit to easily collect logs from different event sources.
Novell Sentinel Log Manager collects data using a variety of connection methods:
• The Syslog Connector automatically accepts and configures syslog data sources that send data over the User Datagram Protocol (UDP), the Transmission Control Protocol (TCP), or secure Transport Layer Security (TLS).
• The Audit Connector automatically accepts and configures audit-enabled Novell data sources.
• The File Connector reads log files.
• The SNMP Connector receives SNMP traps.
• The JDBC Connector reads from database tables.
• The WMS Connector accesses Windows event logs on desktops and servers.
• The SDEE Connector connects to devices that support the SDEE protocol, such as Cisco devices.
• The Check Point Log Export API (LEA) Connector facilitates integration between Sentinel Collectors and Check Point firewall servers.
• The Sentinel Link Connector accepts data from other Novell Sentinel Log Manager servers.
• The Process Connector accepts data from custom-written processes that output event logs.
You can also purchase an additional license to download connectors for SAP and mainframe operating systems.
To get the license, either call 1-800-529-3400 or contact Novell Technical Support (http://support.novell.com).
For more information on configuring Connectors, see the Connector documents at the Sentinel Content Web site (http://support.novell.com/products/sentinel/sentinel61.html).
For more information on configuring data collection, see “Configuring Data Collection” in the Sentinel Log Manager 1.1 Administration Guide.
NOTE: You must always download and import the latest version of the Collectors and Connectors. Updated Collectors and Connectors are posted to the Sentinel 6.1 Content Web site (http://support.novell.com/products/sentinel/sentinel61.html) on a regular basis. Updates to Connectors and Collectors include fixes, support for additional events, and performance improvements.

1.1.4 Collector Manager

The Collector Manager provides a flexible data collection point for Sentinel Log Manager. Novell Sentinel Log Manager installs a Collector Manager by default during installation. However, you can also install Collector Managers remotely at suitable locations in your network. These remote Collector Managers run Connectors and Collectors and forward the collected data to Novell Sentinel Log Manager for storage and processing.
For information on installing additional Collector Managers, see “Installing Additional Collector Managers” on page 49.

1.1.5 Data Storage

The data flows from data collection components to data storage components. These components use a file-based data storage and indexing system to keep the collected device log data, and a PostgreSQL database to keep Novell Sentinel Log Manager configuration data.
The data is stored in a compressed format on the server file system and then stored in a configured location for long-term storage. The data can be stored either locally or on a remotely mounted SMB (CIFS) or NFS share. Data files are deleted from the local and networked storage locations based on the schedule configured in the data retention policy.
You can configure data retention policies to delete data from the storage location if the data retention time limit has been exceeded for that particular data or if the available space falls below a specified disk space value.
For more information on configuring data storage, see “Configuring Data Storage” in the Sentinel Log Manager 1.1 Administration Guide.

1.1.6 Searching and Reporting

The searching and reporting components help you to search and report the event log data in both local and networked data storage and indexing systems. The stored event data can be searched either generically or against specific event fields such as source username. These search results can be further refined or filtered and saved as a report template for future use.
The Sentinel Log Manager comes with preinstalled reports. You can also upload additional reports. You can run reports on a schedule or whenever it is necessary.
For a list of the default reports, see “Reporting” in the Sentinel Log Manager 1.1 Administration Guide.
For information on searching events and generating reports, see “Searching” and “Reporting” in the Sentinel Log Manager 1.1 Administration Guide.

1.1.7 Sentinel Link

Sentinel Link can be used to forward event data from one Sentinel Log Manager to another. With a hierarchical set of Sentinel Log Managers, complete logs can be retained at multiple regional locations while more important events are forwarded to a single Sentinel Log Manager for centralized search and reporting.
In addition, Sentinel Link can forward important events to Novell Sentinel, a full-fledged Security Information Event Management (SIEM) system, for advanced correlation, incident remediation, and injection of high-value contextual information such as server criticality or identity information from an identity management system.

1.1.8 Web-Based User Interface

The Novell Sentinel Log Manager comes with a Web-based user interface to configure and use Log Manager. The user interface functionality is provided by a Web server and a graphical user interface based on Java Web Start. All user interfaces communicate with the server by using an encrypted connection.
You can use the Novell Sentinel Log Manager Web interface to perform the following tasks:
• Search for events
• Save the search criteria as a report template
• View and manage reports
• Launch the Event Source Management interface to configure data collection for data sources other than syslog and Novell applications (administrators only)
• Configure data forwarding (administrators only)
• Download the Sentinel Collector Manager installer for remote installation (administrators only)
• View the health of event sources (administrators only)
• Configure data collection for syslog and Novell data sources (administrators only)
• Configure data storage and view the health of the database (administrators only)
• Configure data archiving (administrators only)
• Configure associated actions to send matching event data to output channels (administrators only)
• Manage user accounts and permissions (administrators only)

1.2 Installation Overview

Novell Sentinel Log Manager can be installed either as an appliance or on an existing SUSE Linux Enterprise Server (SLES) 11 operating system. When Sentinel Log Manager is installed as an appliance, the Log Manager server is installed on a SLES 11 operating system.
The Novell Sentinel Log Manager installs the following components by default:
• Sentinel Log Manager server
• Communications server
• Web server and Web-based user interface
• Reporting server
• Collector Manager
Some of these components require additional configuration. The Novell Sentinel Log Manager installs a Collector Manager by default. If you want additional Collector Managers, you can install them separately on remote machines. For more information, see Chapter 7, “Installing Additional Collector Managers,” on page 49.
2 System Requirements

The following sections describe the hardware, operating system, browser, supported Connectors, and event source compatibility requirements for Novell Sentinel Log Manager.
• Section 2.1, “Hardware Requirements,” on page 15
• Section 2.2, “Supported Operating Systems,” on page 19
• Section 2.3, “Supported Browsers,” on page 20
• Section 2.4, “Supported Virtual Environment,” on page 20
• Section 2.5, “Supported Connectors,” on page 20
• Section 2.6, “Supported Event Sources,” on page 21

2.1 Hardware Requirements

• Section 2.1.1, “Sentinel Log Manager Server,” on page 15
• Section 2.1.2, “Collector Manager Server,” on page 16
• Section 2.1.3, “Data Storage Requirement Estimation,” on page 17
• Section 2.1.4, “Recommended Limits,” on page 18
• Section 2.1.5, “Virtual Environment,” on page 19

2.1.1 Sentinel Log Manager Server

Novell Sentinel Log Manager is supported on 64-bit Intel Xeon and AMD Opteron processors, but is not supported on Itanium processors.
NOTE: These requirements are for an average event size of 300 bytes.
The following hardware requirements are recommended for a production system that holds 90 days of online data:
Table 2-1 Sentinel Log Manager Hardware Requirements

Requirement                  | Sentinel Log Manager (500 EPS)                                                                                   | Sentinel Log Manager (2500 EPS)                                                                                  | Sentinel Log Manager (7500 EPS)
Compression                  | Up to 10:1                                                                                                       | Up to 10:1                                                                                                       | Up to 10:1
Maximum Event Sources        | Up to 1000                                                                                                       | Up to 1000                                                                                                       | Up to 2000
Maximum Event Rate           | 500                                                                                                              | 2500                                                                                                             | 7500
CPU                          | One Intel Xeon E5450 3-GHz (4 core) CPU or two Intel Xeon L5240 3-GHz (2 core) CPUs (4 cores total)             | One Intel Xeon E5450 3-GHz (4 core) CPU or two Intel Xeon L5240 3-GHz (2 core) CPUs (4 cores total)             | Two Intel Xeon X5470 3.33-GHz (4 core) CPUs (8 cores total)
Random Access Memory (RAM)   | 4 GB                                                                                                             | 4 GB                                                                                                             | 8 GB
Local Storage (30 days)      | 2 x 500 GB, 7.2k RPM drives (Hardware RAID with 256 MB cache, RAID 1)                                            | 4 x 1 TB, 7.2k RPM drives (Hardware RAID with 256 MB cache, RAID 10)                                             | 16 x 600 GB, 15k RPM drives (Hardware RAID with 512 MB cache, RAID 10) or an equivalent storage area network (SAN)
Networked Storage (90 days)  | 600 GB                                                                                                           | 2 TB                                                                                                             | 5.8 TB
NOTE: Networked storage contains all 90 days worth of data, including a fully compressed copy of the event data in local storage. A copy of the event data is kept on local storage for search and reporting performance reasons. Local storage size can be decreased if storage size is a concern; however, an estimated 70% penalty will be incurred while searching or reporting on data that would otherwise be in local storage, due to decompression overhead.
NOTE:
• One machine can include more than one event source. For example, a Windows server can include two Sentinel event sources because you want to collect data from the Windows operating system and also the SQL Server database hosted on that machine.
• You must set up the networked storage location on an external multi-drive storage area network (SAN) or network-attached storage (NAS).
• The recommended steady state volume is 80% of the maximum licensed EPS. Novell recommends that you add additional Sentinel Log Manager instances if this limit is reached.
NOTE: Maximum event source limits are not hard limits, but, are recommendations based on the performance testing done by Novell and assume a low average events rate per second per event source (less than 3 EPS). Higher EPS rates result in lower sustainable maximum event sources. You can use the equation (maximum event sources) x (average EPS per event source) = maximum event rate to arrive at the approximate limits for your specific average EPS rate or number of event sources, as long as the maximum number of event sources does not exceed the limit indicated above.

2.1.2 Collector Manager Server

• One Intel Xeon L5240 3-GHz (2 core) CPU
• 256 MB RAM
• 10 GB free disk space

2.1.3 Data Storage Requirement Estimation

Sentinel Log Manager is used to retain raw data for a long period of time to comply with legal and other requirements. Sentinel Log Manager employs compression to help you make efficient use of local and networked storage space. However, storage requirements might become significant over a long period of time.
To overcome cost constraint issues with large storage systems, you can use cost-effective data storage systems to store the data for a long term. Tape-based storage systems are the most common and cost-effective solution. However, tape does not allow random access to the stored data, which is necessary to perform quick searches. Because of this, a hybrid approach to long-term data storage is desirable, where the data you need to search is available on a random-access storage system and data you need to retain, but not search, is kept on a cost-effective alternative, such as tape. For instructions on employing this hybrid approach, see “Using Sequential-Access Storage for Long Term Data Storage” in the Sentinel Log Manager 1.1 Administration Guide.
To determine the amount of random-access storage space required for Sentinel Log Manager, first estimate how many days of data you need to regularly perform searches or run reports on. You should have enough hard drive space either locally on the Sentinel Log Manager machine, or remotely on the Server Message Block (SMB) protocol or CIFS protocol, the network file system (NFS), or a SAN for Sentinel Log Manager to use for archiving data.
You should also have the following additional hard drive space beyond your minimum requirements:
• To account for data rates that are higher than expected.
• To copy data from tape back into the Sentinel Log Manager in order to perform searching and reporting on historical data.
Use the following formulas to estimate the amount of space required to store data:
NOTE: The coefficients in each formula represent ((seconds per day) x (GB per byte) x compression ratio).
• Local event storage (partially compressed): {average byte size per event} x {number of days} x {events per second} x 0.00007 = Total GB storage required
• Networked event storage (fully compressed): {average byte size per event} x {number of days} x {events per second} x 0.00002 = Total GB storage required
• Raw storage (fully compressed on both local and networked storage): {average byte size per raw data record} x {number of days} x {events per second} x 0.000012 = Total GB storage required
NOTE: These numbers are only estimates and depend on the size of your event data as well as on the size of compressed data.
The above formulas calculate the minimum storage space required to store fully compressed data on the external storage system. When local storage fills up, Sentinel Log Manager compresses and moves data from a local (partially compressed) to an external (fully compressed) storage system. Therefore, estimating the external storage space requirements becomes most critical for data retention. To improve the search and reporting performance for recent data, you can increase the local storage space beyond the hardware requirements of Sentinel Log Manager; however, it is not required.
You can also use the above formulas to determine how much storage space is required for a long-term data storage system such as tape.
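The three estimation formulas above, together with the event-source equation from the note in Section 2.1.1, carried through as runnable sizing helpers. This is an added example, not code from the Novell guide or product; the 1.25 headroom factor and the sample inputs are assumptions, not figures from the guide.

```python
"""Sizing helpers for Sentinel Log Manager storage and event-source limits.

Added example, not code from the Novell guide or product. It implements the
three storage formulas from section 2.1.3 and the event-source equation from
the note in section 2.1.1; the sample inputs below are constructed.
"""
import math

# Coefficients from the guide, each equal to
# (seconds per day) x (GB per byte) x (compression ratio) for that storage tier.
LOCAL_EVENT_COEFF = 0.00007      # local event storage, partially compressed
NETWORK_EVENT_COEFF = 0.00002    # networked event storage, fully compressed
RAW_DATA_COEFF = 0.000012        # raw data, fully compressed on both tiers


def estimate_storage_gb(avg_event_bytes, avg_raw_bytes, eps, local_days, networked_days):
    """Return the minimum GB needed per tier for a given event rate and retention.

    local_days is how long events stay in the (partially compressed) local store,
    networked_days how long they stay in the (fully compressed) networked store.
    Raw data is kept fully compressed in both tiers, so it is sized for each.
    """
    if min(avg_event_bytes, avg_raw_bytes, eps, local_days, networked_days) < 0:
        raise ValueError("sizing inputs must be non-negative")
    return {
        "local_event_gb": avg_event_bytes * local_days * eps * LOCAL_EVENT_COEFF,
        "networked_event_gb": avg_event_bytes * networked_days * eps * NETWORK_EVENT_COEFF,
        "local_raw_gb": avg_raw_bytes * local_days * eps * RAW_DATA_COEFF,
        "networked_raw_gb": avg_raw_bytes * networked_days * eps * RAW_DATA_COEFF,
    }


def provisioned_gb(estimate, headroom=1.25):
    """Total GB to provision per tier (events + raw), scaled by a headroom factor.

    The guide asks for extra space beyond the minimum for higher-than-expected
    rates and for data copied back from tape; 1.25 is an assumed factor, not a
    figure from the guide. Rounding before ceil() avoids float noise such as
    540.0000000000001 turning into 541.
    """
    local = estimate["local_event_gb"] + estimate["local_raw_gb"]
    networked = estimate["networked_event_gb"] + estimate["networked_raw_gb"]
    return {
        "local": math.ceil(round(local * headroom, 6)),
        "networked": math.ceil(round(networked * headroom, 6)),
    }


def max_event_sources(max_eps, avg_eps_per_source, recommended_limit):
    """Apply (max event sources) x (avg EPS per source) = (max event rate).

    The result never exceeds the recommended limit from Table 2-1 (1000 for the
    500 and 2500 EPS tiers, 2000 for the 7500 EPS tier).
    """
    if avg_eps_per_source <= 0:
        raise ValueError("average EPS per event source must be positive")
    return min(recommended_limit, int(max_eps // avg_eps_per_source))


def exceeds_steady_state(observed_eps, licensed_eps):
    """True when the sustained rate is above 80% of the licensed maximum, the
    point at which the guide recommends adding Log Manager instances."""
    return observed_eps > 0.8 * licensed_eps


if __name__ == "__main__":
    # Constructed sample: 300-byte events (the guide's average), 500 EPS,
    # 30 days local and 90 days networked, matching the Table 2-1 assumptions.
    est = estimate_storage_gb(300, 300, 500, 30, 90)
    for tier, gb in sorted(est.items()):
        print(f"{tier:>20}: {gb:8.1f} GB")
    print("provision:", provisioned_gb(est))
    print("sources at 3 EPS each on a 7500 EPS system:", max_event_sources(7500, 3, 2000))
    print("6500 EPS sustained on a 7500 EPS license:", exceeds_steady_state(6500, 7500))
```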

2.1.4 Recommended Limits

The limits mentioned in this section are recommendations based on the performance testing done at Novell or at customer sites. They are not hard limits. The recommendations are approximations. In highly dynamic systems, it is a good practice to build in buffers and allow room for growth.
Collector Manager Limits
Unless otherwise specified, Collector Manager limits assume 4 CPU cores at 2.2 GHz each, 4 GB of RAM, running on SLES 11.
Table 2-2 Collector Manager Performance Numbers

Attribute                                                                 | Limit
Maximum number of Collector Managers                                      | 20. This limit assumes each Collector Manager is running at low EPS (e.g., less than 100 EPS). The limit decreases as the events per second increase.
Maximum number of Connectors (fully utilized) on a single Collector Manager | 1 per CPU core, with at least 1 CPU core reserved for the operating system and other processing. A fully utilized Connector is one that is running at the highest EPS possible for that type of Connector.
Maximum number of Collectors (fully utilized) on a single Collector Manager | 1 per CPU core, with at least 1 CPU core reserved for the operating system and other processing. A fully utilized Collector is one that is running at the highest EPS possible for that type of Collector.
Maximum number of event sources on a single Collector Manager             | 2000. The limit of the Sentinel 6.1 Rapid Deployment server is also 2000, so if 2000 event sources are on a single Collector Manager, then the limit of event sources for the overall Sentinel system has been reached with that single Collector Manager.
Maximum number of event sources on the Sentinel Log Manager server        | 2000
Reports Limits
Table 2-3 Reports Performance Numbers
Attribute Limits
Maximum number of saved reports 2000