Sentinel™ Rapid Deployment 6.1 User Guide
novdocx (en) 13 May 2009
AUTHORIZED DOCUMENTATION
December 2009
Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 1999-2009 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
Contents
About This Guide 17
1 Managing Sentinel 6.1 Rapid Deployment Through the Web Interface 19
1.1 Accessing the Novell Sentinel Web Interface 19
1.2 Applications and Installers 19
1.3 Reporting 21
1.3.1 Running Reports 21
1.3.2 Viewing Reports 24
1.3.3 Scheduling a Report 26
1.3.4 Managing Reports 27
1.4 Searching Events 31
1.4.1 Running an Event Search 31
1.4.2 Viewing Search Results 34
1.4.3 Event Fields 37
2 Sentinel Control Center 41
2.1 Log In to the Sentinel Control Center 41
2.1.1 Linux 41
2.1.2 Windows 41
2.2 About Sentinel Control Center 42
2.2.1 Active Views 43
2.2.2 Incidents 43
2.2.3 iTRAC 43
2.2.4 Analysis 44
2.2.5 Admin 44
2.2.6 Correlation 44
2.2.7 Event Source Management 44
2.2.8 Solution Packs 45
2.2.9 Identity Integration 45
2.3 Introduction to the User Interface 45
2.3.1 Menu Bar 46
2.3.2 Toolbar 46
2.3.3 Tabs 48
2.3.4 Frames 48
2.3.5 Using the Sentinel Control Center to Navigate 48
2.3.6 Changing the Appearance of the Sentinel Control Center 49
2.3.7 Saving User Preferences 50
2.3.8 Changing Password 50
2.3.9 Configuring the Attachment Viewer 50
3 Active Views Tab 53
3.1 Understanding Active Views 53
3.2 Introduction to the User Interface 54
3.3 Reconfiguring Total Display Time 57
3.4 Viewing Real-Time Events 57
3.4.1 Resetting the Parameters and Chart Type of an Active View 60
3.4.2 Rotating a 3D Bar or Ribbon Chart 61
3.5 Showing and Hiding Event Details 61
3.6 Sending Mail Messages about Events and Incidents 62
3.7 Creating Incidents 63
3.8 Viewing Events That Trigger Correlated Events 64
3.9 Investigating an Event or Events 65
3.9.1 Investigate: Event Query 66
3.9.2 Investigate: Graph Mapper 66
3.9.3 Historical Event Query 67
3.9.4 Active Browser 68
3.10 Viewing Advisor Data 70
3.11 Viewing Asset Data 71
3.12 Viewing Vulnerabilities 72
3.13 Ticketing System Integration 77
3.14 Viewing User Information 77
3.15 Using Custom Menu Options with Events 77
3.16 Managing Columns in a Snapshot or Navigator Window 78
3.17 Taking a Snapshot of a Navigator Window 79
3.18 Sorting Columns in a Snapshot 79
3.19 Closing a Snapshot or Navigator 79
3.20 Adding Events to an Incident 79
4 Correlation Tab 83
4.1 Understanding Correlation 83
4.1.1 Technical Implementation 84
4.2 Introduction to the User Interface 85
4.3 Correlation Rules 85
4.3.1 Opening the Correlation Rule Manager 86
4.3.2 Creating a Rule Folder 86
4.3.3 Renaming a Rule Folder 86
4.3.4 Deleting a Rule Folder 86
4.3.5 Creating a Correlation Rule 86
4.3.6 Creating Correlation Rules 87
4.3.7 Deploying and Undeploying Correlation Rules 95
4.3.8 Enabling and Disabling Rules 96
4.3.9 Renaming and Deleting a Correlation Rule 96
4.3.10 Sorting Correlation Rules 96
4.3.11 Moving a Correlation Rule 97
4.3.12 Importing a Correlation Rule 97
4.3.13 Exporting a Correlation Rule 98
4.4 Dynamic Lists 98
4.4.1 Adding a Dynamic List 99
4.4.2 Modifying a Dynamic List 100
4.4.3 Deleting a Dynamic List 100
4.4.4 Removing Dynamic List Elements 100
4.4.5 Using a Dynamic List in a Correlation Rule 100
4.5 Correlation Engine 102
4.5.1 Starting or Stopping a Correlation Engine 102
4.5.2 Renaming a Correlation Engine 102
4.6 Correlation Actions 102
4.6.1 Configuring a Correlated Event 103
4.6.2 Adding to a Dynamic List 104
4.6.3 Removing a Value from a Dynamic List 105
4.6.4 Executing a Command 106
4.6.5 Creating an Incident 107
4.6.6 Sending an E-mail 108
4.6.7 Imported JavaScript Action Plugins 108
5 Incidents Tab 109
5.1 Understanding an Incident 109
5.2 Introduction to User Interface 109
5.2.1 Incident View 110
5.2.2 Incident 110
5.3 Manage Incident Views 111
5.3.1 Adding a View 111
5.3.2 Modifying a View 114
5.3.3 Deleting a View 115
5.3.4 Default View 115
5.4 Manage Incidents 115
5.4.1 Creating Incidents 115
5.4.2 Viewing an Incident 116
5.4.3 Attaching Workflows to Incidents 116
5.4.4 Adding Notes to Incidents 117
5.4.5 Adding Attachments to Incidents 117
5.4.6 Executing Incident Actions 118
5.4.7 E-Mailing an Incident 119
5.4.8 Modifying Incidents 120
5.4.9 Deleting Incidents 121
5.5 Switch between Existing Incident Views 121
6 iTRAC Workflows 123
6.1 Understanding iTRAC Workflows 123
6.2 Introduction to the User Interface 124
6.3 Template Manager 125
6.3.1 Default Templates 125
6.4 Template Builder Interface 126
6.4.1 Creating Templates 127
6.4.2 Managing Templates 128
6.5 Steps 129
6.5.1 Start Step 130
6.5.2 Manual Step 130
6.5.3 Decision Step 134
6.5.4 Mail Step 134
6.5.5 Command Step 134
6.5.6 Activity Step 135
6.5.7 End Step 136
6.5.8 Adding Steps to a Workflow 136
6.5.9 Managing Steps 136
6.6 Transitions 141
6.6.1 Unconditional Transitions 141
6.6.2 Conditional Transitions 142
6.6.3 Else Transitions 146
6.6.4 Timeout Transitions 146
6.6.5 Alert Transitions 147
6.6.6 Error Transition 148
6.6.7 Managing Transitions 148
6.7 Activities 149
6.7.1 Incident Command Activity 150
6.7.2 Incident Internal Activity 151
6.7.3 Eradication Activity 151
6.7.4 Incident Composite Activity 151
6.7.5 Creating iTRAC Activities 151
6.7.6 Managing Activities 154
6.8 Process Management 155
6.8.1 Instantiating a Process 156
6.8.2 Automatic Step Execution 156
6.8.3 Manual Step Execution 157
6.8.4 Displaying Status 157
6.8.5 Displaying the Status of a Process 157
6.8.6 Changing Views in the Process Manager 158
6.8.7 Starting or Terminating a Process 159
7 Work Items 161
7.1 Work Item Summary 161
7.2 Processing a Work Item 164
7.2.1 Accepting and Completing a Work Item 164
7.3 Managing Work Items of Other Users 165
8 Analysis Tab 167
8.1 Introduction to the User Interface 167
8.1.1 Top Ten Dashboard 167
8.2 Offline Query 169
8.2.1 Creating an Offline Query 169
8.2.2 Viewing, Exporting, or Deleting an Offline Query 170
9 Event Source Management 171
9.1 Understanding Event Source Management 171
9.1.1 Using Event Source Management 171
9.1.2 Plug-In Repository 172
9.1.3 Auxiliary Files 172
9.2 Introduction to the User Interface 172
9.2.1 Menu Bar 173
9.2.2 Toolbar 174
9.2.3 Zoom 174
9.2.4 Frames 175
9.3 Live View 180
9.3.1 Graphical ESM View 180
9.3.2 Tabular ESM View 182
9.3.3 Right-Click Menu 182
9.4 Components of Event Source Hierarchy 184
9.4.1 Component Status Indicators 185
9.4.2 Adding Components to the Event Source Hierarchy 186
9.4.3 Collectors 186
9.5 Debugging 202
9.5.1 Collector Workspace and Collector Directory 203
9.5.2 Debugging Proprietary Collectors 203
9.5.3 Debugging JavaScript Collectors 205
9.5.4 Using the Raw Data Tap to Generate a Flat File 209
9.6 Exporting a Configuration 210
9.7 Importing a Configuration 212
9.7.1 Enabling or Disabling the Import Configuration 213
9.7.2 Resetting the Layout 215
9.7.3 Undoing the Layout 215
9.7.4 Redo Layout 215
9.8 Event Source Management Scratchpad 216
9.9 Comparing Sentinel 5.x and Sentinel 6.0 216
10 Administration 219
10.1 Understanding the Admin Tab 219
10.2 Introduction to the User Interface 220
10.3 Servers View 221
10.3.1 Monitoring a Process 222
10.3.2 Creating a Servers View 222
10.3.3 Starting, Stopping, and Restarting Processes 223
10.4 Filters 223
10.4.1 Public Filters 223
10.4.2 Private Filters 224
10.4.3 Global Filters 224
10.4.4 Configuring Public and Private Filters 227
10.4.5 Color Filter Configuration 229
10.5 Configure Menu Options 232
10.5.1 Adding an Option to the Event Menu 234
10.5.2 Cloning an Event Menu Option 235
10.5.3 Modifying an Event Menu Option 236
10.5.4 Viewing Event Menu Option Parameters 236
10.5.5 Activating or Deactivating an Event Menu Option 236
10.5.6 Rearranging Event Menu Options 236
10.5.7 Deleting an Event Menu Option 236
10.5.8 Editing Your Event Menu Browser Settings 237
10.6 DAS Statistics 238
10.7 Mapping 239
10.7.1 Adding Map Definitions 241
10.7.2 Adding a Number Range Map Definition 243
10.7.3 Editing Map Definitions 246
10.7.4 Deleting Map Definitions 246
10.7.5 Updating Map Data 247
10.8 Event Configuration 249
10.8.1 Event Mapping 249
10.8.2 Renaming Tags 253
10.9 Report Data Configuration 254
10.9.1 Disabling or Enabling a Summary 255
10.9.2 Viewing Information for a Summary 256
10.9.3 Checking the Validity of a Summary 256
10.9.4 Query the Event Files for a Summary 257
10.9.5 Running the Event Files for a Summary 258
10.10 User Configurations 259
10.10.1 Opening the User Manager Window 259
10.10.2 Creating a User Account 259
10.10.3 Modifying a User Account 264
10.10.4 Viewing Details of a User Account 264
10.10.5 Cloning a User Account 264
10.10.6 Deleting a User Account 264
10.10.7 Terminating an Active User Session 264
10.10.8 Adding an iTRAC Role 265
10.10.9 Deleting an iTRAC Role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
10.10.10 Viewing the Details of a Role. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
11 Sentinel Data Manager 267
11.1 Understanding the Sentinel Data Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
11.2 Using the SDM GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
11.2.1 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
11.2.2 Starting the SDM GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
11.2.3 Connecting to the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
11.2.4 Partitions Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
11.2.5 Tablespaces Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
11.2.6 Partition Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
11.2.7 Managing Disk Space Allocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
11.3 Using the SDM Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
11.3.1 Prerequisite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
11.3.2 Syntax of the SDM command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
11.3.3 Starting the SDM GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
11.3.4 Saving Connection Properties for Sentinel Data Manager . . . . . . . . . . . . . . . . . . . 276
11.3.5 Adding Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
11.3.6 Dropping Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
11.3.7 Viewing Partition Summaries. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
11.3.8 Archiving Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
11.3.9 Importing Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
11.3.10 Deleting Imported Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
11.3.11 Viewing Sentinel Database Space Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
12 Utilities 285
12.1 Introduction to Sentinel Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
12.2 Starting and Stopping a Sentinel Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
12.2.1 Starting a Sentinel Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12.2.2 Stopping a Sentinel Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12.3 Sentinel Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12.3.1 Operational Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12.3.2 Troubleshooting Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
12.4 Version Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
12.4.1 Executable Version Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
12.4.2 Sentinel .jar Version Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
12.5 Database Cleanup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
12.5.1 Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
12.5.2 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
12.5.3 Running Clean_Database.sh. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
12.6 Updating Your License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
13 Quick Start 293
13.1 Security Analysts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
13.1.1 Active Views Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
13.1.2 Exploit Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
13.1.3 Asset Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
13.1.4 Event Query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
13.2 Creating Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
13.3 iTRAC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
13.3.1 Instantiating a Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
13.4 Correlation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
13.4.1 Creating a Simple Correlation Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
13.4.2 Deploying the Simple Correlation Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
13.4.3 Viewing the Events that Triggered Your Correlated Event . . . . . . . . . . . . . . . . . . . 310
14 Solution Packs 311
14.1 Solution Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
14.1.1 Components of a Solution Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
14.1.2 Permissions for Using Solution Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
14.2 Solution Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
14.2.1 Solution Manager Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
14.3 Managing Solution Packs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
14.3.1 Importing Solution Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
14.3.2 Opening Solution Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
14.3.3 Installing Content from Solution Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
14.3.4 Implementing Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
14.3.5 Testing Controls. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
14.3.6 Uninstalling Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
14.3.7 Viewing Solution Pack Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
14.3.8 Deleting Solution Packs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
14.4 Solution Designer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
14.4.1 Solution Designer Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
14.4.2 Connection Modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
14.4.3 Creating a Solution Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
14.4.4 Managing Content Hierarchy Nodes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
14.4.5 Adding Content to a Solution Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
14.4.6 Documenting a Solution Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
14.4.7 Editing a Solution Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
14.5 Deploying an Edited Solution Pack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
15 Action Manager and Integrator 341
15.1 Action Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
15.2 Action Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
15.2.1 Importing JavaScript Action Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
15.2.2 Importing JavaScript Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
15.3 Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
15.3.1 Creating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
15.3.2 Editing Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
15.3.3 Deleting Actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
15.3.4 Using JavaScript Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
15.3.5 Developing JavaScript Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
15.4 Integrator Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
15.4.1 Permissions for Using Integrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
15.5 Integrator Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
15.5.1 Importing Integrator Plugins. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
15.5.2 Deleting Integrator Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
15.6 Integrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
15.6.1 Creating an Integrator Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
15.6.2 Editing an Integrator Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
15.6.3 Deleting an Integrator Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
15.6.4 Integrator Connection Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
15.6.5 Viewing Integrator Health Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
15.6.6 Integrator Events Query. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
15.6.7 Using Integrators from Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
16 Identity Integration 369
16.1 Integration with Novell Identity Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
16.2 Identity Browser . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
16.2.1 Searching Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
16.2.2 Viewing Profile Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
16.2.3 Using the Clipboard Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
16.3 Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
17 Advisor Usage and Maintenance 379
17.1 Understanding Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
17.2 Installing Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
17.3 Viewing Advisor Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
17.3.1 Using Menu Options to View Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
17.4 Maintaining Advisor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
17.4.1 Updating Data in Advisor Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
17.4.2 Changing the Advisor E-Mail Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
17.4.3 Changing the Scheduled Data Update Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
A Sentinel 6.1 Rapid Deployment Architecture 385
A.1 Sentinel 6.1 Rapid Deployment Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
A.2 Functional Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
A.3 Architecture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
A.3.1 Communication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
A.3.2 Sentinel Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
A.3.3 Event Source Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
A.3.4 Application Integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
A.3.5 Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
A.3.6 System Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
A.3.7 Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
A.4 Logical Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
A.4.1 Collection and Enrichment Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
A.4.2 Business Logic Layer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
A.4.3 Presentation Layer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
B System Events for Sentinel 413
B.1 Authentication Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
B.1.1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
B.1.2 Creating Entry For External User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
B.1.3 Duplicate User Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
B.1.4 Failed Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
B.1.5 Locked Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
B.1.6 No Such User Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415
B.1.7 Too Many Active Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
B.1.8 User Discovered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
B.1.9 User Logged In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
B.1.10 User Logged Out . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
B.2 User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
B.2.1 Add Users To Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
B.2.2 Create Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
B.2.3 Create User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
B.2.4 Creating User Account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418
B.2.5 Delete Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
B.2.6 Deleting User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
B.2.7 Locking User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
B.2.8 Remove Users From Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
B.2.9 Resetting Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
B.2.10 Unlocking User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
B.2.11 Updating User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
B.3 Database Event Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
B.3.1 Diskspace Usage Reached Lower Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
B.3.2 Diskspace Usage Reached Upper Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
B.3.3 Dropping the Oldest Partition. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
B.3.4 Failing to Drop Online Current Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
B.3.5 Database Space Reached Specified Percent Threshold. . . . . . . . . . . . . . . . . . . . . 423
B.3.6 Database Space Reached Specified Time Threshold . . . . . . . . . . . . . . . . . . . . . . . 423
B.3.7 Database Space Very Low . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
B.3.8 Error inserting events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
B.3.9 Error Moving Completed File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
B.3.10 Error Processing Event Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
B.3.11 Error Saving Failed Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
B.3.12 Event Insertion Is Blocked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
B.3.13 Event Insertion Is Resumed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
B.3.14 Event Message Queue Overflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
B.3.15 Event Processing Failed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
B.3.16 No Space In The Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
B.3.17 Opening Archive File Failed. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
B.3.18 Partition Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
B.3.19 Writing to Archive File failed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
B.3.20 Writing to the overflow partition (P_MAX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
B.4 Database Aggregation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
B.4.1 Creating Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
B.4.2 Deleting Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
B.4.3 Disabling Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
B.4.4 Enabling Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
B.4.5 Error inserting Summary Data into the Database . . . . . . . . . . . . . . . . . . . . . . . . . . 430
B.4.6 Saving Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
B.5 Mapping Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
B.5.1 Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
B.5.2 Error Applying Incremental Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
B.5.3 Error initializing map with ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
B.5.4 Error Refreshing Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
B.5.5 Error Saving Data File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
B.5.6 Get File Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
B.5.7 Loaded Large Map. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
B.5.8 Long Time To Load Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
B.5.9 Out Of Sync Detected . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
B.5.10 Refreshing Map from Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
B.5.11 Refreshing Map from Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
B.5.12 Save Data File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
B.5.13 Saved Data File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
B.5.14 Timed Out Waiting For Callback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
B.5.15 Timeout Refreshing Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
B.5.16 Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
B.5.17 Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
B.6 Event Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
B.6.1 Event Router is Initializing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
B.6.2 Event Router Is Running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
B.6.3 Event Router is Stopping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
B.6.4 Event Router is Terminating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
B.7 Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
B.7.1 Correlation Action Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
B.7.2 Correlation Engine Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
B.7.3 Correlation Engine is Running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
B.7.4 Correlation Engine is Stopped . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
B.7.5 Correlation Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
B.7.6 Correlation Rule Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
B.7.7 Deploy Rules With Actions To Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
B.7.8 Disabling Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
B.7.9 Enabling Rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
B.7.10 Rename Correlation Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
B.7.11 Rule Deployment is Modified. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
B.7.12 Rule Deployment Is Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
B.7.13 Rule Deployment is Stopped . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
B.7.14 Starting Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
B.7.15 Stopping Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
B.7.16 UnDeploy All Rules From Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
B.7.17 UnDeploy Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
B.7.18 Update Correlation Rule Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
B.8 Event Source Management: General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
B.8.1 Collector Manager Initialized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
B.8.2 Collector Manager Is Down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
B.8.3 Collector Manager Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
B.8.4 Collector Manager Stopped . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
B.8.5 Collector Service Callback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
B.8.6 Cyclical Dependency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
B.8.7 Event Source Manager Callback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
B.8.8 Initializing Collector Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
B.8.9 Lost Contact With Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
B.8.10 No Data Alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
B.8.11 Persistent Process Died . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
B.8.12 Persistent Process Restarted . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
B.8.13 Port Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
B.8.14 Port Stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
B.8.15 Reestablished Contact With Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
B.8.16 Restart Plugin Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
B.8.17 Restarting Collector Manager (Cold Restart). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
B.8.18 Restarting Collector Manager (Warm Restart). . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
B.8.19 Start Event Source Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
B.8.20 Start Event Source Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
B.8.21 Starting Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
B.8.22 Stop Event Source Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
B.8.23 Stop Event Source Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
B.8.24 Stopping Collector Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
B.9 Event Source Management-Event Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
B.9.1 Start Event Source. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
B.9.2 Stop Event Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
B.10 Event Source Management-Collectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
B.10.1 Start Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
B.10.2 Stop Collector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
B.11 Event Source Management-Event Source Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
B.11.1 Start Event Source Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
B.11.2 Stop Event Source Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
B.11.3 Stop Event Source Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
B.12 Event Source Management-Connectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
B.12.1 Data Received After Timeout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
B.12.2 Data Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
B.12.3 File Rotation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
B.12.4 Process Auto Restart Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
B.12.5 Process Start Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
B.12.6 Process Stop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
B.12.7 WMI Connector Status Message. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
B.13 Active Views. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
B.13.1 Active View Created . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
B.13.2 Active View Joined. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
B.13.3 Active View No Longer Permanent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
B.13.4 Active View Now Permanent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
B.13.5 Idle Active View Removed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
B.13.6 Idle Permanent Active View Removed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
B.14 Data Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
B.14.1 Activity Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
B.14.2 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
B.14.3 Viewing Configuration Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
B.14.4 Write Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
B.15 Activities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
B.15.1 Creating an Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
B.15.2 Deleting an Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
B.15.3 Saving an Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
B.16 Incidents and Workflows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
B.16.1 Add Events to Incident. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
B.16.2 Adding Process Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
B.16.3 Create Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
B.16.4 Creating Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
B.16.5 Creating User. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
B.16.6 Delete Incident. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
B.16.7 Deleting Group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
B.16.8 Deleting Process Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
B.16.9 Deleting User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
B.16.10 E-Mail Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
B.16.11 Get Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
B.16.12 Save Incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
B.16.13 Saving Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
B.16.14 Saving Process Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
B.16.15 Send Incident to Hp Service Desk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
B.16.16 Send Incident to HpOVO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
B.16.17 Viewing Process Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
B.17 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
B.17.1 Configuration Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
B.17.2 Controlled Process is started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
B.17.3 Controlled Process Is Stopped . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
B.17.4 Importing Auxiliary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
B.17.5 Importing Plug-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
B.17.6 Load Esec Taxonomy to XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
B.17.7 Process Auto Restart Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
B.17.8 Process Restarts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
B.17.9 Proxy Client Registration Service (medium) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
B.17.10 Restarting Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
B.17.11 Restarting Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
B.17.12 Starting Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
B.17.13 Starting Processes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
B.17.14 Stopping Process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
B.17.15 Stopping Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
B.17.16 Store Esec Taxonomy From XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
B.17.17 Watchdog Process is started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
B.17.18 Watchdog Process Is stopped . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
C Documentation Updates 479
C.1 September 2009. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
C.2 August 2009 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
About This Guide
Novell® SentinelTM 6.1 Rapid Deployment is a security information and event management solution
that receives information from many sources throughout an enterprise, standardizes it, prioritizes it,
and presents it to you to make threat, risk, and policy-related decisions. This guide is divided into
the following sections:
Chapter 1, “Managing Sentinel 6.1 Rapid Deployment Through the Web Interface,” on page 19
Chapter 2, “Sentinel Control Center,” on page 41
Chapter 3, “Active Views Tab,” on page 53
Chapter 4, “Correlation Tab,” on page 83
Chapter 5, “Incidents Tab,” on page 109
Chapter 6, “iTRAC Workflows,” on page 123
Chapter 7, “Work Items,” on page 161
Chapter 8, “Analysis Tab,” on page 167
Chapter 9, “Event Source Management,” on page 171
Chapter 10, “Administration,” on page 219
Chapter 11, “Sentinel Data Manager,” on page 267
Chapter 12, “Utilities,” on page 285
Chapter 13, “Quick Start,” on page 293
Chapter 14, “Solution Packs,” on page 311
Chapter 15, “Action Manager and Integrator,” on page 341
Chapter 17, “Advisor Usage and Maintenance,” on page 379
Appendix A, “Sentinel 6.1 Rapid Deployment Architecture,” on page 385
Appendix B, “System Events for Sentinel,” on page 413
Audience
This documentation is intended for information security professionals.
Feedback
We want to hear your comments and suggestions about this manual and the other documentation
included with this product. Please use the User Comments feature at the bottom of each page of the
online documentation or go to Novell Documentation Feedback (http://www.novell.com/
documentation/feedback.html) and enter your comments there.
Additional Documentation
Sentinel technical documentation includes several different volumes:
Novell Sentinel 6.1 Rapid Deployment Installation Guide (http://www.novell.com/
documentation/sentinel61rd/s61rd_install/data/index.html)
Novell Sentinel 6.1 Rapid Deployment User Guide (http://www.novell.com/documentation/
sentinel61rd/s61rd_user/data/index.html)
Novell Sentinel 6.1 Rapid Deployment Reference Guide (http://www.novell.com/
documentation/sentinel61rd/s61rd_reference/data/index.html)
Sentinel 6.1 Install Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_installation_guide.pdf)
Sentinel 6.1 User Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_user_guide.pdf)
Sentinel 6.1 Reference Guide (http://www.novell.com/documentation/sentinel61/pdfdoc/
sentinel_61_reference_guide.pdf)
Sentinel SDK (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel)
The Sentinel SDK site provides the details about developing Collectors (proprietary or
JavaScript*) and JavaScript correlation actions.
Documentation Conventions
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items
within a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party
trademark.
When a single path name can be written with a backslash for some platforms or a forward slash for
other platforms, the path name is presented with forward slashes to reflect the Linux* convention.
Users of platforms that require a backslash, such as NetWare®, should use backslashes as required by
your software.
Contacting Novell
Novell Web site (http://www.novell.com)
Novell Support (http://support.novell.com/phone.html?sourceidint=suplnav4_phonesup)
Novell Self Support (http://support.novell.com/
support_options.html?sourceidint=suplnav_supportprog)
Patch Download Site (http://download.novell.com/index.jsp)
Novell 24x7 Support (http://www.novell.com/company/contact.html)
Sentinel TIDS (http://support.novell.com/products/sentinel)
1 Managing Sentinel 6.1 Rapid Deployment Through the Web Interface
This section discusses how to manage the services for Novell® SentinelTM by using the Sentinel Web
interface.
Section 1.1, “Accessing the Novell Sentinel Web Interface,” on page 19
Section 1.2, “Applications and Installers,” on page 19
Section 1.3, “Reporting,” on page 21
Section 1.4, “Searching Events,” on page 31
1.1 Accessing the Novell Sentinel Web Interface
Use the Novell Sentinel Web interface to manage, run, schedule, and search reports, launch the
Sentinel Control Center (SCC), the Sentinel Data Manager (SDM), and the Solution Designer, and
download the Collector Manager installer and the Client installer. You can also perform full-text
search on events by using the Web interface.
1 Open a Web browser to the following URL:
https://svrname.example.com:port/sentinel
Replace svrname.example.com with the actual DNS name or IP address (such as 192.168.1.1) of the
server where Sentinel is running, and port with the port number on which the Sentinel Web interface
listens.
IMPORTANT: The URL is case sensitive.
2 If you are prompted to verify the certificates, review the certificate information, then click Yes
only if it is valid. Compare the certificate's subject and fingerprint with the certificate installed on
the Sentinel server before accepting it: a certificate accepted without that check could belong to a host
interposed between your browser and the server, which would then receive the Sentinel username and
password you enter in the next step.
3 Specify the username and password for the Sentinel account you want to access.
4 Use the Languages drop-down list to specify which language you want to use.
This is typically the same language as the language code of the Sentinel server and your local
computer. Make sure to configure your browser's Languages setting to support the desired
language.
5 Click Sign in.
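One way to perform the certificate check in step 2 from the command line, as an added example that is not part of the Sentinel documentation or product: the script below fetches the certificate the server presents and compares its SHA-256 fingerprint with a value obtained out of band (for example, from the certificate file on the Sentinel server itself). The URL, the port 8443 and EXPECTED_PIN are placeholders, and SAMPLE_PEM is a constructed stand-in, not a real certificate, so that the helper functions can be exercised offline.

```python
"""Pin check for the Sentinel Web interface's TLS certificate.

Added example, not part of the Sentinel documentation or product. Compare the
fingerprint the server presents with one you obtained out of band before
clicking Yes in the browser's certificate prompt. URL, port and EXPECTED_PIN
are placeholders; SAMPLE_PEM is a constructed stand-in, not an X.509
certificate, used only to exercise the helpers offline.
"""
import base64
import hashlib
import hmac
import ssl
from urllib.parse import urlsplit

# Constructed for offline use only: base64 of an arbitrary byte string wrapped
# in PEM armor. Any real certificate parser would reject it.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed stand-in, not a certificate").decode()
              + "\n-----END CERTIFICATE-----\n")


def fingerprint_sha256(pem_cert):
    """SHA-256 fingerprint of a PEM certificate as colon-separated uppercase
    hex, the layout most browser certificate viewers show."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp):
    """Drop separators and case so 'ab:cd' and 'ABCD' compare equal."""
    return "".join(ch for ch in fp if ch.isalnum()).upper()


def fingerprint_matches(pem_cert, expected):
    """True if the presented certificate's fingerprint equals the pinned one.
    compare_digest avoids leaking the position of the first mismatch."""
    return hmac.compare_digest(normalize_fingerprint(fingerprint_sha256(pem_cert)),
                               normalize_fingerprint(expected))


def sentinel_host_port(url):
    """Split the documented https://host:port/sentinel URL into (host, port).
    The interface is HTTPS only, so any other scheme is refused."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https://host:port/sentinel URL")
    return parts.hostname, parts.port or 443


def fetch_certificate(url):
    """Connect to the server named in the URL and return the PEM certificate it
    presents. Needs network access; the offline checks do not call it."""
    host, port = sentinel_host_port(url)
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    URL = "https://svrname.example.com:8443/sentinel"  # placeholder host and port
    EXPECTED_PIN = "00:11:22:33:..."                    # placeholder, obtain out of band
    pem = fetch_certificate(URL)
    print("presented:", fingerprint_sha256(pem))
    print("matches pin:", fingerprint_matches(pem, EXPECTED_PIN))
```

ssl.get_server_certificate does not validate the chain, which is what you want here: the point is to see exactly what the server presents and compare it with a value you already trust, rather than relying on the browser's trust store, which is the thing the prompt is asking you to override.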
1.2 Applications and Installers
Click Applications in the left panel of the Novell Sentinel 6.1 Rapid Deployment Web interface to
download the Sentinel components.
Figure 1-1 Web Start
Table 1-1 Downloading Options

The Sentinel Control Center (SCC)
Description: The Sentinel Control Center allows you to monitor, configure, and control most features of
the Sentinel system. The SCC interface helps you manage and monitor the security information received
from different network resources. It creates and deploys rules to detect suspicious or malicious patterns
of events, provides real-time indication of attacks and related risks, and manages and monitors
connections between Sentinel and its event sources.
Action:
1. Click Launch Control Center.
2. Open SCC with the Java* Web Start Launcher.
3. Specify the user credentials and click Login.

The Sentinel Data Manager (SDM)
Description: The Sentinel Data Manager allows you to manage the Sentinel database. You can monitor
database space utilization, view and manage database partitions, configure auto-archives, and configure
auto-addition of partitions.
Action:
1. Click Launch Data Manager.
2. Open SDM with the Java Web Start Launcher.
3. Specify the server, database, host, and port number.
4. Specify the user credentials and click Connect.

The Solution Designer

Collector Manager Installer
Description: The Collector Manager Installer allows you to install the Sentinel Collector Manager on any
machine from which you want to forward events.
Action: Click download Collector Manager installer and follow the on-screen instructions.

Client Installer
Description: The Client Installer allows you to install the Sentinel Control Center, Sentinel Collector
Builder, Sentinel Solution Designer, and Sentinel Data Manager on any client machine.
Action: Click download Client installer and follow the on-screen instructions.
1.3 Reporting
You can upload, run, view, and delete reports or report definitions by using the Sentinel 6.1 Rapid
Deployment Web interface. You can run a report by using the desired parameters (such as start and
end date) as given in the report definition. The report results are saved with a name of your choice.
After the report runs, you can retrieve the results and view them as a PDF file.
Reports are organized by category.
Section 1.3.1, “Running Reports,” on page 21
Section 1.3.2, “Viewing Reports,” on page 24
Section 1.3.3, “Scheduling a Report,” on page 26
Section 1.3.4, “Managing Reports,” on page 27
1.3.1 Running Reports
Sentinel 6.1 Rapid Deployment is installed with a set of reports organized into several product
categories. Reports run asynchronously, so you can continue to do other things in the application
while the report is running. You can view the PDF report results after the report finishes running.
Many report definitions include parameters. You are prompted to set them before running the
reports. Depending on how the report developer designed the report, the report parameters can be
text, numbers, Boolean values, or dates. A parameter might have a default value or a list based on
values in the Sentinel RD database.
IMPORTANT: If a report in progress is canceled by using the Cancel link, the query on the
database is canceled.
Manually Running a Report
1 Click Reports to display the available reports.
2 If desired, click a report definition to expand it. If you see a Sample Report link, you can click
View to find out how the completed report looks with a set of sample data.
3 Select the report you want to run and click Run.
4 Specify the following:
The report parameters are specific to the report definition. Therefore, the report parameters
might vary based on the report definition you select.
Report Parameters

Run Option: Set the schedule for running the report. If you want the report to run later, you must
also enter a start time.
  Now: This is the default. It runs the report immediately.
  Once: Runs the report once at the specified date and time.
  Daily: Runs the report once a day at the specified time.
  Weekly: Runs the report once a week on the same day at the specified time.
  Monthly: Runs the report on the same day of the month every month, starting at the specified date
  and time. For example, if the start date and time is October 28 at 2:00 p.m., the report will run on
  the 28th day of the month at 2:00 p.m. every month.
  All time settings are based on the browser's local time.

Name: Specify a name to identify the report results. Because the username and time are also used to
identify the report results, the report name does not need to be unique.

Language: Choose the language in which the report labels and descriptions should be displayed
(English, French, German, Italian, Japanese, Traditional Chinese, Simplified Chinese, Spanish, or
Portuguese). The data in the report is displayed in whatever language was originally used by the event
source.

Date Range: If the report includes time period parameters, choose the date range. You can also set
start and end dates for all the time periods. All time periods are based on the local time for the
browser.
  Current Day: Shows events from midnight of the current day until 11:59 p.m. of the current day. If
  the current time is 8 a.m., the report shows 8 hours of data.
  Previous Day: Shows events from midnight yesterday until 11:59 p.m. yesterday.
  Week To Date: Shows events from midnight Sunday of the current week until the end of the current
  day.
  Previous Week: Shows seven days of events, from midnight Sunday of the previous week until
  11:59 p.m. Saturday of the previous week.
  Month To Date: Shows events from midnight of the first day of the current month until the end of
  the current day.
  Previous Month: Shows a month of events, from midnight of the first day of the previous month
  until 11:59 p.m. of the last day of the previous month.
  Custom Date Range: For this setting only, you also need to set a start date and end date below.

From Date and To Date: Set the start date (From Date) and the end date (To Date) for the report.

MinSev: Specify the minimum severity of events to be included in the report. The range is 0-5.

MaxSev: Specify the maximum severity of events to be included in the report. The range is 0-5.

Email Report To: If the report should be mailed to a user or users, specify their e-mail addresses,
separated by commas. To enable mailing reports, the administrator must configure the mail relay under
Rules > Configuration.
5 Click Run.
A report results entry is created and, if you specified recipients, the report is mailed to them.
1.3.2 Viewing Reports
You can view the results of previously run reports in the Sentinel Rapid Deployment Web interface. By
default, the report GUI shows up to 10 report results for any given report definition, namely the 10
most recent results for that definition.
If there are more than 10 report results for any given report definition (that is, the report has been run
more than 10 times), a Show all x reports link is displayed after the 10th report, where x is the total
number of results available for that given report definition.
1 To view the list of report results, click View.
All previously run reports are shown with the user-defined report name, the user who ran them,
and the time the report was run.
IMPORTANT: The default number of report results to be displayed for each report definition is managed
by the reporting.reportResultsDisplayed property specified in the das_core.xml file:

<obj-component id="JasperReportingComponent">
<class>esecurity.ccs.comp.reporting.jasper.JasperReportingComponent</class>
<property name="reporting.reportResultsDisplayed">10</property>
</obj-component>

You can change the reporting.reportResultsDisplayed property value. After changing this value, ensure
that you restart das_core to apply the changes.
2 Click show parameters to see the exact values used to run the report.
For Date Range, D=Current Day, PD=Previous Day, W=Week To Date, PW=Previous
Week, M=Month To Date, PM=Previous Month, and DR=Custom Date Range.
For Language, en=English, fr=French, de=German, it=Italian, ja=Japanese, pt=Brazilian
Portuguese, es=Spanish, zh=Simplified Chinese, and zh_TW=Traditional Chinese.
3 Click View for the report results you want to see. The report results are displayed in a new
window in .pdf format.
TIP: Report results are organized from newest to oldest.
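The Date Range definitions in the parameter table of "Running Reports" and the short codes that show parameters displays (D, PD, W, PW, M, PM, DR) describe the same windows. The function below works them out for a given local time, as an added example that is not Sentinel code: weeks start on Sunday, ranges end at 11:59 p.m., and the value passed as now stands in for the browser's local time, which is what the documentation says the ranges are based on. The sample dates in the usage are constructed.

```python
"""Date Range windows of the Sentinel report parameters, worked through.

Added example, not code from the Sentinel product or its documentation. It
follows the parameter table: weeks start on Sunday, every range ends at
11:59 p.m., and 'now' plays the role of the browser's local time. Codes are
the ones shown by 'show parameters': D, PD, W, PW, M, PM and DR.
"""
from datetime import datetime, timedelta

DATE_RANGE_CODES = {
    "D": "Current Day",
    "PD": "Previous Day",
    "W": "Week To Date",
    "PW": "Previous Week",
    "M": "Month To Date",
    "PM": "Previous Month",
    "DR": "Custom Date Range",
}


def _as_datetime(value):
    """Accept a datetime or an ISO 8601 string such as '2009-10-28T14:00'."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def _midnight(d):
    return d.replace(hour=0, minute=0, second=0, microsecond=0)


def _end_of_day(d):
    """11:59 p.m. of the given day, the end point the table describes."""
    return d.replace(hour=23, minute=59, second=0, microsecond=0)


def _sunday_of_week(d):
    """Midnight Sunday of the week containing d. Python's weekday() counts
    Monday as 0 and Sunday as 6, hence the (weekday + 1) % 7 adjustment."""
    days_since_sunday = (d.weekday() + 1) % 7
    return _midnight(d) - timedelta(days=days_since_sunday)


def _first_of_month(d):
    return _midnight(d).replace(day=1)


def date_range(code, now, from_date=None, to_date=None):
    """Return (start, end) datetimes for a Date Range code evaluated at 'now'.
    For DR the caller supplies From Date and To Date, as the Web interface
    requires for that setting only."""
    now = _as_datetime(now)
    today = _midnight(now)
    if code == "D":
        return today, _end_of_day(today)
    if code == "PD":
        yesterday = today - timedelta(days=1)
        return yesterday, _end_of_day(yesterday)
    if code == "W":
        return _sunday_of_week(now), _end_of_day(today)
    if code == "PW":
        this_sunday = _sunday_of_week(now)
        return this_sunday - timedelta(days=7), _end_of_day(this_sunday - timedelta(days=1))
    if code == "M":
        return _first_of_month(now), _end_of_day(today)
    if code == "PM":
        last_of_previous = _first_of_month(now) - timedelta(days=1)
        return _first_of_month(last_of_previous), _end_of_day(last_of_previous)
    if code == "DR":
        if from_date is None or to_date is None:
            raise ValueError("Custom Date Range needs both From Date and To Date")
        return _midnight(_as_datetime(from_date)), _end_of_day(_as_datetime(to_date))
    raise ValueError("unknown Date Range code: %r" % code)


if __name__ == "__main__":
    # Constructed sample time: Wednesday, October 28, 2009, 2:00 p.m.
    for code, name in DATE_RANGE_CODES.items():
        if code != "DR":
            start, end = date_range(code, "2009-10-28T14:00")
            print("%-3s %-18s %s .. %s" % (code, name, start, end))
```

The Sunday adjustment is the detail most often wrong when the same windows are rebuilt by hand in a database query, and the year-boundary cases (Week To Date in the first days of January, Previous Month in January) are the ones worth checking against what the server actually returns.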
1.3.3 Scheduling a Report
When you run a report, you can run the report immediately or schedule it to be run later, either once
or on a recurring basis. For scheduled reports, you must choose a frequency and enter a time at
which the report should run.
Now: This is the default. It runs the report immediately.
Once: Runs the report once at the specified date and time.
Daily: Runs the report once a day at the specified time.
Weekly: Runs the report once a week on the same day at the specified time.
Monthly: Runs the report on the same day of the month every month, starting at the specified
date and time. For example, if the start date and time is October 28 at 2:00 p.m, the report runs
on the 28th day of the month at 2:00 p.m.every month.
NOTE: All time settings are based on the browser’s local time.
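As an added example that is not Sentinel code, the function below computes the run times that the Now, Once, Daily, Weekly, and Monthly options produce from a chosen start date and time, following the rules listed above (Daily at the same time every day, Weekly on the same weekday, Monthly on the same day of the month). The documentation does not say what a Monthly schedule does in a month that has no such day (a 31st, for instance); the example assumes those months are skipped, and that assumption should be verified against your server. Times are naive local datetimes, matching the note that settings use the browser's local time; daylight-saving changes are not modelled.

```python
"""Run times produced by the Sentinel report Run Option schedules.

Added example, not part of the Sentinel documentation or product. Daily,
Weekly and Monthly follow the documented rules. Assumption not stated on the
page: a Monthly schedule skips months in which the chosen day does not exist.
Datetimes are naive local times; daylight-saving shifts are ignored.
"""
import calendar
from datetime import datetime, timedelta


def _as_datetime(value):
    """Accept a datetime or an ISO 8601 string such as '2009-10-28T14:00'."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def next_runs(run_option, start, count):
    """Return the first 'count' run times, beginning with 'start', for a
    Run Option. Now and Once produce exactly one run regardless of count."""
    start = _as_datetime(start)
    if run_option in ("Now", "Once"):
        return [start]
    if run_option == "Daily":
        return [start + timedelta(days=i) for i in range(count)]
    if run_option == "Weekly":
        return [start + timedelta(weeks=i) for i in range(count)]
    if run_option == "Monthly":
        runs = []
        year, month = start.year, start.month
        while len(runs) < count:
            days_in_month = calendar.monthrange(year, month)[1]
            if start.day <= days_in_month:  # assumption: shorter months are skipped
                runs.append(start.replace(year=year, month=month))
            month += 1
            if month > 12:
                month, year = 1, year + 1
        return runs
    raise ValueError("unknown Run Option: %r" % run_option)


if __name__ == "__main__":
    # The documentation's own example: October 28 at 2:00 p.m. (year constructed)
    for run in next_runs("Monthly", "2009-10-28T14:00", 4):
        print(run.strftime("%A %Y-%m-%d %H:%M"))
```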
Figure 1-2 Scheduled Reports
Report schedules can be removed or modified by using the Delete and Edit links.
1.3.4 Managing Reports
Sentinel Rapid Deployment users can add, delete, update, and schedule reports.
“Adding Reports” on page 27
“Creating New Reports” on page 29
“Renaming Report Results” on page 29
“Deleting Reports and Report Definitions” on page 29
“Updating Report Definitions” on page 31
Adding Reports
Any user can add or update reports in Sentinel 6.1 Rapid Deployment.
“Downloading New or Updated Reports” on page 27
“Adding New Reports” on page 27
Downloading New or Updated Reports
New or updated reports by Novell can be downloaded from the Novell Content Web site (http://
support.novell.com/products/sentinel/secure/identityaudit.html).
Adding New Reports
Sentinel Rapid Deployment comes preloaded with reports, but new report plug-ins (special .zip
files that include the report definition plus metadata) can be uploaded into Sentinel 6.1 Rapid
Deployment. If there are no reports in the system, the following screen displays:
Figure 1-3 No Reports Loaded
To add a report:
1 Click the Reports button on the left side of the screen.
2 Click the Upload Report button.
3 Browse and select the report plug-in .zip file on your local machine.
4 Click Open.
5 Click Save.
6 If the same report already exists in the report repository (based on the report’s unique ID),
decide whether to replace the existing report.
Sentinel Rapid Deployment displays the details of both the report in the system and the one
being imported. In the example below, the imported report is the same version as the existing
report.
The new report definition is added to the list in alphabetical order and can be run immediately, if
desired.
Creating New Reports
Users can modify or write reports by using JasperForge iReport, a graphical report designer for
JasperReports. iReport is an open source report development tool that is available for download
from JasperForge.org (http://jasperforge.org/plugins/project/project_home.php?group_id=83) (as of
the time of this publication).
New or modified reports can include additional database fields that are not presented in the Sentinel
Rapid Deployment Web interface. They must adhere to the file and format requirements of the
report plug-ins. For more information about database fields and file and format requirements for
report plug-ins, see the Sentinel SDK Web site (http://developer.novell.com/wiki/
index.php?title=Develop_to_Sentinel).
Renaming Report Results
Report results (but not report definitions) can be renamed in the interface.
1 Click the Reports button on the left side of the screen.
2 Click a report name to expand it.
3 Click the name of the report results you want to rename.
4 Specify the new name.
5 Click Rename.
Deleting Reports and Report Definitions
“Deleting Report Definitions” on page 29
“Deleting Report Results” on page 30
Deleting Report Definitions
You can delete either a set of report results or a report definition by using the delete button at
the right side of the report definition. If a report definition is deleted, all associated report
results are also deleted.
IMPORTANT: Only the users with Manage Reports permissions can delete the report definitions.
For more information on permissions, see “Reporting ” in the Sentinel 6.1 Rapid Deployment
Reference Guide.
Deleting Report Results
There are two ways to delete report results.
Delete a single report result by using the delete button at the right side of the report result.
IMPORTANT: Users with the Run/View Reports or Manage Reports permission can delete
the report results. For more information on permissions, see “Reporting ” in the Sentinel 6.1
Rapid Deployment Reference Guide.
Delete multiple report results by using the Multi-delete option at the bottom right side of the
report results for each report definition.
NOTE: If the number of report results you have created for a report definition is less than or
equal to the default value, you need to use the delete button to delete each report result
individually. However, you can change the default value by editing the following property of the
JasperReportingComponent in the config/das_core.xml file:

<property name="reporting.reportResultsDisplayed">10</property>

After you modify this property value, restart the Sentinel services to apply the changes.
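The NOTE above and the IMPORTANT note under "Viewing Reports" refer to the same reporting.reportResultsDisplayed property. The script below, an added example rather than a Sentinel utility, reads and rewrites that property in das_core.xml without touching other components. The embedded XML is a constructed stand-in containing only the fragment the documentation quotes (the real file holds many more components), and the config/das_core.xml path is the one given in the text above. das_core must still be restarted afterwards, as the documentation says.

```python
"""Read and change reporting.reportResultsDisplayed in das_core.xml.

Added example, not a Sentinel tool. It locates the JasperReportingComponent
obj-component quoted in the documentation and updates only that property.
SAMPLE_DAS_CORE is a constructed, minimal stand-in for config/das_core.xml.
"""
import xml.etree.ElementTree as ET

COMPONENT_ID = "JasperReportingComponent"
PROPERTY = "reporting.reportResultsDisplayed"

# Constructed sample, not a copy of a real das_core.xml; only the fragment the
# documentation quotes is included, wrapped in a root element.
SAMPLE_DAS_CORE = """<configuration>
  <obj-component id="JasperReportingComponent">
    <class>esecurity.ccs.comp.reporting.jasper.JasperReportingComponent</class>
    <property name="reporting.reportResultsDisplayed">10</property>
  </obj-component>
</configuration>
"""


def _find_property(root):
    """Return the <property> element for PROPERTY inside COMPONENT_ID, or raise."""
    for comp in root.iter("obj-component"):
        if comp.get("id") == COMPONENT_ID:
            for prop in comp.findall("property"):
                if prop.get("name") == PROPERTY:
                    return prop
            raise KeyError("%s has no %s property" % (COMPONENT_ID, PROPERTY))
    raise KeyError("no obj-component with id %s" % COMPONENT_ID)


def get_results_displayed(xml_text):
    """Current value of reporting.reportResultsDisplayed as an int."""
    return int(_find_property(ET.fromstring(xml_text)).text.strip())


def set_results_displayed(xml_text, value):
    """Return the XML with the property set to 'value', a positive integer;
    other components and properties are left as they were."""
    if not isinstance(value, int) or value < 1:
        raise ValueError("reportResultsDisplayed must be a positive integer")
    root = ET.fromstring(xml_text)
    _find_property(root).text = str(value)
    return ET.tostring(root, encoding="unicode")


def update_file(path, value):
    """Rewrite das_core.xml in place, keeping a .bak copy of the original."""
    with open(path, "r", encoding="utf-8") as fh:
        original = fh.read()
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(set_results_displayed(original, value))


if __name__ == "__main__":
    print("before:", get_results_displayed(SAMPLE_DAS_CORE))
    print("after: ", get_results_displayed(set_results_displayed(SAMPLE_DAS_CORE, 25)))
    # On a server: update_file("config/das_core.xml", 25), then restart das_core.
```

ElementTree discards XML comments and the XML declaration when it serializes, so keep the .bak copy and review the diff before restarting das_core; the value check rejects zero and negative numbers, which make no sense as a result count.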
Using the Multi-delete Option
The Multi-delete option is displayed only if:
You have either Run/View Reports or Manage Reports permissions.
The number of report results created for a report definition is higher than the default value
specified in the Jasper Reporting component.
1 Click the Multi-delete option to:
Expand the Multi-delete panel to list Select all and delete reports options.
Display a check box next to each report result.
2 Select the report results for deletion.
You can also use the select all or unselect all options from the Multi-delete options panel.
3 Click delete # reports to delete the selected report results, where # is the number of report
results selected for deletion.
For example, if you select 3 reports for deletion, a delete 3 reports option is displayed in the
Multi-delete panel. Click delete 3 reports to delete all the selected reports. Click Select all and
then delete reports to remove all the report results for the selected report definition.
Click cancel to remove the Multi-delete panel and the check boxes for all the report results.