Sentinel

From MicroFocusInternationalWiki

Sentinel Wiki Page

Welcome to Sentinel Wiki Page.

Cool Solutions

If you are new to Sentinel, you will probably like this article from otoquero: Sentinel Installation for Dummies
http://www.novell.com/communities/node/4710/sentinel-installation-dummies

Terminology

Terminology is one of the hardest parts of any field, and that is especially true in Information Technology (IT). We love to overload ambiguous terms that may be very descriptive but are not very distinct. The following is meant to clarify the terms used in the Sentinel product line:

Data Collection

  • Collector Manager (CM) - The Sentinel instance assigned to run Collectors, Connectors, and Event Source Servers to receive and parse events from Event Sources. A Collector Manager is represented within the Event Source Management (ESM) tool by a Collector Manager node, of which there can be many in a single Sentinel or Log Manager environment. A CM is also the parent to all collectors and Event Source Servers running within it.
  • Collector Plugin - A bundle of code in Java and ECMAscript (aka JavaScript) written to parse events from a specific application, such as eDirectory, Identity Manager, a certain type of Cisco Firewall, or anything else that can send events.
  • Collector - An instance of a Collector Plugin. If you are a programmer, think of the Collector Plugin as a class and the Collector as an instance of that class which is actually running. This has instance-specific settings for the data parsed from a specific application. An instance of a collector has connector objects beneath it and a parent Collector Manager object.
  • Connector Plugin - A bundle of code (Java) which manages the actual connection between the Collector (which parses) and the Event Source (from which the data originate). Event sources can listen for events pushed to them (such as Syslog, SNMP, or Audit) or pull events from other locations (such as File, SAP, JDBC, or LEA). The Process connector runs any given process and handles events from that process, for the maximum amount of customization possible.
  • Connector - An instance of a Connector Plugin. If you are a programmer, think of the Connector Plugin as a class and the Connector as an instance of that class which is actually running. This contains connection-specific settings. A Connector's parent object is the Collector, and its child objects are Event Sources. It can also have a link to an Event Source Server for Connectors which receive data which are pushed to them.
  • Event Source Server (ESS) - A special object which, when "Running", manages the port on the Collector Manager that listens for data from a push-based Event Source. For example, the Syslog connector receives data from various Event Sources, and therefore it needs to listen on one or many ports to receive those data. An Event Source Server listening (by default) on TCP port 1468, UDP port 1514, or on an SSLized port 1443 can be linked to a connector to receive these data from an external system. An Event Source Server's parent object is the Collector Manager.
  • Event Source - A logical representation of a system which is a source of events. This often contains Event Source-specific settings, such as whether or not to trust the time of events coming from the source, how long to wait before alerting due to a lack of events, or which encoding to use for data read from a file. An Event Source is the child or leaf object in Event Source Management (ESM) and sits within/below a Connector.
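The division of labour described above (the Connector delivers raw records, the Collector parses them, and the Event Source carries per-source settings such as whether to trust the source's timestamp and how long to wait before alerting on silence) is easy to misread from the definitions alone. The following is an added illustration written for this page, not Sentinel code or the Collector SDK API: a plain JavaScript model of that pipeline over constructed syslog lines, written in JavaScript because Collector plugins are themselves ECMAScript. The object names, the `trustSourceTime` and `noEventAlertSeconds` setting names and the sample lines are all assumptions made for the example.

```javascript
// Added illustration, not Sentinel code: a plain JavaScript model of the ESM
// hierarchy (Collector Manager -> Collector -> Connector -> Event Source) in which
// the Connector delivers raw records and the Collector parses them.

// Constructed sample lines, as a Syslog Event Source Server on UDP 1514 might hand
// them to a Connector. Not captured from any real system.
const SAMPLE_SYSLOG = [
  "<34>Oct 11 22:14:15 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1",
  "<13>Oct 11 22:14:16 fw01 sshd[1042]: Accepted publickey for alice from 10.0.0.7",
  "this line has no PRI field and cannot be parsed",
];

const SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"];

// The Collector's parse step: one RFC 3164-style line -> normalized fields, or null
// when the line does not match (the Collector must never throw on bad input).
function parseSyslog(line) {
  const m = /^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[\s]+)(?:\[(\d+)\])?: (.*)$/.exec(line);
  if (!m) return null;
  const pri = Number(m[1]);
  if (pri > 191) return null; // PRI = facility (0-23) * 8 + severity (0-7)
  return {
    facility: pri >> 3,
    severity: SEVERITY[pri & 7],
    sourceTime: m[2],
    host: m[3],
    app: m[4],
    pid: m[5] === undefined ? null : Number(m[5]),
    message: m[6],
  };
}

// Event Source: the leaf object carrying the source-specific settings named on the
// page. Setting names are assumptions for this example.
function makeEventSource(name, settings) {
  return {
    name,
    trustSourceTime: settings.trustSourceTime,
    noEventAlertSeconds: settings.noEventAlertSeconds, // null disables the alert
    lastEventAt: null, // epoch ms of the last event seen from this source
  };
}

// Collector: applies the parser plus the Event Source's settings to one raw record.
function collect(eventSource, rawLine, receivedAt) {
  const fields = parseSyslog(rawLine);
  if (fields === null) {
    return { ok: false, eventSource: eventSource.name, raw: rawLine };
  }
  eventSource.lastEventAt = receivedAt;
  return {
    ok: true,
    eventSource: eventSource.name,
    // "Trust the time of events coming from the source" decides which clock wins;
    // an untrusted source gets the Collector Manager's receive time instead.
    eventTime: eventSource.trustSourceTime
      ? fields.sourceTime
      : new Date(receivedAt).toISOString(),
    ...fields,
  };
}

// The "lack of events" alert: stale when nothing has arrived within the window.
function isStale(eventSource, now) {
  if (eventSource.noEventAlertSeconds === null) return false;
  const last = eventSource.lastEventAt ?? 0;
  return now - last > eventSource.noEventAlertSeconds * 1000;
}

// Connector: hands each raw record from the (simulated) ESS port to the Collector
// and keeps unparsed lines aside rather than silently dropping them.
function ingest(eventSource, lines, receivedAt) {
  const events = [];
  const unparsed = [];
  for (const line of lines) {
    const r = collect(eventSource, line, receivedAt);
    (r.ok ? events : unparsed).push(r);
  }
  return { events, unparsed };
}

// Stand-alone run over the constructed sample.
const fw01 = makeEventSource("fw01-syslog", { trustSourceTime: false, noEventAlertSeconds: 600 });
const result = ingest(fw01, SAMPLE_SYSLOG, Date.UTC(2024, 9, 11, 22, 14, 20));
console.log(JSON.stringify(result, null, 2));
console.log("stale after 15 min of silence:", isStale(fw01, Date.UTC(2024, 9, 11, 22, 29, 21)));
```

Two details are worth noting for anyone writing a real Collector: the parser returns `null` instead of throwing, so one malformed line cannot stall the Connector, and the unparsed lines are kept and counted, which is how a sudden jump in that count becomes a signal that a device has changed its log format.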

Analysis

  • Solution Pack Plugin - A collection of data specific to a given solution, such as PCI-DSS auditing. This plugin can include correlation rules, reports, identities/users, groups, and other objects within Sentinel in a single package dedicated to a purpose. These plugins are created in Solution Designer, part of the Sentinel product.
  • Solution Pack - Almost indistinguishable from the plugin form, a Solution Pack is only deployed once (unlike Collector or Connector plugins which can be deployed multiple times). Solution Manager is the tool within Sentinel from which the plugins are deployed and their components managed.

Products

  • Sentinel - The full Security Information and Event Management solution. Sentinel delivers real-time monitoring and remediation for automated security and compliance. With a single view of security and compliance events across the enterprise, Sentinel combines identity management and security event management in real time. Sentinel streamlines labor-intensive and error-prone processes, cuts costs through automation, and enables you to deliver a more rigorous security and compliance program.
  • Log Manager - Log Manager provides high event-rate processing, long-term data retention, regional data aggregation, and simple searching and reporting functionality for a broad range of applications and devices. Novell Sentinel Log Manager collects data from a wide variety of devices, including intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, and antivirus event sources.

Main Components

  • Sentinel Control Center (SCC) - The primary administration interface up through Sentinel 6.1. It still plays a major role in the configuration and administration of Sentinel 7.0+ systems, which also have a primary web-based interface.
  • Event Source Management (ESM) - ESM is the primary way to modify data collection in a Sentinel or Log Manager environment. It is accessed via the SCC in Sentinel, and via the web interface in Log Manager.
  • Solution Manager - A tool to configure a Solution Pack imported into Sentinel.
  • Solution Designer - A tool to create new Solution Pack plugins for Sentinel.