Collector Development Guide

COLLECTOR PARAMETERS

Sentinel Collector plug-ins can include configuration-time parameters that control the run-time operation of those Collectors. The parameter system is designed to be modular and re-usable, and you will find that there are quite a few template parameters that you can use as you wish, or you can create your own.

You might use or create parameters, for example, to:

• Allow implementors to select which version of a product they are integrating with, if it cannot be auto-detected based on the event stream.
• Allow implementors to tune the size of database queries for their particular environment and database/Sentinel loads.
• Allow implementors to specify certain properties about how their particular source products are configured, if the source offers several common options.
• Allow implementors to control error reporting behavior of the Collector itself.
• Allow implementors to specify whether certain optional fields are filled in or not, such as the legacy taxonomy fields, IP to hostname conversions, etc.

Adding Parameters to a Collector

Parameters are included with a given Collector in a very simple way; by listing them in a file. There are two different types of parameters — those provided with the template, and those created custom for each Collector — and hence there are two relevant files under the individual Collector's parameters directory:

template.pml

This file allows the developer to list the parameters to be included from the template. Template parameters are stored in //current/sdk/2011.1/Collector/static/parameters as individual files; review those files to see what parameters you can use from the template.

release.pml

This file lists the parameters that are locally defined for this particular release of the Collector. These parameters are also implemented as individual files, each of which is included in the same parameters directory where release.pml is located.

The format of the PML files is very simple; each parameter to be included is listed on its own line. The parameter name is just the filename of the file that contains the parameter, with no extension. So for example to include the parameters defined in missing_year.xml and max_rows.xml, you would add two lines to template.pml:

missing_year
max_rows
                

Using Parameters In Your Code

Parameters are configured at deployment time of the Collector by the person implementing that particular integration. The values set at that time for each parameter are then automatically loaded into memory in JavaScript so that you can access them from your code. Parameters are loaded into a global area of the instance object, which represents the running Collector. The template will create a hash table called params under the global CONFIG area, with the name of each hash element the name of the parameter and the value whatever value was configured for that parameter. Note however that the parameter name here is the InternalName defined in the parameter XML file, not the filename as specified in the PML file. For example, if an implementor sets the max_rows parameter to 200000, then you will have:

instance.CONFIG.params.Max_Rows_To_Return == 200000

(review the contents of //current/sdk/2011.1/Collector/static/parameters and see the InternalName element to find the name of the parameter).

Most parameters are simply specified as strings, whether they are typed in by the implementor or they are part of an enumerated selectable list. Boolean parameters, however, will show up as true Booleans in JavaScript, so they can be tested directly for truth/falsehood. Here's an example directly from the Event.send() method:

if (instance.CONFIG.params.Resolve_IP_and_Hostname) {
    // perform resolution
}
                

Defining Custom Parameters

The process of defining custom parameters is as simple as creating a small XML file that describes the parameter and possible values. An example called sample.xml is provided for you in the default Collector template, which is safe to delete if you are not planning to use it. You can copy that file and edit it to suit your needs, then all you have to do is add your new filename (without extension) to the release.pml file to include your custom parameter with the Collector. An example of where this happens commonly is also included, the query_variant_sample.xml file; in several cases we've found it necessary to give the implementor a way to choose between several alternate query variants, depending on the version or configuration of their source database. But we can't make this parameter a true template parameter, because the enumerated list of options will vary depending on the source product.

You may be able to figure out how to create your parameter simply by examining the samples, but the format of the parameters file is fully documented on a separate page — the format is used for several different plug-in types, including Actions and Reports.

Internal Parameters

In Collectors, parameters are stored in the global instance.CONFIG.params area, which is pre-loaded with the user-settable parameters from the UI. But we also use this area to store several "internal" parameters, set by the developer or automatically set, which are then used to control various aspects of Collector operations (typically, these trigger some automatic processing by the Collector template).

These parameters roughly break down into the following categories:

• Parameters that are automatically set by internal code and control how the Collector behaves. Examples include auto-detecting the platform to determine what fields should be present in the output event, and turning on/off "user privilege level" lookups if the associated map file is present.
• Pre-defined parameters that should be set by the developer based on the behavior of the specific product being integrated with. Examples include a parameter that specifies whether the source uses UTC, or whether it uses case-sensitive usernames. These parameters are defaulted in the release.js file with the assumption that the developer will review them and modify as necessary.
• Parameter that are defined by the developer as a convenient way to consistently control Collector behavior. Use of these would be entirely up to the developer.

Here are the pre-defined internal parameters in release.js, all of which are members of instance.CONFIG.params:

usernameIsCaseSensitive

This parameter specifies that the event source treats usernames (and the domains/containers in which those usernames live) as case-sensitive, i.e. the user Test1 is different than the user test1. Sentinel defaults to treating all names as case-sensitive, so if the source system is not we have to do special processing (the names are universally lowercased) to ensure that correlation can properly match across events.

datanameIsCaseSensitive

This parameter specifies that the event source treats data object names (files, paths, etc) as case-sensitive, i.e. the file FILE.TXT is different than the file file.txt. Sentinel defaults to treating all names as case-sensitive, so if the source system is not we have to do special processing (the names are universally lowercased) to ensure that correlation can properly match across events.

hostnameIsCaseSensitive

This parameter specifies that the event source treats hostnames (and the domains in which those hosts live) as case-sensitive, i.e. the host myHOST is different than the user MYhost. Sentinel assumes that all hostnames are NOT case-sensitive, since that's the DNS standard, but you can override that default behavior by setting this parameter to true.

reportsUTC

This parameter specifies that the event source reports a UTC timestamp in its events. Sentinel stores all timestamps as UTC, so this inhibits timezone conversion for this source. Whether or not the source reports UTC, if it actually resides in a timezone other than UTC the source must either include timezone information in the event, or the customer must manually specify a timezone for the Event Source node in Event Source Manager. In either case that information will be used to calculate the "local time" ObserverTZ fields.

And here are the internal parameters that are used by the template, which should be set automatically without the developer needing to do anything:

schemaVersion

The template will autodetect the platform version and hence the version of the Event schema that it expects to receive. This will change the behavior of the Event.send() method to ensure that the output Event meets the requirements of the platform.

lookupPriv

This parameter controls whether the privilege level of users is looked up when events are sent. It is automatically set based on the contents of the privlevel.map file.

privDomain

If true, this parameter sets the privilege lookup to ignore user domains/containers when looking up privilege level; if you wish, you can override this in your initialize()

lookupSens

This parameter controls whether the sensitivity level of a given data object is looked up when events are sent. It is automatically set based on the contents of the datasensitivity.map file.

sensContainer

If true, this parameter sets the data sensitivity lookup to ignore namespace/container when looking up sensitivity; if you wish, you can override this in your initialize()

• Forward to Additional Information
• Back up to Develop to Sentinel

Collector Development Guide

• Overview
• Getting Started
• Initial Build
• Plug-in Contents
• Data Parsing
• Build Process
• Event Construction
• Taxonomy
• Connector Interaction
• Common Code
• Parameters
• Additional Information

Development Topics

• Troubleshooting and Debugging
• Extended String Methods
• KeyMap and DataMap
• Identity and Account
• Asset and Vulnerability
• Working With Dates
• Sessions
• On-site Customization

• Feedback
• Print
  •  
  • Full
  • Simple
•  
• Request a Call
• Follow Us
  •  
  • Facebook
  • YouTube
  • Twitter
  • LinkedIn
  • Newsletter Subscription
  • RSS