Technical Implementation

All correlation is done in-memory on the machine (or machines) that host the correlation engine. This model allows for fast, distributed processing that does not contend with database operations such as inserting events into the database.

For environments with large numbers of correlation rules or extremely high event rates, it may be advantageous to install more than one correlation engine and redeploy some rules to the new engine. Deploying multiple correlation engines lets the Sentinel system scale as it incorporates additional data sources or as event rates increase.

Sentinel's correlation is near real-time and depends on the timestamps of the individual events. You may use an NTP (Network Time Protocol) server to synchronize the clocks on all devices on your network, or you may rely on the time on the Collector Manager servers and synchronize only those few machines.

Correlation relies on the data that is collected, parsed, and normalized by the Collectors, so a working understanding of the data is necessary to write rules. Many Novell correlation rules rely on an event taxonomy that ensures that a "failed login" and an "unsuccessful logon" from two devices are classified the same.
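The following Python sketch is an added illustration, not Sentinel's rule language or code: it maps vendor-specific phrasings onto a constructed taxonomy, orders events by their timestamps, and runs an in-memory sliding-window rule so that failures reported as "Failed login", "Unsuccessful logon" and "Logon failure" by three different devices count toward one alert. The taxonomy labels, field names and sample events are all assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed taxonomy: several vendor phrasings map to one normalized class.
TAXONOMY = {
    "failed login": "Authentication.Failure",
    "unsuccessful logon": "Authentication.Failure",
    "logon failure": "Authentication.Failure",
    "login succeeded": "Authentication.Success",
}

def normalize(raw):
    """Turn a raw collector record (constructed format) into a normalized event."""
    return {"ts": datetime.fromisoformat(raw["ts"]),
            "taxonomy": TAXONOMY.get(raw["msg"].lower(), "Unknown"),
            "user": raw["user"], "device": raw["device"]}

class FailedLoginRule:
    """In-memory rule: `threshold` Authentication.Failure events for the same
    user within `window` seconds, regardless of which device reported them."""
    def __init__(self, threshold=3, window=60):
        self.threshold, self.window = threshold, timedelta(seconds=window)
        self.history = defaultdict(deque)   # per-user events inside the window

    def feed(self, event):
        if event["taxonomy"] != "Authentication.Failure":
            return None
        q = self.history[event["user"]]
        q.append(event)
        while q and event["ts"] - q[0]["ts"] > self.window:
            q.popleft()                     # expire events older than the window
        if len(q) >= self.threshold:
            alert = {"user": event["user"], "count": len(q),
                     "devices": sorted({e["device"] for e in q})}
            q.clear()                       # fire once per burst
            return alert
        return None

def run(raw_events, threshold=3, window=60):
    """Normalize, order by event timestamp (not arrival order), and correlate."""
    rule = FailedLoginRule(threshold, window)
    events = sorted((normalize(r) for r in raw_events), key=lambda e: e["ts"])
    return [a for a in (rule.feed(e) for e in events) if a]

# Constructed sample: three phrasings from three devices, delivered out of order.
SAMPLE = [
    {"ts": "2024-05-01T10:00:05+00:00", "device": "vpn-1", "user": "alice", "msg": "Unsuccessful logon"},
    {"ts": "2024-05-01T10:00:01+00:00", "device": "dc-1", "user": "alice", "msg": "Failed login"},
    {"ts": "2024-05-01T10:00:30+00:00", "device": "dc-1", "user": "bob", "msg": "Login succeeded"},
    {"ts": "2024-05-01T10:00:40+00:00", "device": "fw-1", "user": "alice", "msg": "Logon failure"},
    {"ts": "2024-05-01T10:03:00+00:00", "device": "dc-1", "user": "alice", "msg": "Failed login"},
]
```

Because the rule sorts on event timestamps, a device with a skewed clock would push its events into the wrong window, which is the practical reason the section recommends NTP or synchronizing the Collector Manager clocks.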

In the Correlation tab, you have the ability to:

NOTE: Access to the correlation functions can be enabled by the administrator on a user-by-user basis.