All correlation is done in-memory on the machine (or machines) that host the Correlation engine. This model allows fast, distributed processing that does not contend with database operations such as inserting events into the database.
For environments with large numbers of Correlation rules or extremely high event rates, it might be advantageous to install more than one Correlation engine and redeploy some rules to the new Correlation engine. The ability to deploy multiple Correlation engines provides the ability to scale as the Sentinel system incorporates additional data sources or as event rates increase.
Sentinel correlation is nearly real-time and depends on the time stamp for the individual events. To synchronize time, you can use an NTP (Network Time Protocol) server to synchronize the time on all devices on your network, or you can rely on the time on the Collector Manager servers and synchronize only those few machines.
Correlation relies on the data that is collected, parsed, and normalized by the Collectors, so a working understanding of the data is necessary to write rules. Many Novell Correlation rules rely on an event taxonomy that ensures that a “failed login” and an “unsuccessful logon” from two devices are classified the same.
In the
tab, you can:Create/modify Correlation rules and rule folders
Deploy Correlation rules on the Correlation engine
Create and associate an action to a rule
Configure dynamic lists
NOTE:Access to the correlation functions can be enabled by the administrator on a user-by-user basis.
For trademark and copyright information, see Legal Notices.