1.1 Product Overview

Novell Sentinel Log Manager 1.2 is a flexible and scalable log management solution for organizations. It addresses basic log collection and management challenges and also delivers a complete solution focused on reducing the cost and complexity of managing risk and simplifying compliance requirements.

Figure 1-1 Novell Sentinel Log Manager Architecture

Novell Sentinel Log Manager has the following features:

1.1.1 Event Sources

Novell Sentinel Log Manager collects data from event sources that generate logs to syslog, Windows event log, files, databases, SNMP, Novell Audit, Security Device Event Exchange (SDEE), Check Point Open Platforms for Security (OPSEC), and other storage mechanisms and protocols.

Sentinel Log Manager can support any event source for which a suitable Connector is available to retrieve its data. Novell Sentinel Log Manager provides Collectors for many event sources. The Generic Event Collector collects and processes data from unrecognized event sources that have suitable Connectors.

You can configure the event sources for data collection by using the Event Source Management interface.

For a complete list of supported event sources, see Section 2.6, Supported Event Sources.

1.1.2 Event Source Management

The Event Source Management interface enables you to import and configure the Sentinel 6.0 and 6.1 Connectors and Collectors.

You can perform the following tasks through the Live View of the Event Source Management window:

  • Add or edit connections to event sources by using Configuration wizards.

  • View real-time status of connections to event sources.

  • Import or export configuration of event sources to or from the Live View.

  • View and configure Connectors and Collectors installed with Sentinel.

  • Import or export Connectors and Collectors from or to a centralized repository.

  • Monitor data flowing through the configured Collectors and Connectors.

  • View the raw data information.

  • Design, configure, and create the components of the Event Source hierarchy, and execute required actions by using these components.

For more information, see the Event Source Management section of the Sentinel User Guide.

1.1.3 Data Collection

Novell Sentinel Log Manager collects data from configured event sources with the help of Connectors and Collectors.

Collectors are scripts that parse the data from a variety of event sources into the normalized Sentinel event structure, or in some cases collect other forms of data from external data sources. Each Collector should be deployed with a compatible Connector. Connectors facilitate the connectivity between Sentinel Log Manager Collectors and event or data sources.

Novell Sentinel Log Manager provides enhanced Web-based user interface support for syslog and Novell Audit to easily collect logs from different event sources.

Novell Sentinel Log Manager collects data using a variety of connection methods:

  • The Syslog Connector automatically accepts and configures syslog data sources that send data over the User Datagram Protocol (UDP), the Transmission Control Protocol (TCP), or Transport Layer Security (TLS).

  • The Audit Connector automatically accepts and configures audit-enabled Novell data sources.

  • The File Connector reads log files.

  • The SNMP Connector receives SNMP traps.

  • The JDBC Connector reads from database tables.

  • The WMS Connector accesses Windows event logs on desktops and servers.

  • The SDEE Connector connects to devices that support the SDEE protocol such as the Cisco devices.

  • The Check Point Log Export API (LEA) Connector facilitates integration between Sentinel Collectors and Check Point firewall servers.

  • The Sentinel Link Connector accepts data from other Novell Sentinel Log Manager servers.

  • The Process Connector accepts data from custom-written processes that output event logs.

You can also purchase an additional license to download connectors for SAP and mainframe operating systems.

To get the license, either call 1-800-529-3400 or contact Novell Technical Support.

For more information on configuring Connectors, see the Connector documents at the Sentinel Plug-ins Web site.

For more information on configuring data collection, see Configuring Data Collection in the Sentinel Log Manager 1.2.2 Administration Guide.

NOTE: You must always download and import the latest version of the Collectors and Connectors. Updated Collectors and Connectors are posted to the Sentinel 6.1 Plug-ins Web site on a regular basis. Updates to Connectors and Collectors include fixes, support for additional events, and performance improvements.

1.1.4 Collector Manager

The Collector Manager provides a flexible data collection point for Sentinel Log Manager. Novell Sentinel Log Manager installs a Collector Manager by default during installation. However, you can also install Collector Managers remotely at suitable locations in your network. These remote Collector Managers run Connectors and Collectors and forward the collected data to Novell Sentinel Log Manager for storage and processing.

For information on installing additional Collector Managers, see Installing Additional Collector Managers.

1.1.5 Data Storage

The data flows from data collection components to data storage components. These components use a file-based data storage and indexing system to keep the collected device log data, and a PostgreSQL database to keep Novell Sentinel Log Manager configuration data.

The data is stored in a compressed format on the server file system and then moved to a configured location for long-term storage. The data can be stored either locally or on a remotely mounted SMB (CIFS) or NFS share. Data files are deleted from the local and networked storage locations based on the schedule configured in the data retention policy.

You can configure data retention policies to delete data from the storage location when the retention time limit for that data has been exceeded, or when the available disk space falls below a specified value.

For more information on configuring data storage, see Configuring Data Storage in the Sentinel Log Manager 1.2.2 Administration Guide.

1.1.6 Searching and Reporting

The searching and reporting components let you search and report on the event log data held in both local and networked data storage and indexing systems. The stored event data can be searched either generically or against specific event fields such as source username. The search results can be further refined or filtered and saved as a report template for future use.

The Sentinel Log Manager comes with preinstalled reports. You can also upload additional reports. You can run reports on a schedule or whenever it is necessary.

For a list of the default reports, see Reporting in the Sentinel Log Manager 1.2.2 Administration Guide.

For information on searching events and generating reports, see Searching Events and Reporting in the Sentinel Log Manager 1.2.2 Administration Guide.

1.1.7 Sentinel Link

Sentinel Link can be used to forward event data from one Sentinel Log Manager to another. With a hierarchical set of Sentinel Log Managers, complete logs can be retained at multiple regional locations while more important events are forwarded to a single Sentinel Log Manager for centralized search and reporting.

In addition, Sentinel Link can forward important events to Novell Sentinel, a full-fledged Security Information Event Management (SIEM) system, for advanced correlation, incident remediation, and injection of high-value contextual information such as server criticality or identity information from an identity management system.

1.1.8 Web-Based User Interface

The Novell Sentinel Log Manager comes with a Web-based user interface to configure and use Log Manager. The user interface functionality is provided by a Web server and a graphical user interface based on Java Web Start. All user interfaces communicate with the server by using an encrypted connection.

You can use the Novell Sentinel Log Manager Web interface to perform the following tasks:

  • Search for events

  • Save the search criteria as a report template

  • View and manage reports

  • Launch the Event Source Management interface to configure data collection for data sources other than syslog and Novell applications (administrators only)

  • Configure data forwarding (administrators only)

  • Download the Sentinel Collector Manager installer for remote installation (administrators only)

  • View the health of event sources (administrators only)

  • Configure data collection for syslog and Novell data sources (administrators only)

  • Configure data storage and view the health of the database (administrators only)

  • Configure data archiving (administrators only)

  • Configure associated actions to send matching event data to output channels (administrators only)

  • Manage user accounts and permissions (administrators only)