3.5 Post-Installation Configuration

This section helps you understand the post-installation configuration for the Sentinel Rapid Deployment services.

3.5.1 Changing the Date and Time Settings

The default date and time format in the Sentinel Control Center can be overridden. For more information about customizing the date and time format to your local time zone, see the Java Web site.

  1. Edit the SentinelPreferences.properties file.

    <install_directory>/config/SentinelPreferences.properties
    
  2. Remove the comment from the following line and customize the date and time format for Sentinel Control Center event date/time fields:

    com.eSecurity.Sentinel.event.datetimeformat=yyyy-MM-dd'T'HH:mm:ss.SSSZ
    

3.5.2 Configuring an SMTP Integrator to Send Sentinel Notifications

In Sentinel Rapid Deployment, a JavaScript SendEmail action works with an SMTP integrator to send mail messages from various contexts within the Sentinel interface to mail recipients. The SMTP Integrator must be configured with valid connection information before it works. For more information, see Sending an E-mail in the Sentinel Rapid Deployment User Guide.

A single action instance of the SendEmail action plug-in is created automatically in every Sentinel installation. No configuration of the SendEmail action is necessary, except that the recipients of the mail message and the message contents are configured in the action parameters.

This SendEmail action is triggered internally by Sentinel to send mail in the following situations:

  • When a Correlation rule fires, a SendEmail action is triggered. This SendEmail action is the action indicated by the gear icon, which is only valid for correlation (as opposed to the JavaScript SendEmail action, which is indicated by the JS icon).

  • When a workflow includes a Mail Step or Activity that is configured to send email.

  • When a user opens an incident and selects to execute an Activity that is configured to send email.

  • When a user right-clicks an event and selects Email.

  • When a user opens an incident and selects Email Incident.

3.5.3 Collector Manager Services

Installing Additional Collector Manager

Collector Managers manage all the data collection processes and data parsing. Occasionally, it might be necessary to add an additional Sentinel Collector Manager node to a Sentinel environment in order to load-balance across machines. Remote Collector Managers provide several benefits:

  • They allow distributed event parsing and processing to improve system performance.

  • They allow filtering, encryption, and data compression at the source system through collocation with event sources. This reduces network bandwidth requirements and provides additional data security.

  • They allow installation on additional operating systems. For example, installing a Collector Manager node on Microsoft Windows to enable data collection by using the WMI protocol.

  • They allow file caching that enables the remote collector manager to cache large amounts of data when the server is temporarily busy with archiving or processing a spike in events. This is an advantage for protocols, such as syslog, that do not natively support event caching.

The Collector Manager components can be load-balanced by installing instances of these components on additional machines. You can install additional Collector Managers by running the installer on a new machine. For more information on installing a Collector Manager, see Section 3.3.4, Installing the Sentinel Collector Manager on SLES or Windows.

Using the Generic Collector

During the installation of the Sentinel Rapid Deployment Server, a Collector called the Generic Collector is configured. By default, it creates events at the rate of 5 events per second (eps).

If you want any additional collectors for your system, you can download them from the Novell Web site.

3.5.4 Managing Time

You must connect the Sentinel Server to an NTP (Network Time Protocol) server or other type of time server. If the system time across machines is not synchronized, the Sentinel Correlation Engine and Active Views do not work properly: events from Collector Managers whose clocks are out of sync are not considered to be real-time and are therefore sent directly to the Sentinel database, bypassing the Sentinel Control Centers and Correlation Engines.

By default, the threshold for real-time data is 120 seconds. This can be modified by changing the value of esecurity.router.event.realtime.expiration in the event-router.properties file. The Sentinel event time is populated from either the Trust Device Time or the Collector Manager Time. You can select Trust Device Time while configuring a collector. Trust Device Time is the time at which the device generated the log; Collector Manager Time is the local system time of the Collector Manager machine.
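As an added illustration (not code from the Sentinel product or from this guide), the following Python models the routing decision described above: it reads the expiration value from a constructed event-router.properties fragment, derives the event time from either the device clock or the Collector Manager clock, and lists the sources whose events would bypass the Correlation Engine because of clock skew. The routing model, source names and timestamps are constructed assumptions; only the property name and its 120-second default come from the guide.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of event-router.properties; the property name and its
# default of 120 seconds are the ones the guide states.
EVENT_ROUTER_PROPERTIES = """
# event-router.properties (constructed sample)
esecurity.router.event.realtime.expiration=120
"""

def load_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def realtime_threshold(props):
    """Real-time window as a timedelta; falls back to the documented 120 s default."""
    return timedelta(seconds=int(props.get("esecurity.router.event.realtime.expiration", "120")))

def event_time(device_time, collector_manager_time, trust_device_time):
    """Event time is the device's log timestamp when Trust Device Time is set on the
    collector, otherwise the Collector Manager's local clock."""
    return device_time if trust_device_time else collector_manager_time

def classify_event(evt_time, server_now, threshold):
    """'realtime' goes through Control Center and Correlation Engine; anything older
    than the threshold is written straight to the database and is never correlated."""
    return "realtime" if abs(server_now - evt_time) <= threshold else "database-only"

def demo():
    """Hypothetical audit: which sources would silently miss correlation?"""
    threshold = realtime_threshold(load_properties(EVENT_ROUTER_PROPERTIES))
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    # Constructed clocks: a synced CM, a CM drifting 5 min, and a synced CM
    # that trusts a device whose own clock is 10 min behind.
    sources = {
        "cm-synced":     event_time(now, now - timedelta(seconds=20), False),
        "cm-drifted":    event_time(now, now - timedelta(minutes=5), False),
        "cm-trusts-dev": event_time(now - timedelta(minutes=10), now, True),
    }
    return sorted(n for n, t in sources.items()
                  if classify_event(t, now, threshold) == "database-only")

if __name__ == "__main__":
    print(demo())  # ['cm-drifted', 'cm-trusts-dev']
```

The third source shows that Trust Device Time moves the dependency from the Collector Manager's clock to the device's clock, so a device with a wrong clock is skipped by correlation even when the Collector Manager itself is synchronized.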