1.3 Event Source Management

The Event Source Management (ESM) interface in the Sentinel Control Center (SCC) monitors and configures advanced data collection capabilities beyond the settings currently available in the Web interface. Some Connectors and Collectors must be configured in the Event Source Management interface.

1.3.1 Accessing Event Source Management

  1. Log in to the Sentinel Web interface as a user in the administrator role.

    https://<IP_Address/DNS_Sentinel_server:8443>

    IP_Address/DNS_Sentinel_server is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.

  2. In the toolbar, click Applications > Launch Control Center.

    or

    In the toolbar, click Collection > Launch Control Center.

  3. Log in to the Sentinel Control Center.

    For more information, see Section 1.2.1, Accessing the Sentinel Control Center.

  4. In the toolbar, click Event Source Management > Live View.

1.3.2 Viewing Data in Event Source Management

In Event Source Management, you can view configuration data in different views:

Graphical ESM View

The graphical view is the default view in Event Source Management. In the graphical view, you can view the status of a Collector and access the configuration settings of Collectors and Collector objects as a graph of connected nodes.

Figure 1-1 Graphical View

By default, the Health Monitor Display frame is shown in the graphical view. The data can be displayed in several different layouts; the default graph layout is Hierarchic Left to Right. You can switch between these layouts by selecting the layout format from the drop-down list in the toolbar.

HINT: Click in the graphical ESM view and use the “+” or “-” sign to zoom in or zoom out, or use the mouse wheel to zoom in and zoom out.

In the graphical view, the lines connecting the components are color-coded to indicate data flow.

Green Line: Indicates that data is flowing between the components.

Grey Line: Indicates that the connection is not live and there is no data flow.

Blue dashed Line: Indicates the logical relation of Event Source Servers to their associated Collector Managers and event sources.

To improve the manageability and performance of the graphical display, Sentinel automatically collapses any node with 20 or more immediate children. This is especially useful for Connectors such as Syslog or Novell Audit that have the ability to automatically configure a large number of event sources.

In collapsed state, a node displays the number of immediate children next to the node, such as WMI Connector (3) [Collector name (Number of immediate children)]. The Children panel of a collapsed node shows the immediate children of that node, each of which can be managed in the same way as nodes in the tabular ESM view.

NOTE: Event Source Server nodes do not have the plus or minus sign after their names even if they contain children.

Double-clicking a parent node toggles it between the collapsed and expanded states. Double-clicking a node with no children displays the status details for that node. If an additional node is added to an expanded parent with more than 20 children, the node is collapsed automatically. If an additional node is added to a manually expanded parent with over 20 children, the node is not collapsed automatically.

If a parent node has enough child nodes that expanding it could make the UI unresponsive, the node can take several minutes to expand. An alert message warns you about the delay.

If you choose not to show this message again, the preferences are saved on the machine, and any user logging into Sentinel from that machine does not see an alert again.

Table ESM View

The components visible in the graphical view of ESM can also be viewed in a table. You can view the status of a Collector in the table and access the configuration settings of Collectors and Collector-related objects.

Figure 1-2 Event Source Management Table View

The columns in the ESM table view are:

Configured Status: The On state the object is configured to be in. This is the state that is stored in the database, which does not necessarily match the actual On state of the object. For example, the two states do not match if a parent object is turned off or if there is an error.

Actual Status: The On state of the object as reported by the actual running Collector Manager.

Connection Info (populated for Event Sources only): A text description of the event source connection.

Error: A text description of an error that occurred in the running object.

HINT: Use the Table and Graph tabs to change to tabular and graphical views.

How the Components Are Displayed

ESM displays the information on the Collectors and other components in a hierarchy specific to ESM.

Table 1-1 Components of the ESM Hierarchy

Sentinel

The single Sentinel icon represents the main Sentinel Server that manages all events collected by the Sentinel system.

The Sentinel object is installed automatically through the Sentinel installer.

Collector Manager or the Sentinel Server

The Collector Manager display name in the ESM is Sentinel Server.

Each icon represents another instance of a Collector Manager process. Multiple Collector Manager processes can be installed throughout the enterprise. As each Collector Manager process connects to Sentinel, the objects are automatically created in ESM.

Collector

Collectors instantiate the parsing logic for data from a particular event source. Each Collector icon in ESM refers to a deployed Collector script as well as the runtime configuration of a set of parameters for that Collector.

Connector

Connectors are used to provide the protocol-level communication with an event source, using industry standards like Syslog, JDBC, and so forth. Each instance of a Connector icon in ESM represents the Connector code as well as the runtime configuration of that code.

Event Source Server

An Event Source Server (ESS) is considered part of a Connector, and is used when the data connection with an event source is inbound rather than outbound. The ESS represents the daemon or server that listens for these inbound connections. The ESS caches the received data, and one or more Connectors connect to the ESS to retrieve a set of data for processing. The Connector requests only the data from its configured event source (defined in the metadata for the event source) that matches additional filters.

Event Source

The event source represents the actual source of data for Sentinel. Unlike other components, this is not a plug-in, but is a container for metadata, including runtime configuration about the event source. In some cases a single event source can represent many real sources of event data, such as if multiple devices are writing to a single file.

Component Status Indicators

Indicators are used to represent various states as follows:

Table 1-2 Component Status Indicators

Stopped

Indicates that the component is stopped.

Running

Indicates that the component is running.

Warning

Indicates that a warning is associated with the component. At this time, this warning indicator is primarily used to show when the configured state and actual state of a component differ. (That is, a component is configured to be running, but the actual state of the component is stopped.)

Error

Indicates that an error is associated with the component. See the individual component’s status display for details about the error.

Reporter Time is Skewed

Indicates when the time of a component differs from the main server’s time. (The difference is greater than a predefined time threshold.)

Debug

Indicates that the component is in Debug mode. Only a Collector can be in Debug mode.

Unknown

Indicates that the status of the object in the ESM panel is not yet known.

Right-Click Menus

The Health Monitor Display view provides a set of right-click menus that help you execute a set of actions, as described below:

The right-click actions available depend on the object you click.

Status Details: View all information known about the status of the selected object.

Start: Run an object.

    The selected object starts only after its parent node starts and is running.

Stop: Stops the running object.

Edit: Modifies the editable information (Filter information, Object name and so on).

Debug: Debugs the Collector. You must stop the running Collector before you debug it.

Move: Moves the selected object from its current parent object to another parent object. You can move objects from a Live View to the scratch pad and vice versa.

Clone: Creates a new object that has its configuration information prepopulated with the settings of the currently selected object. This allows you to quickly create a large number of similar event sources without retyping the same information over and over again. You can clone objects from Live View to the scratch pad and vice versa. Cloning an object copies all the settings except the Run status. New objects created using the Clone command are always in the Stopped state after creation.

Remove: Deletes a selected object from the system.

Contract: Collapses the child nodes into this node. This option is only available on parent nodes that are currently expanded.

Expand: Expands the child nodes of this node. This option is only available on parent nodes that are currently collapsed.

Add Collector: Opens an Add Collector Wizard that guides you through the process of adding a Collector to the selected Collector Manager.

Add Connector: Opens an Add Connector Wizard that guides you through the process of adding a Connector to the selected Collector.

Add Event Source: Opens an Add Event Source Wizard that guides you through the process of adding an event source to the selected Connector.

Open Raw Data Tap: Lets you view the live stream of raw data from an event source or flowing through the selected object.

Open Active View: Opens an Active View window that displays only events that have been generated by data from or flowing through the selected object.

Zoom: In the graphical view, zoom in on the selected object.

Show in Tabular/Graphical View: Lets you switch between the graphical view and the tabular view and automatically selects the object that is selected in the current view. When switching to the graphical view, it also zooms in on the selected object.

Raw Data Filter: Filters the raw data flowing through the selected node. The raw data filter is available on Collectors, Connectors, and event sources. If a filter specifies to drop data, the data to be dropped is not passed to the parent node and is not converted into events.

Import Configuration: Imports the configuration of ESM objects.

Export Configuration: Exports the configuration of ESM objects.

Add Event Source Server: Adds an Event Source Server to the selected Collector Manager.

Add Collector Manager: In Scratch pad mode, you can add a Collector Manager to the scratch pad by using this option. In the Live view, Collector Manager objects are created automatically as each Collector Manager connects to the Sentinel system.

When you select multiple objects in the ESM panel and right-click, the following options are available:

Start: Starts all objects

Stop: Stops all objects

Remove selected objects: Removes the selected objects along with their children.

1.3.3 Searching for Event Sources

You can use the Attribute Filter panel to search for event sources.

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. In the Attribute Filter panel, use the following information to display objects you want:

    Search: Specify the name of the objects you want displayed.

    Limit to: Select the types of objects to display.

    Status: Select the status of the objects to display.

    As you define each filter, the display is automatically updated.

1.3.4 Installing Plug-Ins

Although some Sentinel components are preinstalled with the Sentinel system, you should also check the Sentinel Plug-ins Web site to download the latest versions of the plug-ins.

Installing a Connector Plug-In

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. In the toolbar, click Tools > Import plug-in.

  3. Select Import Collector Script or Connector plug-in package file (.zip, .clz, .cnz).

  4. Click Next.

  5. Click Browse.

  6. Browse to and select the Connector plug-in package file, then click Open.

  7. Click Next.

  8. (Conditional) If the Connector already exists in the plug-in repository, replace the existing plug-in with the new one by clicking Next.

  9. (Conditional) In the plug-in details window, select Deployed Plug-ins to deploy the plug-in from this window.

    For more information, see .

  10. Click Finish.

    When you add a plug-in to Sentinel, it is placed in the plug-in repository, which enables Sentinel components on other machines to start using the plug-in without adding the plug-in separately.

Installing a Collector Plug-In

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. In the toolbar, click Tools > Import plug-in.

  3. Select Import Collector Script or Connector plug-in package file (.zip, .clz, .cnz).

    or

    Select Import Collector Script from directory.

  4. Click Next.

  5. Click Browse.

  6. Browse to and select the Collector script from a file or directory, then click Open.

  7. Click Next to display the plug-in details window.

  8. Select Deploy Plug-in to deploy the plug-in from this window.

    For more information on the deployment procedure, see .

  9. Click Finish.

1.3.5 Updating a Connector or a Collector Plug-In

If a new version of a Connector or Collector is released, you can update the Sentinel system and any deployed instances of the Connector or Collector.

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. In the toolbar, click Tools > Import plug-in.

  3. Select Import Collector Script or Connector plug-in package file (.zip, .clz, .cnz).

    or

    Select Import Collector Script from directory.

  4. Click Next.

  5. Click Browse.

  6. Browse to and select the Connector or Collector plug-in package file, then click Open.

  7. Click Next.

  8. Click Next to update an already-imported Connector or Collector.

  9. In the plug-in details window, select Update Deployed Plug-ins to update any currently deployed plug-ins that use this Connector or Collector.

  10. Click Finish.

When you add a plug-in to Sentinel, it is placed in the plug-in repository, which enables Sentinel components on other machines to start using the plug-in without adding the plug-in separately.

1.3.6 Adding Components to Sentinel

After the plug-ins are installed in the Event Source Management, you must add the different components to your Sentinel solution.

Adding a Collector

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. In the main ESM display, locate the Collector Manager where the Collector will be associated.

  3. Right-click the Collector Manager, then select Add Collector.

  4. Follow the prompts in the Add Collector Wizard.

    These prompts are unique for each Collector. For details, see the specific Collector documentation at the Sentinel Plug-ins Web page.

  5. Click Finish.

The Collector script enables the ESM panel to prompt you for parameter values and enables Event Source Management to automatically select supported connection methods that work well with the Collector script.

Adding a Connector

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. In the main ESM display, locate the Collector where the new Connector will be associated.

  3. Right-click the Collector, then select Add Connector.

  4. Follow the prompts in the Add Connector Wizard.

    These prompts are unique for each Connector. For details, see the specific Connector documentation at the Sentinel Plug-ins Web page.

  5. Click Finish.

Adding an Event Source

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. In the main ESM display, locate the Connector where the new event source will be associated.

  3. Right-click the Connector, then select Add Event Source.

    These prompts are unique for each event source that is associated with the Connector. For details, see the specific Connector documentation at the Sentinel Plug-ins Web page.

  4. Follow the prompts in the Add Event Source Wizard.

  5. Click Finish.

Adding an Event Source Server

Certain event source Connectors (such as the Syslog Connector) require a process to collect data from the actual data source. These processes are called Event Source Servers. They collect data from the data source and then serve it to the event source Connector. Event Source Servers must be added and associated to any event source Connectors that require a server.

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. Right-click the Collector Manager, then select Add Event Source Server.

  3. Select a Connector that supports your device, then click Next.

    If no Connector in the list supports your device, click Install More Connectors. For more information on installing a Connector plug-in, see Installing a Connector Plug-In.

  4. Configure the parameters for the server that is associated with the selected Connector (for example, the Syslog Connector or the NAudit Connector).

    These parameters are unique for each Connector. For details, see the specific Connector documentation at the Sentinel Plug-ins Web page.

  5. Click Next.

  6. Specify a name for the Event Source Server.

  7. (Optional) If you want this server to run, select Run.

  8. Click Finish.

    In the Health Monitor Display frame, the Event Source Server is displayed with a dashed line showing which Collector Manager it is associated with.

This Add Event Source Server Wizard can also be initiated from within the Add Connector Wizard if a compatible Event Source Server has not yet been added.

1.3.7 Connecting to Event Sources

There are many different ways to add an event source. The following procedures walk you through the process.

Prerequisites

Make sure you have the following prerequisites:

Collector Script: Collector scripts can be downloaded from the Sentinel Plug-ins Web site or built with the Collector Builder.

Connector: Connectors can be downloaded from the Sentinel Plug-ins Web site. There are also some Connectors included in the installed Sentinel system, but there might be more recent versions on the Web site.

Documentation: Check the documentation for each Connector and Collector, because they have different configuration steps for the event source. The documentation is located on the Sentinel Plug-ins Web site. Make sure you download the documentation when you download the Connector and Collector.

Event Source Configuration: You must have configuration information for the event source.

Connecting to the Event Source

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. In the toolbar, click Tools > Connect to Event Source.

    The event source types for which compatible Collector parsing scripts are available are listed here.

  3. Select the desired Event Source.

    You can click Add More to import an event source not listed.

  4. After the event source is selected, click Next.

  5. Select a Collector script from the list.

    You can click Install More Scripts to install additional Collector scripts that support your Event Source.

    For more information on installing a Collector script, see Installing a Collector Plug-In.

  6. Click Next.

  7. Select a connection method from the list.

    There are many different types of Connectors. Depending on the type of Connector you select, there are additional configuration screens.

    You can click Install More Connectors to install additional Connectors.

    For more information on installing Connectors, see Installing a Connector Plug-In.

  8. Click Next.

  9. Use the following information to select how to manage the event source connection, then proceed to Step 10.

    Based on the existing Collectors and Connectors in your system that are compatible with your new event source, one or more of these options might be unavailable.

  10. Use the following information to configure the event source:

    Name: Specify a unique name for the event source.

    Run: Select Run if you want the event source to run automatically.

    Details: Allows you to see the details of the plug-in.

    Alert if no data received in specified time period: Select this option to receive notifications if no data is received during the specified time period.

    Limit Data Rate: Use this option to limit the maximum number of records the Connector receives per second.

    Trust Event Source Time: (Optional) Select this option to set the event time to the time the event occurred, rather than the time Sentinel received the data.

    You can also set this option while configuring an event source. If the Trust Event Source Time option is selected, all data flowing through the Collector has the event time set to the time the event occurred, even if the event sources do not have this option selected.

    Set Filters: Allows you to set filters on the data in the event source.

  11. Click Next.

  12. Click Test Connection to test the event source.

    1. Click the Data tab to view the data in the event source.

      It takes a few seconds for the raw data to be displayed in the Data tab.

    2. Specify the maximum number of rows to control the number of raw data records obtained at one time.

    3. Click the Error tab to view if there are any errors in the configuration of the event source.

    4. Click Stop to stop the test.

  13. Click Finish.

The Collector parsing script is executed on the same system as the Collector Manager that you select here.

Creating a New Collector and Connector

Use the following information to create a new Collector and Connector to manage the event source connection. This procedure is a continuation of Step 9.

  1. Select Create a new Collector and Connector, then click Next.

  2. Select the Collector Manager you want to use, then click Next.

  3. Change any of the Collector properties, then click Next.

  4. Use the following information to configure the Collector:

    Name: Specify a unique name for the Collector.

    Run: Select Run if you want to run the Collector automatically.

    Details: Allows you to view the details of the plug-in.

    Alert if no data received in specified time period: Select this option to receive notifications if no data is received during the specified time period.

    Limit Data Rate: Use this option to limit the maximum number of records the Collector receives per second.

    Trust Event Source Time: (Optional) Select this option to set the event time to the time the event occurred, rather than the time Sentinel received the data.

    You can also set this option while configuring an event source. If the Trust Event Source Time option is selected, all data flowing through the Collector has the event time set to the time the event occurred, even if the event sources do not have this option selected.

    Set Filters: Allows you to set filters on the data in the Collector.

  5. Click Next.

    There is a different configuration page displayed depending on the type of Connector you selected in Step 7. For the Connector-specific documentation, see the Sentinel Plug-ins Web site.

  6. Use the following information to configure the Connector:

    Name: Specify a unique name for the Connector.

    Run: Select Run if you want to run the Connector automatically.

    Details: Allows you to view the details of the plug-in.

    Alert if no data received in specified time period: Select this option to receive notifications if no data is received during the specified time period.

    Limit Data Rate: You can limit the maximum number of records the Connector receives per second.

    Set Filters: Allows you to set filters on the data in the Connector.

    Copy Raw Data to a file: Select this option, then specify a location where you want to copy the raw data coming from the event source.

  7. Click Next, then continue with Step 10.

Using an Existing Collector

If you are using an existing Collector, but want to create a new Connector to manage the Event Source connection, use the following information to complete the procedure from Step 9.

  1. Select Use an Existing Collector, then click Next.

  2. Select the Collector you want to use, then click Next.

    There is a different configuration page displayed depending on the type of Connector you selected in Step 7. For the Connector-specific documentation, see the Sentinel Plug-ins Web site.

  3. Use the following information to configure the Connector:

    Name: Specify a unique name for the Connector.

    Run: Select Run if you want to run the Connector automatically.

    Details: Allows you to view the details of the plug-in.

    Alert if no data received in specified time period: Select this option to receive notifications if no data is received during the specified time period.

    Limit Data Rate: Use this option to limit the maximum number of records the Connector receives per second.

    Set Filters: Allows you to set filters on the data in the Connector.

    Copy Raw Data to a file: Select this option, then specify a location where you want to copy the raw data coming from the event source.

  4. Click Next, then continue with Step 10.

Using an Existing Connector

If you are using an existing Connector, but want to create a new Collector to manage the event source connection, use the following information to continue the procedure from Step 9.

  1. Select Use an Existing Connector, then click Next.

  2. Select the Collector Manager you want to use, then click Next.

  3. Change any of the Collector properties, then click Next.

  4. Use the following information to configure the Collector:

    Name: Specify a unique name for the Collector.

    Run: Select Run if you want to run the Collector automatically.

    Details: Allows you to view the details of the plug-in.

    Alert if no data received in specified time period: Select this option to receive notifications if no data is received during the specified time period.

    Limit Data Rate: Use this option to limit the maximum number of records the Collector receives per second.

    Trust Event Source Time: (Optional) Select this option to set the event time to the time the event occurred, rather than the time Sentinel received the data.

    You can also set this option while configuring an event source. If the Trust Event Source Time option is selected, all data flowing through the Collector has the event time set to the time the event occurred, even if the event sources do not have this option selected.

    Set Filters: Allows you to set filters on the data in the Collector.

  5. Click Next, then continue with Step 10.
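The Trust Event Source Time precedence rule (the Collector-level option overrides the per-event-source setting) and the "Alert if no data received in specified time period" option appear in the Connecting to the Event Source and Collector configuration steps above. The following is an added JavaScript example that models those two rules; it is not a Sentinel Collector script or any part of the product, and the Collector and source configurations, the record format, the 300-second alert window and the 60-second skew threshold are constructed assumptions.

```javascript
// Added example (not Sentinel code): models the Trust Event Source Time precedence and the
// "Alert if no data received" check described in this section. The configuration values,
// record shape, skew threshold and alert window are constructed assumptions.

// Constructed Collector-level options, mirroring the wizard's Collector configuration page.
const collectorConfig = {
  name: "Syslog Collector (constructed)",
  trustEventSourceTime: true,      // Collector-level Trust Event Source Time
  alertIfNoDataSeconds: 300,       // assumed value for the no-data alert window
};

// Constructed per-event-source options. dns01 never sends anything in the sample below.
const sourceConfigs = {
  fw01:  { trustEventSourceTime: false },
  vpn01: { trustEventSourceTime: true },
  dns01: { trustEventSourceTime: false },
};

// Constructed raw records: the time the source reported versus the time Sentinel received it.
// vpn01's clock is 45 minutes behind, the situation the Reporter Time is Skewed indicator flags.
const sampleRecords = [
  { source: "fw01",  sourceTime: "2024-05-01T10:00:00Z", receivedTime: "2024-05-01T10:00:02Z" },
  { source: "vpn01", sourceTime: "2024-05-01T09:15:00Z", receivedTime: "2024-05-01T10:00:05Z" },
];

// Precedence rule from the text: if the Collector has Trust Event Source Time selected, every
// record flowing through it takes the source's time, even when the event source itself does
// not have the option selected. Otherwise the per-source setting decides, and the fallback
// is the time Sentinel received the data.
function effectiveEventTime(collectorCfg, sourceCfg, record) {
  const trust = collectorCfg.trustEventSourceTime || sourceCfg.trustEventSourceTime;
  return new Date(trust ? record.sourceTime : record.receivedTime);
}

// Absolute difference, in seconds, between the source-reported time and the receipt time.
function skewSeconds(record) {
  return Math.abs(Date.parse(record.sourceTime) - Date.parse(record.receivedTime)) / 1000;
}

// Tag each record with the event time that would be stored and whether its clock skew exceeds
// the threshold (60 s here is an assumption; the product uses its own predefined threshold).
function tagRecords(collectorCfg, sourceCfgs, records, skewThresholdSeconds = 60) {
  return records.map((r) => ({
    source: r.source,
    eventTime: effectiveEventTime(collectorCfg, sourceCfgs[r.source], r).toISOString(),
    skewed: skewSeconds(r) > skewThresholdSeconds,
  }));
}

// "Alert if no data received in specified time period": return the names of configured
// sources whose most recent record is older than the window at the time of the check,
// including sources that have never sent anything.
function noDataAlerts(collectorCfg, sourceCfgs, records, now) {
  const lastSeen = {};
  for (const r of records) {
    const t = Date.parse(r.receivedTime);
    lastSeen[r.source] = Math.max(lastSeen[r.source] || 0, t);
  }
  const windowMs = collectorCfg.alertIfNoDataSeconds * 1000;
  return Object.keys(sourceCfgs).filter(
    (name) => lastSeen[name] === undefined || now.getTime() - lastSeen[name] > windowMs
  );
}

// Stand-alone run over the constructed sample.
console.log(tagRecords(collectorConfig, sourceConfigs, sampleRecords));
console.log(noDataAlerts(collectorConfig, sourceConfigs, sampleRecords,
                         new Date("2024-05-01T10:04:00Z")));
```

With the Collector-level option off, fw01 falls back to the receipt time while vpn01 keeps its source time, which is the per-source behaviour the text describes.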

1.3.8 Exporting Configurations

Event Source Management allows you to export the configuration of Event Source Management objects along with the associated Collector scripts and the Connector plug-ins.

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. Click File > Export Configuration.

    or

    Right-click an object, then click Export Configuration.

  3. Select which nodes you want to export, then click Next.

  4. Select the Collector scripts to export, then click Next.

  5. Select the Connector plug-ins to export, then click Next.

  6. Click Browse, then browse to a location to save the export.

  7. Specify a file name, then click Save.

    The export information is saved as a .zip file.

  8. Click Next.

  9. Review the items to be exported, then click Finish.

1.3.9 Importing Configurations

Event Source Management allows you to import the configuration files that you export. The configuration files contain configuration information for Event Source Management objects along with the associated Collector scripts and Connector plug-ins.

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. Click File > Import Configuration.

  3. Click Browse and browse to and select the configuration file, then click Open.

    The configuration files are .zip files.

  4. Click Next.

  5. Select the nodes to import, then click Next.

  6. Select the Collector scripts to import, then click Next.

  7. Select the Connector plug-ins to import, then click Next.

  8. Review the items to import, then click Finish.

1.3.10 Debugging

Sentinel's Collectors are designed to be easily customizable and to be created by customers and partners. The debugging interface analyzes the Collector code running in place on the Collector Manager.

For more information on customizing or creating new Collectors, obtain the Developer's Kit for Sentinel at the Sentinel SDK Web site.

Collector Workspace and Collector Directory

Collectors are simple text scripts that are run by a Collector Manager. The handling of these scripts is a bit complex:

  1. The code for all Collectors is stored in a plug-in repository on the central Sentinel server when the Collectors are imported.

    Location: sentinel/data/plugin_repository on the Sentinel server.

  2. The runtime configuration for the Collector (when it is configured to run on a particular Collector Manager) is stored separately in the Sentinel database.

  3. When a Collector is actually started in the Collector Manager, the Collector plug-in is deployed to the Collector Manager, the runtime configuration is applied, and the code is started. Any pre-existing instance of the Collector code on that Collector Manager is overwritten.

    Location: sentinel/data/collector_mgr.cache/collector_instances on each Collector Manager.

  4. In order to edit a Collector, you need to use the ESM Debugger Download button, which copies the Collector to the local Collector workspace on the client machine (the machine where you are running SCC). Edits are made against that local copy and then uploaded back into the central plug-in repository.

    Location: sentinel/data/collector_workspace on the client application machine.

Debugging JavaScript Collectors

The debugger for JavaScript Collectors can be used to debug any JavaScript Collector.

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. Select a Collector to debug in the Live View.

  3. Select the debug mode:

    Live Mode: Requires that the Collector Manager is currently running. For more information, see Live Mode.

    Stand-alone Mode: Allows you to run the Collector in debug mode without a Collector Manager running. For more information, see Stand-alone Mode.

  4. Right-click the Collector and select Stop, then click Debug.

The following describes the controls in the JavaScript debug window:

Debug: Launches the JavaScript file in this window.

Upload/Download: Upload or download a JavaScript file here. You can download an existing JavaScript file, edit it, and upload it again to continue debugging.

Context: Displays the variable that the debugger is pointing to and its value.

Expression: Watch the values of a selected parameter here.

You can use the following options when debugging a Collector:

Run: Starts debugging, or continues execution until the next breakpoint.

Pause: Pauses debugging at the current line.

Step Into: Executes the next line of the script, entering a function if that line calls one.

Step Over: Executes the next line of the script without entering any function it calls.

Step Out: Runs until the current function returns, then pauses in the caller.

Stop: Stops debugging.

Hot Keys

When the source code window has the focus in the debugger, you can use the following hot keys:

  • Ctrl+F to find a string in the source code

  • Ctrl+G to go to a line number

  • Ctrl+M to find the parenthesis or brace that matches the selected parenthesis or brace

You can also open a script file, set breakpoints, step through the script code, and watch the values of variables and method calls at each step.

Live Mode
  • Live debug mode requires that the Collector Manager associated with the Collector is running.

  • In Live debug mode, input to the script comes from the actual event sources connected to the Collector. To get data from a specific event source, right-click that event source in the Event Source Management display and start it. Event sources can be started or stopped at any time during the debug session.

    If no event source is started during the debug session, no data is available in the Collector's buffer and the Collector script blocks in its readData method.

  • In Live debug mode, output from the script is emitted as live Sentinel Events, which can be viewed on the Active Views display.

    In Live debug mode, the script engine runs on the local computer (the machine running SCC) rather than on the computer that hosts the associated Collector Manager. The Connectors and event sources still run on the Collector Manager machine; while the debug session is active, data is routed automatically from the event sources to the script engine running in debug on the local machine, so raw event data is processed on the client workstation for the duration of the session.

Stand-alone Mode
  • Stand-alone debug mode allows you to debug a Collector even if the associated Collector Manager is not running.

  • In stand-alone mode, input to the script comes from an input file rather than from a live event source. Specify the path to a raw data file to use as input. For a Collector that uses a DB Connector, the input file is a text file with log data in nvp (name-value pair) format; for a Collector that uses the File Connector, the input file is a text file with log data in CSV format.

  • In stand-alone mode, output from the script is written to an output file rather than emitted as live events. You must specify the path to the output file that the script uses for output. If you specify an output file that does not exist, the system creates it for you.
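Because a stand-alone session is only as good as the raw data file you feed it, it is worth validating that file before stepping through the Collector. The following is an added example, not code from the Sentinel product or its documentation: two small JavaScript parsers for the two input formats named above (nvp for DB Connector Collectors, CSV for File Connector Collectors) and a checker that reports which lines of a file would not parse. The page does not define either format beyond its name, so the nvp layout (whitespace-separated name=value pairs, optionally double-quoted values with \" as an escaped quote) and the RFC 4180-style CSV rules are assumptions, and the sample records are constructed.

```javascript
'use strict';
// Added example, not code from the Sentinel product or its documentation: two
// small parsers for the raw-data formats the stand-alone debugger reads, plus a
// checker that reports which lines of an input file would not parse.
// Assumed formats (the page names them but does not define them): nvp is one
// record per line of whitespace-separated name=value pairs, values optionally
// double-quoted with \" as an escaped quote; CSV is RFC 4180 style with "" as
// an escaped quote inside a quoted field.

// Parse one nvp record into an object; throws on malformed input.
function parseNvpLine(line) {
  const rec = {};
  let i = 0; const n = line.length;
  while (i < n) {
    if (/\s/.test(line[i])) { i++; continue; }
    const nameStart = i;
    while (i < n && /[\w.-]/.test(line[i])) i++;
    if (i === nameStart || line[i] !== '=') {
      throw new Error(`expected name= at offset ${nameStart}`);
    }
    const name = line.slice(nameStart, i);
    i++; // skip '='
    let value;
    if (line[i] === '"') {
      i++;
      let buf = '', closed = false;
      while (i < n) {
        const c = line[i++];
        if (c === '\\' && i < n) { buf += line[i++]; continue; } // escaped char
        if (c === '"') { closed = true; break; }
        buf += c;
      }
      if (!closed) throw new Error(`unterminated quoted value for ${name}`);
      value = buf;
    } else {
      const valueStart = i;
      while (i < n && !/\s/.test(line[i])) i++;
      value = line.slice(valueStart, i);
    }
    rec[name] = value;
  }
  return rec;
}

// Parse one CSV record into an array of fields; throws on an open quote.
function parseCsvLine(line) {
  const fields = [];
  let field = '';
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (inQuotes) {
      if (c === '"' && line[i + 1] === '"') { field += '"'; i++; } // "" -> "
      else if (c === '"') inQuotes = false;
      else field += c;
    } else if (c === '"' && field === '') {
      inQuotes = true;
    } else if (c === ',') {
      fields.push(field);
      field = '';
    } else {
      field += c;
    }
  }
  if (inQuotes) throw new Error('unterminated quoted field');
  fields.push(field);
  return fields;
}

// Check a whole raw-data file (as a string) before feeding it to the debugger:
// returns the parsed records and the lines that would not parse.
function checkRawData(text, format) {
  const parse = format === 'nvp' ? parseNvpLine : parseCsvLine;
  const result = { records: [], errors: [] };
  text.split(/\r?\n/).forEach((line, idx) => {
    if (line.trim() === '') return; // blank lines carry no record
    try {
      result.records.push(parse(line));
    } catch (e) {
      result.errors.push({ line: idx + 1, reason: e.message });
    }
  });
  return result;
}

// Constructed sample input (not captured from any real system); line 3 of each
// sample is deliberately malformed so the checker has something to report.
const SAMPLE_NVP = [
  'ts=2024-05-01T10:00:00Z host=db01 user=alice action=login result=success',
  'ts=2024-05-01T10:00:05Z host=db01 user=bob action=login result=failure msg="bad password for \\"bob\\""',
  'ts=2024-05-01T10:00:09Z host=db01 user=carol msg="unterminated',
].join('\n');
const SAMPLE_CSV = [
  '2024-05-01T10:00:00Z,fw01,ACCEPT,10.0.0.5,203.0.113.9,443',
  '2024-05-01T10:00:01Z,fw01,DROP,10.0.0.7,"198.51.100.2, port scan",22',
  '2024-05-01T10:00:02Z,fw01,DROP,10.0.0.8,"open quote,22',
].join('\n');

for (const [format, text] of [['nvp', SAMPLE_NVP], ['csv', SAMPLE_CSV]]) {
  const { records, errors } = checkRawData(text, format);
  console.log(`${format}: ${records.length} record(s) parsed; bad lines: ${JSON.stringify(errors)}`);
}
```

Running the check before the debug session tells you which lines the Collector will never see a clean record for, so a readData that appears to hang or a parse step that misfires can be traced to the input file rather than to the script. If the Collector you are debugging documents a stricter or different layout, adjust the two parsers to match it rather than the other way round.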

To debug in Stand-alone mode:

  1. In Event Source Management, right-click the Collector to debug.

  2. Select Stop.

  3. Select Debug.

  4. Select Stand-alone Mode, then specify a path for the input and output files.

    If you specify an output file that does not exist, the system creates the file for you.

  5. Click OK to display the Debug Collector window.

  6. In the Debug Collector window, click Run.

    In the Source text area, the source code of the Collector appears and execution stops at the first line of the script.

  7. Click in the left margin next to a line of the script to toggle a breakpoint on that line.

  8. Click Step Into to execute the script one line at a time, or click Run to continue to the next breakpoint.

  9. Click Pause to pause debugging whenever you want.

  10. After debugging is complete, click Stop to stop debugging.

  11. Click the Upload/Download tab in the debugger window.

  12. Click Download, then specify a location to download the script file.

  13. Open the file with any JavaScript editor, then make your edits.

  14. Save the file, then click Upload.

  15. Debug the uploaded script again, and repeat the edit-upload-debug cycle until the Collector script is ready to use.

Generating a Flat File using the Raw Data Tap

Occasionally when debugging, it might be helpful to view Connector output data. In addition to the Raw Data Tap right-click option for nodes in the Sentinel Control Center, Sentinel also includes an option to save the raw data from a Connector to a file for further analysis.

To save raw data from a deployed Connector to a file:

  1. Access Event Source Management.

    For more information, see Section 1.3.1, Accessing Event Source Management.

  2. Right-click the Connector node, then click Edit.

  3. Click the Configure Connector tab.

  4. Select Copy Raw Data to a file.

  5. Specify (or browse to and select) a path on the Collector Manager machine where the raw data is saved.

IMPORTANT:The account running the Sentinel service on the Collector Manager machine must have permission to write to the file location. The file receives the unfiltered Connector output, which can contain sensitive data from the event source, so place it in a directory that other accounts on the machine cannot read, and remove it when the analysis is finished.

1.3.11 Troubleshooting

If the help does not launch, delete the cached files on the local machine that is running Event Source Management:

  1. Exit Event Source Management and the Sentinel Control Center.

  2. On the local machine running Event Source Management, search for the .novell directory.

  3. Delete the sentinel subdirectory in the .novell directory.

  4. Launch Event Source Management, then click Help.

    For more information, see Section 1.3.1, Accessing Event Source Management.