Novell is now a part of OpenText

NetIQ Plug–in SDK



NetIQ has provided this Plug-in SDK to assist customers and partners with easy development of plug-ins to enhance and extend the functionality of Sentinel. The SDK is provided free of charge, but note that all documentation and components provided through this site are covered under the Novell Developer License Agreement unless more specific license terms are included with a particular component.

We encourage anyone interested in the SDK to join the Plug-in SDK Support Forum and contribute to the discussion there.

-+ Intended Audience

This SDK supports the development of plug-ins for Sentinel 6.1.x, RD 6.1.x, Sentinel 7.x, and Sentinel Log Manager 1.x (and also Identity Manager 4.x, but see below), although not all plug-in types are supported on all platforms.

  • Report Plug-ins developed using this SDK are based on the Jasper report framework, and hence won't work on Sentinel 6.1.x.
  • Solution Pack Plug-ins developed using this SDK will work on most platforms, but not all content can be imported by each platform (each Report Plug-in, for example, declares what platforms it will run correctly on). Native support for bulk-loading Report Plug-ins stored in Solution Packs was added in Sentinel Log Manager 1.1; if you have an earlier version an extraction utility is provided on the Plug-ins download site to assist you.
  • Identity Manager 4.x embeds a version of Sentinel RD called EAS but since the standard Sentinel UI is hidden, IDM provides some of their own utilities to create and package Report Plug-ins. You can create IDM reports using this SDK as well, but in general NetIQ recommends that you use the IDM tools. Using this SDK to develop IDM reports directly is not documented here, and may not be officially supported by Identity Manager.

This SDK (with some local extensions) is used by NetIQ to develop all plug-ins shipped for Sentinel, and is also used by NetIQ Consulting, sales engineers, partners, and many customers to develop custom plug-ins for a wide variety of environments. All the modifiable code is visible and editable, so users can create new plug-ins, customize existing ones, and/or borrow code from one or more other plug-ins to create a new one. We have attempted to make the most common modifications — slight adjustments to Collector parsing logic, changes to Report filters and displayed data, and so forth — relatively simple to do (and simple to disable for testing purposes), with more extensive modifications requiring deeper knowledge of the SDK and Sentinel. Plug-ins developed by any method are essentially no different than anyone else's plug-ins, although local extensions are supported: the NetIQ Engineering team, for example, has extended the SDK to sign the included JARs and compress the API-level JavaScript.

Required Skills

The skills required to develop plug-ins using this SDK vary depending on the type of plug-in and how extensively the basic template (or existing plug-in) will be customized. In general:

  • Report Plug-ins require familiarity with SQL and/or Lucene queries, depending on which data store will be queried (SLM and Sentinel 7.x use Lucene for storing events; other platforms use a SQL database; all platforms use a SQL database for storing configuration and enhanced metadata).
    SQL queries
    Sentinel platforms primarily use PostgreSQL; refer to that product's documentation for information on SQL syntax. You can also look at existing reports for examples of practical SQL queries and draw from those examples.
    Lucene queries
    Sentinel uses Lucene syntax with some extensions to form search queries; see the documentation for details. For reporting purposes, the Lucene syntax has been extended with some simple SQL-like semantics to allow for selecting specific columns, restricting the query by time range, and grouping and sorting options (none of which are available in the base Lucene language). These extensions are documented in this SDK documentation, and again existing reports can be examined for examples to draw upon.
  • Report Plug-ins are created and modified using iReport, provided by JasperSoft.
    This report design software is shipped by JasperSoft; they sell a full PDF manual but also have some basic information and tutorials online.
  • Solution Packs are created and modified using Solution Designer, part of the Sentinel system (but not included with Log Manager).
    Solution Designer
    This client application is shipped with Sentinel (but not Sentinel Log Manager); see the documentation for information.
  • Solution Packs allow you to assemble sets of Sentinel content, so if your Solution will require correlation rules, custom Actions, etc then familiarity with those technologies will be required.
    Correlation rules
    Information about writing correlation rules can be found in the Sentinel 7 documentation.
  • Collectors and Actions are built using JavaScript, hence familiarity the the JavaScript language is usually required (some common tasks are performed using simple CSV map files and property files, so minor customizations may not require such knowledge).
    Although we have not personally read it, this digital book has been mentioned as an excellent resource to start learning about JavaScript. The w3schools site is also a good reference source.

In general, in this SDK we attempt to eliminate the complexity of constructing a plug-in from the ground up, so that users can focus on the task at hand, such as parsing or displaying data. That said, writing a plug-in to perform some complex task — like dealing with a complicated stateful event source or doing deep analysis on report data — will still require architecture and systems integration skills.

Most other relevant information should be contained here in the SDK documentation; if you find some information missing or find another external resource that you can recommend, please mention it on the forum!

-+ Installation and Configuration of the SDK

The NetIQ Plug-in SDK is delivered in two parts: an Eclipse-based Integrated Developer Environment (IDE, a client application that helps you create, edit, and build your plug-ins), and a source code repository that contains the build scripts, templates, and many sample plug-ins (including the source for most of the plug-ins shipped with Sentinel).

The SDK is supported on Linux and Windows, but has been partially tested on MacOS as well. For the most part, platform dependencies are really based on what Eclipse is supported on — virtually all of the build tools use Ant, which is built into Eclipse.

The SDK is a developer toolkit, and some basic developer knowledge will be required (see Intended Audience, above). To proceed with the installation, visit our SDK Installation and Configuration page. If you have any issues getting your SDK up and running, please post questions to the forum.

-+ Using the Plug-in SDK to Develop Plug-ins

-+ Support and Feedback

The Sentinel Plug-In SDK includes libraries and code developed by NetIQ Engineering, as well as template and sample code which you can use to begin developing your own projects. Please ensure, however, that you understand the support policy:

  • NetIQ recommends that you take advantage of the Plug-in SDK Support Forum for support, advice, and sample code. This is a customer forum, but we do monitor and reply to as many posts as we can.
  • NetIQ officially supports the API (classes, attributes, and methods) documented as part of this SDK. NetIQ does not support any classes or methods developed by customers to extend their solutions.
  • NetIQ officially supports the SDK install, build scripts, template code and layouts for Collectors, Actions and Reports, except for any template code that is in the dev directory for the plug-in itself and is modifiable.
  • NetIQ does not officially support the sample code that is copied into the release.js files and which is editable by the developer.
  • NetIQ will not support any customer- or partner-developed code directly, though NTS will provide guidance on troubleshooting in order to determine whether the bug is in the supported components.
  • Support requests can be filed via the Support portal.

NetIQ strongly encourages SDK users to join the NetIQ Developer Support forum for the Plug-in SDK, where the community can assist in answering your questions.

NetIQ Plug-in SDK Developer Support Forum

-+ Related Sentinel Development Topics

Sentinel Event Schema

A critical part of the Sentinel system is the Event schema into which event records collected from event sources are parsed. Sentinel uses a large event structure with fields to hold a wide variety of event data. The schema is in part inspired by XDAS, but has significant extensions to support SIEM and customization. This section documents the schema and the data contained within each field.

Sentinel Taxonomy

Sentinel uses taxonomic classifications to categorize inbound events; this helps organize and group those events and makes it much easier to search for and analyze the event data. There are three main Sentinel taxonomies, one to categorize the type of activity that took place (the Action taxonomy), one to categorize the outcome or result of that activity (the Outcome taxonomy), and one to categorize the type of device/system which generated the event record (the Device Category taxonomy).

Note that up until Sentinel 6.0, we used an internal, proprietary taxonomy for classification; with Sentinel 6.1 we introduced the industry-standard XDAS taxonomy in parallel with our legacy taxonomy, and defined a one-to-one mapping between the two. The legacy taxonomy is now being phased out with Sentinel 7.

Sentinel Database Views

Sentinel embeds a standard SQL database to store a variety of information; Sentinel 7 and Sentinel Log Manager store only configuration information in a Postgres database, whereas Sentinel 6.1 RD also stores event data in that database. Sentinel 6.1 and previous supported additional databases such as Oracle and Microsoft SQL Server. You can leverage the internal Sentinel database when writing Report plug-ins; see the Report plug-in development section for detail.

Sentinel JavaScript APIs

Sentinel Collectors and Actions use a common JavaScript API that defines classes useful for the parsing and normalization of data and for interacting with Sentinel. Developers can use and extend this API as needed to perform whatever tasks they wish in Sentinel — it is even possible to embed Java classes within these plug-ins as well to support broader functionality.

Note that as of SDK 2011.1, the JavaScript API versioning now follows the SDK versioning, and can be used on more recent versions of Sentinel and Sentinel Log Manager. See the SDK compatibility chart for details.

Sentinel REST APIs

Although not directly related to Plug-in development, the new RESTful APIs introduced with Sentinel 7 do provide new ways to automate Sentinel and deliver data into and out of the product. The REST APIs are documented here and also directly in the product itself; log in to Sentinel and look for the REST documentation under the Help menu.

© Copyright Micro Focus or one of its affiliates