SHA-256 Verification Checksums

Checksum values are used to verify the integrity of downloaded files by allowing you to compare the checksum of the original file against a newly-calculated checksum of the file you just downloaded. The checksums here are calculated using the SHA-256 algorithm. Linux/UNIX and Mac hosts have built-in utilities to calculate and compare checksums (see sha256sum); for Windows, several free utilities are available on the web to help you with this process.

File  SHA-256 checksum
sentinel_server_ha_7.4.0.0.x86_64-0.2303.0.iso 0d9dd97edf10a89e3f8ede6c113584542596886375eb42d03e0d4fb66d9f4415
sentinel_server-7.4.0.0-2303.x86_64.tar.gz 672bb5766e4b4221fcb5ecf077c9c1dfa963d1713b6eb87b9f30385349181c93
sentinel_server_7.4.0.0.x86_64-0.2303.0.iso c2a4df3d8d0550a261fb407a9fcef217af3450fba2171b563e10f8a4e993592f
sentinel_collector_manager_7.4.0.0.x86_64-0.2303.0.iso fd2e62f3eab4e4a7b319747b80699bd176e05418d7f2b756991d77404f7bf143
sentinel_correlation_engine_7.4.0.0.x86_64-0.2303.0.iso 5482e8698c747f41dae7af4b0071462a9151dcaa197349854ada37b4d889ef1c
sentinel_server_7.4.0.0.x86_64-0.2303.0.ovf.tar.gz aac9118efe075c453156ba0c3b4e193f2d5eec68581da76ecdeb9585da3dad5d
sentinel_collector_manager_7.4.0.0.x86_64-0.2303.0.ovf.tar.gz eefe4e1ce17eaa915803b5adabc005ab935ca6c1ba65b97e042828ad926622f3
sentinel_correlation_engine_7.4.0.0.x86_64-0.2303.0.ovf.tar.gz 9d8558757b0e4b73742ecf1f650b23893f5c2416f9bd26b58a935d873f56c5fc
Agent_Manager_7.3.0.516.x86_64.zip b06289a358f496e367200517447a3113e2d059a4ec8818cc41d680fd9b9e8608
sentinel_opensourcecomponents-7.4.0.0-2303.tar.gz 324a9b7e5dba66c70edb313928a35d97af1685250a2c58ca96406249e0f5a9a8
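The following shell script is an added example of the verification step described above; it is not part of this download page or of the Sentinel product. It assumes a Linux/UNIX or Mac host with either sha256sum or shasum available, and it reads a manifest written in the same "filename checksum" order as the table above, so the table can be pasted into a text file as-is. The function names (sha256_of, verify_sha256, verify_manifest) are the example's own.

```shell
#!/bin/sh
# Added example: verify downloaded Sentinel packages against the SHA-256 values
# published on this page. Not part of the original page.

# Print the SHA-256 hex digest of a file, using whichever tool the host has:
# sha256sum (Linux/UNIX) or shasum -a 256 (macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
# Recomputes the digest of FILE and compares it (case-insensitively) with the
# published value. Returns 0 on a match, 1 on a mismatch or a missing file.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "MISSING $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
        return 0
    else
        echo "FAIL    $file (expected $expected, got $actual)" >&2
        return 1
    fi
}

# verify_manifest MANIFEST_FILE [DIR]
# MANIFEST_FILE holds one "filename sha256" pair per line, exactly as listed in
# the table on this page. Files not present in DIR (default: current directory)
# are reported as skipped; any mismatch makes the whole run return 1, so a
# single corrupted download cannot hide behind other successful ones.
verify_manifest() {
    manifest=$1
    dir=${2:-.}
    status=0
    while read -r name hash; do
        [ -n "$name" ] || continue            # blank line
        case $name in \#*) continue ;; esac   # comment line
        if [ -f "$dir/$name" ]; then
            verify_sha256 "$dir/$name" "$hash" || status=1
        else
            echo "SKIP    $name (not downloaded)"
        fi
    done < "$manifest"
    return $status
}

# Usage (values taken from the table on this page):
#   verify_sha256 sentinel_server-7.4.0.0-2303.x86_64.tar.gz \
#       672bb5766e4b4221fcb5ecf077c9c1dfa963d1713b6eb87b9f30385349181c93
#   verify_manifest sentinel-7.4-checksums.txt ~/Downloads
```

Run verify_manifest from the directory that holds the downloads, or pass that directory as the second argument. A matching digest shows that the file arrived intact; because the checksums are served from the same page as the downloads, the comparison detects corruption and truncation but does not by itself establish who published the file.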

Product Description

NetIQ Sentinel™ is a full-featured security analytics platform that simplifies the deployment, management, and day-to-day use of Log Management and SIEM. Sentinel readily adapts to dynamic enterprise environments and delivers the actionable intelligence security professionals need to quickly understand their organization's threat and compliance posture and to prioritize response.

The Sentinel platform can be licensed to provide two different sets of capabilities according to enterprise needs:

Sentinel Enterprise
A full-featured solution that enables the complete set of log management plus real-time analytics capabilities. Sentinel Enterprise focuses on security analytics and SIEM use cases such as real-time threat detection, alerting, and remediation. The Enterprise solution includes all the capabilities of Sentinel for Log Management.
Sentinel for Log Management
A solution that focuses on log management use cases such as the ability to collect, store, search, and report on data in a highly flexible and scalable system.

For existing Sentinel Log Manager 1.x users: Sentinel for Log Management 7.4 represents a substantial upgrade from the functionality provided in Sentinel Log Manager 1.x and as a result, significant parts of the architecture have changed. To plan your upgrade to Sentinel for Log Management 7.4, see the Upgrade FAQ document.

High Availability

The Sentinel High Availability add-on brings additional failover capabilities to the Sentinel soft appliance. Whereas the certified HA solution for our traditional install relies upon separately-purchased SUSE Linux High Availability Extensions, this solution rolls the entire package into a software appliance, allowing you to easily roll out new or additional Sentinel HA cluster nodes.

Evaluation Information

Sentinel is provided with a built-in license key to enable a 60-day evaluation period. During the evaluation period, you can use all the Sentinel Enterprise features. After 60 days, Sentinel continues to run with a free license key that enables a limited set of features (similar to Sentinel for Log Management) and a limited rate of 25 stored events per second. The free license key does not expire. You can supplement the pre-installed keys with a purchased license key for either Sentinel Enterprise or Sentinel for Log Management during installation or at any time thereafter. For more information about licenses, see the "Understanding License Information" section in the Sentinel Installation and Configuration Guide.

Key Features

Features in all Sentinel Products

High Availability
This Sentinel package includes additional high availability components that provide rapid failover within a cluster in the event of a major system failure, built right into our simple soft appliance.
Real-time Event Visualization
Comprehensive, categorized real-time visualization of incoming event data is now available directly in the web interface, with full filtering and drill-down capabilities to give you access to your event data instantly.
Virtual Appliances
Sentinel provides appliances in Open Virtualization Format (OVF) and Live CD formats, which eliminates the need for different appliance formats for each hypervisor platform. The Sentinel OVF appliance replaces the VMware and Xen appliance packages, and can be used on other hypervisors as well. The Live CD can be used to install a soft appliance to bare metal or to hypervisors that do not support OVF.
Security Management and Compliance Monitoring
Sentinel provides integrated, automated real-time security management and compliance monitoring across all systems and networks while allowing you to demonstrate and monitor compliance with internal policies and government regulations such as PCI, ISO27xx, Sarbanes-Oxley, HIPAA, GLBA, FISMA, and others.
High Performance Multi-Tiered Storage
Sentinel implements an efficient, file-based event storage system optimized for fast retrieval and long-term archival of events. The event store provides 10:1 compression, fully indexed searches, flexible retention/privacy policies, and speeds up relevant reporting tasks while also providing you the flexibility to archive your data to traditional backup and forward some or all of your events to a traditional relational database store.
Data Federation
Sentinel enables organizations that have deployed several instances of Sentinel Enterprise and/or Sentinel for Log Management in different locations to search events not only on their local Sentinel servers but also on existing remote Sentinel servers from a single, centralized console.
Agent-Based or Agentless Data Collection
Sentinel provides you the flexibility to use either agent-based or agentless data collection for your Windows, UNIX/Linux, and IBM iSeries event sources. You can determine which method to use for each event source based on the needs of your environment.

Additional Features in Sentinel Enterprise

Alerts and Alert Triage
Sentinel provides alerts that prioritize the most critical threats for you to look at. Alerts can be quickly triaged and closed or escalated as necessary. Sentinel also provides alert dashboards that enable you to perform powerful exploration and analysis of many alerts at once.
Threat Intelligence
Sentinel introduces packaged support for Threat Intelligence feeds that help you detect known bad activity such as interaction of your own hosts with compromised internet hosts. This capability supports immediate prioritization of threats based on externally-provided intelligence.
Anomaly Detection
Sentinel allows you to identify threat patterns and anomalies in your environment by establishing specific baselines respective to your unique IT environment to deliver better intelligence and faster detection of anomalous activities. Baselining and trending allow you to view patterns of historical activities and to develop models of typical IT activities to spot new, potentially harmful trends, and the powerful pattern-based correlation engine can catch even complex threats by using a simple graphical rule builder.

System Requirements

For the most recent information about system requirements, see the NetIQ Sentinel Technical Information web site.

Downloading and Installing Sentinel

Sentinel offers several different packages for installing various components of the system. For more information, see the "Deployment Considerations" in the Sentinel Installation and Configuration guide.

Sentinel is offered both as a traditional installer and as a soft appliance. The traditional installation deploys Sentinel on an existing Linux operating system by using the application installer. The Sentinel appliance is a ready-to-run software appliance built on SUSE Studio. The appliance combines a hardened SLES operating system and the Sentinel software in a pre-built package.

The High Availability version of the soft appliance embeds additional HA capabilities right into the appliance installer. In a distributed environment, you can deploy any combination of traditional installers and soft appliance, depending on your requirements.

  • Sentinel HA appliance installer (sentinel_server_ha_*.iso) - contains the HA version of the installation image that can deploy the soft appliance to physical (bare metal) or virtual hardware provided by a hypervisor such as Microsoft Hyper-V (certified).
  • Sentinel Traditional installer (sentinel_server_*.tar.gz) - contains the standard installer that you can use to install Sentinel on an existing operating system.
  • Sentinel OVF appliance (sentinel_server_*.ovf.tar.gz) - contains a pre-built virtual machine for XenServer systems and VMware ESX (both certified) and other hypervisors that support OVF.
  • Sentinel ISO appliance (sentinel_server_*.iso) - contains an installation image that can deploy the Sentinel soft appliance to physical (bare metal) or virtual hardware provided by a hypervisor such as Microsoft Hyper-V (certified).
  • Sentinel Open Source Components (sentinel_opensourcecomponents-*.tar.gz) - contains source code for selected open source components used in Sentinel and its plug-ins. This is a strictly optional download that is provided to comply with licensing terms.

There are additional appliance images provided for Collector Managers and Correlation Engines.

This is a high-level overview of the installation process for typical customers. For more details and alternatives, see the Sentinel Installation and Configuration Guide.

High Availability Appliance Installation

  • Configure your HA cluster with storage shared by multiple cluster nodes that will each be able to run Sentinel.
  • Download the sentinel_server_ha_*.iso file, boot it as a Live CD on each cluster node in turn, then follow the prompts to configure the appliance. During the installation of the first node, the shared storage is configured with the Sentinel data structures; subsequent node installations point to that same install but deploy binaries and basic configuration to local storage on each cluster node. For more information, see the "Configuring Sentinel for High Availability" section in the Sentinel Installation and Configuration Guide.

Traditional Installation

  • Download the main Sentinel installation file named sentinel_server* to the host where you will install Sentinel and unpack it into a temporary directory using a Linux-compatible utility.
  • Run the Sentinel installation and follow the on-screen prompts to install the Sentinel Server.

Appliance Installation

Download the virtual image, then load the image in your virtualization platform or boot the ISO Live CD and follow the prompts to configure the appliance. For more information, see the "Appliance Installation" section in the Sentinel Installation and Configuration Guide.

Sentinel Configuration

  1. For data collection, deploy one or more Collector Managers. You can download the installer for Collector Manager from within the Sentinel Web console or use one of the appliance images.
  2. Identify the set of sources from which you want to collect event data, and configure them to deliver events to Sentinel. Sentinel supports data collection from many sources using Collector and Connector plug-ins. It also supports specialized agent-based data collection for Windows and UNIX-type data sources. Many of the plug-ins to support data collection are bundled with Sentinel, but you can download additional options and updates from the Sentinel Plug-ins Web site or create your own using the Sentinel Plug-in SDK.
    1. To use Sentinel plug-ins for any supported device, deploy the associated Collector and Connector from the Sentinel Plug-ins Web site. Each supported product has an associated Collector that understands the data format generated by that source. See the documentation provided with each Collector for details on how to configure the associated product and Sentinel data collection components to deliver events to Sentinel.
    2. To use agent-based event collection for Windows or IBM i sources, deploy Sentinel Agent Manager to act as a proxy for those agents. You can download the Sentinel Agent Manager from within the Sentinel Web console, or from this page (file Agent_Manager*). For more information about installing Sentinel Agent Manager, see the Agent Manager Installation Guide.
      1. Windows Agents are included in the Sentinel Agent Manager download and are managed by Sentinel Agent Manager itself, so no additional components are necessary.
      2. Agents for IBM i come as part of the NetIQ Security Solutions for iSeries - the Agent portion does not require a separate license. For more information, see the Auditing iSeries Log Data section of the Installation Guide; you will need to configure the Agent Communication Subsystem (PSECONFIG) and start the ZPSE subsystem, but replace 'Security Manager' with 'Sentinel Agent Manager' in the instructions.
  3. To use agent-based event collection for UNIX or Linux sources, download the ISO for NetIQ Security Agent for Unix and refer to the documentation to install and set up data collection.
  4. [Sentinel Enterprise only] For real-time correlation analytics you can use the Correlation Engine built into the core server, or deploy one or more remote Correlation Engines. You can download the installer for Correlation Engine from within the Sentinel Web console or use one of the appliance images.
  5. For network flow analysis, deploy one or more NetFlow Collector Managers. You can download the installer for NetFlow Collector Manager from within the Sentinel Web console.
  6. Perform additional configuration as needed after reviewing the Sentinel Documentation Web site.
    1. Configure the event routing rules and data retention policies to define where data is stored (or sent) and for how long.
    2. [Sentinel Enterprise only] Deploy analytic rules to automatically detect activity of interest in the enterprise. Attach automated actions to those rules as needed.
    3. Customize the environment by creating filters, refining reports, adding contextual data, and so on.

Known Issues

For the list of known issues, see the release notes for this version on the Sentinel Documentation Web site.