Product Description

NetIQ Sentinel™ is a full-featured security analytics platform that simplifies the deployment, management, and day-to-day use of Log Management and SIEM. Sentinel readily adapts to dynamic enterprise environments and delivers the actionable intelligence security professionals need to quickly understand their organization's threat and compliance posture and to prioritize response.

The Sentinel platform can be licensed to provide two different sets of capabilities according to enterprise needs:

Sentinel Enterprise
A full-featured solution that enables the complete set of log management plus real-time analytics capabilities. Sentinel Enterprise focuses on security analytics and SIEM use cases such as real-time threat detection, alerting, and remediation. The Enterprise solution includes all the capabilities of Sentinel for Log Management.
Sentinel for Log Management
A solution that focuses on log management use cases such as the ability to collect, store, search, and report on data in a highly flexible and scalable system.

Deployment Options

High Availability installation
The Sentinel High Availability add-on provides rapid failover within a cluster in the event of a major system failure and is built into the soft appliance. Whereas the certified HA solution for a traditional Sentinel installation relies on separately purchased SUSE Linux High Availability Extensions, the HA appliance bundles the entire package, so you can easily deploy new or additional Sentinel HA cluster nodes. The High Availability (HA) version of the appliance embeds the additional HA capabilities in the appliance installer. In a distributed environment, you can deploy any combination of traditional installers and soft appliances, depending on your requirements.

Traditional installation or Appliance installation
Sentinel is offered both as a traditional installer and as a soft appliance. The traditional installation deploys Sentinel on an existing Linux operating system by using the application installer. The Sentinel appliance is a ready-to-run software appliance built on SUSE Studio.

The appliance combines a hardened SLES operating system and the Sentinel software in a pre-built package. Sentinel provides appliances in Open Virtualization Format (OVF) and Live CD (ISO) formats, which eliminates the need for a separate appliance format for each hypervisor platform. The OVF appliance can be used on hypervisors such as VMware and Xen. The Live CD can be used to install the soft appliance on bare metal or on hypervisors that do not support OVF.

High Performance Multi-Tiered Traditional Storage or Hadoop-based Scalable Storage
Traditional storage is a file-based event store optimized for fast retrieval and long-term archival of events. It provides roughly 10:1 compression, fully indexed searches, and flexible retention and privacy policies, which speeds up reporting; it also lets you archive data to traditional backup media and forward some or all events to a relational database.

Scalable storage uses Cloudera's Distribution Including Apache Hadoop (CDH) to store and manage very large data volumes. Hadoop-based scalable storage lets you scale data collection and visualization to a very high event rate (EPS) with a single Sentinel server.

Data Federation

Sentinel enables organizations that have deployed several instances of Sentinel Enterprise and/or Sentinel for Log Management in different locations to search events not only on their local Sentinel servers but also on existing remote Sentinel servers from a single, centralized console.

Agent-Based or Agentless Data Collection

Sentinel provides you the flexibility to use either agent-based or agentless data collection for your Windows and UNIX/Linux event sources. You can determine which method to use for each event source based on the needs of your environment.

For more information, see the "Deployment Considerations" section in the Sentinel Installation and Configuration guide.

Key Features

Anomaly Detection
Sentinel identifies threat patterns and anomalies by establishing baselines specific to your IT environment, which delivers better intelligence and faster detection of anomalous activity. Baselining and trending let you view patterns of historical activity and build models of typical IT activity so that you can spot new, potentially harmful trends. (Available in Sentinel Enterprise with traditional storage.)
Event Correlation and Alerts
Correlation adds intelligence to security event management by automatically analyzing the incoming event stream for potential threats and generating alerts that notify you immediately. Sentinel also provides alert dashboards that let you explore and analyze many alerts at once. (Available in Sentinel Enterprise.)
Threat Intelligence
Sentinel provides packaged support for Threat Intelligence feeds that help you detect known bad activity such as interaction of your own hosts with compromised internet hosts. This capability supports immediate prioritization of threats based on externally-provided intelligence. (Available in Sentinel Enterprise.)
Real-time Event Visualization
Comprehensive, categorized real-time visualization of incoming event data with full filtering and drill-down capabilities to give you access to your event data instantly.
Security Management and Compliance Monitoring
Sentinel provides integrated, automated real-time security management and compliance monitoring across all systems and networks while allowing you to demonstrate and monitor compliance with internal policies and government regulations such as PCI, ISO27xx, Sarbanes-Oxley, HIPAA, GLBA, FISMA, and others.
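The two detection ideas described above, a windowed correlation rule and a threat-intelligence lookup, are illustrated below in Python. This is an added example, not Sentinel code and not its correlation rule language; the event fields, the sample events and the threat feed (TEST-NET addresses) are constructed here, and the thresholds are assumptions chosen for the demonstration.

```python
"""Added illustration of event correlation and threat-intelligence matching.
Not Sentinel code: it shows the logic a SIEM correlation rule and a threat-feed
lookup apply, run over constructed sample events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields mirror a normalized SIEM event.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T09:58:00", "src_ip": "10.1.1.7", "dst_ip": "10.0.0.2", "name": "LoginFailed", "user": "bob"},
    {"ts": "2024-01-01T09:58:30", "src_ip": "10.1.1.7", "dst_ip": "10.0.0.2", "name": "LoginFailed", "user": "bob"},
    {"ts": "2024-01-01T10:00:00", "src_ip": "10.1.1.7", "dst_ip": "10.0.0.2", "name": "LoginFailed", "user": "bob"},
    {"ts": "2024-01-01T10:00:01", "src_ip": "10.1.1.5", "dst_ip": "10.0.0.2", "name": "LoginFailed", "user": "alice"},
    {"ts": "2024-01-01T10:00:05", "src_ip": "10.1.1.5", "dst_ip": "10.0.0.2", "name": "LoginFailed", "user": "alice"},
    {"ts": "2024-01-01T10:00:09", "src_ip": "10.1.1.5", "dst_ip": "10.0.0.2", "name": "LoginFailed", "user": "alice"},
    {"ts": "2024-01-01T10:00:10", "src_ip": "10.1.1.7", "dst_ip": "10.0.0.2", "name": "LoginFailed", "user": "bob"},
    {"ts": "2024-01-01T10:00:13", "src_ip": "10.1.1.5", "dst_ip": "10.0.0.2", "name": "LoginFailed", "user": "alice"},
    {"ts": "2024-01-01T10:00:17", "src_ip": "10.1.1.5", "dst_ip": "10.0.0.2", "name": "LoginFailed", "user": "alice"},
    {"ts": "2024-01-01T10:00:20", "src_ip": "10.1.1.7", "dst_ip": "10.0.0.2", "name": "LoginFailed", "user": "bob"},
    {"ts": "2024-01-01T10:00:22", "src_ip": "10.1.1.5", "dst_ip": "10.0.0.2", "name": "LoginSuccess", "user": "alice"},
    {"ts": "2024-01-01T10:00:30", "src_ip": "10.0.0.7", "dst_ip": "203.0.113.9", "name": "Connection", "user": None},
    {"ts": "2024-01-01T10:00:31", "src_ip": "10.0.0.7", "dst_ip": "198.51.100.3", "name": "Connection", "user": None},
]

# Constructed threat feed: TEST-NET addresses standing in for externally supplied indicators.
THREAT_FEED = {
    "203.0.113.9": "constructed indicator: known command-and-control host",
    "203.0.113.77": "constructed indicator: scanner",
}


def correlate_failed_logins(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window correlation rule.

    Fires BruteForce when one src_ip produces `threshold` LoginFailed events
    inside `window`, and BruteForceSuccess when a LoginSuccess from that
    src_ip arrives while the window still holds `threshold` failures.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of failures inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        q = recent_failures[ev["src_ip"]]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if ev["name"] == "LoginFailed":
            q.append(ts)
            if len(q) == threshold:  # fire once, when the threshold is first reached
                alerts.append({"rule": "BruteForce", "src_ip": ev["src_ip"],
                               "count": len(q), "at": ev["ts"]})
        elif ev["name"] == "LoginSuccess" and len(q) >= threshold:
            alerts.append({"rule": "BruteForceSuccess", "src_ip": ev["src_ip"],
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


def match_threat_intel(events, feed):
    """Flag any event whose source or destination address appears in the feed."""
    alerts = []
    for ev in events:
        for field in ("src_ip", "dst_ip"):
            ip = ev.get(field)
            if ip in feed:
                alerts.append({"rule": "ThreatIntelMatch", "field": field, "ip": ip,
                               "context": feed[ip], "at": ev["ts"]})
    return alerts


def run_rules(events, feed):
    """Run both detections and return the combined alert list, oldest first."""
    return sorted(correlate_failed_logins(events) + match_threat_intel(events, feed),
                  key=lambda a: a["at"])


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS, THREAT_FEED):
        print(alert)
```

On the sample data the rule fires for 10.1.1.5 (five failures in 16 seconds, then a success) but not for 10.1.1.7, whose five failures are spread over more than a minute, so only three ever sit inside the window at once; the connection to 203.0.113.9 is flagged by the feed lookup. The window eviction is what keeps slow, low-volume activity from accumulating into a false alert.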

Evaluation Information

Sentinel is provided with a built-in license key to enable a 60-day evaluation period. During the evaluation period, you can use all the Sentinel Enterprise features.

After 60 days, Sentinel continues to run with a free license key that enables a limited feature set (similar to Sentinel for Log Management) and a limited rate of 25 stored events per second (EPS). The free license key does not expire. This applies to Sentinel systems configured with traditional storage. For systems configured with scalable storage, Sentinel stops storing events and raw data when the evaluation license expires.

You can supplement the pre-installed keys with a purchased license key for either Sentinel Enterprise or Sentinel for Log Management during installation or at any time thereafter. For more information about licenses, see "Understanding License Information" in the Sentinel Installation and Configuration Guide.

System Requirements

For the most recent information about system requirements, see the NetIQ Sentinel Technical Information web site.

Downloading and Installing Sentinel

Sentinel offers several different packages for installing various components of the system.

  • Sentinel HA appliance installer (sentinel_server_ha_*.iso) - contains the HA version of the installation image that can deploy the software appliance to physical (bare metal) or virtual hardware provided by a hypervisor such as Microsoft Hyper-V (certified).
  • Sentinel Traditional installer (sentinel_server_*.tar.gz) - contains the standard installer that you can use to install Sentinel on an existing operating system.
  • Sentinel OVF appliance (sentinel_server_*.ovf.tar.gz) - contains a pre-built virtual machine for VMware ESX (certified) and other hypervisors that support OVF.
  • Sentinel ISO appliance (sentinel_server_*.iso) - contains an installation image that can deploy the Sentinel software appliance to physical (bare metal) or virtual hardware provided by a hypervisor such as Microsoft Hyper-V (certified).
  • Sentinel Open Source Components (sentinel_opensourcecomponents_*.tar.gz) - contains source code for selected open source components used in Sentinel and its plug-ins. This is strictly an optional download that is provided to comply with licensing terms.

There are additional appliance images provided for Collector Managers and Correlation Engines.

This is a high-level overview of the installation process for typical customers. For more details and alternatives, see the Sentinel Installation and Configuration Guide.

High Availability Installation

For information about deploying Sentinel for high availability, see the "Deploying Sentinel for High Availability" section in the Sentinel Installation and Configuration Guide.

Traditional Installation

  • Download the main Sentinel installation file named sentinel_server* to the host where you will install Sentinel and unpack it into a temporary directory using a Linux-compatible utility such as tar.
  • Run the Sentinel installation and follow the on-screen prompts to install the Sentinel Server.
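The two steps above, with the integrity check a practitioner would add before unpacking anything downloaded, as a POSIX shell script. This is an added example, not NetIQ's installer or documentation. It assumes two things the page does not state: that a SHA-256 digest for the download is available from a source independent of the download itself (for example the vendor's download page over TLS), and that the unpacked tree contains an executable named install-sentinel.

```shell
#!/bin/sh
# Added example, not NetIQ's installer or documentation: verify the downloaded
# traditional installer tarball against a SHA-256 digest obtained separately,
# unpack it into a fresh temporary directory, and run the installer only if
# the digest matches.
# Assumptions not stated on the page: a published digest is available, and the
# unpacked tree contains an executable named install-sentinel.
set -eu

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED -> exit status 0 if the digest matches, 1 otherwise.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# unpack_to_tempdir TARBALL -> prints the new directory the archive was extracted into.
unpack_to_tempdir() {
    dir=$(mktemp -d)
    tar -xzf "$1" -C "$dir"
    printf '%s\n' "$dir"
}

# find_installer DIR -> prints the path of install-sentinel under DIR, or returns 1.
find_installer() {
    path=$(find "$1" -type f -name 'install-sentinel' | head -n 1)
    [ -n "$path" ] && printf '%s\n' "$path"
}

# install_sentinel TARBALL EXPECTED_SHA256 -> verifies, unpacks, and runs the installer.
install_sentinel() {
    if ! verify_sha256 "$1" "$2"; then
        echo "checksum mismatch for $1; refusing to unpack or install" >&2
        return 1
    fi
    dir=$(unpack_to_tempdir "$1")
    installer=$(find_installer "$dir") || {
        echo "no install-sentinel found under $dir" >&2
        return 1
    }
    echo "running $installer"
    "$installer"
}

# Usage: sh install.sh sentinel_server_<version>.tar.gz <expected-sha256>
if [ "$#" -eq 2 ]; then
    install_sentinel "$1" "$2"
fi
```

The digest must come from a channel independent of the download; a digest fetched from the same mirror as the tarball proves only that the mirror is self-consistent. Extracting into a directory created by mktemp, rather than a shared or pre-existing path, keeps another local user from planting a file the installer would pick up.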

Appliance Installation

Download the virtual image, then load the image in your virtualization platform or boot the ISO Live CD and follow the prompts to configure the appliance. For more information, see the Sentinel Installation and Configuration Guide.

Sentinel Configuration

  1. For data collection, deploy one or more Collector Managers. You can download the installer for Collector Manager from within the Sentinel Main interface or use one of the appliance images.
  2. Identify the set of sources from which you want to collect event data and configure them to deliver events to Sentinel. Sentinel supports data collection from many sources using Collector and Connector plug-ins. It also supports specialized agent-based data collection for Windows and UNIX-type data sources. Many of the plug-ins to support data collection are bundled with Sentinel, but you can download additional options and updates from the Sentinel Plug-ins Web site or create your own using the Sentinel Plug-in SDK.
    1. To use Sentinel plug-ins for any supported device, deploy the associated Collector and Connector from the Sentinel Plug-ins Web site. Each supported product has an associated Collector that understands the data format generated by that source. See the documentation provided with each Collector for details on how to configure the associated product and Sentinel data collection components to deliver events to Sentinel.
    2. To use agent-based event collection for Windows, deploy Sentinel Agent Manager to act as a proxy for those agents. You can download the Sentinel Agent Manager from this page (file Agent_Manager*). For more information about installing Sentinel Agent Manager, see the Agent Manager Installation Guide. Windows Agents are included in the Sentinel Agent Manager download and are managed by Sentinel Agent Manager itself, so no additional components are necessary.
    3. To use agent-based event collection for UNIX or Linux sources, download the NetIQ Security Agent for UNIX and refer to the documentation to install and set up data collection.
  3. For real-time correlation analytics you can use the Correlation Engine built into the core server, or deploy one or more remote Correlation Engines. You can download the installer for Correlation Engine from within the Sentinel Main interface or use one of the appliance images.
  4. For network flow analysis, deploy one or more NetFlow Collector Managers. You can download the installer for NetFlow Collector Manager from within the Sentinel Main interface.
  5. Perform additional configuration as needed after reviewing the Sentinel Documentation Web site.
    1. Configure the event routing rules and data retention policies to define where data is stored (or sent) and for how long.
    2. Deploy correlation rules to automatically detect activity of interest in the enterprise. Attach automated actions to those rules as needed.
    3. Customize the environment by creating filters, refining reports, adding contextual data, and so on.

Known Issues

For the list of known issues, see the release notes for this version on the Sentinel Documentation Web site.