February 08, 2010
Novell® Sentinel™ Log Manager collects data from a wide variety of devices and applications, including intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, and antivirus event sources. Novell Sentinel Log Manager provides high event-rate processing, long-term data retention, regional data aggregation, and simple searching and reporting functionality for a broad range of applications and devices.
The following sections list the new and enhanced features of Novell Sentinel Log Manager.
The new and enhanced data collection user interface enables you to perform several new tasks:
Refine all the event sources by using the new screen.
Start and stop the audit and syslog event source server by using the new tab.
Set the time zone for event sources.
Search for events that are coming from one or many event sources.
For more information about data collection configuration, see Configuring Data Collection in the Novell Sentinel Log Manager 1.0.0.4 Administration Guide.
Sentinel Log Manager now supports LDAP authentication in addition to database authentication.
A new option has been added in the > window of the Sentinel Log Manager, which enables you to create user accounts that use LDAP authentication.
For more information about configuring the Sentinel Log Manager server for LDAP authentication, see User Administration in the Novell Sentinel Log Manager 1.0.0.4 Administration Guide.
The enhanced search results interface enables you to perform several new tasks:
Export search report results.
Send search results to an action.
Download the raw data files for the event source of a selected event by using the link.
View new event field information in the search results. For example, the results now show the Source IP address, Rawdata Record ID, Collector Script, Collector name, Collector Manager ID, Connector ID, and Event Source ID for incoming events.
View all the event field information for an event source by using the link.
For more information about searching events and generating reports, see Searching in the Novell Sentinel Log Manager 1.0.0.4 Administration Guide.
The new user interface for actions allows you to create multiple action instances that you can also use while configuring rules. You can also view the number of rules that are associated with an action.
For more information about configuring rules and actions, see Configuring Rules in the Novell Sentinel Log Manager 1.0.0.4 Administration Guide.
The new admin user interface enables you to assign new permissions to a user:
Allow the user to view all reports that are stored on the server.
Enable Sentinel Log Manager configuration reporting.
Set a filter on the events the user is allowed to view.
For more information about configuring users, see User Administration in the Novell Sentinel Log Manager 1.0.0.4 Administration Guide.
Novell Sentinel Log Manager is easy to install and deploy for data collection, storage, reporting, and searching of log data. Installation of Novell Sentinel Log Manager includes installation of the Sentinel Log Manager server, Web server, reporting server, and configuration database.
Novell Sentinel Log Manager can collect and manage data from event sources that generate logs to syslog, Windows event log, files, databases, SNMP, Novell Audit, SDEE, Check Point OPSEC, and other storage mechanisms and protocols.
Novell Sentinel Log Manager contains enhanced web-based user interface support for Syslog and Novell Audit connectivity to make it even easier to start collecting logs from event sources. You can direct all the logs to Sentinel Log Manager.
Messages from recognized data sources are parsed into fields such as target IP address and source username. Messages from unrecognized data sources are placed intact into a single field for storage, search, and reporting. All data can be filtered to drop unwanted events.
For a complete list of supported event sources, see “Supported Event Sources” in the Novell Sentinel Log Manager Guide.
Novell Sentinel Log Manager collects data using a wide variety of connection methods:
Syslog Connector automatically accepts and configures syslog data sources that send data over the standard User Datagram Protocol (UDP), the reliable Transmission Control Protocol (TCP), or Transport Layer Security (TLS). Of the three, only TLS authenticates the sending host and protects the log data in transit.
Audit Connector automatically accepts and configures audit-enabled Novell data sources.
File Connector reads log files.
SNMP Connector receives SNMP traps.
JDBC* Connector reads from database tables.
WMS Connector accesses Windows* event logs on desktops and servers.
SDEE Connector collects events from Cisco* devices by using the Security Device Event Exchange protocol.
LEA Connector collects logs from Check Point* devices by using the OPSEC Log Export API.
Sentinel Link Connector accepts data from other Novell Sentinel Log Manager servers.
Process Connector accepts data from custom-written processes that output event logs.
You can also purchase an additional license to download connectors for SAP* and mainframe operating systems.
To get the license, either call 1-800-529-3400 or contact Novell Technical Support.
For more information about configuring the connectors, see the connector documents at Sentinel Content Web site.
For more information about data collection configuration, see “Configuring Data Collection” in the Novell Sentinel Log Manager Guide.
Novell Sentinel Log Manager stores all of the log data in a compressed file format. Data can be archived locally or on a remotely mounted CIFS or NFS share. You can set up data retention policies to configure the system to keep some data for longer periods and other data for shorter periods.
For more information about system requirements, see “System Requirements” in the Novell Sentinel Log Manager Guide.
For more information about data storage configuration, see “Configuring Data Storage” in the Novell Sentinel Log Manager Guide.
Novell Sentinel Log Manager can perform full text searches of all the stored event data or perform focused searches against particular event fields, such as source username. Such searches can be further refined, saved for future review, filtered, and formatted by applying a report template to the results.
Sentinel Log Manager ships with pre-installed reports and also lets you upload additional reports. Reports can be run on a schedule or on demand.
For the list of default reports, see “Sentinel Log Manager Reports” in the Novell Sentinel Log Manager Guide.
Searches and reports can run against both online and archived data.
For more information about searching events and generating reports, see “Searching” and “Reporting” respectively in the Novell Sentinel Log Manager Guide.
Collector Managers for Sentinel Log Manager manage all of the data collection processes and data parsing. A Collector Manager is included in the Sentinel Log Manager server installation, but you can also install multiple Collector Managers throughout your enterprise. Remote Collector Managers provide several benefits:
Distributed event parsing and processing to improve system performance.
Co-location with event sources, which allows filtering, encryption, and data compression at the source. This can provide additional data security and decrease network bandwidth requirements.
Installation on additional operating systems (for example, installation on Microsoft* Windows* to enable data collection using the WMI protocol).
File caching, which enables the remote collector manager to cache large amounts of data while the server is temporarily busy performing archiving or processing a spike in events. This is an advantage for protocols, such as syslog, that do not natively support event caching.
Sentinel Link can be used to forward event data from one Sentinel Log Manager to another. With a hierarchical set of Sentinel Log Managers, complete logs can be retained at multiple regional locations while more important events are forwarded to a single Sentinel Log Manager for centralized search and reporting.
In addition, Sentinel Link can forward important events to Novell Sentinel, a full Security Information and Event Management (SIEM) system, for advanced correlation, incident remediation, and injection of high-value contextual information such as server criticality or identity information from an identity management system.
A new Generic Forwarder Action 6.1r2 plug-in has been added to send search results to an action instance.
For detailed information on hardware requirements and supported operating systems, browsers, and event sources, see “System Requirements” in the Novell Sentinel Log Manager Guide.
The Sentinel Log Manager Hotfix 4 (1.0.0.4) must be installed on top of an existing Sentinel Log Manager 1.0.0.0, 1.0.0.1, 1.0.0.2, or 1.0.0.3 installation.
IMPORTANT: The Sentinel Log Manager Hotfix 4 (1.0.0.4) must be installed on the Sentinel Log Manager server and on all Collector Managers running on remote machines. This hotfix does not update the Collector Manager installer script that you can download from the Sentinel Log Manager web server. Hence, regardless of whether you installed a Collector Manager before or after applying the hotfix on the Sentinel Log Manager server, you must apply this hotfix to every Collector Manager.
To perform a quick and simple installation of Novell Sentinel Log Manager 1.0.0.4 on a Sentinel Log Manager server:
Log in to the Sentinel Log Manager server as the novell user.
The novell user is created during the Sentinel Log Manager installation process and has no password by default. Either set a password for it so that you can log in directly, or switch to it from a root shell with su - novell.
Download or copy the installer SENTINEL_LOG_MANAGER_1.0.0.4.zip to a temporary directory.
Change to the temporary directory.
Unzip the install package by using the following command:
unzip SENTINEL_LOG_MANAGER_1.0.0.4.zip
Change to the unzipped directory.
cd SENTINEL_LOG_MANAGER_1.0.0.4
(Optional) Stop the Sentinel Log Manager services by using the following command:
Installation_Directory/bin/server.sh stop
Run the hotfix installer and follow the prompts.
./service_pack.sh
To install the hotfix on a remote Collector Manager running on Linux:
Log in to the machine that runs the Collector Manager as the root user.
Download or copy the installer SENTINEL_LOG_MANAGER_1.0.0.4.zip to a temporary directory.
Change to the temporary directory.
Unzip the install package by using the following command:
unzip SENTINEL_LOG_MANAGER_1.0.0.4.zip
Change to the unzipped directory.
cd SENTINEL_LOG_MANAGER_1.0.0.4
(Optional) Stop the Collector Manager by using the following command:
Installation_Directory/bin/sentinel.sh stop
Run the hotfix installer and follow the prompts.
./service_pack.sh
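The server and Linux Collector Manager procedures above, wrapped in one shell function as an added example (this is not code from Novell or from this readme). It assumes the hotfix zip has already been copied to the current directory and takes the installation directory as an argument. It adds the checks a practitioner would want before running the installer: that the current account is the one the readme requires for the role (novell on the server, root on a Collector Manager), that the package and the documented stop script exist, and that the archive's CRCs verify before anything is extracted. The SLM_USER and DRY_RUN variables are assumptions introduced for testing; the Windows Collector Manager procedure is not covered.

```shell
#!/bin/sh
# Added example, not part of the Novell readme: runs the documented hotfix
# steps for one Linux role and refuses to proceed as the wrong account.
#
# Assumptions (not stated by the readme): the hotfix zip is in the current
# directory; the install directory is the second argument; SLM_USER overrides
# the detected user name and DRY_RUN=1 prints the commands instead of running
# them (both exist only for testing).

slm_apply_hotfix() {
  role=$1
  install_dir=$2
  zip=SENTINEL_LOG_MANAGER_1.0.0.4.zip
  dir=SENTINEL_LOG_MANAGER_1.0.0.4
  user=${SLM_USER:-$(id -un)}

  # Each role has its own required account and its own stop script.
  case "$role" in
    server)            want=novell; stop_script=$install_dir/bin/server.sh ;;
    collector-manager) want=root;   stop_script=$install_dir/bin/sentinel.sh ;;
    *) echo "usage: slm_apply_hotfix server|collector-manager INSTALL_DIR" >&2; return 2 ;;
  esac

  # Pre-flight checks: right account, package present, install dir recognised.
  if [ "$user" != "$want" ]; then
    echo "role $role must be run as $want (current user: $user)" >&2
    return 1
  fi
  if [ ! -f "$zip" ]; then
    echo "$zip not found in $(pwd)" >&2
    return 1
  fi
  if [ ! -x "$stop_script" ]; then
    echo "$stop_script missing; is $install_dir the install directory?" >&2
    return 1
  fi

  # Dry run: print the exact commands that would be executed, in order.
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "unzip $zip" "$stop_script stop" "cd $dir && ./service_pack.sh"
    return 0
  fi

  # Verify the archive's CRCs before extracting anything from it.
  unzip -tq "$zip" >/dev/null || return 1
  unzip -q "$zip" || return 1
  # The readme marks stopping the service as optional; stopping first avoids
  # patching files that are in use.
  "$stop_script" stop || return 1
  (cd "$dir" && ./service_pack.sh)
}
```

Usage on the server, from the directory holding the zip: `slm_apply_hotfix server "$INSTALL_DIR"` as the novell user; on a Linux Collector Manager: `slm_apply_hotfix collector-manager "$INSTALL_DIR"` as root. Run it with `DRY_RUN=1` first to confirm the paths it resolved before letting it touch the installation.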
To install the hotfix on a remote Collector Manager running on Windows:
Log in to the machine that runs the Collector Manager as an Administrator.
Download or copy the installer SENTINEL_LOG_MANAGER_1.0.0.4.zip to a temporary directory.
Change to the temporary directory.
Unzip the installer package.
Change to the unzipped directory.
cd SENTINEL_LOG_MANAGER_1.0.0.4
(Optional) Stop the Collector Manager by using the following command:
Installation_Directory/bin/sentinel.bat stop
Go to the installation directory.
Run service_pack.bat from the command window and follow the prompts.
This section lists the issues fixed in Novell Sentinel Log Manager 1.0.0.4 Release.
Table 1 Issues fixed in Sentinel Log Manager 1.0.0.4 Release
This section lists the enhancements in Novell Sentinel Log Manager 1.0.0.4 Release.
Table 2 Enhancements in Sentinel Log Manager 1.0.0.4 Release
This section lists the issues fixed in Novell Sentinel Log Manager 1.0.0.3 Release.
Table 3 Issues fixed in Sentinel Log Manager 1.0.0.3 Release
Top N type reports are now supported. A Top N type report named All Vendors All Products Top 10 Report is installed with this hotfix and is available as a Visualization from the Search Save As Report dialog as well as from the main report list. This report provides an easy way to view a dashboard of the most frequent activity being monitored by Sentinel Log Manager.
This section lists the issues fixed in Novell Sentinel Log Manager 1.0.0.2 Release.
Table 4 Issues fixed in Sentinel Log Manager 1.0.0.2 Release
This section lists the issues fixed in Novell Sentinel Log Manager 1.0.0.1 Release.
Table 5 Issues fixed in Sentinel Log Manager 1.0.0.1 Release
This section lists the known issues in Novell Sentinel Log Manager 1.0 Release.
Table 6 Known Issues in Sentinel Log Manager 1.0 Release
The Collectors for the following event sources that are bundled with Sentinel Log Manager have known issues. These issues are fixed in the latest versions of the Collectors, which are available on the Sentinel 6.1 Content Web site.
Novell Access Manager 3.1
Novell Identity Manager 3.6.1
Novell Netware 6.5
Novell Modular Authentication Services 3.3
Novell Open Enterprise Server 2.0.2
Novell SUSE® Linux Enterprise Server
Novell eDirectory™ 8.8.3 with the eDirectory instrumentation patch found on the Novell Support Web Site
Novell iManager 2.7
McAfee* VirusScan* Enterprise (8.0i, 8.5i, and 8.7i)
The following table lists known issues that still exist in other Sentinel Plug-ins:
Table 7 Known Issues in Sentinel Plug-ins
In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.
A trademark symbol (®, ™, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.
For Novell trademarks, see the Novell Trademark and Service Mark list.
All third-party trademarks are the property of their respective owners.