SentinelLogManager Day2 2 Rules


  • 8/23/2019 SentinelLogManager Day2 2 Rules

    1/16

    Rules & Actions

    Novell Inc. All rights reserved

    Rules & Actions

    Rules are used to evaluate and filter incoming event data and trigger an action.

    An action typically delivers the selected events to a specific output channel; a rule can have more than one action:

    > Send E-mail

    > Forward to another Sentinel system, such as SLM or Sentinel

    > Forward to a syslog server

    > SNMP Trap

    > Trigger a local script to execute

    > Write to a file

    Performance considerations must be weighed before firing an action: the action is performed every time the rule is true, so a broad filter fires it for every matching event.


    Executing a Script

    The script must exist and the novell account needs execute permission on it.

    Event data cannot be passed to the script as a parameter; only static parameters can be passed.


    Send to File

    The target is a direct path mounted on the local server.

    The directory must grant write permission to the novell account.
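    The two slides above share one operational requirement: the `novell` service account must be able to execute the script (Execute Script action) or write into the directory (Send to File action). The mode bits that grant that access also decide who else can tamper with the script or the output, so a preflight check is worth running before wiring up either action. The following is an added example, not SLM code: `check_action_path` and the constructed temporary files under `demo()` are this example's own, and it checks mode bits rather than calling `os.access`, so the verdict is the same whether or not the checker itself runs as root.

```python
"""Preflight for the Execute Script and Send to File actions (added example, not SLM code).

SLM runs actions as the `novell` service account: the script must be executable
by it and the output directory writable by it. The same mode bits decide who
else can tamper: a world-writable script means code execution as the service
account for any local user, and a world-writable output directory lets anyone
rewrite what the rule recorded.
"""
import os
import stat
import tempfile


def _bits_for(st, uid, gids):
    """(readable, writable, executable) as they apply to uid with group set gids."""
    m = st.st_mode
    if st.st_uid == uid:
        return bool(m & stat.S_IRUSR), bool(m & stat.S_IWUSR), bool(m & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(m & stat.S_IRGRP), bool(m & stat.S_IWGRP), bool(m & stat.S_IXGRP)
    return bool(m & stat.S_IROTH), bool(m & stat.S_IWOTH), bool(m & stat.S_IXOTH)


def check_action_path(path, uid, gids, need):
    """Return a list of problems (empty means usable) with `path` for an action.

    need="execute": `path` is the script of an Execute Script action.
    need="write":   `path` is the directory of a Send to File action.
    uid/gids: the service account's uid and group ids (os.getuid()/os.getgroups()
    when run as that account). Only mode bits are inspected.
    """
    if need not in ("execute", "write"):
        raise ValueError("need must be 'execute' or 'write'")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist" % path]
    problems = []
    readable, writable, executable = _bits_for(st, uid, gids)
    if need == "execute":
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file")
        if not (readable and executable):
            problems.append("not readable and executable by uid %d" % uid)
        parent = os.stat(os.path.dirname(os.path.abspath(path)))
        if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
            problems.append("parent directory is world-writable, so the script can be replaced")
    else:
        if not stat.S_ISDIR(st.st_mode):
            problems.append("not a directory")
        if not (writable and executable):  # x on a directory is needed to create files in it
            problems.append("not writable by uid %d" % uid)
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable: any local user can tamper with it")
    if st.st_uid not in (uid, 0):
        problems.append("owned by uid %d, who can modify it" % st.st_uid)
    return problems


def demo():
    """Exercise the check on constructed files under a temporary directory; returns the findings."""
    uid, gids = os.getuid(), os.getgroups()
    d = tempfile.mkdtemp()
    script = os.path.join(d, "notify.sh")   # hypothetical script path, created here for the demo
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho 'rule fired'\n")   # static parameters only; no event data is passed
    results = {}
    os.chmod(script, 0o750)
    results["script_ok"] = check_action_path(script, uid, gids, "execute")
    os.chmod(script, 0o777)
    results["script_world_writable"] = check_action_path(script, uid, gids, "execute")
    os.chmod(script, 0o640)
    results["script_not_exec"] = check_action_path(script, uid, gids, "execute")
    results["dir_ok"] = check_action_path(d, uid, gids, "write")
    results["missing"] = check_action_path(os.path.join(d, "missing"), uid, gids, "write")
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "->", found or "OK")
```

    Run it as the service account (`su - novell -c 'python3 preflight.py'`) against the real script and directory; a non-empty list for either path means the action will fail or is unsafe to enable.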


    JSON Overview

    JavaScript Object Notation (JSON)

    Lightweight data exchange format. An SLM event as JSON (the event shown on the slide):

    {
      "st": "I",
      "evt": "Start",
      "sev": "1",
      "sres": "Collector",
      "res": "CollectorManager",
      "rv99": "0",
      "rv1": "0",
      "repassetid": "0",
      "rv77": "0",
      "agent": "NovellSecureLogin",
      "obsassetid": "0",
      "vul": "0",
      "port": "NovellSecureLogin",
      "msg": "Processing started for Collector Novell SecureLogin (ID D892E9F0-3CA7-102B-B5A1-005056C00005).",
      "dt": "1224204655689",
      "id": "751D97B0-7E13-112B-B933-000C29E8CEDE",
      "src": "D892E9F0-3CA7-102B-B5A2-005056C00004"
    }

    http://www.json.org/


    Sending to Syslog

    Standard forwarding to a syslog server via UDP; UDP gives no delivery guarantee and no confidentiality, so forwarded events can be lost or read on the wire.

    Need the syslog server address and port number.

    The syslog server is set per rule and receives every event matched by that rule's filter.
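    What actually leaves the box when a rule forwards to syslog is a BSD-syslog (RFC 3164) datagram: `<PRI>TIMESTAMP HOSTNAME TAG: MSG`, where PRI = facility * 8 + severity. The example below builds one for an SLM event, carrying the event as compact JSON in MSG, and shows the receiver-side split of the PRI header. It is an added example, not SLM code: the Sentinel-to-syslog severity mapping, the local4 facility, the `slm01` hostname and the `sentinel` tag are this example's assumptions (the deck does not show SLM's own mapping), and `SAMPLE_EVENT` is a constructed event shaped like the JSON on the JSON Overview slide.

```python
"""Syslog forwarding of an SLM event over UDP (added example, not SLM code)."""
import json
import socket
import time

FACILITY_LOCAL4 = 20
# Sentinel severity 0..5 -> syslog severity (informational .. alert): an assumption of this example.
SEVERITY_MAP = {0: 6, 1: 5, 2: 4, 3: 4, 4: 2, 5: 1}
MAX_DATAGRAM = 1024  # RFC 3164 packet limit; longer packets are cut or dropped by receivers

# Constructed event, shaped like the one on the "JSON Overview" slide.
SAMPLE_EVENT = {
    "st": "I", "evt": "Start", "sev": "1", "sres": "Collector", "res": "CollectorManager",
    "msg": "Processing started for Collector Novell SecureLogin",
    "id": "751D97B0-7E13-112B-B933-000C29E8CEDE",
}


def format_syslog(event, hostname="slm01", tag="sentinel", facility=FACILITY_LOCAL4, when=None):
    """Return the syslog datagram (bytes) for one event; `when` is an epoch time for reproducible output."""
    severity = SEVERITY_MAP.get(int(event.get("sev", 0)), 6)
    pri = facility * 8 + severity
    t = time.localtime(when)
    # RFC 3164 timestamp: "Mmm dd hh:mm:ss" with a space-padded day, no year, no timezone.
    stamp = "%s %2d %s" % (time.strftime("%b", t), t.tm_mday, time.strftime("%H:%M:%S", t))
    body = json.dumps(event, separators=(",", ":"), sort_keys=True)
    line = "<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, body)
    return line.encode("utf-8")[:MAX_DATAGRAM]   # silently truncated, like a real receiver would


def parse_pri(datagram):
    """Receiver side: split the <PRI> header back into (facility, severity)."""
    head = datagram[:datagram.index(b">")]
    pri = int(head[1:])
    return pri // 8, pri % 8


def send_udp(datagram, server, port=514):
    """Fire-and-forget: UDP gives no delivery guarantee and no confidentiality or integrity."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(datagram, (server, port))
    finally:
        sock.close()


def loopback_roundtrip(event):
    """Stand up a throwaway receiver on 127.0.0.1, send one event to it, and return what arrived."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    rx.settimeout(2.0)
    try:
        send_udp(format_syslog(event, when=0), "127.0.0.1", rx.getsockname()[1])
        data, _ = rx.recvfrom(2048)
    finally:
        rx.close()
    return data


if __name__ == "__main__":
    got = loopback_roundtrip(SAMPLE_EVENT)
    print(got.decode())
    print("facility/severity:", parse_pri(got))
```

    The 1024-byte cap is the part to watch: an event with a long `msg` loses its tail, including the trailing JSON fields, so put the fields the receiver must have near the front or forward to a TLS-capable collector instead of raw UDP syslog.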


    Sending to E-mail

    An SMTP server or relay is needed.

    Care must be taken not to flood e-mail systems: the action fires for every matching event.

    The SMTP server and the send-to addresses are global settings shared by all rules.


    Configuring Sending an E-Mail


    Sending to Sentinel Link

    Can forward to another SLM, Sentinel RD or Sentinel. This is a very powerful capability:

    It allows the user to create a hierarchical topology of systems.

    Sentinel Link must be configured on both the sending SLM and the receiving SLM/RD/Sentinel server; HTTPS is recommended, since plain HTTP exposes the forwarded events and the link credentials on the wire.

    Forwarding modes:

    > Forward immediately

    > Scheduled forwarding

    > Queuing only


    Sending to Sentinel (cont'd)

    Comes with a built-in rule to forward to another Sentinel system.

    It filters out events with severity less than 4, and Audit (A), Performance (P) and Internal (I) events.

    The rule can be altered if needed.

    Best if you are forwarding a limited set of events that need real-time correlation and workflow to execute on Sentinel and be stored there.


    Configuring Sending to Sentinel Link



    Send SNMP Traps

    The SNMP Integrator is needed.

    An SNMP server IP address, port and community string (password) are required to configure it; in SNMPv1/v2c the community string travels in clear text, so treat it as a shared secret.

    An Object ID is required to associate the message with; Novell Audit's OID is used if none is specified.

    No MIBs, as we are just sending the event.

    The SNMP server applies to the filter operative on the rule.


    Rule

    Name

    Filter

    One or more actions
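    Putting the deck together in code: the JSON Overview slide shows the event shape, the built-in Sentinel Link rule filters on severity and event class, and this slide defines a rule as a name, a filter and one or more actions that run every time the filter is true. The example below is an added one, not SLM code or its rule engine. It parses JSON-lines events, runs two rules over them, and wraps the flood-prone action in a throttle to make the e-mail caveat concrete. The sample input is constructed: its first line is the event from the JSON Overview slide, the rest are made up, and ordinary (non A/P/I) events are represented by omitting the `st` field, because the deck does not show the class code SLM assigns them. `ThrottledAction`, the rule names, the file name and the `res` values on the made-up lines are this example's assumptions.

```python
"""Rules over SLM JSON events (added example, not SLM code): a rule is a name, a
filter and one or more actions, and every action runs each time the filter is true."""
import json
import os
import tempfile
import time

# Constructed JSON-lines input: line 1 is the event from the JSON Overview slide,
# the rest are made up; ordinary events carry no "st" class code here.
SAMPLE_JSON_LINES = """\
{"st":"I","evt":"Start","sev":"1","sres":"Collector","res":"CollectorManager","msg":"Processing started for Collector Novell SecureLogin","id":"751D97B0-7E13-112B-B933-000C29E8CEDE"}
{"evt":"Authentication failed","sev":"4","res":"User","msg":"Login failed for admin from 10.0.0.5","id":"c1"}
{"evt":"Authentication failed","sev":"4","res":"User","msg":"Login failed for admin from 10.0.0.5","id":"c2"}
{"st":"A","evt":"Rule modified","sev":"5","res":"Rule","msg":"Forwarding rule changed by admin","id":"c3"}
{"evt":"Service stopped","sev":"2","res":"Service","msg":"Print spooler stopped","id":"c4"}
this line is not JSON and must not stop the pipeline
"""


def parse_events(text):
    """Parse JSON-lines text into dicts; returns (events, bad_line_count). Bad lines are skipped."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except ValueError:
            bad += 1
    return events, bad


def built_in_forward_filter(ev):
    """The deck's built-in Sentinel Link rule: severity 4+, and not Audit (A), Performance (P) or Internal (I)."""
    return int(ev.get("sev", 0)) >= 4 and ev.get("st") not in ("A", "P", "I")


class Rule:
    def __init__(self, name, filt, actions):
        self.name, self.filt, self.actions = name, filt, list(actions)


class FileAction:
    """Send to File: append one JSON line per matching event."""
    def __init__(self, path):
        self.path = path

    def __call__(self, ev):
        with open(self.path, "a") as fh:
            fh.write(json.dumps(ev, separators=(",", ":")) + "\n")


class ThrottledAction:
    """Wrap a flood-prone action (e-mail, SNMP trap): at most `limit` firings per `window`
    seconds; the rest are counted in `suppressed` rather than sent. Example's own design."""
    def __init__(self, inner, limit, window, clock=time.monotonic):
        self.inner, self.limit, self.window, self.clock = inner, limit, window, clock
        self.stamps, self.suppressed = [], 0

    def __call__(self, ev):
        now = self.clock()
        self.stamps = [t for t in self.stamps if now - t < self.window]
        if len(self.stamps) >= self.limit:
            self.suppressed += 1
            return
        self.stamps.append(now)
        self.inner(ev)


def run_rules(rules, events):
    """Evaluate every rule against every event; returns hit counts per rule name."""
    hits = {r.name: 0 for r in rules}
    for ev in events:
        for rule in rules:
            if rule.filt(ev):
                hits[rule.name] += 1
                for action in rule.actions:   # performed every time the rule is true
                    action(ev)
    return hits


def demo():
    """Run two rules over the sample input and return what each action saw."""
    events, bad = parse_events(SAMPLE_JSON_LINES)
    queued, mailed = [], []                      # stand-ins for the Sentinel Link queue and e-mail
    mail = ThrottledAction(mailed.append, limit=1, window=60, clock=lambda: 0.0)
    outfile = os.path.join(tempfile.mkdtemp(), "collectormanager.log")   # hypothetical output file
    rules = [
        Rule("forward to Sentinel", built_in_forward_filter, [queued.append, mail]),
        Rule("collector manager internals to file",
             lambda ev: ev.get("st") == "I" and ev.get("res") == "CollectorManager",
             [FileAction(outfile)]),
    ]
    hits = run_rules(rules, events)
    with open(outfile) as fh:
        written = len(fh.read().splitlines())
    return {"parsed": len(events), "bad": bad, "hits": hits, "queued": len(queued),
            "mailed": len(mailed), "suppressed": mail.suppressed, "written": written}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The two identical failed-login events both match the forwarding rule and both reach the queue, but only the first produces a mail; the second is counted as suppressed. That is the behaviour to design in before attaching an e-mail or SNMP action to a filter that can match thousands of events a minute.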


    Creating a Rule


    Lab Exercise

    Configure a File Action

    Create a rule to send unsupported events, and collector manager events that are not from a Generic collector, to a file

    Set up Sentinel Link

    No encryption, just HTTP (lab only; HTTPS is the recommended configuration)

    Sentinel RD server: 192.168.3.X, port 1290