8/23/2019 SentinelLogManager Day2 2 Rules
Rules & Actions
Novell Inc. All rights reserved
Rules & Actions
Rules are used to:
Evaluate and filter incoming event data and trigger an action
The action is typically to deliver the selected events to specific output channels, but a rule can have more than one action:
> Send E-mail
> Forward to another Sentinel System like SLM or Sentinel
> Forward to Syslogs server
> SNMP Trap
> Trigger a local script to execute
> Write to a file
Performance considerations must be weighed before firing an action: an action is performed every time the rule is true
Executing a Script
The script must exist, and the novell account needs execute permission on it
Event data cannot be passed to the script as a parameter; only static parameters are supported
Send to File
Direct path mounted on local server
The directory must grant write permission to the novell account
JSON Overview
JavaScript Object Notation (JSON)
Lightweight data exchange format
{"st":"I","evt":"Start","sev":"1","sres":"Collector","res":"CollectorManager","rv99":"0","rv1":"0","repassetid":"0","rv77":"0","agent":"NovellSecureLogin","obsassetid":"0","vul":"0","port":"NovellSecureLogin","msg":"Processing started for CollectorNovell SecureLogin (ID D892E9F0-3CA7-102B-B5A1-005056C00005).","dt":"1224204655689","id":"751D97B0-7E13-112B-B933-000C29E8CEDE","src":"D892E9F0-3CA7-102B-B5A2-005056C00004"}
http://www.json.org/
Sending to Syslog
Standard forwarding to syslog via UDP
Requires a syslog server and port number
The syslog server setting applies to the entire filter criteria
Sending to E-mail
An SMTP server or relay is needed
Care must be taken not to flood e-mail systems
The SMTP server and send-to address settings apply to all rules
Configuring Sending an E-Mail
Sending to Sentinel Link
Can forward to another SLM, Sentinel RD or Sentinel
Very powerful capability
Allows the user to create a hierarchical topology of systems
Sentinel Link must be configured on the sending SLM and on the receiving SLM/RD/Sentinel servers
HTTPS recommended
Forward immediately
Scheduled forwarding
Queuing only
Sending to Sentinel (Contd.)
Comes with a built-in rule to forward to another Sentinel system
Filters out events with severity less than 4, and Audit (A), Performance (P) and Internal (I) events
The rule can be altered if needed
Best used to forward a limited set of events that need real-time correlation and workflow to execute on Sentinel and be stored there
Configuring Sending to Sentinel Link
Send SNMP Traps
SNMP Integrator needed
The SNMP server IP address, port and community string (password) are required for configuration
An Object ID is required to associate the message with; Novell Audit's OID is used if none is specified
No MIBs are needed, as we are just sending the event
The SNMP server setting applies to the filter operative on the rule
Rule
Name
Filter
One or more actions
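As an added example that is not part of the Novell course material, the Python sketch below models a rule as name + filter + actions, implements the filter of the built-in forward-to-Sentinel rule described earlier (severity below 4 and A/P/I source types dropped), and runs it over constructed events in the JSON shape shown on the JSON Overview slide. The event values and the "X" source type are assumptions, not SLM data.

```python
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed events in the SLM JSON shape shown above. Keys st, sev, evt, res and
# msg come from the slide; the values are made up, and "X" is a placeholder source
# type standing for an ordinary collector event (not Audit/Performance/Internal).
SAMPLE_EVENTS = [
    '{"st":"I","evt":"Start","sev":"1","res":"CollectorManager","msg":"Processing started"}',
    '{"st":"A","evt":"Audit","sev":"5","res":"Auth","msg":"Audit trail entry"}',
    '{"st":"X","evt":"Logon","sev":"3","res":"Auth","msg":"User logon"}',
    '{"st":"X","evt":"Logon","sev":"5","res":"Auth","msg":"Repeated logon failures"}',
]

@dataclass
class Rule:
    """A rule is a name, a filter and one or more actions."""
    name: str
    filter: Callable[[dict], bool]
    actions: List[Callable[[dict], None]] = field(default_factory=list)

    def evaluate(self, event: dict) -> bool:
        if not self.filter(event):
            return False
        for action in self.actions:  # every action runs each time the rule is true
            action(event)
        return True

def builtin_forward_filter(event: dict) -> bool:
    """Filter of the built-in forward-to-Sentinel rule as the slides describe it: drop
    severity below 4 and drop Audit (A), Performance (P) and Internal (I) events.
    'sev' arrives as a string in the JSON, so it is compared numerically."""
    return int(event.get("sev", "0")) >= 4 and event.get("st") not in ("A", "P", "I")

def write_to_file_action(path: str) -> Callable[[dict], None]:
    """Send-to-file action: appends one compact JSON line per matching event."""
    def action(event: dict) -> None:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(event, separators=(",", ":")) + "\n")
    return action

def run_rules(rules: List[Rule], raw_events: List[str]) -> Dict[str, int]:
    """Evaluate every rule against every event; returns how often each rule fired."""
    fired = {rule.name: 0 for rule in rules}
    for raw in raw_events:
        event = json.loads(raw)
        for rule in rules:
            if rule.evaluate(event):
                fired[rule.name] += 1
    return fired
```

Attach `write_to_file_action("/path/to/out.jsonl")` as a second action to see one rule drive more than one output, as the Rules & Actions slide describes.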
Creating a Rule
Lab Exercise
Configure File Action
Create a rule to send unsupported events and Collector Manager events that are not from a Generic Collector to a file
Set up Sentinel Link
No encryption, just http
Sentinel RD server: 192.168.3.X, Port 1290