Many Novell products send data to Sentinel by using a Platform Agent. Data is received by an Event Source Server called the Audit Server, which is packaged with Sentinel. The Audit Server is similar in many ways to a Syslog server.
The following sections describe the procedure to configure the Audit Server port to receive data and also to set the Audit Server options:
To specify the data collection settings for the Audit Server:
1. From Sentinel Main, click Collection > Event Source Servers.
2. In the Audit Server section, select the On or Off option to start or stop data collection for the Audit Server.
3. In the Audit Server section, specify the port on which the Sentinel server listens for messages from the event sources.
   For more information about setting the port, see Port Configuration and Port Forwarding for the Audit Server.
4. Set the appropriate Client authentication and Server key pairs settings.
   For more information about client authentication, see Client Authentication for the Audit Server.
   The Audit Server and all related Audit Connectors are automatically restarted if any changes are made here.
5. Select the Sentinel server behavior when the number of events received exceeds the buffer capacity.
   WARNING: If you select Drop oldest messages, there is no supported method to recover the dropped messages.
6. Select Idle Connection to disconnect event sources that have not sent data for a certain period of time.
   The event source connections are automatically re-created when they start sending data again.
7. Specify the number of minutes before an idle connection is disconnected.
8. (Optional) Select Event Signatures to receive a signature with each event.
   To receive a signature, the Platform Agent on the event source must be configured properly. For information on validating event signatures, see the Signing Events section in the Audit Platform Agent Guide.
9. (Optional) Click Reset to restore the previous settings.
10. Click Save to save the new settings.
    The Save button is disabled until a valid port is specified for the server.
These settings might affect data collection for several servers (for example, multiple eDirectory instances). However, they do not start or stop services on the event source computers. Changes on this page take effect immediately.
To view the health of the Audit Server and its event sources, see Managing Event Sources.
Administrators can change the settings for how Sentinel listens for data from the event source applications, set the port on which Sentinel listens, and select the type of authentication between the event source and Sentinel.
By default, Sentinel listens on port 1289 for messages from the server. When the port is changed, the system checks whether the specified port is valid and open.
Binding to ports lower than 1024 requires root privileges, so you should use a port higher than 1024. You can change the source devices to send data to a higher port or use port forwarding on the Sentinel server.
To change the Platform Agent to send data to a different port:
1. Log in to the event source computer.
2. Open the logevent file for editing. The file location depends on the operating system:
   Linux: /etc/logevent.conf
   Windows: C:\WINDOWS\logevent.cfg
   NetWare: SYS:\etc\logevent.cfg
   Solaris: /etc/logevent.conf
3. Set the LogEnginePort parameter to the desired port.
4. Save the file.
5. Restart the Platform Agent.
   The method varies by operating system and application. Restart the computer or refer to the application-specific documentation on the Documentation Web site for more instructions.
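Steps 2 through 4 above are easy to get wrong by hand (a typo in the key, a port in the privileged range, or a second LogEnginePort line that silently shadows the first). The following is an added example, not code from the Sentinel or Platform Agent documentation: a small POSIX sh helper that rewrites the LogEnginePort value in a copy of the file and refuses ports at or below 1024. It assumes logevent.conf uses one key=value setting per line; the sample file content is constructed for the demo, and the LogHost and LogCacheDir keys in it are placeholders, not documented settings.

```shell
#!/bin/sh
# Added example, not code from the Sentinel or Platform Agent documentation.
# Assumption: logevent.conf uses one key=value setting per line (LogEnginePort=1289).
# The sample file content below is constructed for this demo; on a real event
# source you would point the functions at /etc/logevent.conf after backing it up.

# Accept only an integer in the unprivileged range 1025-65535 (binding below
# 1024 needs root, which is why the documentation recommends a higher port).
valid_unprivileged_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1025 ] && [ "$1" -le 65535 ]
}

# set_logengine_port FILE PORT
# Rewrite the LogEnginePort line in place, or append one if the file has none.
# The anchored pattern (^LogEnginePort=) leaves comments and other keys alone.
set_logengine_port() {
    file=$1
    port=$2
    valid_unprivileged_port "$port" || {
        echo "refusing LogEnginePort '$port': must be 1025-65535" >&2
        return 1
    }
    tmp="$file.tmp.$$"
    awk -v p="$port" '
        /^LogEnginePort=/ { print "LogEnginePort=" p; seen = 1; next }
        { print }
        END { if (!seen) print "LogEnginePort=" p }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_logengine_port FILE
# Print the configured port, or nothing if the key is absent.
get_logengine_port() {
    sed -n 's/^LogEnginePort=//p' "$1" | tail -n 1
}

# Create a constructed sample file (placeholder keys) and print its path.
demo_conf() {
    f=${TMPDIR:-/tmp}/logevent.demo.$$
    printf 'LogHost=sentinel.example.internal\nLogEnginePort=1289\nLogCacheDir=/var/log/naudit\n' > "$f"
    echo "$f"
}

# Usage on a Linux or Solaris event source (Windows and NetWare paths differ):
#   set_logengine_port /etc/logevent.conf 11289 && get_logengine_port /etc/logevent.conf
```

After the change, restart the Platform Agent as described in step 5; the helper only edits the file.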
To configure port forwarding on the Sentinel server:
1. Log in to the Sentinel server operating system as root (or su to root).
2. Open the /etc/init.d/boot.local file for editing.
3. Add the following command at the end of the bootup process:
   iptables -A PREROUTING -t nat -p <protocol> --dport <incoming_port> -j DNAT --to-destination <IP>:<rerouted_port>
   Replace <protocol> with tcp or udp, <incoming_port> with the port on which the messages arrive, and <IP>:<rerouted_port> with the IP address of the local computer and an available port above 1024.
4. Save the changes.
5. Reboot the server. If you cannot reboot immediately, run the iptables command from Step 3 from a command line.
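A DNAT rule with a mistyped placeholder fails quietly: the Platform Agents keep sending to the old port and nothing arrives at Sentinel. The following is an added example, not part of the Sentinel documentation: a POSIX sh helper that checks each placeholder value from Step 3 and prints the resulting iptables command, plus a check based on iptables -C for confirming the rule is loaded after the reboot. The demo values (port 1289 forwarded to 11289 on 10.0.0.5) are constructed.

```shell
#!/bin/sh
# Added example, not from the Sentinel documentation: validate the pieces of the
# DNAT rule before it goes into /etc/init.d/boot.local. build_dnat_rule only
# prints the command; nothing here changes the live firewall.

# Integer in 1-65535?
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Four dotted-decimal octets, each 0-255? (IPv4 only; enough for a local
# Sentinel address such as the constructed 10.0.0.5 used below.)
is_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# build_dnat_rule PROTOCOL INCOMING_PORT IP REROUTED_PORT
# Prints the iptables command from the procedure above, refusing anything that
# would silently misroute traffic: a protocol other than tcp/udp, a malformed
# port or address, or a rerouted port in the privileged range (<= 1024), which
# would defeat the purpose of forwarding in the first place.
build_dnat_rule() {
    proto=$1 inport=$2 ip=$3 outport=$4
    case "$proto" in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    is_port "$inport" || { echo "bad incoming port '$inport'" >&2; return 1; }
    is_ipv4 "$ip" || { echo "bad IPv4 address '$ip'" >&2; return 1; }
    if ! is_port "$outport" || [ "$outport" -le 1024 ]; then
        echo "rerouted port must be 1025-65535, got '$outport'" >&2
        return 1
    fi
    printf 'iptables -A PREROUTING -t nat -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$proto" "$inport" "$ip" "$outport"
}

# dnat_rule_active PROTOCOL INCOMING_PORT IP REROUTED_PORT
# After the reboot (or after running the command by hand), confirm the rule is
# loaded. Uses iptables -C (check), so it needs root and a real iptables; it is
# not exercised by the constructed demo values.
dnat_rule_active() {
    iptables -t nat -C PREROUTING -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4" >/dev/null 2>&1
}

# Constructed demo: Platform Agents send to 1289, Sentinel listens on 11289.
build_dnat_rule tcp 1289 10.0.0.5 11289
```

Paste the printed line into boot.local, then use dnat_rule_active with the same four values after the reboot to verify that the rule is actually in the nat table.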
The event sources send their data over an SSL connection, and the Client authentication setting for the Sentinel server determines what kind of authentication is performed for the certificates from the Audit Server on the event sources.
Open: No authentication is required. Sentinel does not request, require, or validate a certificate from the Event Source.
Loose: The Event Source must present a well-formed X.509 certificate, but the certificate is not validated; it does not need to be signed by a certificate authority.
Strict: A valid X.509 certificate is required from the Event Source, and it must be signed by a trusted certificate authority. If the Event Source does not present a valid certificate, Sentinel does not accept its event data.
For strict authentication, you must have a trust store that contains the public certificate of the certificate authority (CA) that signed the event source certificate. After you have the CA certificate in DER or PEM format, you can create the trust store by using the TruststoreCreator utility that comes with Sentinel.
To create the trust store:
1. Log in to the Sentinel server as novell.
2. Go to /var/opt/novell/sentinel/data/updates/done.
3. Unzip the audit_connector.zip file:
   unzip audit_connector.zip
4. Copy TruststoreCreator.sh or TruststoreCreator.bat to the computer with the certificates, or copy the certificates to the computer with the TruststoreCreator utility.
5. Run the TruststoreCreator.sh utility:
   TruststoreCreator.sh -keystore /tmp/my.keystore -password password1 -certs /tmp/cert1.pem,/tmp/cert2.pem
   In this example, the TruststoreCreator utility creates a keystore file called my.keystore that contains two certificates (cert1.pem and cert2.pem). It is protected by the password password1.
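The practical difference between the Loose and Strict settings described above is worth seeing before a CA certificate goes into the trust store. The following is an added example, not Sentinel's code and not part of the TruststoreCreator utility: it uses the openssl command-line tool to generate throwaway certificates (the names sentinel-demo-ca, agent-good and agent-rogue are constructed for the demo) and applies the two checks to them. Loose amounts to "the certificate parses", Strict to "the certificate chains to a CA in the store". The strict_ok function also accepts an intermediate CA file, which goes beyond the page's single-CA example and mirrors the later note about importing the whole chain up to the root.

```shell
#!/bin/sh
# Added example, not Sentinel's code: show with openssl what the Loose and Strict
# client-authentication settings amount to, using throwaway certificates
# generated here (constructed test material, not real event source
# certificates). Requires the openssl command-line tool.

work=${TMPDIR:-/tmp}/audit-clientauth-demo.$$
mkdir -p "$work"

# Loose: the event source must hand over a well-formed X.509 certificate, but
# nobody checks who signed it, so parsing the certificate is the whole test.
loose_ok() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1
}

# Strict: the certificate must chain to a CA in the trust store (CA_FILE). If
# the issuing CA is itself signed by another CA, pass the intermediate
# certificate(s) as the optional third argument; that is the openssl equivalent
# of importing the whole chain up to the root CA.
#   strict_ok CERT CA_FILE [INTERMEDIATES]
strict_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# make_ca NAME: self-signed CA certificate $work/NAME.pem with key $work/NAME.key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$work/$1.key" -out "$work/$1.pem" >/dev/null 2>&1
}

# make_leaf NAME CA_NAME: certificate $work/NAME.pem signed by $work/CA_NAME.pem.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$work/$1.key" -out "$work/$1.csr" >/dev/null 2>&1 &&
    openssl x509 -req -days 1 -in "$work/$1.csr" \
        -CA "$work/$2.pem" -CAkey "$work/$2.key" -CAcreateserial \
        -out "$work/$1.pem" >/dev/null 2>&1
}

# Build three candidates and print how each setting would treat them:
#   agent-good   signed by the demo CA         -> loose accept, strict accept
#   agent-rogue  self-signed, not in the store -> loose accept, strict reject
#   garbage      not a certificate at all      -> loose reject, strict reject
demo() {
    make_ca sentinel-demo-ca
    make_leaf agent-good sentinel-demo-ca
    make_ca agent-rogue
    printf 'not a certificate\n' > "$work/garbage.pem"
    for name in agent-good agent-rogue garbage; do
        cert=$work/$name.pem
        if loose_ok "$cert"; then loose=accept; else loose=reject; fi
        if strict_ok "$cert" "$work/sentinel-demo-ca.pem"; then strict=accept; else strict=reject; fi
        printf '%-12s loose=%s strict=%s\n' "$name" "$loose" "$strict"
    done
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

The rogue certificate is the case Strict exists for: it is a perfectly well-formed certificate that Loose accepts without question. Only the CA certificate (sentinel-demo-ca.pem in the demo) belongs in the trust store handed to TruststoreCreator, not the individual agent certificates.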
For strict authentication, the administrator can import a certificate. This helps ensure that only authorized event sources are sending data to Sentinel. The trust store must include the public certificate of the certificate authority (CA) that signed the event source certificate.
The following procedure must be run on the machine that has the trust store on it. You can open a web browser on the machine with the trust store, or move the trust store to any machine with a web browser.
NOTE: If the CA is itself signed by another CA, you must import the chain of CA certificates up to the root CA.
To import the trust store:
1. From Sentinel Main, click Collection > Event Source Servers.
2. In the Audit Server section, select the Strict option under Client authentication.
3. Click Browse and browse to the trust store file (for example, my.keystore).
4. Specify the password for the trust store file.
5. Click Import.
6. (Optional) Click Details to see more information about the trust store.
7. (Optional) Click Reset to restore the previous settings.
8. Click Save.
After the trust store is imported successfully, you can click Details to see the certificates included in the trust store.
Sentinel is installed with a built-in certificate, which is used to authenticate the Sentinel server to the event sources. This certificate can be overridden with a certificate signed by a public certificate authority (CA).
To replace the built-in certificate:
1. From Sentinel Main, click Collection > Event Source Servers.
2. In the Audit Server section, under Server key pairs, select Custom.
3. Click Browse and browse to the trust store file.
4. Specify the password for the trust store file.
5. Click Import.
6. (Optional) If there is more than one public-private key pair in the file, select the desired key pair and click OK.
7. (Optional) Click Details to see more information about the server key pair.
8. (Optional) Click Reset to restore the previous settings.
9. Click Save.