18.1 Enabling Event Visualization in Sentinel

  1. Switch to the novell user:

    su novell

    Perform steps 2 and 3 only if the Java version is 292. To find the Java version at the OS level, run java -version at the command prompt.

  2. (Conditional) Set JAVA_HOME to the JDK bundled with Sentinel (export it so that the Elasticsearch scripts run in the following steps pick it up):

    export JAVA_HOME=/opt/novell/sentinel/jdk

  3. (Conditional) Add the Sentinel JDK location to the PATH:

    export PATH=$JAVA_HOME/bin:$PATH

  4. Generate a Certificate Authority (CA) for your cluster on the Sentinel node. Run the following command in the Elasticsearch home directory <sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch on the Sentinel node:

    ./bin/elasticsearch-certutil ca

    You are prompted for the file name and a password of the CA certificate. Here the default file name is elastic-stack-ca.p12.

  5. Generate the certificate and private key for the Elasticsearch node bundled with Sentinel. Run the following command in the Elasticsearch home directory <sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch on the Sentinel node:

    ./bin/elasticsearch-certutil cert --ca <CA certificate filename>.p12 --out config/certs/node-1.p12

    You are prompted to enter the password for your CA certificate. You are also prompted to create a password for the generated certificate.

  6. Add the following settings to the <sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch/config/elasticsearch.yml file on the Sentinel node:

    • xpack.security.transport.ssl.enabled: true

    • xpack.security.transport.ssl.keystore.path: certs/node-1.p12

    • xpack.security.transport.ssl.truststore.path: certs/node-1.p12

    • xpack.security.transport.ssl.verification_mode: certificate

  7. Store the passwords of the keystore and truststore certificate file generated above in the Elasticsearch keystore, rather than in elasticsearch.yml. Run the following commands in the Elasticsearch home directory <sentinel_installation_path>/opt/novell/sentinel/3rdparty/elasticsearch on the Sentinel node:

    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
    ./bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

  8. Log in to the Sentinel server as the novell user.

  9. Open the /etc/opt/novell/sentinel/config/configuration.properties file.

  10. (Conditional) If you are using Sentinel in High Availability (HA) mode, ensure that the sentinel.ha.cluster property is set to true for all the nodes on the cluster.

  11. Set the eventvisualization.traditionalstorage.enabled property to true.

  12. Refresh the user interface after a few minutes to view event visualizations.

    You should now see all the dashboards enabled in the My Sentinel user interface. Launch any dashboard, the Threat Hunting dashboard for example, and click Search. The dashboard displays all the events generated in the last 1 hour.

  13. (Optional) Event visualization dashboards display only the events processed after you enabled event visualization. To view existing events present in file-based storage, you must migrate data from file-based storage to Elasticsearch. For more information, see Section 35.0, Migrating Data to Elasticsearch.
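The file edits in steps 6, 10 and 11 are easy to get wrong by hand (a leftover xpack.security.transport.ssl.enabled: false line, a duplicated property). The following shell helpers, an added example and not part of the Sentinel documentation, make those edits idempotent and check the result before the services restart. The interactive certificate steps (4, 5 and 7) are deliberately left to elasticsearch-certutil and elasticsearch-keystore as documented. The script name enable-eventviz.sh and the ES_YML and SENTINEL_PROPS variable names are assumptions; the paths default to the ones named in the procedure and can be overridden through the environment, which is also how the helpers can be tried against copies of the files first.

```shell
#!/bin/sh
# Added example (not from the Sentinel documentation): idempotent helpers for
# the elasticsearch.yml and configuration.properties edits of steps 6, 10, 11.
# Defaults are the paths the procedure names; override via the environment.
ES_YML="${ES_YML:-/opt/novell/sentinel/3rdparty/elasticsearch/config/elasticsearch.yml}"
SENTINEL_PROPS="${SENTINEL_PROPS:-/etc/opt/novell/sentinel/config/configuration.properties}"

# Escape the dots in a setting name so grep and sed treat them literally.
esc_key() { printf '%s' "$1" | sed 's/\./\\./g'; }

# set_kv FILE SEP KEY VALUE: replace an existing "KEY<SEP>..." line, or append
# one when the key is absent. Rerunning never produces duplicate keys.
set_kv() {
  file="$1"; sep="$2"; key="$3"; value="$4"
  pat="^$(esc_key "$key")${sep}"
  if grep -q "$pat" "$file" 2>/dev/null; then
    # "|" is the sed delimiter because values may contain "/" (paths).
    sed -i "s|${pat}.*|${key}${sep}${value}|" "$file"
  else
    printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
  fi
}

# Step 6: the four transport TLS settings exactly as the procedure lists them.
configure_transport_tls() {
  set_kv "$ES_YML" ": " xpack.security.transport.ssl.enabled true
  set_kv "$ES_YML" ": " xpack.security.transport.ssl.keystore.path certs/node-1.p12
  set_kv "$ES_YML" ": " xpack.security.transport.ssl.truststore.path certs/node-1.p12
  set_kv "$ES_YML" ": " xpack.security.transport.ssl.verification_mode certificate
}

# Pre-restart check: succeeds only if every setting is present exactly once
# with the expected value, so a stale "enabled: false" line cannot survive.
verify_transport_tls() {
  file="${1:-$ES_YML}"
  for kv in \
    "xpack.security.transport.ssl.enabled: true" \
    "xpack.security.transport.ssl.keystore.path: certs/node-1.p12" \
    "xpack.security.transport.ssl.truststore.path: certs/node-1.p12" \
    "xpack.security.transport.ssl.verification_mode: certificate"; do
    key="${kv%%:*}"
    [ "$(grep -c "^$(esc_key "$key"): " "$file")" = 1 ] || return 1
    grep -q -F -x "$kv" "$file" || return 1
  done
}

# Steps 10 and 11: pass "ha" when Sentinel runs in High Availability mode.
enable_event_visualization() {
  if [ "${1:-}" = ha ]; then
    set_kv "$SENTINEL_PROPS" "=" sentinel.ha.cluster true
  fi
  set_kv "$SENTINEL_PROPS" "=" eventvisualization.traditionalstorage.enabled true
}

# Succeeds if step 11 has been applied (exact line match, no duplicates).
verify_event_visualization() {
  file="${1:-$SENTINEL_PROPS}"
  [ "$(grep -c '^eventvisualization\.traditionalstorage\.enabled=' "$file")" = 1 ] &&
    grep -q -F -x "eventvisualization.traditionalstorage.enabled=true" "$file"
}

# Usage (hypothetical script name): sh enable-eventviz.sh apply [ha]
# Run as the novell user (step 1) after the certificate steps are complete.
if [ "${1:-}" = apply ]; then
  configure_transport_tls
  enable_event_visualization "${2:-}"
  verify_transport_tls && verify_event_visualization && echo "configuration files updated"
fi
```

The keystore and truststore passwords are intentionally not written by this script: step 7 places them in the Elasticsearch keystore as xpack.security.transport.ssl.keystore.secure_password and xpack.security.transport.ssl.truststore.secure_password, which keeps them out of elasticsearch.yml. Note also that verification_mode: certificate, the value the procedure specifies, validates the peer certificate chain against the truststore but does not check the hostname in the certificate, so the CA generated in step 4 is what limits which nodes can join the transport layer.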

NOTE: Enabling or disabling event visualization generates an exception because it restarts the Sentinel indexing services. This exception is expected and can be ignored.