The Event Source Management (Live View) interface provides a set of tools to manage and monitor connections between Sentinel and the event sources that provide data to Sentinel. The graphical interface shows the current event sources and the software components that are processing data from that event source. Each component can be easily deployed to integrate the devices in the enterprise, and it can be monitored in real time within the Event Source Management interface. Some Connectors and Collectors must be configured in Event Source Management, such as the WMS connector for Windows, Database connectors, and SDEE connectors for Cisco devices.
NOTE: If you are using openSUSE 11.1, update your JRE to the latest version. Then use the Java Web Start (javaws) launcher command to launch Event Source Management.
You can perform the following tasks through the Event Source Management window:
Add or modify connections to event sources by using Configuration wizards.
View the real-time status of the connections to event sources.
Import or export configuration of event sources to or from the Live View.
View and configure Connectors and Collectors that are installed.
Import or export Connectors and Collectors from or to a centralized repository.
Monitor data flowing through the Collectors and Connectors.
Design, configure, and create the components of the event source hierarchy, and execute required actions by using these components.
From Sentinel Main, click Applications > Launch Control Center.
or
From Sentinel Main, click Collection > Advanced > Launch Control Center.
Log in to the Sentinel Control Center.
In the toolbar, click Event Source Management > Live View.
In the Event Source Management, you can view configuration data in different views:
The graphical view is the default view in Event Source Management. In the graphical view, you can view the status of a Collector and access the configuration settings of Collectors and Collector objects as a graph of connected nodes.
Figure 6-1 Graphical View
By default, the Health Monitor Display frame displays in the graphical view. The data can be displayed in several different layouts. The default layout in graph is the Hierarchic Left to Right layout. You can change between these layouts by selecting the layout format from the drop-down list in the toolbar.
HINT: Click in the graphical ESM view and use the “+” or “-” sign to zoom in or zoom out, or use the mouse wheel to zoom in and zoom out.
In the graphical view, the lines connecting the components are color-coded to indicate data flow.
Green Line: Indicates that data is flowing between the components.
Grey Line: Indicates that the connection is not live and there is no data flow.
Blue dashed Line: Indicates the logical relation of Event Source Servers to their associated Collector Managers and event sources.
To improve the manageability and performance of the graphical display, Sentinel automatically collapses any node with 20 or more immediate child nodes. This is especially useful for Connectors such as Syslog or Novell Audit that have the ability to automatically configure a large number of event sources.
In collapsed state, a node displays the number of immediate child nodes, such as WMI Connector (3) [Collector name (Number of immediate children)]. The Children panel of a collapsed node shows the immediate children of that node, each of which can be managed in the same way as nodes in the tabular ESM view.
NOTE: Event Source Server nodes do not have the plus or minus sign after their names even if they contain child nodes.
The parent node can take several minutes to expand if it has a large enough number of child nodes to potentially cause the user interface to become unresponsive.
The components visible in the graphical view of ESM can also be viewed in a table. You can view the status of a Collector in the table and access the configuration settings of Collectors and Collector related objects.
Figure 6-2 Event Source Management Table View
The columns in the ESM table view are as follows:
Configured Status: The On state the object is configured to be in. This is the state that is stored in the database, which does not necessarily match the actual On state of the object. For example, the two states do not match if a parent object is turned off or if there is an error.
Actual Status: The On state of the object as reported by the actual running Collector Manager.
Connection Info (populated for Event Sources only): A text description of the event source connection.
Error: A text description of an error that occurred in the running object.
HINT: Use the Table and Graph tabs to change to tabular and graphical views.
ESM displays the information on the Collectors and other components in a hierarchy specific to ESM.
Table 6-1 Components of the ESM Hierarchy
Sentinel: The single Sentinel icon represents the main Sentinel Server that manages all events collected by the Sentinel system. The Sentinel object is installed automatically through the Sentinel installer.
Collector Manager or the Sentinel Server: The Collector Manager display name in the ESM is Sentinel Server. Each icon represents another instance of a Collector Manager process. Multiple Collector Manager processes can be installed throughout the enterprise. As each Collector Manager process connects to Sentinel, the objects are automatically created in ESM.
Collector: Collectors instantiate the parsing logic for data from a particular event source. Each Collector icon in ESM refers to a deployed Collector script as well as the runtime configuration of a set of parameters for that Collector.
Connector: Connectors are used to provide the protocol-level communication with an event source, using industry standards like Syslog, JDBC, and so forth. Each instance of a Connector icon in ESM represents the Connector code as well as the runtime configuration of that code.
Event Source Server: An Event Source Server (ESS) is considered part of a Connector, and is used when the data connection with an event source is inbound rather than outbound. The ESS represents the daemon or server that listens for these inbound connections. The ESS caches the received data, and one or more Connectors connect to the ESS to retrieve a set of data for processing. The Connector requests only the data from its configured event source (defined in the metadata for the event source) that matches additional filters.
Event Source: The event source represents the actual source of data for Sentinel. Unlike other components, this is not a plug-in, but is a container for metadata, including runtime configuration about the event source. In some cases a single event source can represent many real sources of event data, such as if multiple devices are writing to a single file.
Indicators are used to represent various states as follows:
Table 6-2 Component Status Indicators
Stopped: Indicates that the component is stopped.
Running: Indicates that the component is running.
Warning: Indicates that a warning is associated with the component. At this time, this warning indicator is primarily used to show when the configured state and actual state of a component differ. (That is, a component is configured to be running, but the actual state of the component is stopped.)
Error: Indicates that an error is associated with the component. See the individual component’s status display for details about the error.
Reporter Time is Skewed: Indicates when the time of a component differs from the main server’s time. (The difference is greater than a predefined time threshold.)
Debug: Indicates that the component is in Debug mode. Only a Collector can be in Debug mode.
Unknown: Indicates that the status of the object in the ESM panel is not yet known.
The Health Monitor Display View provides a set of right-click menus that helps you execute a set of actions, as described below:
The right-click actions available depend on the object you click.
Status Details: View all information known about the status of the selected object.
Start: Run an object.
The selected object starts only after the parent node starts and is running.
Stop: Stops the running object.
Edit: Modifies the editable information (Filter information, Object name and so on).
Debug: Debugs the Collector. You must stop the running Collector before you debug it.
Move: Moves the selected object from its current parent object to another parent object. You can move objects from a Live View to the scratch pad and vice versa.
Clone: Creates a new object that has its configuration information pre-populated with the settings of the currently selected object. This allows you to quickly create a large number of similar event sources without retyping the same information over and over again. You can clone objects from Live View to the scratch pad and vice versa. Cloning an object copies all the settings except the Run status. New objects created using the Clone command are always in the Stopped state after creation.
Remove: Deletes a selected object from the system.
Contract: Collapses the child nodes into this node. This option is only available on parent nodes that are currently expanded.
Expand: Expands the child nodes of this node. This option is only available on parent nodes that are currently collapsed.
Add Collector: Opens an Add Collector Wizard that guides you through the process of adding a Collector to the selected Collector Manager.
Add Connector: Opens an Add Connector Wizard that guides you through the process of adding a Connector to the selected Collector.
Add Event Source: Opens an Add Event Source Wizard that guides you through the process of adding an event source to the selected Connector.
Open Raw Data Tap: Lets you view the live stream of raw data from an event source or flowing through the selected object.
Zoom: In the graphical view, zoom in on the selected object.
Show in Tabular/Graphical View: Lets you switch between the graphical view and the tabular view and automatically selects the object that is selected in the current view. When switching to the graphical view, it also zooms in on the selected object.
Raw Data Filter: Filters the raw data flowing through the selected node. The raw data filter is available on Collectors, Connectors, and event sources. If a filter specifies to drop data, the data to be dropped is not passed to the parent node and is not converted into events.
Import Configuration: Imports the configuration of ESM objects.
Export Configuration: Exports the configuration of ESM objects.
Add Event Source Server: Adds an Event Source Server to the selected Collector Manager.
Add Collector Manager: In Scratch pad mode, you can add a Collector Manager to the scratch pad by using this option. In the Live view, Collector Manager objects are created automatically as each Collector Manager connects to the Sentinel system.
When you select multiple objects in the ESM panel and right-click, the following options are available:
Start: Starts all objects
Stop: Stops all objects
Remove selected objects: Removes the selected objects along with their children.
You can use the Attribute Filter panel to search for event sources.
Access Event Source Management.
For more information, see Accessing Event Source Management.
In the Attribute Filter panel, use the following information to display objects you want:
Search: Specify the name of the objects you want displayed.
Limit to: Select the types of objects to display.
Status: Select the status of the objects to display.
As you define each filter, the display is automatically updated.
Although some Sentinel components are preinstalled with the Sentinel system, you should also check the Sentinel Plug-ins Web site to download the latest versions of the plug-ins.
Access Event Source Management.
For more information, see Accessing Event Source Management.
In the toolbar, click Tools > Import plug-in.
Select Import Collector Script or Connector plug-in package file (.zip, .clz, .cnz).
Click Next.
Click Browse.
Browse to and select the Connector plug-in package file, then click Open.
Click Next.
(Conditional) If the Connector already exists in the plug-in repository, select to replace the existing plug-in with the new plug-in by clicking Next.
(Conditional) In the plug-in details window, select Deployed Plug-ins to deploy the plug-in from this window.
Click Finish.
When you add a plug-in to Sentinel, it is placed in the plug-in repository, which enables Sentinel components on other machines to start using the plug-in without adding the plug-in separately.
Access Event Source Management.
For more information, see Accessing Event Source Management.
In the toolbar, click Tools > Import plug-in.
Select Import Collector Script or Connector plug-in package file (.zip, .clz, .cnz).
or
Select Import Collector Script from directory.
Click Next.
Click Browse.
Browse to and select the Collector script from a file or directory, then click Open.
Click Next to display the plug-in details window.
Select Deploy Plug-in to deploy the plug-in from this window.
Click Finish.
If a new version of a Connector or Collector is released, you can update the Sentinel system and any deployed instances of the Connector or Collector.
Access Event Source Management.
For more information, see Accessing Event Source Management.
In the toolbar, click Tools > Import plug-in.
Select Import Collector Script or Connector plug-in package file (.zip, .clz, .cnz).
or
Select Import Collector Script from directory.
Click Next.
Click Browse.
Browse to and select the Connector or Collector plug-in package file, then click Open.
Click Next.
Click Next to update an already-imported Connector or Collector.
In the plug-in details window, select Update Deployed Plug-ins to update any currently deployed plug-ins that use this Connector or Collector.
Click Finish.
When you add a plug-in to Sentinel, it is placed in the plug-in repository, which enables Sentinel components on other machines to start using the plug-in without adding the plug-in separately.
After the plug-ins are installed in the Event Source Management, you must add the different components to your Sentinel solution.
Access Event Source Management.
For more information, see Accessing Event Source Management.
In the main ESM display, locate the Collector Manager where the Collector will be associated.
Right-click the Collector Manager, then select Add Collector.
Follow the prompts in the Add Collector Wizard.
These prompts are unique for each Collector. For details, see the specific Collector documentation at the Sentinel Plug-ins Web page.
Click Finish.
The Collector Script enables the ESM panel to prompt you for parameter values and enables Event Source Management to automatically select supported connection methods that work well with the Collector script.
Access Event Source Management.
For more information, see Accessing Event Source Management.
In the main ESM display, locate the Collector where the new Connector will be associated.
Right-click the Collector, then select Add Connector.
Follow the prompts in the Add Connector Wizard.
These prompts are unique for each Connector. For details, see the specific Connector documentation at the Sentinel Plug-ins Web page.
Click Finish.
Access Event Source Management.
For more information, see Accessing Event Source Management.
In the main ESM display, locate the Connector where the new event source will be associated.
Right-click the Connector, then select Add Event Source.
These prompts are unique for each event source that is associated with the Connector. For details, see the specific Connector documentation at the Sentinel Plug-ins Web page.
Follow the prompts in the Add Event Source Wizard.
Click Finish.
Certain event source Connectors (such as the Syslog Connector) require a process to collect data from the actual data source. These processes are called Event Source Servers. They collect data from the data source and then serve it to the event source Connector. Event Source Servers must be added and associated to any event source Connectors that require a server.
Access Event Source Management.
For more information, see Accessing Event Source Management.
Right-click the Collector Manager, then select Add Event Source Server.
Select a Connector that supports your device, then click Next.
If you do not have any Connectors in the list that support your device, click Install More Connectors. For more information on installing a Connector plug-in, see Installing a Collector Plug-In.
Configure the various parameters for the server that is associated with the selected Connector (for example, the Syslog Connector or the NAudit Connector).
These parameters are unique for each Connector. For details, see the specific Connector documentation at the Sentinel Plug-ins Web page.
Click Next.
Specify a name for the Event Source Server.
(Optional) If you want this server to run, select Run.
Click Finish.
In the Health Monitor Display frame, the Event Source Server is displayed with a dashed line showing which Collector Manager it is associated with.
This Add Event Source Server Wizard can also be initiated from within the Add Connector Wizard if a compatible Event Source Server has not yet been added.
There are many different ways to add an event source. The following procedures walk you through the process.
Make sure you have the following prerequisites:
Collector Script: Collector scripts can be downloaded from the Sentinel Plug-ins Web site or built with the Collector Builder.
Connector: Connectors can be downloaded from the Sentinel Plug-ins Web site. There are also some Connectors included in the installed Sentinel system, but there might be more recent versions on the Web site.
Documentation: Check the documentation for each Connector and Collector, because they have different configuration steps for the event source. The documentation is located on the Sentinel Plug-ins Web site. Make sure you download the documentation when you download the Connector and Collector.
Event Source Configuration: You must have configuration information for the event source.
Access Event Source Management.
For more information, see Accessing Event Source Management.
In the toolbar, click Tools > Connect to Event Source.
The event source types for the compatible Collector parsing scripts are listed here.
Select the desired Event Source.
You can click Add More to import an event source not listed.
After the event source is selected, click Next.
Select a Collector script from the list.
You can click Install More Scripts to install additional Collector scripts that support your Event Source.
For more information on installing a Collector script, see Installing a Collector Plug-In.
Click Next.
Select a connection method from the list.
There are many different types of Connectors. Depending on the type of Connector you select, there are additional configuration screens.
You can click Install More Connectors to install additional Connectors.
For more information, see Installing a Connector Plug-In to install connectors.
Click Next.
Use the following information to select how to manage the event source connection, then proceed to Step 10.
Based on the existing Collectors and Connectors in your system that are compatible with your new event source, one or more of these options might be unavailable.
Use the following information to configure the event source:
Name: Specify a unique name for the event source.
Run: Select Run if you want the event source to run automatically.
Details: Allows you to see the details of the plug-in.
Alert if no data received in specified time period: Select this option to receive notifications if no data is received during the specified time period.
Limit Data Rate: Use this option to limit the maximum number of records the Connector receives per second.
Number of Threads: (Optional) Specify the number of CPU threads to use to process data. Using multiple threads allows the collector to process more events per second.
You can view the actual number of threads the collector is using in the Health statistics in the Sentinel Main interface.
Trust Event Source Time: (Optional) Select this option to set the event time to the time the event occurred, rather than the time Sentinel received the data.
You can also set this option while configuring an event source. If the Trust Event Source Time option is selected, all data flowing through the Collector has the event time set to the time the event occurred, even if the event sources do not have this option selected.
Set Filters: Allows you to set filters on the data in the event source.
Click Next.
Click Test Connection to test the event source.
Click the Data tab to view the data in the event source.
It takes a few seconds for the raw data to be displayed in the Data tab.
Specify the maximum number of rows to control the number of raw data records obtained at one time.
Click the Error tab to view if there are any errors in the configuration of the event source.
Click Stop to stop the test.
Click Finish.
The Collector parsing script is executed on the same system as the Collector Manager that you select here.
Use the following information to create a new Collector and Connector to manage the event source connection. This procedure is a continuation of Step 9.
Select Create a new Collector and Connector, then click Next.
Select the Collector Manager you want to use, then click Next.
Change any of the Collector properties, then click Next.
Use the following information to configure the Collector:
Name: Specify a unique name for the Collector.
Run: Select Run if you want to run the Collector automatically.
Details: Allows you to view the details of the plug-in.
Alert if no data received in specified time period: Select this option to receive notifications if no data is received during the specified time period.
Limit Data Rate: Use this option to limit the maximum number of records the Collector receives per second.
Trust Event Source Time: (Optional) Select this option to set the event time to the time the event occurred, rather than the time Sentinel received the data.
You can also set this option while configuring an event source. If the Trust Event Source Time option is selected, all data flowing through the Collector has the event time set to the time the event occurred, even if the event sources do not have this option selected.
Set Filters: Allows you to set filters on the data in the Collector.
Click Next.
There is a different configuration page displayed depending on the type of Connector you selected in Step 7. For the Connector-specific documentation, see the Sentinel Plug-ins Web site.
Use the following information to configure the Connector:
Name: Specify a unique name for the Connector.
Run: Select Run if you want to run the Connector automatically.
Details: Allows you to view the details of the plug-in.
Alert if no data received in specified time period: Select this option to receive notifications if no data is received during the specified time period.
Limit Data Rate: You can limit the maximum number of records the Connector receives per second.
Set Filters: Allows you to set filters on the data in the Connector.
Copy Raw Data to a file: Select this option, then specify a location where you want to copy the raw data coming from the event source.
Click Next, then continue with Step 10.
If you are using an existing Collector, but want to create a new Connector to manage the Event Source connection, use the following information to complete the procedure from Step 9.
Select Use an Existing Collector, then click Next.
Select the Collector you want to use, then click Next.
There is a different configuration page displayed depending on the type of Connector you selected in Step 7. For the Connector-specific documentation, see the Sentinel Plug-ins Web site.
Use the following information to configure the Connector:
Name: Specify a unique name for the Connector.
Run: Select Run if you want to run the Connector automatically.
Details: Allows you to view the details of the plug-in.
Alert if no data received in specified time period: Select this option to receive notifications if no data is received during the specified time period.
Limit Data Rate: Use this option to limit the maximum number of records the Connector receives per second.
Set Filters: Allows you to set filters on the data in the Connector.
Copy Raw Data to a file: Select this option, then specify a location where you want to copy the raw data coming from the event source.
Click Next, then continue with Step 10.
If you are using an existing Connector, but want to create a new Collector to manage the event source connection, use the following information to continue the procedure from Step 9.
Select Use an Existing Connector, then click Next.
Select the Collector Manager you want to use, then click Next.
Change any of the Collector properties, then click Next.
Use the following information to configure the Collector:
Name: Specify a unique name for the Collector.
Run: Select Run if you want to run the Collector automatically.
Details: Allows you to view the details of the plug-in.
Alert if no data received in specified time period: Select this option to receive notifications if no data is received during the specified time period.
Limit Data Rate: Use this option to limit the maximum number of records the Collector receives per second.
Trust Event Source Time: (Optional) Select this option to set the event time to the time the event occurred, rather than the time Sentinel received the data.
You can also set this option while configuring an event source. If the Trust Event Source Time option is selected, all data flowing through the Collector has the event time set to the time the event occurred, even if the event sources do not have this option selected.
Set Filters: Allows you to set filters on the data in the Collector.
Click Next, then continue with Step 10.
Event Source Management allows you to export the configuration of Event Source Management objects along with the associated Collector scripts and the Connector plug-ins. You can export the configuration at the Sentinel level or at the level of individual objects such as a Collector Manager, Collector, or Connector. However, exporting the configuration at the Collector Manager level allows you to easily import the configuration to an individual Collector Manager.
Access Event Source Management.
For more information, see Accessing Event Source Management.
Right-click the Collector Manager, then click Export Configuration.
Select which nodes you want to export, then click Next.
Select the Collector scripts to export, then click Next.
Select the Connector plug-ins to export, then click Next.
Click Browse, then browse to a location to save the export.
Specify a file name, then click Save.
The export information is saved as a .zip file.
Click Next.
Review the items to be exported, then click Finish.
Event Source Management allows you to import the configuration files that you export. The configuration files contain configuration information for Event Source Management objects along with the associated Collector scripts and Connector plug-ins.
Access Event Source Management.
For more information, see Accessing Event Source Management.
Right-click the Collector Manager, then click Import Configuration.
Click Browse and browse to and select the configuration file, then click Open.
The configuration files are .zip files.
Click Next.
Select the nodes to import, then click Next.
Select the Collector scripts to import, then click Next.
Select the Connector plug-ins to import, then click Next.
Review the items to import, then click Finish.
Sentinel's Collectors are designed to be easily customizable and to be created by customers and partners. The debugging interface analyzes the Collector code running in place on the Collector Manager.
For more information on customizing or creating new Collectors, obtain the Developer's Kit for Sentinel at the Sentinel SDK Web site.
Collectors are simple text scripts that are run by a Collector Manager. The handling of these scripts is a bit complex:
The code for all Collectors is stored in a plug-in repository on the central Sentinel server when the Collectors are imported.
Location: sentinel/data/plugin_repository on the Sentinel server.
The runtime configuration for the Collector (when it is configured to run on a particular Collector Manager) is stored separately in the Sentinel database.
When a Collector is actually started in the Collector Manager, the Collector plug-in is deployed to the Collector Manager, the runtime configuration is applied, and the code is started. Any pre-existing instance of the Collector code on that Collector Manager is overwritten.
Location: sentinel/data/collector_mgr.cache/collector_instances on each Collector Manager.
In order to edit a Collector, you need to use the ESM Debugger Download button, which copies the Collector to the local Collector workspace on the client machine (the machine where you are running Sentinel Control Center). Edits are made against that local copy and then uploaded back into the central plug-in repository.
Location: sentinel/data/collector_workspace on the client application machine.
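Because Collectors are plain text scripts that are pushed from the central repository to a Collector Manager and overwrite the instance there on every start, a change made in the repository reaches every deployment of that Collector. The following added example (not part of the Sentinel product or its documentation) records a SHA-256 baseline of one of the directories listed above and reports files that were added, removed, or changed since the baseline was taken. The install root, the manifest file name, and the command-line interface are assumptions of this example.

```python
"""Baseline and verify the contents of a Sentinel plug-in directory (added example)."""
import hashlib
import json
import os
import sys

# Directories named in the text above, relative to the Sentinel install root.
PLUGIN_REPOSITORY = "sentinel/data/plugin_repository"
COLLECTOR_INSTANCES = "sentinel/data/collector_mgr.cache/collector_instances"


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large plug-in packages are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (as a relative path) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            # Symlinks are skipped on purpose: a script replaced by a link
            # then shows up as "removed" instead of hashing the link target.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Return the paths that were added, removed, or changed since the baseline."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def main(argv):
    # Usage (interface is an assumption of this example):
    #   check.py baseline <directory> <manifest.json>
    #   check.py verify   <directory> <manifest.json>
    if len(argv) != 4 or argv[1] not in ("baseline", "verify"):
        print("usage: baseline|verify <directory> <manifest.json>", file=sys.stderr)
        return 2
    mode, root, manifest_path = argv[1], argv[2], argv[3]
    current = build_manifest(root)
    if mode == "baseline":
        save_manifest(current, manifest_path)
        return 0
    drift = diff_manifests(load_manifest(manifest_path), current)
    for kind in ("added", "removed", "changed"):
        for rel in drift[kind]:
            print(f"{kind}: {rel}")
    return 1 if any(drift.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Take a new baseline after each authorized import or upload, and keep the manifest somewhere the Sentinel service account cannot write to.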
The debugger for JavaScript Collectors can be used to debug any JavaScript Collector.
Access Event Source Management.
For more information, see Accessing Event Source Management.
Select a Collector to debug in the Live View.
Select the debug mode:
Live Mode: Requires that the Collector Manager is currently running. For more information, see Live Mode.
Stand-alone Mode: Allows you to run the Collector in debug mode without a Collector Manager running. For more information, see Stand-alone Mode.
Right-click the Collector and select Stop, then click Debug.
The following describes how to use the JavaScript debug window:
Debug: Launches the JavaScript file in this window.
Upload/Download: Upload or download a JavaScript file here. You can download an existing JavaScript file, edit it, and upload it again to continue debugging.
Context: Displays the variable that the debugger is pointing to and its value.
Expression: Watch the values of a selected parameter here.
You can use the following options when debugging a Collector:
Run: Starts debugging.
Pause: Pauses debugging.
Step Into: Steps to the next line in the script.
Step Over: Steps over a function.
Step Out: Steps out of a function.
Stop: Stops debugging.
When the source code window has the focus in the debugger, you can use the following hot keys:
Ctrl+F to find a string in the source code
Ctrl+G to go to a line number
Ctrl+M to find the parenthesis or brace that matches the selected parenthesis or brace
You can also open a script file, set breakpoints, step through the script code, and watch variable and method values at each step.
Live debug mode requires that the Collector Manager associated with the Collector is running.
In Live debug mode, input to the script comes from actual event sources connected to the Collector. To get data from a specific event source, you must right-click and start the desired event source via the Event Source Management display. Starting or stopping event sources can be done any time during the debug session.
If no event source is started during the debug session, no data is available in the buffer for the Collector and you see the Collector script’s readData method blocking.
In Live debug mode, output from the script is via live Sentinel Events.
When you are in Live debug mode, the script engine is executed on the local computer rather than the actual computer that the associated Collector Manager is running on. The Connectors and event sources still run on the same box as the Collector Manager. When you are running debug mode, data is automatically routed from the event sources to the script engine running in debug on the local box.
Stand-alone debug mode allows you to debug a Collector even if the associated Collector Manager is not running.
For stand-alone mode, input to the script comes from an input file rather than a live event source. Specify the path to a raw data file that is used as input. For Collectors that use a DB Connector, the input file is a text file with log data in nvp format and for a Collector that uses the File Connector, the input file is a text file with log data in CSV format.
For stand-alone mode, output from the script is to an output file rather than to live events. You must specify the path to the output file that the script uses for output. If you specify an output file that does not exist, the system creates the file for you.
To debug in Stand-alone mode:
In Event Source Management, right-click the Collector to debug.
Select Stop.
Select Debug.
Select Stand-alone Mode, then specify a path for the input and output files.
If you specify an output file that does not exist, the system creates the file for you.
Click OK to display the Debug Collector window.
In the Debug Collector window, click Run.
In the Source text area, the source code of the Collector appears and stops at the first line of the text script.
Click the left side bar to toggle a breakpoint in the script code.
Click Step Into to go to the next breakpoint.
Click Pause to pause debugging whenever you want.
After debugging is complete, click Stop to stop debugging.
Click the Upload/Download tab in the debugger window.
Click Download, then specify a location to download the script file.
Open the file with any JavaScript editor, then make your edits.
Save the file, then click Upload.
Debug the uploaded script to have a Collector Script ready to use.
Occasionally when debugging, it might be helpful to view Connector output data. In addition to the Raw Data Tap right-click option for nodes in the Sentinel Control Center, Sentinel also includes an option to save the raw data from a Connector to a file for further analysis.
To save raw data from a deployed Connector to a file:
Access Event Source Management.
For more information, see Accessing Event Source Management.
Right-click the Connector node, then click Edit.
Click the Configure Connector tab.
Select Copy Raw Data to a file.
Specify (or browse to and select) a path on the Collector Manager machine where the raw data is saved.
IMPORTANT: The account running the Sentinel service on the Collector Manager machine must have permissions to write to the file location.
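The following added example (not part of the Sentinel product or its documentation) checks a directory chosen for Copy Raw Data to a file on a Linux Collector Manager: it confirms from the permission bits that the service account can create files there, and flags directories that other local accounts can write to or read, since the copy holds unparsed data from the event source. The account name is supplied by the caller, the command-line interface is an assumption, and POSIX ACLs are not evaluated.

```python
"""Audit the target directory of 'Copy Raw Data to a file' (added example)."""
import os
import stat
import sys


def ids_for_user(name):
    """Resolve a local account name to (uid, set of gids). Unix only."""
    import pwd  # imported here so the module still loads on non-Unix hosts

    entry = pwd.getpwnam(name)
    return entry.pw_uid, set(os.getgrouplist(name, entry.pw_gid))


def audit_raw_data_dir(path, uid, gids):
    """Return a list of findings for the directory that will hold the raw data file.

    uid and gids are the numeric IDs of the account running the Sentinel
    service. Only the classic owner/group/other mode bits are evaluated.
    """
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["not-a-directory"]
    mode = stat.S_IMODE(st.st_mode)

    # Pick the permission class that applies to the service account.
    if st.st_uid == uid:
        bits = (mode >> 6) & 0o7
    elif st.st_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7

    findings = []
    # Creating a file needs both write (2) and search (1) on the directory.
    if bits & 0o3 != 0o3:
        findings.append("service-account-cannot-write")
    # Any local account could replace or add files next to the raw data copy.
    if mode & 0o002:
        findings.append("world-writable")
    # Any local account could list or open the raw, unparsed event data.
    if mode & 0o005:
        findings.append("readable-by-others")
    return findings


def main(argv):
    # Usage (interface is an assumption of this example):
    #   audit.py <directory> <service-account-name>
    if len(argv) != 3:
        print("usage: <directory> <service-account-name>", file=sys.stderr)
        return 2
    uid, gids = ids_for_user(argv[2])
    findings = audit_raw_data_dir(argv[1], uid, gids)
    for finding in findings:
        print(f"{argv[1]}: {finding}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```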
If the help does not launch, there is a cache file on the local machine that is running the Event Source Management that must be deleted.
Exit Event Source Management and the Sentinel Control Center.
On the local machine running Event Source Management, search for the .novell directory.
Delete the sentinel subdirectory in the .novell directory.
Launch Event Source Management, then click Help.
For more information, see Accessing Event Source Management.