Sentinel continuously manages security information and events across your IT environment to provide a complete monitoring solution.
Sentinel does the following:
Gathers logs, events, and security information from the various sources in your IT environment.
Normalizes the collected logs, events, and security information into a standard Sentinel format.
Stores events in a file-based data storage with flexible, customizable data retention policies.
Collects IP Flow data and helps you monitor network activities in detail.
Provides the ability to hierarchically link multiple Sentinel systems, including Sentinel Log Manager.
Allows you to search for events on your local Sentinel server, and also on other Sentinel servers distributed across the globe.
Performs statistical analysis that lets you define a baseline of normal activity and compares current activity against it, to surface problems that would otherwise go unnoticed.
Correlates similar or related events that occur within a specified time window to identify a pattern.
Organizes events into incidents for efficient response management and tracking.
Provides reports based on real-time and historical events.
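As an added illustration (not Sentinel's own code, schema, or data), the following Python sketch walks through two of the steps listed above: normalizing raw lines from two constructed log formats into one common event schema, then correlating failed authentications from the same source address within a fixed time window. The field names, the sshd and key=value formats, the sample lines, and the threshold are all assumptions chosen for the example.

```python
"""Illustrative event normalization and time-window correlation.

Added example, not Sentinel's own code. It shows two steps from the list
above: mapping raw logs from different sources into one schema, then
correlating failed logins per source address within a fixed time window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input: an sshd syslog format and a key=value VPN format.
RAW_EVENTS = [
    "2024-03-01T10:00:01Z sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "ts=2024-03-01T10:00:03Z app=vpn action=login result=failure user=root src=203.0.113.7",
    "2024-03-01T10:00:05Z sshd[2201]: Failed password for admin from 203.0.113.7 port 50123 ssh2",
    "2024-03-01T10:00:09Z sshd[2201]: Accepted password for alice from 198.51.100.4 port 41000 ssh2",
    "2024-03-01T10:00:12Z sshd[2201]: Failed password for root from 203.0.113.7 port 50124 ssh2",
    "2024-03-01T10:05:00Z sshd[2201]: Failed password for root from 198.51.100.9 port 41001 ssh2",
    "2024-03-01T10:07:00Z sshd[2201]: Failed password for root from 198.51.100.9 port 41002 ssh2",
    "2024-03-01T10:09:00Z sshd[2201]: Failed password for root from 198.51.100.9 port 41003 ssh2",
    "garbage line that no parser understands",
]

# Assumed sshd message shape; real collectors carry many more variants.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def _parse_ts(value):
    # ISO-8601 with a trailing Z; older Pythons need an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def normalize(raw):
    """Map a raw line into the common (assumed) schema; None if nothing matches."""
    m = SSHD_RE.match(raw)
    if m:
        return {
            "time": _parse_ts(m["ts"]),
            "source": "sshd",
            "event": "auth",
            "user": m["user"],
            "src_ip": m["ip"],
            "outcome": "failure" if m["result"] == "Failed" else "success",
        }
    if raw.startswith("ts=") and " app=vpn " in raw:
        kv = dict(tok.split("=", 1) for tok in raw.split() if "=" in tok)
        return {
            "time": _parse_ts(kv["ts"]),
            "source": "vpn",
            "event": "auth",
            "user": kv.get("user", ""),
            "src_ip": kv.get("src", ""),
            "outcome": kv.get("result", ""),
        }
    return None


def correlate_failed_auth(events, threshold=3, window=timedelta(seconds=60)):
    """Alert when `threshold` failed auths from one src_ip fall within `window`.

    Events are processed in time order. Per address, a deque keeps only the
    failure timestamps still inside the window. Firing clears the deque so a
    single burst produces one alert, not one per additional event.
    """
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event"] != "auth" or ev["outcome"] != "failure":
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"src_ip": ev["src_ip"], "count": len(q),
                           "first": q[0], "last": q[-1]})
            q.clear()
    return alerts


def run_example(raw_lines=RAW_EVENTS):
    """Normalize all lines, drop (but count) unparsed ones, then correlate."""
    normalized = [n for n in map(normalize, raw_lines) if n is not None]
    unparsed = len(raw_lines) - len(normalized)
    return correlate_failed_auth(normalized), unparsed


if __name__ == "__main__":
    found, skipped = run_example()
    for a in found:
        print(f"ALERT {a['src_ip']}: {a['count']} failures between "
              f"{a['first']} and {a['last']}")
    print(f"{skipped} line(s) could not be normalized")
```

Two points worth noting in the output: the burst from 203.0.113.7 is caught only because the VPN and sshd lines were first reduced to the same schema, and the slow series from 198.51.100.9 (one failure every two minutes) never trips the 60-second rule at all. Window and threshold therefore have to be tuned against the activity baseline described above, and unparsed lines should be counted rather than silently dropped, since a parser gap is itself a monitoring blind spot.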
The following figure illustrates how Sentinel works with traditional storage as the data storage option:
Figure 2-1 Sentinel Architecture
The following sections describe Sentinel components in detail: