Sentinel Installation and Configuration Guide
- Understanding Sentinel
- What is Sentinel?
- Challenges of Securing an IT Environment
- The Solution That Sentinel Provides
- How Sentinel Works
- Event Sources
- Sentinel Event
- Collector Manager
- ArcSight SmartConnectors
- Agent Manager
- Sentinel Data Routing and Data Storage
- Event Visualizations
- Correlation
- Security Intelligence
- Incident Remediation
- iTrac Workflows
- Actions and Integrators
- Searching
- Reports
- Identity Tracking
- Event Analysis
- Planning Your Sentinel Installation
- Implementation Checklist
- Understanding License Information
- Sentinel Licenses
- Meeting System Requirements
- Connector and Collector System Requirements
- Virtual Environment
- Deployment Considerations
- Data Storage Considerations
- Advantages of Distributed Deployments
- All-In-One Deployment
- One-Tier Distributed Deployment
- One-Tier Distributed Deployment with High Availability
- Two-Tier and Three-Tier Distributed Deployment
- Deployment Considerations for FIPS 140-2 Mode
- FIPS Implementation in Sentinel
- FIPS-Enabled Components in Sentinel
- Data Connections Affected by FIPS Mode
- Implementation Checklist
- Deployment Scenarios
- Ports Used
- Sentinel Server Ports
- Collector Manager Ports
- Correlation Engine Ports
- Installation Options
- Traditional Installation
- Appliance Installation
- Installing Sentinel
- Installation Overview
- Installation Checklist
- Installing OpenSearch
- Prerequisites
- Installing OpenSearch
- Performance Tuning for OpenSearch
- Traditional Installation
- Performing Interactive Installation
- Performing a Silent Installation
- Installing Sentinel as a Non-root User
- Appliance Installation
- Prerequisites
- Installing the Sentinel ISO Appliance
- Installing the Sentinel VHD Appliance
- Installing the Sentinel OVF Appliance
- Post-Installation Configuration for the Appliance
- Installing Additional Collectors and Connectors
- Installing a Collector
- Installing a Connector
- Verifying the Installation
- Configuring Sentinel
- Configuring Time
- Understanding Time in Sentinel
- Configuring Time in Sentinel
- Configuring Delay Time Limit for Events
- Handling Time Zones
- Configuring OpenSearch for Event Visualization
- Prerequisite
- Enabling Event Visualization
- OpenSearch in Cluster Mode
- Modifying the Configuration after Installation
- Configuring Out-of-the-Box Plug-Ins
- Viewing the Preinstalled Plug-Ins
- Configuring Data Collection
- Configuring Solution Packs
- Configuring Actions and Integrators
- Certificate Revocation List Implementation in an Existing Sentinel Installation
- Enabling Mutual SSL Communication and Certificate Revocation List
- Creating and Importing a Custom Certificate
- Launching Sentinel over SSL Mutual Communication
- Revoking the Certificate and Adding to the CRL
- Disabling the CRL Feature
- Enabling FIPS 140-2 Mode in an Existing Sentinel Installation
- Enabling Sentinel Server to Run in FIPS 140-2 Mode
- Enabling FIPS Mode on Traditional/Sentinel HA Appliance
- Enabling FIPS 140-2 Mode on Remote Collector Managers and Correlation Engines
- Operating Sentinel in FIPS 140-2 Mode
- Configuring Distributed Search in FIPS 140-2 Mode
- Configuring LDAP Authentication in FIPS 140-2 Mode
- Updating Server Certificates in Remote Collector Managers and Correlation Engines
- Configuring Sentinel Plug-Ins to Run in FIPS 140-2 Mode
- Importing Certificates into FIPS Keystore Database
- Reverting Sentinel to Non-FIPS Mode
- Adding a Consent Banner
- Limiting the Number of Concurrent Active Sessions
- Ending Inactive Sessions
- Configuring IP Flow Data Collection
- Upgrading Sentinel
- Implementation Checklist
- Prerequisites
- Exporting Data from Kibana Dashboard to OpenSearch Dashboard
- Saving the Custom Configuration Information
- Extending the Retention Period for Event Associations Data
- Change Guardian Integration
- Upgrading from External Elasticsearch Nodes to OpenSearch Nodes
- Upgrading Sentinel Traditional Installation
- Upgrading Sentinel
- Upgrading Sentinel as a Non-root User
- Upgrading the Collector Manager or the Correlation Engine
- Upgrading the Operating System
- Upgrading the Sentinel Appliance
- Prerequisites for Upgrading the Appliance
- Upgrading the Appliance
- Applying Operating System Patches
- Troubleshooting
- Cleaning Up Data From PostgreSQL When Migration Fails
- Unable to Run the Migration Script
- Cannot Connect to Servers or Other Components through Appliance
- Error When Upgrading the Appliance
- Unable to View Older Alerts in the Dashboard and Alert Views after Configuring OpenSearch
- Post-Upgrade Configurations
- Importing Data from Kibana Dashboard to OpenSearch Dashboard
- Removing Data from MongoDB
- Synchronizing the postgresql.conf File
- Configuring Event Visualizations
- Settings in OpenSearch for Secure Cluster Communication
- Adding OpenSearch Certificate in FIPS Mode
- Configuring IP Flow Data Collection
- Adding the JDBC DB2 Driver
- Configuring Data Federation Properties in Sentinel Appliance
- Registering Sentinel Appliance for Updates
- Updating External Databases for Data Synchronization
- Updating Permissions for Users Who Send Data from Other Integrated Products to Sentinel
- Updating the Keystore Password
- Upgrading Sentinel Plug-Ins
- Migrating Data from Traditional Storage
- Forwarding Data to OpenSearch
- Migrating Data
- Deploying Sentinel for High Availability
- Concepts
- External Systems
- Shared Storage
- Service Monitoring
- Fencing
- System Requirements
- Installation and Configuration
- Initial Setup
- Shared Storage Setup
- Sentinel Installation
- Cluster Installation
- Cluster Configuration
- Resource Configuration
- Secondary Storage Configuration
- Upgrading Sentinel in High Availability
- Prerequisites
- Upgrading the Traditional Sentinel HA
- Upgrading a Sentinel HA Appliance Installation
- Backup and Recovery
- Backup
- Recovery
- Appendices
- Troubleshooting
- Alerts.alerts Index Not Getting Created While Upgrading from Sentinel 8.3.1 to 8.6.1
- “Visualization server is not ready yet” Message is Displayed when you Open the Visualization Page
- Event Visualization Not Working as Expected
- Read-Only or Write Lock Exceptions on Index Files
- Frequent Sentinel RCE Out of Memory Error
- Default-Resource-Stickiness Cluster Property is Deprecated
- Unable to Configure RCM/RCE Using Virtual IP in HA Setup
- In a DHCP Environment, the Sentinel Server Web UI Icon on the Sentinel Server Appliance Page Redirects to a Blank Page
- Unable to Connect to Transformation Hub (T-Hub) After Giving the Correct IP Address/Hostname
- Failed Installation Because of an Incorrect Network Configuration
- The UUID Is Not Created for Imaged Collector Managers or Correlation Engine
- Sentinel Main Interface is Blank in Internet Explorer After Logging in
- Sentinel Does Not Launch in Internet Explorer 11 in Windows Server 2012 R2
- SSC Not Launching
- Sentinel Cannot Run Local Reports with Default EPS License
- Synchronization Needs to Be Started Manually in Sentinel High Availability After You Convert the Active Node to FIPS 140-2 Mode
- The Event Fields Panel Is Missing in the Schedule Page When Editing Some Saved Searches
- Sentinel Does Not Return Any Correlated Events When You Search for Events for the Deployed Rule with the Default Fire Count Search
- Security Intelligence Dashboard Displays Invalid Baseline Duration When Regenerating a Baseline
- Sentinel Server Shuts Down When Running a Search If There Is a Large Number of Events in a Single Partition
- Error While Using the report_dev_setup.sh Script to Configure Sentinel Ports for Firewall Exceptions on Upgraded Sentinel Appliance Installations
- Uninstalling
- Checklist to Uninstall Sentinel
- Uninstalling Sentinel
- Tasks after Uninstalling Sentinel
- Legal Notice