
NetIQ Sentinel Installation and Configuration Guide


Contents

1. 9 Mount the new partition at /var/opt/novell/sentinel.
10 Specify the following command to change to the novell user: su novell
11 Move the contents of the data directory from the temporary location where it was saved in Step 4 back to /var/opt/novell/sentinel in the new partition.
12 Run the following command to restart the Sentinel appliance: /etc/init.d/sentinel start

13.4.3 Registering for Updates
You must register the Sentinel appliance with the appliance update channel to receive patch updates. To register the appliance, you must first obtain your appliance registration code or the appliance activation key from the NetIQ Customer Care Center.
Use the following steps to register the appliance for updates:
1 Log in to the Sentinel appliance.
2 Click Appliance to launch WebYaST.
3 Click Registration.
4 Specify the e-mail ID that you want to receive updates, then specify the system name and the appliance registration code.
5 Click Save.

13.4.4 Configuring the Appliance with SMT
In secured environments where the appliance must run without direct Internet access, you can configure the appliance with the Subscription Management Tool (SMT), which enables you to upgrade the appliance to the latest versions of Sentinel as they are released. SMT is a package proxy system that is integrated with NetIQ Customer Center and provides key NetIQ Customer Center capabilities.
2. rcntp restart
Set the root password, then click Next. The installation checks for the available memory and disk space. If the available memory is less than 2.5 GB, the installation will not let you proceed and the Next button is greyed out. If the available memory is more than 2.5 GB but less than 6.7 GB, the installation displays a message that you have less memory than is recommended. When this message is displayed, click Next to continue with the installation.
Set the Sentinel admin password, then click Next.
It might take a few minutes for all services to start after installation because the system performs a one-time initialization. Wait until the installation finishes before you log in to the server.
Make a note of the appliance IP address that is shown in the console.
Proceed with Section 13.4, Post-Installation Configuration for the Appliance, on page 95.

Installing Collector Managers and Correlation Engines
The procedure to install a Collector Manager or a Correlation Engine is the same, except that you need to download the appropriate file from the NetIQ Download Web site.
1 Download the VMware appliance installation file from the NetIQ Download Web site. The correct file for the VMware appliance has vmx in the filename, for example sentinel_collector_manager_7.2.0.0.x86_64.vmx.tar.gz.
2 Establish an ESX datastore to which the appliance image can be installed.
3 Log in as Administrator to the server where you want
3. cd /opt/novell/sentinel/3rdparty/postgresql/bin
11c Delete all the old PostgreSQL files by using the following command: ./delete_old_cluster.sh
NOTE: To upgrade the Collector Manager or Correlation Engine, follow Step 2 through Step 8.

25.2 Upgrading the Appliance through WebYaST
NOTE: Appliance upgrades from versions prior to Sentinel 7.2 must be done using the zypper command line utility, because user interaction is required to complete the upgrade and WebYaST is not capable of facilitating the required user interaction. For information about using zypper to upgrade the appliance, see Section 25.1, Upgrading the Appliance by Using zypper, on page 137.
1 Log in to the Sentinel appliance as a user in the administrator role.
2 If you want to upgrade the Sentinel Appliance, click Appliance to launch WebYaST.
3 If you want to upgrade a Collector Manager or Correlation Engine Appliance, specify the URL of the Collector Manager or Correlation Engine computer using port 4984 to launch WebYaST, as https://<IP_address>:4984, where <IP_address> is the IP address of the Collector Manager or Correlation Engine. Follow Step 5 through Step 8.
4 Back up your configuration, then create an ESM export. For more information on backing up data, see Backing Up and Restoring Data in the NetIQ Sentinel Administration Guide.
5 (Conditional) If you have not already registered the a
4. 4 Run the updateServerCert.sh script and follow the on-screen instructions.

Configuring Sentinel Plug-Ins to Run in FIPS 140-2 Mode
This section provides information about configuring various Sentinel plug-ins to run in FIPS 140-2 mode.
NOTE: These instructions assume that Sentinel is installed at the /opt/novell/sentinel directory. The commands must be executed as the novell user.
Section 21.5.1, Agent Manager Connector, on page 120
Section 21.5.2, Database (JDBC) Connector, on page 121
Section 21.5.3, Sentinel Link Connector, on page 121
Section 21.5.4, Syslog Connector, on page 122
Section 21.5.5, Windows Event (WMI) Connector, on page 123
Section 21.5.6, Sentinel Link Integrator, on page 123
Section 21.5.7, LDAP Integrator, on page 124
Section 21.5.8, SMTP Integrator, on page 125
Section 21.5.9, Using Non-FIPS Enabled Connectors with Sentinel in FIPS 140-2 Mode, on page 125

21.5.1 Agent Manager Connector
Follow the procedure below only if you have selected the Encrypted (HTTPS) option when configuring the networking settings of the Agent Manager Event Source Server.
To configure the Agent Manager Connector to run in FIPS 140-2 mode:
1 Add or edit the Agent Manager Event Source Server. Proceed through the configuration screens until the Security window is displayed. For more information, see the Agent Manager
5. FIPS mode:
1 Log in to the distributed search target computer.
2 Create the Web server keystore in certificate (.cer) format:
<sentinel install directory>/jre/bin/keytool -export -alias webserver -keystore <sentinel install directory>/config/.webserverkeystore.jks -storepass password -file <certificate_name.cer>
3 Copy the certificate to a temporary location on the distributed search source computer.
4 Import the target certificate into the source Sentinel FIPS keystore. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database on page 125.
5 Restart the Sentinel services on the source computer.

21.3 Configuring LDAP Authentication in FIPS 140-2 Mode
To configure LDAP authentication for Sentinel servers running in FIPS 140-2 mode:
1 Get the LDAP server certificate from the LDAP administrator, or you can use a command. For example:
openssl s_client -connect <LDAP server IP>:636
and then copy the text returned between (but not including) the BEGIN and END lines into a file.
2 Import the LDAP server certificate into the Sentinel FIPS keystore. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database on page 125.
3 Log in to the Sentinel Web console as a user in the administrator role and proceed with configuring LDAP auth
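Step 1 of the LDAP procedure above, as an added example that is not part of the NetIQ guide: a POSIX shell helper that cuts the certificate body out of `openssl s_client` output the way the step describes, refuses output that carries no certificate (connection refused, or a port that speaks plain LDAP rather than LDAPS), and rebuilds the PEM envelope so you can print a fingerprint and compare it with what the LDAP administrator reports before the certificate goes into the FIPS keystore. The s_client transcript and the hostname ldap.example.com are constructed; the base64 in it is filler, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: extract the server certificate from
# `openssl s_client -connect <LDAP server IP>:636` output before importing it
# into the Sentinel FIPS keystore, and fail loudly when the output carries no
# certificate. The s_client transcript below is constructed; its base64 body
# is filler, not a real certificate.

# extract_cert: reads s_client output on stdin and prints the base64 body of
# the first certificate block, between (not including) the BEGIN and END lines,
# which is the form the guide asks you to save. Returns 1 if no block was found.
extract_cert() {
    awk '
        done { next }
        /^-----BEGIN CERTIFICATE-----$/ { inblock = 1; found = 1; next }
        /^-----END CERTIFICATE-----$/   { if (inblock) done = 1; inblock = 0; next }
        inblock { print }
        END { exit found ? 0 : 1 }
    '
}

# body_is_base64: reads the saved body on stdin; returns 1 on an empty file or
# on any line that is not base64 (a status line from s_client slipped in).
body_is_base64() {
    awk '
        !/^[A-Za-z0-9+\/=]+$/ { bad = 1 }
        { lines++ }
        END { exit (lines > 0 && !bad) ? 0 : 1 }
    '
}

# fetch_ldap_cert HOST PORT OUTFILE: the live form of step 1. Not executed in
# this example because it needs network access to the LDAP server.
fetch_ldap_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | extract_cert > "$3" \
        && body_is_base64 < "$3"
}

# fingerprint_of_body FILE: rebuilds the PEM envelope around the saved body and
# prints the SHA-256 fingerprint to compare with the LDAP administrator's value.
# Needs openssl; not executed in this example.
fingerprint_of_body() {
    { echo '-----BEGIN CERTIFICATE-----'; cat "$1"; echo '-----END CERTIFICATE-----'; } \
        | openssl x509 -noout -fingerprint -sha256
}

# Constructed s_client transcript (the body is filler, not a parseable cert).
SAMPLE_SCLIENT='CONNECTED(00000003)
depth=0 CN = ldap.example.com
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=ldap.example.com
   i:/CN=ldap.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ0VSVC1DT05TVFJVQ1RFRC1GT1ItRVhBTVBMRTAKBggq
hkjOPQQDAjAZMRcwFQYDVQQDDA5sZGFwLmV4YW1wbGUuY29t
-----END CERTIFICATE-----
subject=/CN=ldap.example.com
issuer=/CN=ldap.example.com
---
SSL handshake has read 1234 bytes and written 456 bytes
---'

# The body step 1 would write to the file for the constructed transcript.
EXPECTED_BODY='MIIBszCCAVmgAwIBAgIUQ0VSVC1DT05TVFJVQ1RFRC1GT1ItRVhBTVBMRTAKBggq
hkjOPQQDAjAZMRcwFQYDVQQDDA5sZGFwLmV4YW1wbGUuY29t'

# sample_body: runs the extraction against the constructed transcript.
sample_body() { printf '%s\n' "$SAMPLE_SCLIENT" | extract_cert; }
```

Only the first certificate block is taken, which for s_client without -showcerts is the server certificate itself; a chain printed by -showcerts would otherwise be concatenated into one file. Compare the fingerprint over a channel other than the LDAP connection you are about to trust.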
6. Network devices; Data Collection Tier (labels from the preceding figure)

6.4 One Tier Distributed Deployment with High Availability
The one-tier distributed deployment shows how it can be turned into a highly available system with fail-over redundancy. For more information about deploying Sentinel in High Availability, see Appendix A, Configuring Sentinel for High Availability, on page 145.
Figure 6-3 One Tier Distributed Deployment with High Availability (diagram: Sentinel Web Console; NetFlow Collector Managers; Collector Managers; optional Correlation Engines; primary (active) and secondary (passive) Sentinel Servers on shared storage; optional Agent Managers and agents; Data Collection Tier; optional Data Warehouse)

6.5 Two Tier and Three Tier Distributed Deployment
This deployment enables you to surpass the load handling capabilities of a single central Sentinel server and share the processing load across multiple Sentinel instances by leveraging the Sentinel Link and Sentinel Distributed Search features. The data collection is load balanced across several Sentinel servers, each having several Collector Managers, as shown in the Data Collection Tier. If you want to perform event correlation or security intelligence, you can optionally forward data up to the Analyti
7. Prerequisites on page 97
Configuring the Appliance on page 98
Upgrading the Appliance on page 98

Prerequisites
Get the NetIQ Customer Center credentials for Sentinel to get updates from NetIQ. For information on getting the credentials, contact NetIQ Support.
Ensure that SLES 11 SP3 is installed with the following packages on the machine where you want to install SMT:
htmldoc
perl-DBIx-Transaction
perl-File-Basename-Object
perl-DBIx-Migration-Directories
perl-MIME-Lite
perl-Text-ASCIITable
yum-metadata-parser
createrepo
perl-DBI
apache2-prefork
libapr1
perl-Data-ShowTable
perl-Net-Daemon
perl-Tie-IxHash
fltk
libapr-util1
perl-PlRPC
apache2-mod_perl
apache2-utils
apache2
perl-DBD-mysql
Install SMT and configure the SMT server. For more information, refer to the following sections in the SMT documentation: SMT Installation; SMT Server Configuration; Mirroring Installation and Update Repositories with SMT.
Install the wget utility on the appliance computer.

Configuring the Appliance
For information on configuring the appliance with SMT, see the Subscription Management Tool (SMT) for SUSE Linux Enterprise 11 documentation.
To enable the appliance repositories, execute the following commands:
smt-repos -e Sentinel-Server-7.0-Updates sle-11-x86_64
smt-repos -e Sentinel-Collector-Manager-7.0-Updates sle
8. www.novell.com/documentation/sles11/stor_admin/data/filesystems.html in the SLES 11 Storage Administration Guide.

Supported Database Platforms
Sentinel includes an embedded file-based storage system and the PostgreSQL database, which is all that is necessary to run Sentinel. However, if you use the optional data synchronization feature to copy data to a data warehouse, Sentinel supports using PostgreSQL, Oracle version 11g R2, Microsoft SQL Server 2008 R2, DB2, and Sybase as the data warehouse.

Supported Browsers
The Sentinel Web interface is optimized for viewing at 1280 x 1024 or higher resolution in the following supported browsers.
NOTE: To load the Sentinel client applications properly, you must install Java Web Start on your system.
Platform                 Browser
Windows 7                Google Chrome; Firefox version 5 and later; Internet Explorer 9 and 10 (see Section 5.3.1, Prerequisites for Internet Explorer, on page 37)
SLES 11 SP3 and RHEL 6   Firefox version 5 and later

5.3.1 Prerequisites for Internet Explorer
If the Internet Security Level is set to High, a blank page appears after logging in to Sentinel and the file download pop-up might be blocked by the browser. To work around this issue, you need to first set the security level to Medium-high and then change to Custom level, as follows:
1 Navigate to Tools > Internet Options > Security and set the
9. Figure: Sentinel architecture (diagram residue: Central Computer, NetFlow Collector, Collector Manager, Connector; event sources shown as Network Devices (firewall, network IDS), Referential IT Sources (asset management, patch management, directory, enterprise SSO, configuration management, vulnerability management, identity management, access management), Sentinel Agents, Operating Systems (Windows, host, iSeries), Application Events (financial, custom applications), and User Access Control)
The following sections describe Sentinel components in detail:
Section 2.1, Event Sources, on page 21
Section 2.2, Sentinel Event, on page 21
Section 2.3, Collector Manager, on page 23
Section 2.4, Agent Manager, on page 23
Section 2.5, NetFlow Collector Manager, on page 24
Section 2.6, Sentinel Data Routing and Storage, on page 24
Section 2.7, Correlation, on page 25
Section 2.8, Security Intelligence, on page 25
Section 2.9, Incident Remediation, on page 25
Section 2.10, iTRAC Workflows, on page 25
Section 2.11, Actions and Integrators, on page 26
Section 2.12, Searching, on page 26
Section 2.13, Reports, on page 26
Section 2.14, Identity Tracking, on page 26
Section 2.15, Event Analysis o
10. Figure: Event routing (diagram residue: events from security devices such as IDS, firewalls, routers, Web servers, databases, switches, mainframe and anti-virus pass through a Collector to the Sentinel Server, which holds the reorder buffer, the event store and the Correlation Engine)
1 By default, the Event Time is set to the Sentinel Process Time. The ideal, however, is for the Event Time to match the Observer Event Time, if it is available and trustworthy. It is best to configure data collection to Trust Event Source Time if the device time is available, accurate, and properly parsed by the Collector. The Collector sets the Event Time to match the Observer Event Time.
2 The events that have an Event Time within a 5-minute range from the server time (in the past or future) are processed normally by Active Views. Events that have an Event Time more than 5 minutes in the future do not show in the Active Views, but are inserted into the event store. Events that have an Event Time more than 5 minutes in the future and less than 24 hours in the past still are shown in the charts, but are not shown in the event data for that chart. A drill-down operation is necessary to retrieve those events from the event store.
3 Events are sorted into 30-second intervals so that the Correlation Engine can process them in chronological order. If the Event Time is more than 30 seconds older than the server time,
11. To change the NTP configuration after installation, use YaST from the appliance command line. You can use WebYaST to change the time and date settings, but not the NTP configuration.
If the time appears out of sync immediately after the install, run the following command to restart NTP: rcntp restart
13 Set the root password, then click Next.
14 Set the Sentinel admin password, then click Next.
15 Ensure that Install Sentinel appliance to hard drive (for Live DVD image only) is selected to install the appliance on the physical server. This check box is selected by default. If you deselect this check box, the appliance is not installed on the physical server and will run only in Live DVD mode; proceed to Step 22.
16 In the YaST2 live installer console, select Next. The YaST2 live installer console installs the appliance to the hard disk. The YaST2 live installer console repeats some of the earlier installation steps.
17 Set the Time and Date, then select Next.
18 The Suggested Partitioning screen displays the recommended partition setup. Review the partition setup, configure the setup if necessary, and then select Next. Modify these settings only if you are familiar with configuring partitions in SLES. You can configure the partition setup by using the various partitioning options on the screen. For more information about configuring partition
12. the Correlation Engine does not process the events.
4 If the Event Time is older than 5 minutes relative to the Collector Manager system time, Sentinel directly routes events to the event store, bypassing real-time systems like Correlation, Active Views, and Security Intelligence.

17.2 Configuring Time in Sentinel
The Correlation Engine processes time-ordered streams of events and detects patterns within events as well as temporal patterns in the stream. However, sometimes the device generating the event might not include the time in its log messages. To configure time to work correctly with Sentinel, you have two options:
Configure NTP on the Collector Manager and deselect Trust Event Source Time on the event source in the Event Source Manager. Sentinel uses the Collector Manager as the time source for the events.
Select Trust Event Source Time on the event source in Event Source Manager. Sentinel uses the time from the log message as the correct time.
To change this setting on the event source:
1 Log in to Event Source Management. For more information, see Accessing Event Source Management in the NetIQ Sentinel Administration Guide.
2 Right-click the event source you want to change the time setting for, then select Edit.
3 Select or deselect the Trust Event Source option at the bottom of the General tab.
4 Click OK to save the change.
Configuri
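Rules 1 to 4 above, as an added example that is not part of the NetIQ guide: a POSIX shell classifier that applies the 5-minute and 30-second thresholds to a constructed batch of events, so you can see which path each event takes and spot a source whose clock drift is pushing its events past the Correlation Engine. The server clock, event timestamps and source names are constructed.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: classify an event by the offset
# between its Event Time and the clock of the Sentinel server / Collector
# Manager, following rules 1 to 4 above. The thresholds are the guide's
# (5 minutes for Active Views and real-time routing, 30 seconds for the
# Correlation Engine's sort interval); the event batch at the bottom is
# constructed.

ACTIVE_VIEW_WINDOW=300   # seconds: +/- 5 minutes around server time
CORRELATION_LAG=30       # seconds: the Correlation Engine's 30-second sort interval

# classify_event SERVER_EPOCH EVENT_EPOCH
# Prints one of:
#   normal        within +/- 5 min: Active Views, Correlation, Security Intelligence, event store
#   late-no-corr  between 30 s and 5 min old: stored and shown, but the Correlation Engine skips it
#   past-store    more than 5 min old: routed straight to the event store, bypassing real-time systems
#   future-store  more than 5 min ahead: inserted into the event store, not shown in Active Views
classify_event() {
    offset=$(( $2 - $1 ))   # positive: Event Time is in the future
    if [ "$offset" -gt "$ACTIVE_VIEW_WINDOW" ]; then
        echo future-store
    elif [ "$offset" -lt "-$ACTIVE_VIEW_WINDOW" ]; then
        echo past-store
    elif [ "$offset" -lt "-$CORRELATION_LAG" ]; then
        echo late-no-corr
    else
        echo normal
    fi
}

# audit_events SERVER_EPOCH: reads "epoch source" lines on stdin and prints
# "class source" per event. Exit status 1 when any event left the normal path,
# which in practice means a device clock is drifting, the Collector is not
# parsing the device timestamp, or Trust Event Source Time is set the wrong way.
audit_events() {
    rc=0
    while read -r epoch source; do
        [ -n "$epoch" ] || continue
        class=$(classify_event "$1" "$epoch")
        echo "$class $source"
        [ "$class" = normal ] || rc=1
    done
    return $rc
}

# Constructed batch: server clock 1700000000; fw01 is 50 s behind, ids02
# emits one stale and one future-dated event.
SAMPLE_EVENTS='1700000010 fw01
1699999950 fw01
1699999000 ids02
1700000400 ids02'

# off_path_count: how many sample events the real-time path would not handle normally.
off_path_count() {
    printf '%s\n' "$SAMPLE_EVENTS" | audit_events 1700000000 | grep -vc '^normal '
}
```

Run the audit over a sample of Event Time values pulled from the event store for one source; a source that is consistently late-no-corr or past-store is the one whose NTP or Trust Event Source Time setting needs attention.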
13. /var/run/sentinel/server.pid
Using the PID, administrators can identify the parent process of the Sentinel server and monitor or terminate the process.

7 Deployment Considerations for FIPS 140-2 Mode
Sentinel can optionally be configured to use Mozilla Network Security Services (NSS), which is a FIPS 140-2 validated cryptographic provider, for its internal encryption and other functions. The purpose of doing so is to ensure that Sentinel is "FIPS 140-2 Inside" and is compliant with United States federal purchasing policies and standards. Enabling Sentinel FIPS 140-2 mode causes communication between the Sentinel Server, Sentinel remote Collector Managers, Sentinel remote Correlation Engines, the Sentinel Web UI, the Sentinel Control Center, and the Sentinel Advisor service to use FIPS 140-2 validated cryptography.
Section 7.1, FIPS Implementation in Sentinel, on page 57
Section 7.2, FIPS-Enabled Components in Sentinel, on page 58
Section 7.3, Implementation Checklist, on page 59
Section 7.4, Deployment Scenarios, on page 59

7.1 FIPS Implementation in Sentinel
Sentinel uses the Mozilla NSS libraries that are provided by the operating system. Red Hat Enterprise Linux (RHEL) and SUSE Linux Enterprise Server (SLES) have different sets of NSS packages. The NSS cryptographic module provided by RHEL 6.3 is FIPS 140-2 validated. The NSS cryptograph
14. 8.2 Collector Manager Ports
    8.2.1 Network Ports
    8.2.2 Collector Manager Appliance-Specific Ports
8.3 Correlation Engine Ports
    8.3.1 Network Ports
    8.3.2 Correlation Engine Appliance-Specific Ports
8.4 NetFlow Collector Manager Ports
9 Installation Options
    9.1 Traditional Installation
    9.2 Appliance Installation
Part III Installing Sentinel 71
10 Installation Overview 73
11 Installation Checklist 75
12 Traditional Installation 77
    12.1 Understanding Installation Options 77
    12.2 Performing Interactive Installation 78
        12.2.1 Standard Installation 78
        12.2.2 Custom Installation 79
    12.3 Performing a Silent Installation 80
    12.4 Installing Sentinel as a Non-root User 81
    12.5 Installing Collector Managers and Correlation Engines 82
        12.5.1 Installation Checklist 83
        12.5.2 Installing Collector Managers and Correlation En
15. (tail of a table with the columns Connector | Event Source Types | Sentinel Remote Collector Manager in FIPS mode; last row: Local File Connector)
You must perform the following procedure only if your environment involves data collection from event sources using Connectors that support FIPS 140-2 mode.
1 You must have a Sentinel server in FIPS 140-2 mode.
NOTE: If your Sentinel server (freshly installed or upgraded) is in non-FIPS mode, you must enable FIPS on the Sentinel server. For more information, see Enabling Sentinel Server to Run in FIPS 140-2 Mode on page 115.
2 You must have a Sentinel remote Collector Manager running in FIPS 140-2 mode.
NOTE: If your remote Collector Manager (freshly installed or upgraded) is running in non-FIPS mode, you must enable FIPS on the remote Collector Manager. For more information, see Enabling FIPS 140-2 Mode on Remote Collector Managers and Correlation Engines on page 115.
3 Ensure that the FIPS server and the remote Collector Managers communicate with each other.
4 Convert remote Correlation Engines, if any, to run in FIPS mode. For more information, see Enabling FIPS 140-2 Mode on Remote Collector Managers and Correlation Engines on page 115.
5 Configure the Sentinel plug-ins to run in FIPS 140-2 mode. For more information, see Configuring Sentinel Plug-Ins to Run in FIPS 140-2 Mode on page 119.

Scenario 2: Data Collection in Partial FIPS 140-2 Mode
In this scenario, data collection is done using Connectors that sup
16. (tail of the event source distribution table; RCM = remote Collector Manager)
RCM 1: 2000, RCM 2: 2000
Oracle Solaris 2011.1r2: RCM 1: 2000, RCM 2: 1000
NetIQ Agent Manager version 2011.1r3: RCM 1: 2000
Sourcefire Snort 2011.1r1: RCM 1: 1000
NetIQ Universal Event 2011.1r2: RCM 1: 2000
Extra Large: Contact NetIQ Services

Category      Description                                                     Event Sources   EPS     Filtered
Demo          All-in-One (not intended for production)                        101             103     0
Medium        Distributed, agent-less data collection                         2000            3000    0
Medium        Distributed, agent-based data collection                        5000            2500    0
Large         Distributed, agent-less data collection, raw data stored        500             11000   0
Large         Distributed, agent-less data collection, raw data not stored    500             13000   0
Extra Large   Contact NetIQ Services
(a Total Data Storage column header is also visible but its values are not in this excerpt)

Meeting System Requirements
(continuation of the table with the same category columns; first row:)
How far into the past will users search / Amount of locally cached data for higher search performance: 7 Days ...
17. You can upgrade a Sentinel HA appliance installation by using the zypper patch and also through WebYaST.
Upgrading Sentinel HA Appliance by Using Zypper on page 162
Upgrading Sentinel HA Appliance Through WebYaST on page 164

Upgrading Sentinel HA Appliance by Using Zypper
You must register all the appliance nodes through WebYaST before the upgrade. For more information, see Section 13.4.3, Registering for Updates, on page 97. If you do not register the appliance, Sentinel displays a yellow warning.
1 Enable maintenance mode on the cluster:
crm configure property maintenance-mode=true
Maintenance mode helps you to avoid any disturbance to the running cluster resources while you update the Sentinel software. You can run this command from any cluster node.
2 Verify whether maintenance mode is active:
crm status
The cluster resources should appear in the unmanaged state.
3 Upgrade the passive cluster node:
3a Download updates for the Sentinel HA appliance:
zypper -v patch -d
This command downloads updates for packages installed on the appliance, including Sentinel, to /var/cache/zypp/packages.
3b Stop the cluster stack:
rcopenais stop
Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.
3c After you download the updates, install the updates using the following command:
rpm -Uvh /var/ca
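Steps 2 and 3 above, as an added example that is not part of the NetIQ guide: shell checks that parse `crm status` to confirm that every resource really is unmanaged before any package is touched, and that the node you are about to stop the cluster stack on is the passive one (step 3 patches the passive node first; stopping openais on the node that hosts Sentinel would take the service down). The status output is constructed in the layout Pacemaker's crm_mon prints; the resource names in it (stonith-sbd, sentinelgrp, sentinelip, sentinelfs, sentinel) are assumptions, not names from the guide.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: pre-flight checks for step 2 and
# step 3 above, parsing `crm status` output in the form Pacemaker's crm_mon
# prints it. The status transcript below is constructed and its resource names
# are assumptions for the example.

# all_resources_unmanaged: reads `crm status` on stdin; returns 0 only when
# every resource line carries "(unmanaged)", which is what maintenance-mode=true
# looks like. Returns 1 if any resource is still managed or if no resource
# lines were found (an empty or failed status is not proof of maintenance mode).
all_resources_unmanaged() {
    awk '
        /\((ocf|stonith|lsb|systemd):/ {
            seen++
            if ($0 !~ /\(unmanaged\)/) managed++
        }
        END { exit (seen > 0 && managed == 0) ? 0 : 1 }
    '
}

# active_node RESOURCE: reads `crm status` on stdin and prints the node on
# which RESOURCE is started (nothing if it is stopped or absent).
active_node() {
    awk -v res="$1" '
        $1 == res {
            for (i = 2; i < NF; i++) if ($i == "Started") { print $(i + 1); exit }
        }
    '
}

# is_passive_node RESOURCE NODE: 0 when NODE is not the one hosting RESOURCE,
# so it is safe to stop the cluster stack there and patch it first.
is_passive_node() {
    here=$(active_node "$1")
    [ -n "$here" ] && [ "$here" != "$2" ]
}

# preflight NODE: reads `crm status` on stdin and prints ok, not-in-maintenance
# or not-passive. Live use on a node:  crm status | preflight "$(hostname)"
preflight() {
    status=$(cat)
    if ! printf '%s\n' "$status" | all_resources_unmanaged; then
        echo not-in-maintenance; return 1
    fi
    if ! printf '%s\n' "$status" | is_passive_node sentinel "$1"; then
        echo not-passive; return 1
    fi
    echo ok
}

# Constructed `crm status` output after `crm configure property maintenance-mode=true`.
SAMPLE_STATUS='Stack: classic openais (with plugin)
Current DC: node01 - partition with quorum
2 Nodes configured
4 Resources configured

              *** Resource management is DISABLED ***
  The cluster will not attempt to start, stop or recover services

Online: [ node01 node02 ]

 stonith-sbd    (stonith:external/sbd): Started node01 (unmanaged)
 Resource Group: sentinelgrp
     sentinelip (ocf::heartbeat:IPaddr2):    Started node01 (unmanaged)
     sentinelfs (ocf::heartbeat:Filesystem): Started node01 (unmanaged)
     sentinel   (ocf::novell:sentinel):      Started node01 (unmanaged)'

# check_sample NODE: runs preflight against the constructed status.
check_sample() { printf '%s\n' "$SAMPLE_STATUS" | preflight "$1"; }
```

Wire `crm status | preflight "$(hostname)" || exit 1` in front of `zypper -v patch -d` and `rcopenais stop` in an upgrade script so that a forgotten maintenance-mode property, or running the script on the active node, stops the run before the cluster stack does.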
18. and Domain Name page, specify the hostname and domain name, then ensure that the Assign Hostname to Loopback IP option is selected. Select Next. The hostname configurations are saved.
Do one of the following:
To use the current network connection settings, select Use the following configuration on the Network Configuration II page.
To change the network connection settings, select Change, then make the desired changes.
Select Next. The network connection settings are saved.
Set the time and date, then click Next. To change the NTP configuration after installation, use YaST from the appliance command line. You can use WebYaST to change the time and date, but not the NTP configuration. If the time appears out of sync immediately after the install, run the following command to restart NTP: rcntp restart
Set the SUSE Enterprise Server root password, then click Next.
Set the Sentinel admin password, then click Next.
The Sentinel installation proceeds and completes. It might take a few minutes for all services to start up after installation, as the system performs a one-time initialization. Wait until the installation finishes before you log in to the server.
Make a note of the appliance IP address that is shown in the console.
Proceed with Section 13.4, Post-Installation Configuration for the Appliance, on page 95.

13.2.2 Installing Collector Managers and Correlation Engines
The procedure to install a Collect
19. and day out. That's the only way we can develop practical, intelligent IT solutions that successfully yield proven, measurable results. And that's so much more rewarding than simply selling software.
Driving your success is our passion. We place your success at the heart of how we do business. From product inception to deployment, we understand that you need IT solutions that work well and integrate seamlessly with your existing investments; you need ongoing support and training post-deployment; and you need someone that is truly easy to work with, for a change. Ultimately, when you succeed, we all succeed.
Our Solutions: Identity & Access Governance; Access Management; Security Management; Systems & Application Management; Workload Management; Service Management.

Contacting Sales Support
For questions about products, pricing, and capabilities, contact your local partner. If you cannot contact your partner, contact our Sales Support team.
Worldwide: www.netiq.com/about_netiq/officelocations.asp
United States and Canada: 1-888-323-6768
Email: info@netiq.com
Web Site: www.netiq.com

Contacting Technical Support
For specific product issues, contact our Technical Support team.
Worldwide: www.netiq.com/support/contactinfo.asp
North and South America: 1-713-418-5555
Europe, Middle East, and Africa: +353 (0) 91 782 677
Email: support@netiq.com
Web Site: www.netiq.com/suppor
20. choice, select the number next to the language. The end user license agreement is displayed in the selected language.
8 Read the end user license, enter yes or y to accept the license, then continue with the installation.
9 The installation script detects that an older version of the product already exists and prompts you to specify if you want to upgrade the product. To continue with the upgrade, press y. The installation starts installing all RPM packages. This installation might take a few seconds to complete.
10 Clear your Web browser cache to view the latest Sentinel version.
11 Clear the Java Web Start cache on the client computers to use the latest version of the Sentinel applications. You can clear the Java Web Start cache either by using the javaws -clearcache command or by using the Java Control Center. For more information, see http://www.java.com/en/download/help/plugin_cache.xml.
12 (Conditional) If the PostgreSQL database has been upgraded to a major version (for example, 8.0 to 9.0 or 9.0 to 9.1), clear the old PostgreSQL files from the PostgreSQL database. For information about whether the PostgreSQL database was upgraded, see the Sentinel Release Notes.
12a Switch to the novell user: su novell
12b Browse to the bin folder: cd /opt/novell/sentinel/3rdparty/postgresql/bin
12c Delete all the old PostgreSQL files by using the following command: ./delete_old_cluste
21. command to return the valid hostname.

The UUID Is Not Created for Imaged Collector Managers or Correlation Engine
If you image a Collector Manager server (for example, by using ZENworks Imaging) and restore the images on different machines, Sentinel does not uniquely identify the new instances of the Collector Manager. This happens because of duplicate UUIDs. You must generate a new UUID by performing the following steps on the newly installed Collector Manager systems:
1 Delete the host.id or sentinel.id file that is located in the /var/opt/novell/sentinel/data folder.
2 Restart the Collector Manager. The Collector Manager automatically generates the UUID.

C Uninstalling
This appendix provides information about uninstalling Sentinel and post-uninstallation tasks.
Section C.1, Uninstallation Checklist, on page 169
Section C.2, Uninstalling Sentinel, on page 169
Section C.3, Post-Uninstallation Tasks, on page 171

C.1 Uninstallation Checklist
Use the following checklist to uninstall Sentinel:
[ ] Uninstall the Sentinel server
[ ] Uninstall the Collector Manager and Correlation Engine, if any
[ ] Perform post-uninstallation tasks to complete the Sentinel uninstallation

C.2 Uninstalling Sentinel
An uninstall script is available to help you remove a Sentinel installation. Before performing a new
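The imaged Collector Manager problem above, as an added example that is not part of the NetIQ guide: a shell helper that finds Collector Managers still sharing a UUID and clears the identity files on a clone so that its next restart generates a fresh one, which is the guide's two-step fix made repeatable. The per-host layout it scans (one directory per host holding a copy of that host's host.id, as you would collect with scp before a fleet check) is an assumption for the example; the file names host.id and sentinel.id and the data folder /var/opt/novell/sentinel/data are the guide's.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: detect Collector Managers that were
# cloned from one image and still share a UUID, and reset the identity files on
# the clone. The ROOT/<host>/host.id layout is an assumption for the example.

ID_FILES="host.id sentinel.id"   # identity files named in the guide

# duplicate_uuids ROOT: for every UUID found in more than one ROOT/<host>/host.id,
# prints "uuid host1 host2 ..." (hosts sorted). Prints nothing when all differ.
duplicate_uuids() {
    root=$1
    for f in "$root"/*/host.id; do
        [ -f "$f" ] || continue
        host=$(basename "$(dirname "$f")")
        printf '%s %s\n' "$(tr -d '[:space:]' < "$f")" "$host"
    done | sort | awk '
        { hosts[$1] = hosts[$1] " " $2; n[$1]++ }
        END { for (u in n) if (n[u] > 1) print u hosts[u] }
    ' | sort
}

# reset_identity DATADIR: removes host.id / sentinel.id from DATADIR so the
# Collector Manager creates a new UUID on its next start (guide step 2). Run it
# on the clone only, never on the original, with the Collector Manager stopped.
# Prints how many identity files were removed.
reset_identity() {
    dir=$1
    removed=0
    for name in $ID_FILES; do
        if [ -f "$dir/$name" ]; then
            rm -f "$dir/$name"
            removed=$((removed + 1))
        fi
    done
    echo "$removed"
}
```

On a real fleet, copy each Collector Manager's /var/opt/novell/sentinel/data/host.id into a directory named after the host, run duplicate_uuids over the collection, and run reset_identity against /var/opt/novell/sentinel/data on every clone before restarting its Collector Manager.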
22. configuration.
(descriptions from the installation options table; the option names themselves are not in this excerpt)
Specifies a file to record the parameters that can be used for unattended installation.
Uses the parameters from the specified file in order to install Sentinel on unattended systems.
Displays the options that can be used while installing Sentinel.
Records log messages to a file.
Suppresses the display of the banner message.
Displays fewer messages.
Displays all messages during installation.

12.2 Performing Interactive Installation
This section provides information about standard and custom installation.
Section 12.2.1, Standard Installation, on page 78
Section 12.2.2, Custom Installation, on page 79

12.2.1 Standard Installation
Use the following steps to perform a standard installation:
1 Download the Sentinel installation file from the NetIQ Downloads Web site:
1a In the Product or Technology field, browse to and select SIEM-Sentinel.
1b Click Search.
1c Click the button in the Download column for Sentinel 7.2 Evaluation.
1d Click proceed to download, then specify your customer name and password.
1e Click download for the installation version for your platform.
2 Specify the following command at the command line to extract the installation file:
tar zxvf <install_filename>
Replace <install_filename> with the actual name of the install file.
3 Change to the directory where you extracted the installer:
cd <directory_name>
Speci
23. do not upgrade the plug-ins unless a particular plug-in is not compatible with the latest version of Sentinel.
New and updated Sentinel plug-ins, including Solution Packs, are frequently uploaded to the Sentinel Plug-ins Web site. To get the latest bug fixes, documentation updates, and enhancements for a plug-in, download and install the latest version of the plug-in. For information about installing a plug-in, see the specific plug-in documentation.

Appendices
Appendix A, Configuring Sentinel for High Availability, on page 145
Appendix B, Troubleshooting the Installation, on page 167
Appendix C, Uninstalling, on page 169

A Configuring Sentinel for High Availability
Many customers seek to install Sentinel into highly available environments with the goal of ensuring that critical enterprise event data is collected as consistently as possible. Many security and compliance requirements depend on comprehensive data collection to demonstrate adherence to those requirements; a few missed events could prevent detection of a threat or violation and cause unacceptable risk to the organization. NetIQ Corporation has tested and certified Sentinel to work in a high availability environment, and it supports disaster recovery architectures. This appendix d
24. for fencing purposes. As before, iSCSI devices can be created using any file or block device, but for simplicity here we will use a file that we create for this purpose. The following configuration steps are very similar to those in Shared Storage Setup.

SBD Setup
Connect to storage03 and start a console session. Use the dd command to create a blank file of any desired size:
dd if=/dev/zero of=/sbd count=1024 bs=1024
In this case we create a 1 MB file filled with zeros copied from the /dev/zero pseudo-device.
Configure that file as an iSCSI Target:
1 Run YaST from the command line (or use the Graphical User Interface, if preferred): /sbin/yast
2 Select Network Services > iSCSI Target.
3 Click Targets and select the existing target.
4 Select Edit. The UI will present a list of LUNs (drives) that are available.
5 Select Add to add a new LUN. Leave the LUN number as 2.
6 Browse in the Path dialog and select the sbd file that you created.
7 Leave the other options at their defaults, then select OK, then Next, then click Next again to select the default authentication options.
8 Click Finish to exit the configuration. Restart the services if needed. Exit YaST.
NOTE: The following steps require that each cluster node be able to resolve the hostname of all other cluster nodes (the file sync service csync2 will fail if this is not the case). If DNS is not set up or available, add entries for each host to the /etc/hosts file that list each
25. has been installed, an additional RPM should be installed to provide the additional Sentinel-specific cluster Resource Agents. The HA RPM can be found in the novell-Sentinelha-<Sentinel_version>.rpm stored in the normal Sentinel download, which you unpacked to install the product.
On each cluster node, copy the novell-Sentinelha-<Sentinel_version>.rpm into the /tmp directory, then:
cd /tmp
rpm -i novell-Sentinelha-<Sentinel_version>.rpm

A.3.5 Cluster Configuration
You must configure the cluster software to register each cluster node as a member of the cluster. As part of this configuration, you can also set up fencing and STONITH resources to ensure cluster consistency. In our exemplary solution we basically use the simplest configuration, without additional redundancy or other advanced features. We also use a unicast address instead of the preferred multicast address because it requires less interaction with network administrators and is sufficient for testing purposes. We also set up a simple SBD-based fencing resource.

Exemplary Solution
The exemplary solution will use private IP addresses for internal cluster communications and will use unicast to minimize the need to request a multicast address from a network administrator. The solution will also use an iSCSI Target configured on the same SUSE Linux VM that hosts the shared storage to serve as an SBD device
26. info or man page for dd for details on the command line options (for example, to create different-sized disks). The iSCSI Target treats this file as if it were a disk; you could of course use an actual disk if you prefer. Repeat this procedure to create a file for secondary storage:
dd if=/dev/zero of=networkdata count=10240000 bs=1024
For this example we use two files (disks) of the same size and performance characteristics. For a production deployment you might put the primary storage on a fast SAN and the secondary storage on a slower iSCSI, NFS, or CIFS volume.

Configuring iSCSI Targets
Configure the files localdata and networkdata as iSCSI Targets:
1. Run YaST from the command line (or use the Graphical User Interface, if preferred): /sbin/yast
2. Select Network Devices > Network Settings.
3. Ensure that the Overview tab is selected.
4. Select the secondary NIC from the displayed list, then tab forward to Edit and press Enter.
5. On the Address tab, assign a static IP address of 10.0.0.3. This will be the internal iSCSI communications IP.
6. Click Next, then click OK.
7. On the main screen, select Network Services > iSCSI Target.
8. If prompted, install the required software (iscsitarget RPM) from the SUSE Linux 11 SP3 media.
9. Click Service, select the When Booting option to ensure that the service starts when the opera
27. install-sentinel -u <response file>
The installation proceeds with the values stored in the response file. The Sentinel upgrade is complete.
Specify the number for the language you want to use for the upgrade. The end user license agreement is displayed in the selected language. Read the end user license and enter yes or y to accept the license and continue with the upgrade. The upgrade starts installing all RPM packages. This installation might take a few seconds to complete. Clear your Web browser cache to view the latest Sentinel version. Clear the Java Web Start cache on the client computers to use the latest version of Sentinel applications. You can clear the Java Web Start cache by either using the javaws -clearcache command or by using Java Control Center. For more information, see http://www.java.com/en/download/help/plugin_cache.xml
13. (Conditional) If the PostgreSQL database has been upgraded to a major version (for example, 8.0 to 9.0 or 9.0 to 9.1), clear the old PostgreSQL files from the PostgreSQL database. For information about whether the PostgreSQL database was upgraded, see the Sentinel Release Notes.
13a. Switch to the novell user: su novell
13b. Browse to the bin folder: cd /opt/novell/sentinel/3rdparty/postgresql/bin
13c. Delete all the old PostgreSQL files by using the following command: delete_old_cluster.sh

24.3 Upgrading the Collector Manag
28. is the number used for the purposes of EPS-based license compliance.
Network Flows per Minute: 300 FPM | 60000 FPM | Not Applicable | 60000 FPM | 60000 FPM | 60000 FPM

Sentinel Server Hardware
Demo medium Distribut Ibai Large One A ae ed d Agent PONa ne no e ent less Category Description intended Agent dale less Data Data Extra for less Data ased Collectio Collection Large 3 Data n Raw producti Collectio Raw Data on A Collectio Data Not Stored n Stored CPU Intel R Intel R TwoAMD Two Intel R Xeon R Contact Xeon R Xeon R Opteron CPU E5 2680 0 NetIQ CPU CPU 2431 2 70GHz 8 core CPUs Services E5420 X5355 2 40GHz 16 cores total with 2 50GHz 2 66GHz 6 cores hyper threading 4 CPU 4 core per CPU cores no CPUs 8 12 cores hyper cores total threading total no hyper threading Primary Locally cached 500 GB 5 x 300 3 x 146 5 TB 8 x 600 GB SAS Storage data for higher 7 2k RPM GB SAS GB SAS 15k RPM Hardware search drive 15k RPM 10KRPM RAID 0 stripe size 128k performance Hardware RAID 0 RAID 0 stripe size 128k Secondary Includes a copy Not Used Not Used Not Used Not Used Storage of the data in the primary storage Memory 4GB 24 GB 16 GB 128 GB Remote Collector Manager 1 Hardware CPU Not Intel R Not Same as Sentinel server C
29. learn about Sentinel components.
Review the Sentinel licensing to determine whether you need to use the trial license or the enterprise license of Sentinel.
Assess your environment to determine the hardware configuration. Ensure that the computers on which you install Sentinel and its components meet the specified requirements.
Review the Collector Manager and Correlation Engine events per second (EPS) and NetFlow Collector Manager records per second (RPS). Determine the number of Collector Managers, Correlation Engines, and NetFlow Collector Managers you need to install to improve performance and load balancing.
Review the Sentinel release notes to understand the new functionality and the known issues.
Install Sentinel. Ensure that you configure the time on the Sentinel server.
When you install Sentinel, the Sentinel plug-ins available at the time of the Sentinel release are installed by default. Configure the out-of-the-box plug-ins for data collection and reporting purposes.
Install additional Collectors and Connectors as needed in your environment.
Install additional Collector Managers and Correlation Engines as needed in your environment.
See: Part I, Understanding Sentinel, on page 13; Chapter 4, Understanding License Information, on page 33; Chapter 5, Meeting System Requirements, on page 35; Section 6.1, Advantages of Distributed Deployments, on page 49; Sentinel Release Not
30. needs. Much of this content comes from the pre-installed Sentinel Core Solution Pack and Solution Pack for ISO 27000 Series. For more information, see Using Solution Packs in the NetIQ Sentinel Administration Guide. Solution Packs allow categorization and grouping of content into controls or policy sets that are treated as a unit. The controls in the Solution Packs are pre-installed to provide you with this out-of-the-box content, but you have to formally implement or test those controls by using the Sentinel Web console. If a certain amount of rigor is desired to help show that your Sentinel implementation is working as designed, you may use the formal attestation process built into the Solution Packs. This attestation process implements and tests the Solution Pack controls just as you would implement and test controls from any other Solution Pack. As part of this process, the implementer and tester will attest that they have completed their work; these attestations will then become part of an audit trail that can be examined to demonstrate that any particular control was properly deployed. You can do the attestation process by using the Solution Manager. For more information on implementing and testing the controls, see Installing and Managing Solution Packs in the NetIQ Sentinel Administration Guide.

19.2 Configuring the Collectors, Connectors, Integrators, and Actions
For information about configuring the out-of-the-box plug-ins, see th
31. network shared storage location, in much the same configuration as the primary storage. In production implementations these would likely be different storage technologies.
Use the following procedure to configure the secondary storage for use by Sentinel.
NOTE: Since we will be using an iSCSI Target for this exemplary solution, the target will be mounted as a directory for use as secondary storage. Hence we will need to configure the mount as a filesystem resource, akin to the way the primary storage filesystem is configured. This was not automatically set up as part of the resource installation script since there are other possible variations; we will do the configuration manually here.
1. Review the steps above to determine which partition was created for use as secondary storage (/dev/<NETWORK1>, or something like /dev/sdc1). If necessary, create an empty directory on which the partition can be mounted, such as /var/opt/netdata.
2. Set up the network filesystem as a cluster resource: use the web console or run the command
crm configure primitive sentinelnetfs ocf:heartbeat:Filesystem params device="/dev/<NETWORK1>" directory="<PATH>" fstype="ext3" op monitor interval="60s"
where /dev/<NETWORK1> is the partition that was created in the Shared Storage Setup section above, and <PATH> is any local directory on which it can be mounted.
3. Add the n
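Before handing the Filesystem primitive to the cluster, it is worth checking the two values that step 2 leaves to the operator (the partition and the mount directory), since a wrong device or a non-empty mount point only shows up later as a failed resource. The following shell functions are an added example and not part of the NetIQ guide or the Sentinel install-resources.sh script: they build the exact crm command shown above from the device and directory and refuse obviously wrong inputs. The resource name sentinelnetfs, the ocf:heartbeat:Filesystem agent and the 60s monitor interval are taken from the guide; the device and directory values in the usage are constructed.

```shell
# build_netfs_primitive DEVICE MOUNTPOINT [FSTYPE]
# Prints the "crm configure primitive" command for the secondary-storage
# resource exactly as the guide's step 2 shows it, with the values filled in.
build_netfs_primitive() {
    dev=$1; dir=$2; fstype=${3:-ext3}
    printf 'crm configure primitive sentinelnetfs ocf:heartbeat:Filesystem params device="%s" directory="%s" fstype="%s" op monitor interval="60s"\n' \
        "$dev" "$dir" "$fstype"
}

# check_netfs_args DEVICE MOUNTPOINT
# Returns 0 when DEVICE is a block device and MOUNTPOINT is an existing, empty
# directory that is not already mounted; otherwise prints the reason and returns 1.
check_netfs_args() {
    dev=$1; dir=$2
    if [ ! -b "$dev" ]; then
        echo "not a block device: $dev"; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "mount point does not exist: $dir"; return 1
    fi
    if [ -n "$(ls -A "$dir")" ]; then
        echo "mount point is not empty: $dir"; return 1
    fi
    # /proc/mounts exists on SLES; skip the check silently elsewhere
    if [ -r /proc/mounts ] && grep -q " $dir " /proc/mounts; then
        echo "already mounted: $dir"; return 1
    fi
    return 0
}

# Constructed usage: only print the command when the inputs pass the checks.
# (Values are placeholders; substitute the partition and directory from step 1.)
if check_netfs_args /dev/sdc1 /var/opt/netdata; then
    build_netfs_primitive /dev/sdc1 /var/opt/netdata
fi
```

Run the printed command on the node where the full Sentinel install was done; the other nodes receive the configuration through the cluster's own sync, as the guide notes for install-resources.sh.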
32. option is prepended to the directory paths. For example, if you specify --location=/foo, the data directory will be /foo/var/opt/novell/sentinel/data and the config directory will be /foo/etc/opt/novell/sentinel/config. You must not use filesystem links (for example, soft links) for the --location option.

Using Partitions in an Appliance Installation
If you are using the DVD ISO appliance format, you can configure the partitioning of the appliance filesystem during installation by following the instructions in the YaST screens. For example, you can create a separate partition for the /var/opt/novell/sentinel mount point to put all data on a separate partition. However, for other appliance formats you can configure the partitioning only after installation. You can add partitions and move a directory to the new partition by using the SuSE YaST system configuration tool. For information about creating partitions after the installation, see Section 13.4.2, Creating Partitions, on page 96.

Best Practice Partition Layout
Many organizations have their own documented best-practice partition layout schemes for any installed system. The following partition proposal is intended to guide organizations without any defined policy, and considers Sentinel-specific use of the filesystem. Generally, Sentinel adheres to the Filesystem Hierarchy Standard where practicable.
Partition  Mount point  Size   Notes
Root       /            100GB  Contains operating system files
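The symbolic-link restriction on --location is easy to violate by accident (for example, /data pointing at a volume mounted elsewhere), and the installer does not necessarily notice. The following shell functions are an added example, not part of the Sentinel installer: they compute the data and config directories the guide describes for a given --location value and reject a location that is relative, missing, or reached through a symbolic link at any path component. The /var/opt/novell/sentinel/data and /etc/opt/novell/sentinel/config suffixes are the guide's; the directory names used in the usage are constructed.

```shell
# sentinel_paths LOCATION
# Prints the data directory and the config directory that result from
# --location=LOCATION, one per line, as described in the guide.
sentinel_paths() {
    loc=${1%/}
    printf '%s\n' "$loc/var/opt/novell/sentinel/data" "$loc/etc/opt/novell/sentinel/config"
}

# has_symlink PATH
# Returns 0 if PATH itself or any of its parent components is a symbolic link.
has_symlink() {
    p=$1
    while [ -n "$p" ] && [ "$p" != "/" ]; do
        [ -L "$p" ] && return 0
        p=$(dirname "$p")
    done
    return 1
}

# check_location LOCATION
# Returns 0 if LOCATION is an absolute, existing directory with no symbolic
# link anywhere in its path; otherwise prints the reason and returns 1.
check_location() {
    loc=${1%/}
    [ -z "$loc" ] && loc=/
    case $loc in
        /*) ;;
        *)  echo "location must be absolute: $loc"; return 1 ;;
    esac
    if [ ! -d "$loc" ]; then
        echo "not a directory: $loc"; return 1
    fi
    if has_symlink "$loc"; then
        echo "path contains a symbolic link: $loc"; return 1
    fi
    # Belt and braces: the physical path must be the path that was given.
    if [ "$(cd "$loc" && pwd -P)" != "$loc" ]; then
        echo "canonical path differs from $loc"; return 1
    fi
    return 0
}

# Constructed usage with a placeholder location.
if check_location /srv/sentinel; then
    sentinel_paths /srv/sentinel
fi
```

Run the check as root on the target host before invoking the installer; if it reports a symbolic link, mount the intended volume directly on a real directory and pass that directory to --location instead.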
33. server to free up system resources to other important functions such as event storage and searches. You can install additional NetFlow Collector Managers in the following scenarios:
In environments with many network devices and high rates of network flow data, you can install multiple NetFlow Collector Managers to distribute the load.
If you are in a multi-tenant environment, you should install an individual NetFlow Collector Manager for each tenant to collect separate network flow data per tenant.
For more information about installing additional NetFlow Collector Managers, see Chapter 14, NetFlow Collector Manager Installation, on page 99.

6.2 All-In-One Deployment
The most basic deployment option is an all-in-one system that contains all of the Sentinel components on a single machine. This is a good option if you are putting a relatively small load on the system and don't need to monitor Windows machines. For production environments, NetIQ Corporation recommends setting up a distributed deployment because it isolates data collection components on a separate machine, which is important for handling spikes and other anomalies with maximum system stability.
Figure 6-1 All-In-One Deployment (diagram: a single Sentinel host running the Web Console, Database, Correlation Engine, Collector Manager, and NetFlow Collector Manager, fed by Event Sources and Network devices)

6.3 One-Tier Dis
34. the node on which you ran the full Sentinel install and do the following (<SHARED1> is the shared volume you created above):
mount /dev/<SHARED1> /var/opt/novell
cd /usr/lib/ocf/resource.d/novell
./install-resources.sh
There might be issues with the new resources coming up in the cluster; run /etc/rc.d/openais restart on node02 if you experience this issue. The install-resources.sh script will prompt you for a couple of values, namely the virtual IP that you would like people to use to access Sentinel and the device name of the shared storage, and then will auto-create the required cluster resources. Note that the script requires the shared volume to already be mounted, and also requires the unattended installation file which was created during Sentinel install to be present (/tmp/install.props). You do not need to run this script on any but the first installed node; all relevant config files will be automatically synced to the other nodes. If the customer environment varies from this exemplary solution, you can edit the resources.cli file (in the same directory) and modify the primitives definitions from there. For example, the exemplary solution uses a simple Filesystem resource; you may wish to use a more cluster-aware cLVM resource. After running the shell script you can issue a crm status command, and the output should look like this:
crm status
Last updat
35. the world. However, you cannot automatically determine what the local time was when the event occurred. For this reason, Sentinel allows customers to manually set the time zone of an event source by editing the Event Source node in the Event Source Manager and specifying the appropriate time zone. This information does not affect the calculation of DeviceEventTime or EventTime, but is placed into the ObserverTZ field and is used to calculate the various ObserverTZ fields, such as ObserverTZHour. These fields are always expressed in local time. In the second scenario, if the long-form time zone IDs or offsets are used, you can convert to UTC to get the absolute canonical UTC time stored in DeviceEventTime, but you can also calculate the local-time ObserverTZ fields. If a short-form time zone ID is used, there is some potential for conflicts. The third scenario requires the administrator to manually set the event source time zone for all affected sources so that Sentinel can properly calculate the UTC time. If the time zone is not properly specified by editing the Event Source node in the Event Source Manager, then the DeviceEventTime and probably the EventTime can be incorrect; also, the ObserverTZ and associated fields might be incorrect. In general, the Collector for a given type of event source (such as Microsoft Windows) knows how an event source presents time stamps and adjusts accordingly. It is always good policy to manually set the time zo
36. to another are provided for seamless transitions. Investigating events in Sentinel often starts with the near-real-time Active Views. Although more advanced tools are available, Active Views display filtered event streams along with summary charts that can be used for simple, rough analysis of event trends, event data, and identification of specific events. Over time, you build up tuned filters for specific classes of data, such as output from correlation. You can use Active Views as a dashboard showing an overall operational and security posture. You can then use the interactive search to perform more detailed analysis of events. This allows you to quickly and easily search for and find data related to a specific query, such as activity by a specific user or on a particular system. By clicking on the event data or using the left-hand refinement pane, you can quickly zero in on specific events of interest. When analyzing hundreds of events, the reporting capabilities of Sentinel provide custom control over event layout and can display larger volumes of data. Sentinel makes this transition easier by allowing you to transfer the interactive searches built up in the Search interface into a reporting template, which instantly creates a report that displays the same data but in a format better suited for a larger number of events. Sentinel includes many templates for this purpose. Some templates are tuned to display particular types of information, such a
37. users in the cm section. For example:
cm=collectormanager,cmuser1,cmuser2
For Correlation Engine, add the new users in the admins section. For example:
admins=system,correlationengine,ceuser1,ceuser2
4. Save and close the file.
5. Open the activemqusers.properties file. This file is located in the <install_dir>/etc/opt/novell/sentinel/config directory.
6. Add the password for the ActiveMQ user you created in Step 3. The password can be any random string. For example:
For Collector Manager users:
system=c7f34372ecd20d831cceb29e754e5ac9
collectormanager=1c51ae56
cmuser1=1b51de55
cmuser2=1a51ce57
For Correlation Engine users:
system=c7f34372ecd20d831cceb29e754e5ac9
correlationengine=68790d7a
ceuser1=69700c6d
ceuser2=70701b5c
7. Save and close the file.
8. Restart the Sentinel server.

13 Appliance Installation
The Sentinel appliance is a ready-to-run software appliance built on SUSE Studio. The appliance combines a hardened SLES 11 SP3 operating system and the Sentinel software integrated update service to provide an easy and seamless user experience that allows customers to leverage existing investments. Before you install the Sentinel appliance, review new functionality and known issues in the supported SLES 11 Service Pack Release Notes. You can inst
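The two property-file edits above (add the user to its group list, then give it a password) are simple but error-prone by hand: a user listed in activemqgroups.properties without an entry in activemqusers.properties, or a password reused from an example, both defeat the purpose. The shell functions below are an added example, not part of the Sentinel product: they perform both edits for one new Collector Manager or Correlation Engine user, generate a random hex password from the kernel RNG instead of using the sample values shown in the guide, and are safe to re-run. The property file names and the cm/admins group names are the guide's; the file locations are parameters here and the sample file contents used in the usage are constructed.

```shell
# new_password: 16 hex characters from /dev/urandom. The guide only requires
# "any random string"; a fresh random value per user avoids sharing secrets.
new_password() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# add_to_group GROUPSFILE GROUP USER
# Appends USER to the comma-separated list of GROUP in activemqgroups.properties.
# Idempotent: a user already in the list is left alone; a missing group line is
# created. The file is rewritten through a temporary copy.
add_to_group() {
    awk -v g="$2" -v u="$3" -F= 'BEGIN { OFS = "=" }
        $1 == g { found = 1; n = split($2, a, ",")
                  for (i = 1; i <= n; i++) if (a[i] == u) { print; next }
                  $2 = $2 "," u }
        { print }
        END { if (!found) print g "=" u }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_user USERSFILE USER [PASSWORD]
# Appends USER=PASSWORD to activemqusers.properties unless USER already has an
# entry (then nothing is changed and 1 is returned). Prints the password used.
add_user() {
    file=$1; user=$2; pw=${3:-$(new_password)}
    if grep -q "^$user=" "$file"; then
        echo "user $user already present in $file" >&2
        return 1
    fi
    printf '%s=%s\n' "$user" "$pw" >> "$file"
    echo "$pw"
}

# add_activemq_user GROUPSFILE USERSFILE GROUP USER
# The whole procedure for one user: password entry first, then group membership,
# so a group never references a user that cannot authenticate.
add_activemq_user() {
    add_user "$2" "$4" && add_to_group "$1" "$3" "$4"
}

# Constructed usage against the guide's default config directory (paths are
# placeholders; run as the novell user and restart Sentinel afterwards):
#   cfg=/etc/opt/novell/sentinel/config
#   add_activemq_user "$cfg/activemqgroups.properties" "$cfg/activemqusers.properties" cm cmuser3
```

The printed password is what the new Collector Manager or Correlation Engine must be configured with; it is shown once on standard output and otherwise lives only in activemqusers.properties, so the file's ownership and mode should stay as the installer set them.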
38. 11-x86_64
smt-repos -e Sentinel-Correlation-Engine-7.0-Updates sle-11-x86_64

Upgrading the Appliance
For information about upgrading the appliance, see Section 25.3, Upgrading the Appliance by Using SMT, on page 139.

13.5 Stopping and Starting the Server by Using WebYaST
You can start and stop the Sentinel server by using the Web interface as follows:
1. Log in to the Sentinel appliance.
2. Click Appliance to launch WebYaST.
3. Click System Services.
4. To stop the Sentinel server, click stop.
5. To start the Sentinel server, click start.

14 NetFlow Collector Manager Installation
You must install the NetFlow Collector Manager on a separate computer and not on the same computer where the Sentinel server is installed.

14.1 Installation Checklist
Ensure that you have completed the following tasks before starting the installation:
[ ] Make sure that your hardware and software meet the minimum requirements. For more information, see Chapter 5, Meeting System Requirements, on page 35.
[ ] Synchronize time by using the Network Time Protocol (NTP).

14.2 Installing the NetFlow Collector Manager
You can install NetFlow Collector Managers by using one of the following methods:
Standard: Uses the default values for the NetFlow configuration.
Custom: Allows you to customize the port number of the Sentinel server.
NOTE: To send network flow data to the
39. 359034887.tar.gz is the backup file, run the following command:
backup_util.sh -f non-fips2013012419111359034887.tar.gz -m restore
5. Restart the Sentinel server.

Reverting Remote Collector Managers or Remote Correlation Engines to Non-FIPS Mode
You can revert remote Collector Managers or remote Correlation Engines to non-FIPS mode.
To revert a remote Collector Manager or a remote Correlation Engine to non-FIPS mode:
1. Log in to the remote Collector Manager or remote Correlation Engine system.
2. Switch to the novell user: su novell
3. Browse to the bin directory. The default location is /opt/novell/sentinel/bin.
4. Run the revert_to_nonfips.sh script and follow the on-screen instructions.
5. Restart the remote Collector Manager or remote Correlation Engine.

Part V Upgrading Sentinel
This section provides information about upgrading Sentinel and other components.
Chapter 22, Implementation Checklist, on page 129
Chapter 23, Prerequisite for Versions Prior to Sentinel 7.1.1, on page 131
Chapter 24, Upgrading Sentinel Traditional Installation, on page 133
Chapter 25, Upgrading the Sentinel Appliance, on page 137
Chapter 26, Upgrading Sentinel Plug-Ins, on page 141

Implementation Checklist
Before you upgrade Sentinel, review the following checklist to ensur
40. TCP 27017: Used for the Security Intelligence configuration database.
TCP 28017: Used for the Web interface for the Security Intelligence database.
TCP 32000: Used for internal communication between the wrapper process and the server process.

8.1.2 Network Ports
For Sentinel to work properly, ensure that the following ports are open on the firewall:
Ports              Direction  Required/Optional  Description
TCP 5432           Inbound    Optional           Used for the PostgreSQL database. You do not need to open this port by default; by default this port listens only on the loopback interface. However, you must open this port when you develop reports by using the Sentinel SDK. For more information, see the Sentinel Plug-in SDK.
TCP 1099 and 2000  Inbound    Optional           Used together by monitoring tools to connect to the Sentinel server process using Java Management Extensions (JMX).
TCP 1289           Inbound    Optional           Used for Audit connections.
UDP 1514           Inbound    Optional           Used for syslog messages.
TCP 8443           Inbound    Required           Used for HTTPS communication and incoming connections from NetFlow Collector Managers.
TCP 1443           Inbound    Optional           Used for SSL encrypted syslog messages.
TCP 61616          Inbound    Optional           Used for incoming connections from Collector Managers and Correlation Engines.
TCP 10013          Inbound    Required           Used by the Sentinel Control Center and Solution Designer.
TCP 1468           Inbound    Optional           Used for syslog messages.
TCP 10014          Inbound    Optional           Used by the remote Collector Managers to connect to the
41. Collector Manager or Correlation Engine to run in FIPS 140-2 mode:
1. Log in to the remote Collector Manager or Correlation Engine system.
2. Switch to the novell user: su novell
3. Browse to the bin directory. The default location is /opt/novell/sentinel/bin.
4. Run the convert_to_fips.sh script and follow the on-screen instructions.
5. Complete the FIPS 140-2 mode configuration by following the tasks mentioned in Chapter 21, Operating Sentinel in FIPS 140-2 Mode, on page 117.

21 Operating Sentinel in FIPS 140-2 Mode
This chapter provides information about configuring and operating Sentinel in FIPS 140-2 mode.
Section 21.1, Configuring the Advisor Service in FIPS 140-2 Mode, on page 117
Section 21.2, Configuring Distributed Search in FIPS 140-2 Mode, on page 117
Section 21.3, Configuring LDAP Authentication in FIPS 140-2 Mode, on page 118
Section 21.4, Updating Server Certificates in Remote Collector Managers and Correlation Engines, on page 119
Section 21.5, Configuring Sentinel Plug-Ins to Run in FIPS 140-2 Mode, on page 119
Section 21.6, Importing Certificates into FIPS Keystore Database, on page 125
Section 21.7, Reverting Sentinel to Non-FIPS Mode, on page 126

21.1 Configuring the Advisor Service in FIPS 140-2 Mode
The Advisor service use
42. Connector Guide.
Select one of the options from the Client Authentication Type field. The client authentication type determines how strictly the SSL Agent Manager Event Source Server verifies the identity of Agent Manager Event Sources that are attempting to send data.
Open: Allows all the SSL connections coming from the Agent Manager agents. Does not perform any client certificate validation or authentication.
Strict: Validates the certificate to be a valid X.509 certificate and also checks that the client certificate is trusted by the Event Source Server. New sources will need to be explicitly added to Sentinel; this prevents rogue sources from sending unauthorized data. For the Strict option, you must import the certificate of each new Agent Manager client into the Sentinel FIPS keystore. When Sentinel is running in FIPS 140-2 mode, you cannot import the client certificate using the Event Source Management (ESM) interface. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database on page 125.
NOTE: In FIPS 140-2 mode, the Agent Manager Event Source Server uses the Sentinel server key pair; importing the server key pair is not required.
If server authentication is enabled in the agents, the agents must additionally be configured to trust the Sentinel server or the remote Collector Manager certificate, depending on where the Connector is deployed.
Sentinel server certificate
43. DAP server and save it as the ldap.cert file in the /etc/opt/novell/sentinel/config directory of the Sentinel server. For example, use openssl s_client -connect <LDAP server IP>:636 and then copy the text returned between (but not including) the BEGIN and END lines into a file.
2. Import the certificate into the Sentinel FIPS keystore. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database on page 125.
3. Proceed with configuring the Integrator instance.

21.5.8 SMTP Integrator
The SMTP Integrator supports FIPS 140-2 from version 2011.1r2 and later. No configuration changes are required.

21.5.9 Using Non-FIPS Enabled Connectors with Sentinel in FIPS 140-2 Mode
This section provides information about how to use non-FIPS enabled Connectors with a Sentinel server in FIPS 140-2 mode. We recommend this approach if you have sources that do not support FIPS or if you want to collect events from the non-FIPS Connectors in your environment.
To use non-FIPS Connectors with Sentinel in FIPS 140-2 mode:
1. Install a remote Collector Manager in non-FIPS mode to connect to the Sentinel server in FIPS 140-2 mode. For more information, see Section 12.5, Installing Collector Managers and Correlation Engines, on page 82.
2. Deploy the non-FIPS Connectors specifically to the non-FIPS remote Collector Manager
44. FIPS mode and the receiver is Sentinel in FIPS 140-2 mode, the server certificate to be imported on the sender is the /etc/opt/novell/sentinel/config/sentinel.cer file from the receiver Sentinel machine. When Sentinel is running in FIPS 140-2 mode, you cannot import the client certificate using the Event Source Management (ESM) interface. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database on page 125.
NOTE: In FIPS 140-2 mode, the Sentinel Link Event Source server uses the Sentinel server key pair. Importing the server key pair is not required.

Syslog Connector
Follow the procedure below only if you have selected the SSL protocol when configuring the network settings of the Syslog Event Source Server.
To configure the Syslog Connector to run in FIPS 140-2 mode:
1. Add or edit the Syslog Event Source Server. Proceed through the configuration screens until the Networking window is displayed. For more information, see the Syslog Connector Guide.
2. Click Settings.
3. Select one of the options from the Client Authentication Type field. The client authentication type determines how strictly the SSL Syslog Event Source Server verifies the identity of Syslog Event Sources that are attempting to send data.
Open: Allows all the SSL connections coming from the clients (event sources). Does not perform any client certificate validation or authentication.
Strict: Validat
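Two of the certificate tasks in this chapter are worth seeing as concrete commands: the LDAP step that tells you to capture a server certificate from openssl s_client output, and the Strict client-authentication setting that (for the Agent Manager and Syslog Event Source Servers above) accepts a client only if its certificate is a valid X.509 certificate that chains to a trusted issuer. The shell functions below are an added example and not part of Sentinel or its Connectors: extract_pem and extract_pem_body pull the certificate out of saved s_client output, and verify_client performs the two checks that Strict mode implies, using openssl verify against a CA file. The make_ca and make_signed_cert helpers only generate throwaway test certificates so the whole thing runs offline; all names and files in them are constructed.

```shell
# extract_pem FILE
# Prints the first "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block from saved "openssl s_client -connect host:636" output, markers included,
# in the form openssl x509 can read back.
extract_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" |
        sed '/^-----END CERTIFICATE-----$/q'
}

# extract_pem_body FILE
# The same block without the BEGIN/END lines: the text the LDAP step above says
# to copy into ldap.cert.
extract_pem_body() {
    extract_pem "$1" | sed '1d;$d'
}

# verify_client CAFILE CERT
# Returns 0 only if CERT parses as an X.509 certificate (first check) and chains
# to a certificate in CAFILE (second check); this is what "Strict" enforces and
# what "Open" skips entirely.
verify_client() {
    openssl x509 -in "$2" -noout >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: constructed test fixture, a self-signed CA key pair.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# make_signed_cert DIR CANAME NAME: constructed leaf certificate signed by the
# CA created with make_ca (stands in for an agent or syslog client certificate).
make_signed_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" >/dev/null 2>&1
}
```

For a real LDAP server, save the s_client output first (openssl s_client -connect <LDAP server IP>:636 </dev/null > ldap.txt), run extract_pem_body ldap.txt > ldap.cert, and import the file with convert_to_fips.sh as described in Importing Certificates into FIPS Keystore Database. verify_client is a pre-flight check for the Strict setting: a client certificate that fails it here will also be rejected by the Event Source Server, and a rogue certificate signed by an unknown issuer fails the second check even though it passes the first.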
45. IP and its hostname as reported by the hostname command. This procedure should expose an iSCSI Target for the SBD device on the server at IP address 10.0.0.3 (storage03).

Node Configuration
Connect to a cluster node (node01) and open a console:
1. Run YaST.
2. Open Network Services > iSCSI Initiator.
3. Select Connected Targets, then the iSCSI Target you configured above.
4. Select the Log Out option and log out of the Target.
5. Switch to the Discovered Targets tab, select the Target, and log back in to refresh the list of devices (leave the automatic startup option and No Authentication).
6. Select OK to exit the iSCSI Initiator tool.
7. Open System > Partitioner and identify the SBD device as the 1MB IET-VIRTUAL-DISK. It will be listed as /dev/sdd or similar; note which one.
8. Exit YaST.
9. Execute the command ls -l /dev/disk/by-id/ and note the device ID that is linked to the device name you located above.
10. Execute the command sleha-init.
11. When prompted for the network address to bind to, specify the external NIC IP (172.16.0.1).
12. Accept the default multicast address and port. We will override this later.
13. Enter y to enable SBD, then specify /dev/disk/by-id/<device id>, where <device id> is the ID you located above (you can use Tab to auto-complete the path).
14. Complete the wizard and make sure no errors are reported.
15. Start YaST.
16. Sel
46. Installing Sentinel, on page 93.
6. Make a note of the appliance IP address that is shown in the console. The console displays a message that this appliance is the Sentinel Collector Manager or Correlation Engine, depending on what you chose to install, along with the IP address. The console also displays the Sentinel server user interface IP address.
7. Complete Step 23 through Step 24 in Section 13.3.2, Installing Sentinel, on page 93.

13.4 Post-Installation Configuration for the Appliance
After you install Sentinel, you need to perform additional configuration for the appliance to work properly.
Section 13.4.1, Configuring WebYaST, on page 96
Section 13.4.2, Creating Partitions, on page 96
Section 13.4.3, Registering for Updates, on page 97
Section 13.4.4, Configuring the Appliance with SMT, on page 97

13.4.1 Configuring WebYaST
The Sentinel appliance user interface is equipped with WebYaST, which is a Web-based remote console for controlling appliances based on SUSE Linux Enterprise. You can access, configure, and monitor the Sentinel appliances with WebYaST. The following procedure briefly describes the steps to configure WebYaST. For more information on detailed configuration, see the WebYaST User Guide (http://www.novell.com/documentation/webyast/).
1. Log in to the Sentinel appliance.
2. Click Appliance.
3. Configure the Sentinel Server t
47. Link connection to that system. When Sentinel forwards events to the system receiving SNMP traps, the port sends a packet to the receiver. This port is used when Sentinel forwards events to the system receiving Syslog messages. If the port is UDP, it sends a packet to the receiver. If the port is TCP, it initiates a connection to the receiver.

Sentinel Server Appliance-Specific Ports
In addition to the above ports, the following ports are open for the appliance:
Ports                    Direction  Required/Optional  Description
TCP 22                   Inbound    Required           Used for secure shell access to the Sentinel appliance.
TCP 4984                 Inbound    Required           Used by the Sentinel Appliance Management Console (WebYaST). Also used by the Sentinel appliance for the update service.
TCP 289                  Inbound    Optional           Forwarded to 1289 for Audit connections.
TCP 443                  Inbound    Optional           Forwarded to 8443 for HTTPS communication.
UDP 514                  Inbound    Optional           Forwarded to 1514 for syslog messages.
TCP 1290                 Inbound    Optional           Sentinel Link port that is allowed to connect through the SuSE Firewall.
UDP and TCP 40000-41000  Inbound    Optional           Ports that can be used when configuring data collection servers such as syslog. Sentinel does not listen on these ports by default.
TCP 443 or 80            Outbound   Required           Initiates a connection to the NetIQ appliance software update repository on the Internet or a Subscription Management Tool service in your network.
P
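The two port tables (the Sentinel server ports in 8.1.2 Network Ports and the appliance-specific ports above) are most useful after installation as a checklist: the Required ports must actually be listening, and a port the guide says should stay on the loopback interface (TCP 5432 for PostgreSQL) should not have quietly been bound to all interfaces. The shell functions below are an added example and not part of the Sentinel product: they read saved "ss -ltn" output and report which required ports are missing and which loopback-only ports are exposed. The port numbers and their Required/loopback classification are taken from the two tables; the ss output in the usage is constructed.

```shell
# Required inbound TCP ports from the two tables (the appliance forwards 443 to
# 8443, so on an appliance both lists apply). TCP 5432 is listed by the guide as
# listening only on the loopback interface by default.
SENTINEL_REQUIRED_TCP="8443 10013"
APPLIANCE_REQUIRED_TCP="22 4984"
LOOPBACK_ONLY_TCP="5432"

# listening_ports FILE
# Prints the distinct port numbers from saved "ss -ltn" output (header skipped;
# the port is whatever follows the last colon of the Local Address:Port column).
listening_ports() {
    awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' "$1" | sort -un
}

# missing_ports FILE PORT...
# Prints each PORT that is not listening; returns 1 if any is missing.
missing_ports() {
    file=$1; shift; rc=0
    for p in "$@"; do
        listening_ports "$file" | grep -qx "$p" || { echo "$p"; rc=1; }
    done
    return $rc
}

# wide_open FILE PORT...
# Prints each PORT that is bound to something other than 127.0.0.1 or [::1];
# returns 1 if any is. Use it for ports that should stay on the loopback interface.
wide_open() {
    file=$1; shift; rc=0
    for p in "$@"; do
        if awk -v p="$p" 'NR > 1 {
                n = split($4, a, ":"); addr = $4; sub(":" a[n] "$", "", addr)
                if (a[n] == p && addr != "127.0.0.1" && addr != "[::1]") found = 1 }
            END { exit !found }' "$file"; then
            echo "$p"; rc=1
        fi
    done
    return $rc
}

# check_sentinel_ports FILE [APPLIANCE]
# Runs both checks; pass a second argument to include the appliance ports.
# Returns 0 only if nothing required is missing and nothing loopback-only is exposed.
check_sentinel_ports() {
    required=$SENTINEL_REQUIRED_TCP
    [ -n "$2" ] && required="$required $APPLIANCE_REQUIRED_TCP"
    ok=0
    m=$(missing_ports "$1" $required) || { echo "missing required ports: $m"; ok=1; }
    w=$(wide_open "$1" $LOOPBACK_ONLY_TCP) || { echo "loopback-only ports bound to all interfaces: $w"; ok=1; }
    return $ok
}

# Usage on a live host (constructed; run as root): ss -ltn > /tmp/listen.txt && check_sentinel_ports /tmp/listen.txt appliance
```

A missing required port usually means the corresponding service did not start (compare with the WebYaST System Services view), while an exposed 5432 means PostgreSQL's listen address was changed; the guide says to open that port on the firewall only for Sentinel SDK report development.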
48. [table of contents, continued]
...Manager ... 99
15 Installing Additional Collectors and Connectors ... 101
15.1 Installing a Collector ... 101
15.2 Installing a Connector ... 101
16 Verifying the Installation ... 103
Part IV Configuring Sentinel ... 105
17 Configuring Time ... 107
17.1 Understanding Time in Sentinel ... 107
17.2 Configuring Time in Sentinel ... 109
17.3 Configuring Delay Time Limit for Events ... 109
17.4 Handling Time Zones ... 109
18 Modifying the Configuration after Installation ... 111
19 Configuring Out-of-the-Box Plug-Ins ... 113
19.1 Configuring the Solution Packs ... 113
19.2 Configuring the Collectors, Connectors, Integrators, and Actions ... 113
20 Enabling FIPS 140-2 Mode in an Existing Sentinel Installation ... 115
20.1 Enabling Sentinel Server to Run in FIPS 140-2 Mode ... 115
20.2 Enabling FIPS 140-2 Mode on Remote Collector Managers and Correlation Engines ... 115
21 Operating Sentinel in FIPS 140-2 Mode ... 117
21.1 Configuring the Advisor Service in FIPS 140-2 Mode ... 117
21.2 Configuring Distributed Search in FIPS 140-2 Mode ... 117
21.3 Configuring LDAP Authentication in FIPS 140-2 Mode ... 118
21.4 Upda
49. NOTE: There are some known issues when non-FIPS Connectors, such as the Audit Connector and the File Connector, are deployed on a non-FIPS remote Collector Manager connected to a Sentinel server in FIPS 140-2 mode. For more information about these known issues, see the Sentinel 7.1 Release Notes.

Importing Certificates into the FIPS Keystore Database
You must insert certificates into the Sentinel FIPS keystore database to establish secure SSL communications from the components that own those certificates to Sentinel. You cannot upload certificates by using the Sentinel user interface as normal when FIPS 140-2 mode is enabled in Sentinel; you must manually import the certificates into the FIPS keystore database.
For event sources that are using Connectors deployed to a remote Collector Manager, you must import the certificates into the FIPS keystore database of the remote Collector Manager rather than the central Sentinel server.
To import certificates into the FIPS keystore database:
1. Copy the certificate file to any temporary location on the Sentinel server or remote Collector Manager.
2. Browse to the Sentinel bin directory. The default location is /opt/novell/sentinel/bin.
3. Run the following command to import the certificate into the FIPS keystore database, then follow the on-screen instructions:
   convert_to_fips.sh -i <certificate file path>
4. Enter yes or y when prompted to restart the Sentinel server or remote Collector Manager.
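The import procedure above trusts whatever file is handed to convert_to_fips.sh, so the pre-flight below is worth running first. It is an added example, not part of the NetIQ guide or the Sentinel product: the classification rules (refuse private key material, require exactly one PEM CERTIFICATE block, require an absolute path) are this example's own, the default bin directory /opt/novell/sentinel/bin is assumed from the text, and the sample files it writes contain fake base64 bodies, not real certificates or keys.

```shell
# Added example, not from the NetIQ guide: pre-flight checks before handing a
# certificate file to convert_to_fips.sh on the Sentinel server or the remote
# Collector Manager that owns the connection. The guide only says to copy the
# file to the host and run "convert_to_fips.sh -i <certificate file path>";
# the rules below are this example's own. Assumed: the default bin directory
# /opt/novell/sentinel/bin, and constructed sample files (fake bodies).

SENTINEL_BIN=${SENTINEL_BIN:-/opt/novell/sentinel/bin}

# Classify a PEM file for import. Prints one word; returns 0 only for "cert":
#   cert     exactly one CERTIFICATE block and no key material
#   multi    several CERTIFICATE blocks (a chain: split it, import one by one)
#   key      a PRIVATE KEY block is present; a key must never be copied into
#            a trust store, and should not have left its own host at all
#   invalid  unreadable, or no complete PEM certificate block
fips_classify_pem() {
    file=$1
    if [ ! -r "$file" ]; then
        echo invalid
        return 1
    fi
    if grep -q 'PRIVATE KEY-----' "$file"; then
        echo key
        return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$file" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo invalid
        return 1
    fi
    if [ "$begins" -gt 1 ]; then
        echo multi
        return 1
    fi
    echo cert
}

# Run the check and, if it passes, hand the file to convert_to_fips.sh from
# the bin directory as the guide's step 2 does. The path must be absolute
# because the script is run after cd. With FIPS_DRY_RUN=1 the import command
# is printed instead of executed.
fips_import_cert() {
    file=$1
    case $file in
        /*) ;;
        *) echo "use an absolute path for $file" >&2; return 1 ;;
    esac
    kind=$(fips_classify_pem "$file" || true)
    if [ "$kind" != cert ]; then
        echo "refusing to import $file: $kind" >&2
        return 1
    fi
    if [ "${FIPS_DRY_RUN:-0}" = 1 ]; then
        echo "$SENTINEL_BIN/convert_to_fips.sh -i $file"
        return 0
    fi
    ( cd "$SENTINEL_BIN" && ./convert_to_fips.sh -i "$file" )
}

# Constructed sample files; prints the directory that holds them.
fips_make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBfakeSourceCert' '-----END CERTIFICATE-----' > "$dir/source.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
                  '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' > "$dir/chain.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'fakekey' '-----END RSA PRIVATE KEY-----' > "$dir/source.key"
    printf 'not a certificate\n' > "$dir/notes.txt"
    echo "$dir"
}

# Offline demonstration: dry-run every sample; only source.pem is accepted.
FIPS_DRY_RUN=1
samples=$(fips_make_samples)
for f in "$samples"/*; do
    fips_import_cert "$f" || true
done
rm -rf "$samples"
```

On a real host, unset FIPS_DRY_RUN and call fips_import_cert with the absolute path of the copied certificate; if openssl is available, `openssl x509 -in <file> -noout -subject -enddate -fingerprint -sha256` beforehand lets you compare the fingerprint with the value the event source's administrator reports, which the script above deliberately does not do for you.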
50. NetIQ Sentinel Installation and Configuration Guide, October 2014

Legal Notice
NetIQ Sentinel is protected by United States Patent No(s). 05829001.
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
For purposes of clarity, any module, adapter or other similar material ("Module") is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.
This document and the software described in this document may not be lent, sold, or given away with
51. ...PS on the Sentinel server. For more information, see Enabling Sentinel Server to Run in FIPS 140-2 Mode on page 115.
2. Ensure that one remote Collector Manager is running in FIPS 140-2 mode and another remote Collector Manager continues to run in non-FIPS mode.
   2a. If you do not have a FIPS 140-2 mode enabled remote Collector Manager, you must enable FIPS mode on the remote Collector Manager. For more information, see Enabling FIPS 140-2 Mode on Remote Collector Managers and Correlation Engines on page 115.
   2b. Update the server certificate on the non-FIPS remote Collector Manager. For more information, see Updating Server Certificates in Remote Collector Managers and Correlation Engines on page 119.
3. Ensure that the two remote Collector Managers communicate with the FIPS 140-2 enabled Sentinel server.
4. Convert remote Correlation Engines, if any, to run in FIPS mode. For more information, see Enabling FIPS 140-2 Mode on Remote Collector Managers and Correlation Engines on page 115.
5. Configure the Sentinel plug-ins to run in FIPS 140-2 mode. For more information, see Configuring Sentinel Plug-Ins to Run in FIPS 140-2 Mode on page 119.
   5a. Deploy Connectors that support FIPS 140-2 mode on the remote Collector Manager running in FIPS mode.
   5b. Deploy the Connectors that do not support FIPS 140-2 mode on the non-FIPS remote Collector Manager.
52. [table of contents, continued]
6.3 One-Tier Distributed Deployment
6.4 One-Tier Distributed Deployment with High Availability
6.5 Two-Tier and Three-Tier Distributed Deployment
6.6 Planning Partitions for Data Storage
6.6.1 Using Partitions in Traditional Installations
6.6.2 Using Partitions in an Appliance Installation
6.6.3 Best Practice Partition Layout
6.6.4 Sentinel Directory Structure
7 Deployment Considerations for FIPS 140-2 Mode
7.1 FIPS Implementation in Sentinel
7.1.1 RHEL NSS Packages
7.1.2 SLES NSS Packages
7.2 FIPS-Enabled Components in Sentinel
7.3 Implementation Checklist
7.4 Deployment Scenarios
7.4.1 Scenario 1: Data Collection in Full FIPS 140-2 Mode
7.4.2 Scenario 2: Data Collection in Partial FIPS 140-2 Mode
8 Ports Used
8.1 Sentinel Server Ports
8.1.1 Local Ports
8.1.2 Network Ports
8.1.3 Sentinel Server Appliance-Specific Ports
8.2
53. ...Sentinel server, you must be an administrator, belong to the NetFlow Provider role, or have the Send NetFlow data permission.
If you plan to install more than one NetFlow Collector Manager, you should create a new user account for each NetFlow Collector Manager to send network flow data to Sentinel. Having a different user account for each NetFlow Collector Manager provides an additional level of control over which NetFlow Collector Managers are allowed to send data to Sentinel.
To install the NetFlow Collector Manager:
1. Launch the Sentinel Web interface by specifying the following URL in your Web browser:
   https://<IP_Address_Sentinel_server>:8443
   <IP_Address_Sentinel_server> is the IP address or DNS name of the Sentinel server, and 8443 is the default port for the Sentinel server.
2. Log in with the user name and password specified during the installation of the Sentinel server.
3. In the toolbar, click Downloads.
4. Under the NetFlow Collector Manager heading, click Download Installer.
5. Click Save File to save the installer to the desired location.
6. In the command prompt, specify the following command to extract the installation file:
   tar zxvf <install_filename>
   Replace <install_filename> with the actual name of the install file.
7. Change to the directory where you extracted the installer:
   cd <directory_name>
8. Specify the following command to in
54. ...Used for secure shell access to the Sentinel appliance.
TCP 4984   Inbound    Required   Used by the Sentinel Appliance Management Console (WebYaST). Also used by the Sentinel appliance for the update service.
TCP 443    Outbound   Required   Initiates a connection to the NetIQ appliance software update repository on the Internet or a Subscription Management Tool service in your network.
TCP 80     Outbound   Optional   Initiates a connection to the Subscription Management Tool.

8.4 NetFlow Collector Manager Ports
The NetFlow Collector Manager uses the following ports to communicate with other components:

Port         Direction  Required/Optional  Description
HTTPS 8443   Outbound   Required           Initiates a connection to the Sentinel server.
3578         Inbound    Required           Used for receiving network flow data from network devices.

9 Installation Options
You can perform a traditional installation of Sentinel or install the appliance. This chapter provides information about the two installation options.

9.1 Traditional Installation
The traditional installation installs Sentinel on an existing operating system by using the application installer. You can install Sentinel in the following ways:
Interactive: The installation proceeds with user inputs. During installation, you can record the installation options (user inputs or default values) to a file, which you can use later for silent installation. You
55. Verify the Sentinel version:
   /etc/init.d/sentinel version
Verify whether the Sentinel services are up and running:
   /etc/init.d/sentinel status
Verify whether the Web services are up and running:
   netstat -an | grep LISTEN | grep <HTTPS_port_number>
   The default port number is 8443.
Access the Sentinel Web interface:
1. Launch a supported Web browser.
2. Specify the URL of the Sentinel Web interface:
   https://<IP_Address_DNS_Sentinel_server>:8443
   <IP_Address_DNS_Sentinel_server> is the IP address or DNS name of the Sentinel server, and 8443 is the default port for the Sentinel server.
3. Log in with the administrator name and password specified during the installation. The default username is admin.

Part IV Configuring Sentinel
This section provides information about configuring Sentinel and the out-of-the-box plug-ins.
Chapter 17, Configuring Time, on page 107
Chapter 18, Modifying the Configuration after Installation, on page 111
Chapter 19, Configuring Out-of-the-Box Plug-Ins, on page 113
Chapter 20, Enabling FIPS 140-2 Mode in an Existing Sentinel Installation, on page 115
Chapter 21, Operating Sentinel in FIPS 140-2 Mode, on page 117

17 Configuring Time
The time of an event is very critical to its proces
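The netstat check above only confirms that 8443 is listening; the appliance port tables in Chapter 8 also say what should not be listening. The script below is an added example, not from the NetIQ guide: it reads `ss -ltun` output and reports every non-loopback listener that the appliance table does not account for. Assumptions that are this example's own and not stated in the guide: loopback-only sockets are skipped (the guide lists them separately as local ports), the internal forward targets 8443, 1289 and 1514 are expected alongside their public ports 443, 289 and 514, and a listener in 40000-41000 is flagged as RANGE rather than UNEXPECTED because the guide says Sentinel does not listen there unless a data collection server has been configured. The embedded ss output is a constructed sample.

```shell
# Added example, not from the NetIQ guide: audit a Sentinel appliance's
# listening sockets against the appliance port table. Pipe `ss -ltun` into
# sentinel_audit_listeners on a live appliance; the sample below is
# constructed so the audit can be exercised offline.

# Inbound listeners the appliance table accounts for (proto:port). The
# 8443/1289/1514 entries are the targets of the 443/289/514 forwards, an
# assumption of this example.
SENTINEL_EXPECTED='tcp:22
tcp:4984
tcp:289
tcp:1289
tcp:443
tcp:8443
udp:514
udp:1514
tcp:1290'

# Constructed sample in `ss -ltun` layout; 8080 and 40001 are the anomalies,
# 5432 is loopback-only and therefore ignored.
SENTINEL_SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    *:22               *:*
tcp   LISTEN 0      128    *:4984             *:*
tcp   LISTEN 0      128    *:8443             *:*
udp   UNCONN 0      0      *:1514             *:*
tcp   LISTEN 0      128    127.0.0.1:5432     *:*
tcp   LISTEN 0      128    *:8080             *:*
tcp   LISTEN 0      128    :::40001           :::*'

# Print proto:port for each non-loopback listener in ss -ltun output (stdin).
# The port is the text after the last colon, which also covers ":::40001"
# and "[::]:22" style IPv6 columns.
sentinel_listeners() {
    awk 'NR > 1 && NF >= 5 {
        addr = $5
        sub(/:[0-9]+$/, "", addr)
        if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
        n = split($5, parts, ":")
        if (parts[n] ~ /^[0-9]+$/) print $1 ":" parts[n]
    }'
}

# Compare listeners (stdin) with SENTINEL_EXPECTED. Prints one line per
# listener not on the allowlist and returns 1 if any were found:
#   RANGE proto:port       inside the optional 40000-41000 collection range
#   UNEXPECTED proto:port  anything else, e.g. a service that should be off
sentinel_audit_listeners() {
    found=0
    for entry in $(sentinel_listeners); do
        if printf '%s\n' "$SENTINEL_EXPECTED" | grep -qx "$entry"; then
            continue
        fi
        port=${entry#*:}
        if [ "$port" -ge 40000 ] && [ "$port" -le 41000 ]; then
            echo "RANGE $entry"
        else
            echo "UNEXPECTED $entry"
        fi
        found=1
    done
    return $found
}

# Offline demonstration; on an appliance run:  ss -ltun | sentinel_audit_listeners
printf '%s\n' "$SENTINEL_SAMPLE_SS" | sentinel_audit_listeners || echo "anomalies found"
```

Extend SENTINEL_EXPECTED when you deliberately open a collection port or enable Sentinel Link, and treat any UNEXPECTED line on a freshly installed appliance as something to explain before the system goes into service.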
56. [Figure residue: Windows Event Collection Service (WMI), Microsoft Windows Servers, Virtual IP, Sentinel Client]
Section A.3.1, Initial Setup, on page 149
Section A.3.2, Shared Storage Setup, on page 150
Section A.3.3, Sentinel Installation, on page 152
Section A.3.4, Cluster Installation, on page 155
Section A.3.5, Cluster Configuration, on page 156
Section A.3.6, Resource Configuration, on page 158
Section A.3.7, Secondary Storage Configuration, on page 159

A.3.1 Initial Setup
Configure the machine hardware, network hardware, storage hardware, operating systems, user accounts, and other basic system resources per the documented requirements for Sentinel and local customer requirements. Test the systems to ensure proper function and stability.
As a best practice, all cluster nodes should be time-synchronized; use NTP or a similar technology for this purpose.
The cluster will require reliable hostname resolution. As a best practice, you may wish to enter all internal cluster hostnames into the /etc/hosts file to ensure cluster continuity in case of DNS failure. If any cluster node cannot resolve all other nodes by name, the cluster configuration described in this section will fail.
The CPU, RAM, and disk space characteristics for each cluster node must meet the system requirements defined
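The Initial Setup text says the cluster configuration fails if any node cannot resolve the others by name and recommends pinning the names in /etc/hosts. The check below is an added example, not from the NetIQ guide: it verifies that every cluster node name, plus the virtual IP name the guide recommends for client access, is present in a hosts file and maps to a routable address. The loopback rule is this example's own, not the guide's: a name tied to 127.x resolves only on that node, so a peer that looks it up will never reach it. The node names and hosts-file text are constructed samples; on a real node pass "$(cat /etc/hosts)" and your own names.

```shell
# Added example, not from the NetIQ guide: confirm every cluster node name is
# pinned in /etc/hosts (so resolution survives a DNS outage) and maps to a
# routable address, then optionally confirm live resolution with getent(1).
# CLUSTER_NODES and CLUSTER_SAMPLE_HOSTS are constructed samples.

CLUSTER_NODES='node01 node02 node03 sentinel-vip'

# Constructed sample: node03 is wrongly tied to loopback, sentinel-vip is absent.
CLUSTER_SAMPLE_HOSTS='127.0.0.1   localhost
10.0.0.11   node01.example.com node01
10.0.0.12   node02.example.com node02
127.0.0.2   node03.example.com node03
# sentinel-vip is deliberately missing'

# Print the address that hosts-file text ($2) maps NAME ($1) to, or nothing.
# Comment and blank lines are ignored; any alias on a line matches.
hosts_lookup() {
    printf '%s\n' "$2" | awk -v n="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }'
}

# Check every name in CLUSTER_NODES against hosts-file text ($1). Prints
# "MISSING <name>" or "LOOPBACK <name> <addr>" per problem; returns 1 if any.
cluster_check_hosts() {
    problems=0
    for n in $CLUSTER_NODES; do
        addr=$(hosts_lookup "$n" "$1")
        if [ -z "$addr" ]; then
            echo "MISSING $n"
            problems=1
        else
            case $addr in
                127.*|::1) echo "LOOPBACK $n $addr"; problems=1 ;;
            esac
        fi
    done
    return $problems
}

# Live check on a node: does each name resolve right now through whatever
# /etc/nsswitch.conf dictates (hosts file or DNS)? Uses getent(1).
cluster_check_resolution() {
    failed=0
    for n in $CLUSTER_NODES; do
        if ! getent hosts "$n" >/dev/null 2>&1; then
            echo "UNRESOLVED $n"
            failed=1
        fi
    done
    return $failed
}

# Offline demonstration on the sample; on a node: cluster_check_hosts "$(cat /etc/hosts)"
cluster_check_hosts "$CLUSTER_SAMPLE_HOSTS" || echo "fix /etc/hosts before running the cluster configuration"
```

Run cluster_check_hosts on every node, not just one: each node keeps its own /etc/hosts, and a node whose own name sits on the 127.0.0.2 line that some installers add will pass on its peers and fail only on itself.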
57. ...all the Sentinel appliance on the hardware or in a virtual environment.
Section 13.1, Installing the VMware Appliance, on page 87
Section 13.2, Installing the Xen Appliance, on page 90
Section 13.3, Installing the ISO Appliance, on page 93
Section 13.4, Post-Installation Configuration for the Appliance, on page 95
Section 13.5, Stopping and Starting the Server by Using WebYaST, on page 98

13.1 Installing the VMware Appliance
This section provides information about installing Sentinel, Collector Manager, and Correlation Engine on a VMware ESX server.
Section 13.1.1, Installing Sentinel, on page 87
Section 13.1.2, Installing Collector Managers and Correlation Engines, on page 88
Section 13.1.3, Installing VMware Tools, on page 89

13.1.1 Installing Sentinel
Use the following steps to install Sentinel on a VMware ESX server:
1. Download the VMware appliance installation file from the NetIQ Download Web site. The correct file for the VMware appliance has vmx in the filename, for example sentinel_server_7.2.0.0.x86_64.vmx.tar.gz.
2. Establish an ESX datastore to which the appliance image can be installed.
3. Log in as Administrator to the server where you want to install the appliance.
4. Specify the following command to extract the compressed appliance image from the machine where the VM Converter is installed:
   tar zxvf <install_file>
   Replace <install_file> with the act
58. [Best Practice Partition Layout, continued]
Partition           Mount point                               Size                                   Notes
(previous row)      ...                                       ...                                    ...and Sentinel binaries/configuration.
Boot                /boot                                     150 MB                                 Boot partition.
Temp                /tmp                                      30 GB                                  Location for OS and Sentinel temporary files. Isolating this on a separate partition protects application data from corruption if a runaway process fills up the temp space.
Primary storage     /var/opt/novell                           Calculate using the System Sizing      This area will contain the primary Sentinel collected data plus other variable data such as log files.
                                                              Information on page 37.
Secondary storage   Location based on the type of storage     Calculate using the System Sizing      This is the secondary storage area, which can be mounted locally (as shown) or remotely. This partition can be shared with other systems.
                    (NFS, CIFS, or SAN)                       Information on page 37.
Archival storage    Remote system                             Calculate using the System Sizing      This storage is for archived data.
                                                              Information on page 37.

6.6.4 Sentinel Directory Structure
By default, the Sentinel directories are in the following locations:
The data files are in the /var/opt/novell/sentinel/data and /var/opt/novell/sentinel/3rdparty directories.
Executables and libraries are stored in the /opt/novell/sentinel directory.
Log files are in the /var/opt/novell/sentinel/log directory.
Configuration files are in the /etc/opt/novell/sentinel directory.
The process ID (PID) file is in the directory
59. ...atest Sentinel version.
   4h. After the upgrade is complete, restart the cluster stack:
       rcopenais start
5. Disable the maintenance mode on the cluster:
   crm configure property maintenance-mode=false
   You can run this command from any cluster node.
6. Verify whether the maintenance mode is inactive:
   crm status
   The cluster resources should appear in the Started state.
7. (Optional) Verify whether the Sentinel upgrade is successful:
   rcsentinel version

Upgrading the Sentinel HA Appliance Through WebYaST
You must register all the appliance nodes through WebYaST before the upgrade. For more information, see Section 13.4.3, Registering for Updates, on page 97. If you do not register the appliance, Sentinel displays a yellow warning.
1. Enable the maintenance mode on the cluster:
   crm configure property maintenance-mode=true
   Maintenance mode helps you avoid any disturbance to the running cluster resources while you update the Sentinel software. You can run this command from any cluster node.
2. Verify whether the maintenance mode is active:
   crm status
   The cluster resources should appear in the unmanaged state.
3. Upgrade the passive cluster nodes:
   3a. Stop the cluster stack:
       rcopenais stop
       Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.
   3b. Specify the URL of the passive cluster node, using port 4984, to launch WebYaST, as h
60. ...by manually executing an event or incident operation, and by correlation rules. Sentinel provides a list of preconfigured Actions. You can use the default Actions and reconfigure them as necessary, or you can add new Actions. For more information, see Configuring Actions in the NetIQ Sentinel Administration Guide.
An Action can execute on its own, or it can make use of an Integrator instance configured from an Integrator plug-in. Integrator plug-ins extend the features and functionality of Sentinel remediation actions. Integrators provide the ability to connect to an external system, such as an LDAP, SMTP, or SOAP server, to execute an action. For more information, see Configuring Integrators in the NetIQ Sentinel Administration Guide.

Searching
Sentinel provides an option to perform a search on events. You can search data in the primary storage or the secondary storage location. With the necessary configuration, you can also search system events generated by Sentinel and view the raw data for each event. For more information, see Performing a Search in the NetIQ Sentinel User Guide.
You can also search Sentinel servers that are distributed across different geographic locations. For more information, see Searching and Reporting Events in a Distributed Environment in the NetIQ Sentinel Administration Guide.

Reports
Sentinel provides the ability to run reports on the data gathered. Sentinel is prepackaged with a variety of
61. ...c partition proposal.

Installing Sentinel
Use the following steps to install the Sentinel ISO appliance:
1. Boot the physical machine from the DVD drive with the DVD.
2. Use the on-screen instructions of the installation wizard.
3. Run the Live DVD appliance image by selecting the top entry in the boot menu.
   The installation first checks for the available memory and disk space. If the available memory is less than 2.5 GB, the installation is automatically terminated. If the available memory is more than 2.5 GB but less than 6.7 GB, the installation displays a message that you have less memory than is recommended. Enter y if you want to continue with the installation, or enter n if you do not want to proceed.
4. Select the language of your choice, then click Next.
5. Select the keyboard configuration, then click Next.
6. Read and accept the SUSE Enterprise Server Software License Agreement. Click Next.
7. Read and accept the NetIQ Sentinel End User License Agreement. Click Next.
8. On the Hostname and Domain Name page, specify the hostname and domain name, then ensure that the Assign Hostname to Loopback IP option is selected.
9. Click Next.
10. Do one of the following:
    To use the current network connection settings, select Use the following configuration on the Network Configuration II page.
    To change the network connection settings, click Change, then make the desired changes.
11. Click Next.
12. Set the Time and Date, then click Next.
62. ...c OCF Resource Agent for Sentinel that can monitor for major hardware, operating system, or Sentinel system failure. At this time, the external monitoring capabilities for Sentinel are based on IP port probes, and there is some potential for false positive and false negative readings. We plan to improve both Sentinel and the Resource Agent over time to improve the accuracy of this component.

A.1.4 Fencing
Within an HA cluster, critical services are constantly monitored and restarted automatically on other nodes in the case of failure. This automation can introduce problems, however, if some communications problem occurs with the primary node: although the service running on that node appears to be down, it in fact continues to run and write data to the shared storage. In this case, starting a new set of services on a backup node could easily cause data corruption. Clusters use a variety of techniques, collectively called fencing, to prevent this from happening, including Split Brain Detection (SBD) and Shoot The Other Node In The Head (STONITH). The primary goal is to prevent data corruption on the shared storage.

System Requirements
When allocating cluster resources to support an HA installation, consider the following requirements:
(Conditional) For HA appliance installations, ensure that the Sentinel HA appliance with a valid license is available. The Sentinel HA appliance is an ISO appliance that includes the following packages: SUSE Linux En
63. ...can either perform a standard installation or a custom installation.

Standard Installation
Uses the default values for the configuration. User input is required only for the password.
Installs with the default 90-day evaluation key.
Allows you to specify the admin password and uses the admin password as the default password for both dbauser and appuser.
Installs the default ports for all the components.
Installs Sentinel in non-FIPS mode.
Authenticates users with the internal database setup.

Custom Installation
Prompts you to specify the values for the configuration. You can either select the default values or specify the necessary values.
Allows you to install with the 90-day license key or with a valid license key.
Allows you to specify the admin password. For dbauser and appuser, you can either specify a new password or use the admin password.
Allows you to specify ports for different components.
Allows you to install Sentinel in FIPS 140-2 mode.
Provides the option to set up LDAP authentication for Sentinel in addition to the database authentication. When you configure Sentinel for LDAP authentication, users can log in to the server by using their Novell eDirectory or Microsoft Active Directory credentials.

For more information about interactive installation, see Section 12.2, Performing Interactive Installation, on page 78.
Silent: If you want to install multiple Sentinel servers in your deployment, you can recor
64. ...che/zypp/packages/sentinel_server_7000_x86_64-Updates/rpm/noarch/*.rpm /var/cache/zypp/packages/sentinel_server_7000_x86_64-Updates/rpm/x86_64/*.rpm /var/cache/zypp/packages/sentinel_server_7000_x86_64-Updates/rpm/i586/*.rpm --excludepath=/var/opt/novell
   3d. Run the following script to complete the upgrade process:
       /var/adm/update-scripts/sentinel_server_ha_x86_64-update-<version>-overlay-files.sh
   3e. After the upgrade is complete, restart the cluster stack:
       rcopenais start
   Repeat Step 3 for all the passive cluster nodes.
4. Upgrade the active cluster node:
   4a. Back up your configuration, then create an ESM export. For more information on backing up data, see Backing Up and Restoring Data in the NetIQ Sentinel Administration Guide.
   4b. Stop the cluster stack:
       rcopenais stop
       Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.
   4c. Log in to the Sentinel appliance as an administrator.
   4d. To upgrade the Sentinel appliance, click Appliance to launch WebYaST.
   4e. To check whether there are any updates, click Updates.
   4f. Select and apply the updates. The updates might take a few minutes to complete. After the update is successful, the WebYaST login page appears.
       Before upgrading the appliance, WebYaST automatically stops the Sentinel service. You must manually restart this service after the upgrade is complete.
   4g. Clear your Web browser cache to view the l
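Both HA upgrade procedures (the traditional one whose tail appears earlier, steps 4h to 7, and the WebYaST one above) rest on two manual checks of `crm status`: every resource must read "(unmanaged)" before you stop the cluster stack on a node, and every resource must be Started again after maintenance mode is switched off. The script below is an added example, not from the NetIQ guide or the Sentinel product: it parses that output so a wrapper script can refuse to proceed instead of relying on someone reading the screen. The resource names (stonith-sbd, sentinelip, sentinelfs, sentinel) and the status text are constructed samples laid out like crm status output, not taken from the guide.

```shell
# Added example, not from the NetIQ guide: gate the HA upgrade steps on a
# parsed `crm status` instead of eyeballing it. Samples are constructed.

# Constructed sample: maintenance mode on, every resource unmanaged.
CRM_SAMPLE_MAINT='Last updated: Mon Oct  6 10:00:00 2014
Stack: openais
Current DC: node01 - partition with quorum
2 Nodes configured
4 Resources configured

Online: [ node01 node02 ]

 stonith-sbd    (stonith:external/sbd): Started node01 (unmanaged)
 Resource Group: sentinelgrp
     sentinelip  (ocf::heartbeat:IPaddr2):    Started node01 (unmanaged)
     sentinelfs  (ocf::heartbeat:Filesystem): Started node01 (unmanaged)
     sentinel    (ocf::novell:sentinel):      Started node01 (unmanaged)'

# Derived samples: one resource still managed; maintenance mode off entirely.
CRM_SAMPLE_PARTIAL=$(printf '%s\n' "$CRM_SAMPLE_MAINT" | sed '/sentinelfs/s/ (unmanaged)//')
CRM_SAMPLE_NORMAL=$(printf '%s\n' "$CRM_SAMPLE_MAINT" | sed 's/ (unmanaged)//')

# Turn crm status text (stdin) into "name|Started or NotStarted|managed or
# unmanaged", one line per primitive, i.e. each line that carries an
# "(ocf::...)" or "(stonith:...)" agent in parentheses.
crm_resource_lines() {
    awk -F'[()]' '
        /\((ocf|stonith|lsb|systemd):/ {
            name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name)
            run = ($0 ~ /\):[ \t]+Started/) ? "Started" : "NotStarted"
            state = ($0 ~ /\(unmanaged\)/) ? "unmanaged" : "managed"
            print name "|" run "|" state
        }'
}

# Gate for the upgrade procedure. Mode "maintenance" passes only when every
# resource is unmanaged (safe to stop the cluster stack on a node); mode
# "normal" passes only when every resource is managed and Started (the state
# expected after maintenance mode is disabled). Reads crm status text from
# stdin; on failure lists the offending resources and returns 1.
crm_gate() {
    mode=$1
    offenders=$(crm_resource_lines | awk -F'|' -v m="$mode" '
        m == "maintenance" && $3 != "unmanaged" { print $1 }
        m == "normal" && ($3 != "managed" || $2 != "Started") { print $1 }')
    if [ -n "$offenders" ]; then
        printf 'not ready for %s: %s\n' "$mode" "$(echo $offenders)"
        return 1
    fi
    return 0
}

# Offline demonstration; on a node use:  crm status | crm_gate maintenance
printf '%s\n' "$CRM_SAMPLE_PARTIAL" | crm_gate maintenance || echo "do not stop the cluster stack yet"
```

A wrapper for step 3 would run `crm status | crm_gate maintenance || exit 1` before `rcopenais stop` on each passive node, and `crm status | crm_gate normal` after `crm configure property maintenance-mode=false` at the end; a resource that is still managed while the stack is stopped is exactly the situation the guide's fencing warning is about.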
65. Storage tier                                        Description
Primary storage (formerly known as local storage)   ...ck writes and fast retrieval. Stores the most recently collected event data and the most frequently searched event data.
Secondary storage (formerly known as network storage)   Optimized to reduce space usage on optionally less expensive storage while still supporting fast retrieval. Sentinel automatically migrates data partitions to the secondary storage (optional).
                                                    NOTE: Using the secondary storage is optional. Data retention policies, searches, and reports operate on event data partitions regardless of whether they are residing on primary or secondary storage, or both.
Offline/Archival storage                            When partitions are closed, you can back up the partition to offline storage such as Amazon Glacier and similar. If necessary, you can temporarily re-import partitions for use in long-term forensic analysis.

You can also configure Sentinel to extract the event data and event data summaries to an external database by using data synchronization policies. For more information, see Configuring Data Storage in the NetIQ Sentinel Administration Guide.

2.7 Correlation
A single event may seem trivial, but in combination with other events it might warn you of a potential problem. Sentinel helps you correlate such events by using the rules you create and deploy in the Correlation engine, and take appropriate action to mitigate a
66. ...configuration, then create an ESM export. For more information, see Backing Up and Restoring Data in the NetIQ Sentinel Administration Guide.
2. Log in to the appliance console as the root user.
3. Run the following command:
   /usr/bin/zypper patch
4. (Conditional) If you are upgrading from Sentinel 7.0.1 or earlier, enter 1 to accept the vendor change from Novell to NetIQ.
5. (Conditional) If you are upgrading from a Sentinel version prior to 7.2, the installer displays a message asking you to resolve dependencies for some appliance packages. Enter 1 to deinstall the dependent packages.
6. Enter Y to proceed.
7. Enter yes to accept the license agreement.
8. Restart the Sentinel appliance.
9. Clear your Web browser cache to view the latest Sentinel version.
10. Clear the Java Web Start cache on the client computers to use the latest version of the Sentinel applications. You can clear the Java Web Start cache either by using the javaws -clearcache command or by using the Java Control Center. For more information, see http://www.java.com/en/download/help/plugin_cache.xml.
11. (Conditional) If the PostgreSQL database has been upgraded to a new major version (for example, 8.0 to 9.0 or 9.0 to 9.1), clear the old PostgreSQL files from the PostgreSQL database. For information about whether the PostgreSQL database was upgraded, see the Sentinel Release Notes.
    11a. Switch to the novell user:
         su novell
    11b. Browse to the bin folder of PostgreSQL
67. ...cs Tier using Sentinel Link. The Search Tier provides a convenient single access point for searching across all systems in all other tiers by using Sentinel Distributed Search. Since the search request is federated across several instances of Sentinel, this deployment also has search load-balancing properties, useful in scaling to handle a heavy search load. Network flow data is stored in the Search Tier to enable easy navigation from search results to contextual network traffic analysis.

Figure 6-4 Two-Tier and Three-Tier Distributed Deployment
[Figure: Sentinel Web Console; Search Tier; Analytics Tier (optional) with Data Warehouse; Data Collection Tier (optional) with Network and NetFlow Collector Managers, Windows Collector Managers, Windows Collection Services, Agent Managers, Agents, and Event Sources]

6.6 Planning Partitions for Data Storage
When you install Sentinel, you must mount the disk partition for primary storage in the location where Sentinel will be installed, by default the /var/opt/novell directory. The entire directory structure under the /var/opt/novell/sentinel directory must reside on a single disk partition to ensure proper disk usage calculations. Otherwise, the automatic data management capabilities migh
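Section 6.6 requires the whole tree under /var/opt/novell/sentinel to sit on one disk partition, and the partition layout in Section 6.6.3 (together with the directory structure in Section 6.6.4: data, 3rdparty, log) shows where an extra mount could creep in. The script below is an added example, not from the NetIQ guide: it walks the data root to a fixed depth and reports any directory whose filesystem differs from the root's. It uses df -P, which is POSIX and behaves the same with GNU and BSD df; the default root /var/opt/novell/sentinel is taken from the guide, and the throwaway tree it builds for the demonstration is this example's own.

```shell
# Added example, not from the NetIQ guide: confirm that everything under the
# Sentinel data root lives on one filesystem, which the guide requires for its
# disk-usage calculations and automatic data management to be correct.
# Assumed: the default data root /var/opt/novell/sentinel; pass another path
# as the first argument to check something else.

# Filesystem (the device or source column) backing PATH, per df -P.
fs_of() {
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $1 }'
}

# Walk ROOT to DEPTH directory levels and report every directory that is on
# a different filesystem than ROOT itself. Prints "CROSSES <dir> <fs>" per
# offender; returns 0 when the tree is on a single filesystem, 1 otherwise,
# 2 when ROOT itself cannot be examined.
sentinel_single_fs_check() {
    root=${1:-/var/opt/novell/sentinel}
    depth=${2:-3}
    rootfs=$(fs_of "$root" || true)
    [ -n "$rootfs" ] || return 2
    crossings=0
    for d in $(find "$root" -mindepth 1 -maxdepth "$depth" -type d 2>/dev/null); do
        fs=$(fs_of "$d" || true)
        if [ "$fs" != "$rootfs" ]; then
            echo "CROSSES $d $fs"
            crossings=1
        fi
    done
    return $crossings
}

# Demonstration on a throwaway tree shaped like the Sentinel layout (data,
# 3rdparty, log); on a server run sentinel_single_fs_check with no arguments.
demo=$(mktemp -d)
mkdir -p "$demo/data/eventdata" "$demo/3rdparty/postgresql" "$demo/log"
sentinel_single_fs_check "$demo" && echo "single filesystem: ok"
rm -rf "$demo"
```

A CROSSES line on a live server means a mount sits inside the data tree (a separately mounted 3rdparty/postgresql, for example); the guide's layout puts secondary storage on its own mount point outside /var/opt/novell/sentinel precisely so that this does not happen.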
68. ...ct the Sentinel Configuration type.
   3c. Specify 2 to enter a new password. If you specify 1, the install.props file does not store the password.
4. Shut down Sentinel using the following command:
   rcsentinel stop
   Then remove the autostart scripts so that the cluster can manage the product:
   insserv -r sentinel
5. Move the Sentinel data folder to the shared storage using the following commands. This allows the nodes to use the Sentinel data folder through the shared storage.
   mkdir -p /tmp/new
   mount /dev/<SHARED1> /tmp/new
   mv /var/opt/novell/sentinel /tmp/new
   umount /tmp/new
6. Verify that the Sentinel data folder was moved to the shared storage using the following commands:
   mount /dev/<SHARED1> /var/opt/novell
   umount /var/opt/novell

Subsequent Node Installation
Traditional HA Installation on page 154
Sentinel HA Appliance Installation on page 155
Repeat the installation on the other nodes. The initial Sentinel installer creates a user account for use by the product, using the next available user ID at the time of the install. Subsequent installs in unattended mode will attempt to use the same user ID for account creation, but conflicts are possible if the cluster nodes are not identical at the time of the install. It is highly recommended that you do one of the following:
Synchronize the user account database across cluster nodes manually, through LDAP or s
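The warning above about user IDs matters because the data folder just moved to shared storage is owned by numeric UID and GID, not by name; a node whose product account got a different ID will find Sentinel's files owned by someone else once the cluster mounts the storage there. The check below is an added example, not from the NetIQ guide or the Sentinel product: it compares the passwd entry for the product account collected from every node and reports any node whose UID:GID differs from the first. The account name novell is assumed from the guide's "su novell"; the passwd lines are constructed samples.

```shell
# Added example, not from the NetIQ guide: detect a product account whose
# numeric UID or GID differs between cluster nodes before the shared
# /var/opt/novell storage is used by more than one node. Assumed: the account
# is named novell; the sample entries are constructed.

CLUSTER_SAMPLE_PASSWD='node01 novell:x:1001:100:Sentinel:/home/novell:/bin/bash
node02 novell:x:1001:100:Sentinel:/home/novell:/bin/bash
node03 novell:x:1002:100:Sentinel:/home/novell:/bin/bash'

# Read "node passwd-entry" lines from stdin. The first node is the reference;
# every node whose uid:gid differs is printed as a MISMATCH. Returns 1 on any.
cluster_check_uid() {
    awk '
        NF >= 2 {
            split($2, f, ":")
            key = f[3] ":" f[4]
            if (ref == "") { ref = key; refnode = $1 }
            else if (key != ref) {
                print "MISMATCH " $1 " " key " (expected " ref " as on " refnode ")"
                bad = 1
            }
        }
        END { exit bad }'
}

# Live cluster: collect the entry from each node over ssh and check it.
#   cluster_gather_uid node01 node02 node03
cluster_gather_uid() {
    for n in "$@"; do
        printf '%s %s\n' "$n" "$(ssh "$n" getent passwd novell)"
    done | cluster_check_uid
}

# Offline demonstration on the sample.
printf '%s\n' "$CLUSTER_SAMPLE_PASSWD" | cluster_check_uid || echo "align the novell UID/GID on every node before any node mounts the shared storage"
```

Run it before step 5 on the first node and again after each subsequent node install; fixing a mismatch afterwards means changing the account's ID on the odd node and then re-owning files on the shared storage, which is far more disruptive than creating the account with a fixed ID up front, as the guide's recommendation suggests.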
69. ...Section A.1.3, Service Monitoring, on page 146
Section A.1.4, Fencing, on page 147

A.1.1 External Systems
Sentinel is a complex multi-tier application that depends upon and provides a wide variety of services. Additionally, it integrates with multiple external third-party systems for data collection, data sharing, and incident remediation. Most HA solutions allow implementors to declare dependencies between the services that should be highly available, but this only applies to services running on the cluster itself. Systems external to Sentinel, such as event sources, must be configured separately to be as available as required by the organization, and must also be configured to properly handle situations where Sentinel is unavailable for some period of time, such as a failover event. If access rights are tightly restricted, for example if authenticated sessions are used to send and/or receive data between the third-party system and Sentinel, the third-party system must be configured to accept sessions from, or initiate sessions to, any cluster node. Sentinel should be configured with a virtual IP for this purpose.

A.1.2 Shared Storage
All HA clusters require some form of shared storage so that application data can be quickly moved from one cluster node to another in case of a failure of the originating node. The storage itself should be highly available; this is usually achi
70. ...ctor Manager, and Correlation Engine on the following operating systems and platforms:

Category           Requirement
Operating System   Sentinel is supported on the following operating systems:
                   Non-FIPS mode: SUSE Linux Enterprise Server (SLES) 11 SP3 64-bit; Red Hat Enterprise Linux Server (RHEL) 6.4 64-bit.
                   FIPS mode: SUSE Linux Enterprise Server (SLES) 11 SP3 64-bit; Red Hat Enterprise Linux Server (RHEL) 6.3 64-bit.
                   Sentinel is not supported on the Open Enterprise Server installs of SLES.
                   For information about new functionality and known issues in the supported SLES 11 Service Pack, see the SUSE Release Notes.
Virtual Platform   NetIQ provides appliances that install a SLES 11 SP3 64-bit server and Sentinel on the following virtual platforms: VMware ESX 4.0 and 5.0; Xen 4.0.
DVD ISO            NetIQ provides a DVD ISO file that installs SLES 11 SP3 64-bit and Sentinel on Hyper-V Server 2012 and on hardware without an operating system installed.
                   IMPORTANT: For the ISO appliance to work properly, you must disable the EFI BIOS and use the Legacy BIOS.
File System        Traditional installations: On SLES systems, Sentinel supports the ext3 and XFS file systems. On RHEL systems, Sentinel supports the ext4 and XFS file systems.
                   Appliance installations: Sentinel uses the ext3 file system.
                   For more information on file systems, see Overview of File Systems in Linux (http
customizable reports. Some reports are flexible, which allows you to specify the columns to be displayed in the results. You can run, schedule, and e-mail PDF reports. You can also run any report as a search and then interact with the results as you would with a search, such as refining the search or performing an action on the results. You can also run reports on Sentinel servers distributed across different geographic locations. For more information, see "Reporting" in the NetIQ Sentinel User Guide.

2.14 Identity Tracking

Sentinel provides an integration framework to identity management systems to track the identities behind each user account and what events those identities have performed. Sentinel provides user information such as contact information, user accounts, recent authentication events, recent access events, permission changes, and so on. By displaying information about the people initiating a given action, or the people affected by an action, incident response times are improved and behavior-based analysis is enabled. For more information, see "Leveraging Identity Information" in the NetIQ Sentinel User Guide.

2.15 Event Analysis

Sentinel provides a powerful set of tools to help you easily find and analyze critical event data. The system is tuned and optimized for maximal efficiency in any particular type of analysis, and provides methods to easily transition from one type of analysis
d and formatted data to the Collector Manager
  - Device-specific filtering of events
For more information on Collectors, see the Sentinel Plug-ins Web site.

Connectors

The Connectors provide connections from the event sources to the Sentinel system. Connectors use industry-standard protocols to get events, such as syslog, JDBC to read from database tables, WMI to read from Windows Event Logs, and so on. Connectors provide:
  - Transportation of raw event data from the event sources to the Collector
  - Connection-specific filtering
  - Connection error handling

Agent Manager

Agent Manager provides host-based data collection that complements agentless data collection by allowing you to:
  - Access logs not available from the network
  - Operate in tightly controlled network environments
  - Improve security posture by limiting the attack surface on critical servers
  - Provide enhanced reliability of data collection during times of network interruption
Agent Manager allows you to deploy agents, manage agent configuration, and act as a collection point for events flowing into Sentinel. For more information about Agent Manager, see the Agent Manager documentation.

NetFlow Collector Manager

The NetFlow Collector Manager collects network flow data (NetFlow, IPFIX, and so on) from network devices such as routers, switches, and firewalls. Network flow data describes basic information about all networ
d the installation options during the standard or custom installation in a configuration file, and then use the file to run an unattended installation. For more information on silent installation, see Section 12.3, "Performing a Silent Installation," on page 80.

9.2 Appliance Installation

The appliance installation installs both the SLES 11 SP3 64-bit operating system and Sentinel. The Sentinel appliance is available in the following formats:
  - A VMware appliance image
  - A Xen appliance image
  - A hardware appliance Live DVD image that is directly deployable to a hardware server
For more information on appliance installation, see Chapter 13, "Appliance Installation," on page 87.

Part III Installing Sentinel

This section provides information about installing Sentinel and additional components.
  - Chapter 10, "Installation Overview," on page 73
  - Chapter 11, "Installation Checklist," on page 75
  - Chapter 12, "Traditional Installation," on page 77
  - Chapter 13, "Appliance Installation," on page 87
  - Chapter 14, "NetFlow Collector Manager Installation," on page 99
  - Chapter 15, "Installing Additional Collectors and Connectors," on page 101
  - Chapter 16, "Verifying the Installation," on page 103

10 Installation Overview

The Sentinel installati
e a successful upgrade.

Table 22-1 Implementation Checklist

Tasks:
O Ensure that the computers on which you install Sentinel and its components meet the specified requirements. See the NetIQ Sentinel Technical Information Web site.
O Review the supported operating system release notes to understand the known issues. See the SUSE Release Notes.
O Review the Sentinel release notes to see new functionality and understand the known issues. See the Sentinel Release Notes.

Prerequisite for Versions Prior to Sentinel 7.1.1

Sentinel 7.1.1 and later includes MongoDB version 2.4.1. MongoDB 2.4 requires removal of duplicate user names in the database. If you are upgrading from a Sentinel version prior to 7.1.1, verify whether there are any duplicate users and then remove the duplicate users.

Perform the following steps to identify duplicate users:
1. Log in to the Sentinel server as the novell user.
2. Change to the following directory:
   cd /opt/novell/sentinel/3rdparty/mongodb/bin
3. Run the following commands to verify duplicate users:
   ./mongo --port 27017 --host localhost
   use analytics
   db.system.users.find().count()
   If the count is more than 1, it indicates there are duplicate users.

Perform the following steps to remove duplicate users:
1. Run the following command to list the users:
   db.system.users.find().pretty()
   The command lists
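The count check above only tells you how many user documents the analytics database holds; it is the pretty() listing that shows which name is repeated. The following shell helpers are an added example, not part of the NetIQ guide: they post-process a saved copy of that listing, name the duplicated users, and emit a mongo shell remove statement for every document after the first one for that name (removal by _id keeps the surviving account intact). The listing below is constructed, not real Sentinel data, and the assumption that duplicates are plain extra documents is ours.

```shell
# Added example (not from the NetIQ guide): analyse a saved
# db.system.users.find().pretty() listing before the MongoDB 2.4 upgrade.

# Print each user name that occurs in more than one system.users document.
# Input: the pretty-printed listing on stdin.
duplicate_users() {
    sed -n 's/.*"user"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | sort | uniq -d
}

# Print the _id of every document for the given user name, in listing order,
# so the operator can keep the first and remove the rest. Assumes each
# document is printed with its "_id" line before its "user" line, as pretty()
# does.
ids_for_user() {
    awk -v want="$1" '
        /"_id"/  { id = $0; sub(/.*ObjectId\("/, "", id); sub(/".*/, "", id) }
        /"user"/ { u = $0; sub(/.*"user"[ \t]*:[ \t]*"/, "", u); sub(/".*/, "", u)
                   if (u == want) print id }'
}

# Build the mongo shell statement that removes one document by its _id.
# Deleting by _id rather than by user name is what leaves one account behind.
remove_by_id_stmt() {
    printf 'db.system.users.remove({ "_id" : ObjectId("%s") })\n' "$1"
}

# Constructed sample listing (not real data): "analytics" appears twice.
SAMPLE_LISTING='{
	"_id" : ObjectId("4f1d3c0a1b2c3d4e5f601111"),
	"user" : "analytics",
	"readOnly" : false,
	"pwd" : "0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f"
}
{
	"_id" : ObjectId("4f1d3c0a1b2c3d4e5f602222"),
	"user" : "dbadmin",
	"readOnly" : false,
	"pwd" : "1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e1e"
}
{
	"_id" : ObjectId("4f1d3c0a1b2c3d4e5f603333"),
	"user" : "analytics",
	"readOnly" : false,
	"pwd" : "2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d"
}'

# Demonstration: report each duplicate and the statements that would clean it up.
for u in $(printf '%s\n' "$SAMPLE_LISTING" | duplicate_users); do
    echo "duplicate user: $u"
    # keep the first document, emit a remove statement for each later one
    printf '%s\n' "$SAMPLE_LISTING" | ids_for_user "$u" | sed '1d' | while read -r id; do
        remove_by_id_stmt "$id"
    done
done
```

Run the emitted statements inside the same mongo session the guide opens (after use analytics), then repeat find().count() to confirm the count has dropped.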
e made. Assuming you create a single large partition on this shared iSCSI LUN, you should end up with a /dev/sdb1 or similar formatted disk, referred to as /dev/<SHARED1> below.
20. Go back into the partitioner and repeat the partitioning/formatting process (steps 16-19) for /dev/sdc, or whichever block device corresponds to the secondary storage. This should result in a /dev/sdc1 partition or similar formatted disk, referred to as /dev/<NETWORK1> below.
21. Exit YaST.
22. (Conditional) If you are performing a traditional HA installation, create a mountpoint and test mounting the local partition as follows (the exact device name might depend on the specific implementation):
    mkdir /var/opt/novell
    mount /dev/<SHARED1> /var/opt/novell
    You should be able to create files on the new partition and see the files wherever the partition is mounted.
23. (Conditional) If you are performing a traditional HA installation, to unmount:
    umount /var/opt/novell

Repeat steps 1-15 (for HA appliance installations) or steps 1-15, 22, and 23 (for traditional HA installations) in the procedure above to ensure that each cluster node can mount the local shared storage. Replace the node IP in step 5 with a different IP for each cluster node (for example, node02 > 10.0.0.2).

A.3.3 Sentinel Installation

There are two options to install Sentinel: install every part of Sentinel onto the shared storage, using the location option to redirect the Sentinel install to where
e specific plug-in documentation available on the Sentinel Plug-ins Web site.

20 Enabling FIPS 140-2 Mode in an Existing Sentinel Installation

This chapter provides information about enabling FIPS 140-2 mode in an existing installation of Sentinel.

NOTE: These instructions assume that Sentinel is installed at the /opt/novell/sentinel directory. The commands must be executed as the novell user.

  - Section 20.1, "Enabling Sentinel Server to Run in FIPS 140-2 Mode," on page 115
  - Section 20.2, "Enabling FIPS 140-2 Mode on Remote Collector Managers and Correlation Engines," on page 115

20.1 Enabling Sentinel Server to Run in FIPS 140-2 Mode

To enable the Sentinel Server to run in FIPS 140-2 mode:
1. Log in to the Sentinel server.
2. Switch to the novell user:
   su novell
3. Browse to the Sentinel bin directory.
4. Run the convert_to_fips.sh script and follow the on-screen instructions.
5. Complete the FIPS 140-2 mode configuration by following the tasks mentioned in Chapter 21, "Operating Sentinel in FIPS 140-2 Mode," on page 117.

20.2 Enabling FIPS 140-2 Mode on Remote Collector Managers and Correlation Engines

You must enable FIPS 140-2 mode on the remote Collector Manager and Correlation Engine if you want to use FIPS-approved communications with the Sentinel server running in FIPS 140-2 mode.

To enable a remote
e that you have completed the following tasks before you start the installation:

O Verify that your hardware and software meet the system requirements listed in Chapter 5, "Meeting System Requirements," on page 35.
O If there was a previous installation of Sentinel, ensure that there are no files or system settings remaining from the previous installation. For more information, see Appendix C, "Uninstalling," on page 169.
O If you plan to install the licensed version, obtain your license key from the NetIQ Customer Care Center.
O Ensure that the ports listed in Chapter 8, "Ports Used," on page 63 are opened in the firewall.
O For the Sentinel installer to work properly, the system must be able to return the hostname or a valid IP address. To do this, add the hostname to the /etc/hosts file on the line containing the IP address, then enter hostname -f to make sure that the hostname is displayed properly.
O Synchronize time by using the Network Time Protocol (NTP).
O On RHEL systems: For optimal performance, the memory settings must be set appropriately for the PostgreSQL database. The SHMMAX parameter must be greater than or equal to 1073741824. To set the appropriate value, append the following lines to the /etc/sysctl.conf file:
    # for Sentinel Postgresql
    kernel.shmmax=1073741824
O For traditional installations: The operating system for the Sentinel server must include at least the Base Server components of the SLES
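Two of the checklist items above (the /etc/hosts entry and the RHEL kernel.shmmax setting) are easy to get subtly wrong: a hostname that resolves only to 127.0.0.1, or a shmmax line that is overridden by a later assignment in the same file. The following shell helpers are an added example, not part of the NetIQ guide; they evaluate copies of the two files so the check can be run in review before the installer is. The host names, addresses and file contents are constructed for the example.

```shell
# Added example (not from the NetIQ guide): pre-installation checks on copies
# of /etc/hosts and /etc/sysctl.conf.

# hostname_resolves HOSTS_FILE IP FQDN
# Succeed only if the line for IP lists FQDN, i.e. `hostname -f` will map to a
# real interface address rather than to the loopback line alone.
hostname_resolves() {
    awk -v ip="$2" -v fqdn="$3" '
        $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# shmmax_value SYSCTL_FILE
# Print the effective kernel.shmmax from a sysctl.conf: comments and blank
# lines are ignored and, as with sysctl itself, the last assignment wins.
# Prints 0 when the key is absent.
shmmax_value() {
    awk -F= '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v) }
        k == "kernel.shmmax" { val = v }
        END { print (val == "" ? 0 : val) }' "$1"
}

# shmmax_ok SYSCTL_FILE -> succeed if kernel.shmmax >= 1073741824 (1 GiB)
shmmax_ok() {
    [ "$(shmmax_value "$1")" -ge 1073741824 ]
}

# Constructed sample files (not copied from a real host).
HOSTS_OK=$(mktemp); SYSCTL_LOW=$(mktemp); SYSCTL_OK=$(mktemp)
cat > "$HOSTS_OK" <<'EOF'
127.0.0.1   localhost
10.0.0.5    sentinel01.example.com sentinel01
EOF
printf 'kernel.shmmax = 33554432\n' > "$SYSCTL_LOW"
cat > "$SYSCTL_OK" <<'EOF'
# for Sentinel Postgresql
kernel.shmmax = 33554432
kernel.shmmax=1073741824
EOF

hostname_resolves "$HOSTS_OK" 10.0.0.5 sentinel01.example.com && echo "hosts: ok"
shmmax_ok "$SYSCTL_LOW" || echo "sysctl: kernel.shmmax too small ($(shmmax_value "$SYSCTL_LOW"))"
shmmax_ok "$SYSCTL_OK" && echo "sysctl: kernel.shmmax ok"
```

On the target host itself, run hostname_resolves against /etc/hosts with the address that hostname -i reports, and compare shmmax_value with the live value from sysctl -n kernel.shmmax, since a value appended to the file only takes effect after sysctl -p or a reboot.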
ect High Availability > Cluster (or just Cluster on some systems).
17. In the box at left, ensure Communication Channels is selected.
18. Tab over to the top line of the configuration and change the udp selection to udpu (this disables multicast and selects unicast).
19. Select Add a Member Address and specify this node (172.16.0.1), then repeat and add the other cluster node(s) (172.16.0.2).
20. Select Finish to complete the configuration.
21. Exit YaST.
22. Run the command /etc/rc.d/openais restart to restart the cluster services with the new sync protocol.

Connect to each additional cluster node (node02) and open a console:
1. Run YaST.
2. Open Network Services > iSCSI Initiator.
3. Select Connected Targets, then the iSCSI Target you configured above.
4. Select the Log Out option and log out of the Target.
5. Switch to the Discovered Targets tab, select the Target, and log back in to refresh the list of devices (leave the automatic startup option and No Authentication). No Authentication matches the exemplary lab target described in this appendix; a production target should require CHAP authentication and be reachable only from the cluster nodes.
6. Select OK to exit the iSCSI Initiator tool.
7. Run the following command:
   sleha-join
8. Enter the IP address of the first cluster node.

In some circumstances the cluster communications do not initialize correctly. If the cluster does not start (the openais service fails to start), manually copy /etc/corosync/corosync.conf from node01 to node02, or run csync2 -x -v on node01, or manually set the cluster
ed: Thu Jul 26 16:34:34 2012
Last change: Thu Jul 26 16:28:52 2012 by hacluster via crmd on node01
Stack: openais
Current DC: node01 - partition with quorum
Version: 1.1.6-b988976485d15cb702c9307d55512d323831a5e
2 Nodes configured, 2 expected votes
5 Resources configured.

Online: [ node01 node02 ]

 stonith-sbd    (stonith:external/sbd):    Started node01
 Resource Group: sentinelgrp
     sentinelip      (ocf::heartbeat:IPaddr2):     Started node01
     sentinelfs      (ocf::heartbeat:Filesystem):  Started node01
     sentineldb      (ocf::novell:pgsql):          Started node01
     sentinelserver  (ocf::novell:sentinel):       Started node01

At this point, the relevant Sentinel resources should be configured in the cluster. You can examine how they are configured and grouped in the cluster management tool, for example by running crm status.

A.3.7 Secondary Storage Configuration

As the final step in this process, configure secondary storage so that Sentinel can migrate event partitions to less expensive storage. This is optional, and in fact the secondary storage need not be made highly available in the same way that the rest of the system has been; you can use any directory (mounted from a SAN or not), or an NFS or CIFS volume.

In the Sentinel Web console, in the top menu bar, click Storage, then select Configuration, then select one of the radio buttons under Secondary storage not configured to set this up.

Exemplary Solution

The exemplary solution will use a simple iSCSI Target as a
  2.12 Searching ... 26
  2.13 Reports ... 26
  2.14 Identity Tracking ... 26
  2.15 Event Analysis ... 27

Part II Planning Your Sentinel Installation ... 29

3 Implementation Checklist ... 31
4 Understanding License Information ... 33
  4.1 Trial Licenses ... 33
  4.2 Enterprise Licenses ... 33
5 Meeting System Requirements ... 35
  5.1 Supported Operating Systems and Platforms ... 35
  5.2 Supported Database Platforms ... 36
  5.3 Supported Browsers ... 36
    5.3.1 Prerequisites for Internet Explorer
  5.4 System Sizing Information
  5.5 Connector and Collector System Requirements
  5.6 Virtual Environment
6 Deployment Considerations
  6.1 Advantages of Distributed Deployments
    6.1.1 Advantages of Additional Collector Managers
    6.1.2 Advantages of Additional Correlation Engines
    6.1.3 Advantages of Additional NetFlow Collector Managers
  6.2 All-In-One Deployment
el. Use the following steps to install Sentinel on a Xen appliance image:
1. Download the Xen virtual appliance installation file from the NetIQ Download Web site to /var/lib/xen/images. The correct filename for the Xen virtual appliance has xen in the filename. For example: Sentinel_7.2.0.0_x86_64.xen.tar.gz
2. Specify the following command to unpack the file:
   tar zxvf <install_file>
   Replace <install_file> with the actual name of the installation file.
3. Change to the new installation directory. This directory has the following files:
   <file_name>.raw
   <file_name>.xenconfig
4. Open the <file_name>.xenconfig file by using a text editor.
5. Modify the file as follows:
   - Specify the full path to the .raw file in the disk setting.
   - Specify the bridge setting for your network configuration. For example, bridge=br0 or bridge=xenbr0.
   - Specify values for the name and memory settings. For example:
       mode = python
       name = "Sentinel_7.2.0.0_x86_64"
       memory = 4096
   - Comment out the following line:
       vfb = ["type=vnc,vncunused=1,vnclisten=0.0.0.0"]
   - Add the following line:
       extra = "console=hvc0 xencons=tty"
   The updated .xenconfig file must be as follows:
       mode = python
       name = "<install_file_name>"
       memory = 4096
       disk = ["tap:aio:/var/lib/xen/images/<install_directory>/<install_filename>.raw"]
       vif = ["bridge=br0"]
       #vfb = ["type=vnc,vncunused=1,vnclisten=0.0.0.0"]
       extra = "console=hvc0 xencons=tty"
6. Af
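Editing the .xenconfig file by hand is fine for one appliance, but the same five changes have to be made on every Collector Manager and Correlation Engine image as well. The shell function below is an added example, not part of the NetIQ guide: it applies the edits from step 5 to a copy of the file, touching only the path inside the disk entry so that whatever device specification follows it is preserved, and adding the console line only if it is not already there so the function can be re-run safely. The starting file is constructed to resemble the shipped one; its exact shipped contents, and the image path used, are assumptions.

```shell
# Added example (not from the NetIQ guide): scripted version of the step 5
# edits to a Xen appliance .xenconfig file.

# xenconfig_get FILE KEY -> print the right-hand side of "KEY = value"
xenconfig_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# patch_xenconfig FILE RAW_PATH BRIDGE NAME MEMORY_MB
patch_xenconfig() {
    f=$1; raw=$2; bridge=$3; name=$4; mem=$5
    tmp="$f.tmp"
    sed \
        -e "s|^\([[:space:]]*disk[[:space:]]*=[[:space:]]*\[[[:space:]]*\"tap:aio:\)[^,\"]*|\1$raw|" \
        -e "s|^\([[:space:]]*vif[[:space:]]*=.*bridge=\)[^\"]*|\1$bridge|" \
        -e "s|^\([[:space:]]*name[[:space:]]*=[[:space:]]*\).*|\1\"$name\"|" \
        -e "s|^\([[:space:]]*memory[[:space:]]*=[[:space:]]*\).*|\1$mem|" \
        -e "s|^\([[:space:]]*vfb[[:space:]]*=\)|#\1|" \
        "$f" > "$tmp" && mv "$tmp" "$f"
    # add the serial console line exactly once
    grep -q '^extra[[:space:]]*=' "$f" || printf 'extra = "console=hvc0 xencons=tty"\n' >> "$f"
}

# Constructed starting file (placeholders as unpacked, before editing).
XENCONF=$(mktemp)
cat > "$XENCONF" <<'EOF'
mode = python
name = "Sentinel"
memory = 2048
disk = ["tap:aio:/path/to/Sentinel.raw,xvda,w"]
vif = ["bridge=xenbr0"]
vfb = ["type=vnc,vncunused=1,vnclisten=0.0.0.0"]
EOF

patch_xenconfig "$XENCONF" \
    /var/lib/xen/images/Sentinel_7.2.0.0_x86_64/Sentinel_7.2.0.0_x86_64.raw \
    br0 Sentinel_7.2.0.0_x86_64 4096
cat "$XENCONF"
```

Review the printed file before passing it to xm create; the function deliberately does not validate that the .raw path exists on the Xen host.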
entication. For more information, see "Configuring LDAP Authentication" in the NetIQ Sentinel Administration Guide.

NOTE: You can also configure LDAP authentication for a Sentinel server running in FIPS 140-2 mode by running the ldap_auth_config.sh script in the /opt/novell/sentinel/setup directory.

Updating Server Certificates in Remote Collector Managers and Correlation Engines

To configure existing remote Collector Managers and Correlation Engines to communicate with a Sentinel server running in FIPS 140-2 mode, you can either convert the remote system to FIPS 140-2 mode, or you can update the Sentinel server certificate on the remote system and leave the Collector Manager or Correlation Engine in non-FIPS mode. Remote Collector Managers in FIPS mode may not work with event sources that do not support FIPS, or that require one of the Sentinel Connectors that are not yet FIPS-enabled.

If you do not plan to enable FIPS 140-2 mode on the remote Collector Manager or Correlation Engine, you must copy the latest Sentinel server certificate to the remote system so that the Collector Manager or Correlation Engine can communicate with the Sentinel server.

To update the Sentinel server certificate in the remote Collector Manager or Correlation Engine:
1. Log in to the remote Collector Manager or Correlation Engine computer.
2. Switch to the novell user:
   su novell
3. Browse to the bin directory. The default location is /opt/novell/sentinel/bin.
er or the Correlation Engine. Use the following steps to upgrade the Collector Manager or the Correlation Engine:
1. Make a backup of your configuration and create an ESM export. For more information, see "Backing Up and Restoring Data" in the NetIQ Sentinel Administration Guide.
2. Log in to the Sentinel Web interface as a user in the administrator role.
3. Select Downloads.
4. Click Download Installer in the Collector Manager Installer section. A window is displayed with options to either open or save the installer file on the local machine.
5. Save the file.
6. Copy the file to a temporary location.
7. Extract the contents of the file.
8. Run the following script:
   For Collector Manager: ./install-cm
   For Correlation Engine: ./install-ce
9. Follow the on-screen instructions to complete the installation.

25 Upgrading the Sentinel Appliance

The procedures in this chapter guide you through upgrading the Sentinel appliance, as well as Collector Manager and Correlation Engine appliances.
  - Section 25.1, "Upgrading the Appliance by Using zypper," on page 137
  - Section 25.2, "Upgrading the Appliance through WebYaST," on page 138
  - Section 25.3, "Upgrading the Appliance by Using SMT," on page 139

25.1 Upgrading the Appliance by Using zypper

To upgrade the appliance by using the zypper patch:
1. Back up your
erver. To access the Sentinel Web interface, specify the following URL in your Web browser:
   https://<IP_Address_Sentinel_server>:8443
The <IP_Address_Sentinel_server> is the IP address or DNS name of the Sentinel server, and 8443 is the default port for the Sentinel server.

12.3 Performing a Silent Installation

The silent or unattended installation is useful if you need to install more than one Sentinel server in your deployment. In such a scenario, you can record the installation parameters during the interactive installation and then run the recorded file on other servers. You can record the installation parameters while installing Sentinel with the standard configuration or a custom configuration.

To perform a silent installation, ensure that you have recorded the installation parameters to a file. For information on creating the response file, see Section 12.2.1, "Standard Installation," on page 78 or Section 12.2.2, "Custom Installation," on page 79.

To enable Sentinel in FIPS 140-2 mode, ensure that the response file includes the following parameters:
   ENABLE_FIPS_MODE
   NSS_DB_PASSWORD
Because the response file then carries the NSS database password, keep it readable by its owner only and remove it once the unattended installations are complete.

To perform a silent installation, use the following steps:
1. Download the installation files from the NetIQ Downloads Web site.
2. Log in as root to the server where you want to install Sentinel.
3. Specify the following command to extract the install files from
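A response file recorded on one server is reused on many, so a missing FIPS parameter is replicated to every server the file is fed to, and the installer comes up in non-FIPS mode on all of them. The shell helpers below are an added example, not part of the NetIQ guide: they check a response file for the two FIPS parameters, insist that the NSS database password is non-empty, and refuse a file that is readable by group or others. The KEY=VALUE format of the file, and the sample contents, are assumptions made for the example.

```shell
# Added example (not from the NetIQ guide): vet a recorded response file
# before using it for a FIPS 140-2 silent installation.

# response_value FILE KEY -> print the value of KEY (last assignment wins, "=" in values kept)
response_value() {
    awk -F= -v key="$2" '$1 == key { v = substr($0, length(key) + 2) } END { print v }' "$1"
}

# owner_only FILE -> succeed if the permission string is -rw------- (mode 600)
owner_only() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# fips_response_ready FILE -> succeed if the file is usable for a FIPS silent
# install; otherwise print every problem found and fail.
fips_response_ready() {
    f=$1; rc=0
    [ -n "$(response_value "$f" ENABLE_FIPS_MODE)" ] || { echo "$f: ENABLE_FIPS_MODE is not set"; rc=1; }
    [ -n "$(response_value "$f" NSS_DB_PASSWORD)" ]  || { echo "$f: NSS_DB_PASSWORD is missing or empty"; rc=1; }
    owner_only "$f" || { echo "$f: should be mode 600, it holds the NSS DB password"; rc=1; }
    return $rc
}

# Constructed response files (not recorded from a real installer run).
RESP_BAD=$(mktemp); RESP_GOOD=$(mktemp)
printf 'ENABLE_FIPS_MODE=true\nNSS_DB_PASSWORD=\n' > "$RESP_BAD"
chmod 644 "$RESP_BAD"
printf 'ADMIN_PASSWORD=Str0ngPassw0rd\nENABLE_FIPS_MODE=true\nNSS_DB_PASSWORD=N55-St0re-Pass\n' > "$RESP_GOOD"
chmod 600 "$RESP_GOOD"

fips_response_ready "$RESP_BAD" || echo "rejected"
fips_response_ready "$RESP_GOOD" && echo "ready"
```

The check deliberately tests that ENABLE_FIPS_MODE is set rather than equal to a particular value, because the guide does not state the recorded value; compare it with what your own interactive FIPS run produced.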
es:
  - Part III, "Installing Sentinel," on page 71
  - Chapter 17, "Configuring Time," on page 107
  - Chapter 19, "Configuring Out-of-the-Box Plug-Ins," on page 113
  - Chapter 15, "Installing Additional Collectors and Connectors," on page 101
  - Section 12.5, "Installing Collector Managers and Correlation Engines," on page 82

4 Understanding License Information

Sentinel has several licenses that you can use. By default, Sentinel comes with the trial license.

4.1 Trial License

The Sentinel default licensing allows you to use all the enterprise features of Sentinel for the evaluation period of 90 days. A system running with the trial license displays an indicator on the Web interface indicating that the temporary license key is being used. It also displays the number of days left before the functionality expires and indicates how to upgrade to a full license.

NOTE: The expiration date of the system is based on the oldest data in the system. If you restore old events into your system, the expiration date will be adjusted accordingly.

After the 90-day trial period, most functionality is disabled, but you are still able to log in and update the system to use an enterprise license key. After you upgrade to an enterprise license, all functionality is restored. To prevent any interruption in functionality, you must upgrade the system
es ... 134
  24.3 Upgrading the Collector Manager or the Correlation Engine ... 135
25 Upgrading the Sentinel Appliance ... 137
  25.1 Upgrading the Appliance by Using zypper ... 137
  25.2 Upgrading the Appliance through WebYaST ... 138
  25.3 Upgrading the Appliance by Using SMT ... 139
26 Upgrading Sentinel Plug-Ins ... 141

Part VI Appendices ... 143

A Configuring Sentinel for High Availability ... 145
  A.1 Concepts ... 145
    A.1.1 External Systems ... 146
    A.1.2 Shared Storage ... 146
    A.1.3 Service Monitoring ... 146
    A.1.4 Fencing ... 147
  A.2 System Requirements ... 147
  A.3 Installation and Configuration ... 148
    A.3.1 Initial Setup ... 149
    A.3.2 Shared Storage Setup ... 150
    A.3.3 Sentinel Installation ... 152
    A.3.4 Cluster Installation ... 155
    A.3.5 Cluster Configuration ... 156
    A.3.6 Resource Configuration ... 158
    A.3.7 Secondary Storage Configuration ... 159
  A.4 Upgrading Sentinel in High Availability ... 160
    A.4.1 Prerequisites ... 160
    A.4.2 Upgrading a Traditional Sentinel HA Installation ... 161
    A.4.3 Upgrading a Sen
es the certificate to be a valid X.509 certificate, and also checks that the client certificate is trusted by the Event Source Server. New sources will have to be explicitly added to Sentinel; this prevents rogue sources from sending data to Sentinel. For the Strict option, you must import the certificate of the syslog client into the Sentinel FIPS keystore. When Sentinel is running in FIPS 140-2 mode, you cannot import the client certificate using the Event Source Management (ESM) interface. For more information about importing the certificate, see "Importing Certificates into FIPS Keystore Database" on page 125.

NOTE: In FIPS 140-2 mode, the Syslog Event Source Server uses the Sentinel server key pair. Importing the server key pair is not required.

If server authentication is enabled in the syslog client, the client must trust the Sentinel server certificate or the remote Collector Manager certificate, depending on where the Connector is deployed. The Sentinel server certificate file is in the /etc/opt/novell/sentinel/config/sentinel.cer location. The remote Collector Manager certificate file is in the /etc/opt/novell/sentinel/config/rem.cer location.

NOTE: When using custom certificates that are digitally signed by a certificate authority (CA), the client must trust the appropriate certificate file.

21.5.5 Windows Event (WMI) Connector

To configure the Windows E
escribes how to install the product in an Active-Passive High Availability mode, which allows Sentinel to fail over to a redundant cluster node in case of hardware or software failure. It does not cover Active-Active configurations and does not guarantee any particular uptime target. NetIQ Consulting and NetIQ partners can help you implement Sentinel high availability and disaster recovery.

NOTE: High Availability (HA) configuration is supported only on the Sentinel server. However, Collector Managers and Correlation Engines can still communicate with the Sentinel HA server.

  - Section A.1, "Concepts," on page 145
  - Section A.2, "System Requirements," on page 147
  - Section A.3, "Installation and Configuration," on page 148
  - Section A.4, "Upgrading Sentinel in High Availability," on page 160
  - Section A.5, "Backup and Recovery," on page 165

A.1 Concepts

High availability refers to a design methodology that is intended to keep a system available for use as much as is practicable. The intent is to minimize the causes of downtime, such as system failures and maintenance, and to minimize the time it will take to detect and recover from downtime events that do occur. In practice, automated means of detecting and recovering from downtime events quickly become necessary as higher levels of availability must be achieved.

  - Section A.1.1, "External Systems," on page 146
  - Section A.1.2, "Shared Storage," on page 146
  - Se
ether the NetFlow Collector Manager has established a connection with the Sentinel server:
   netstat -an | grep ESTABLISHED | grep <HTTPS_port_number>
   Verify whether the NetFlow Collector Manager appears in the Sentinel Web console by clicking Collection > NetFlow.
Enable network flow traffic forwarding on the device from which you want to collect network flow data. As part of enabling NetFlow on the device, you must specify the IP address of the Sentinel server and the port on which the NetFlow Collector Manager receives data from the NetFlow-enabled device. The default port number is 3578. For more information, refer to the specific NetFlow-enabled device documentation.

15 Installing Additional Collectors and Connectors

By default, all released Collectors and Connectors are installed when you install Sentinel. If you want to install a new Collector or Connector released after the Sentinel release, use the information in the following sections.
  - Section 15.1, "Installing a Collector," on page 101
  - Section 15.2, "Installing a Connector," on page 101

15.1 Installing a Collector

Use the following steps to install a Collector:
1. Download the desired Collector from the Sentinel Plug-ins Web site.
2. Log in to the Sentinel Web interface at https://<IP_address>:8443, where 8443 is the default port for the Sentinel server.
3. Click Applications in the
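The netstat pipeline above greps for the port number as a bare string, so it also matches an unrelated connection whose local ephemeral port happens to contain the same digits (48443, for instance), and it says nothing about whether the UDP listener for the NetFlow exporters is actually bound. The shell helpers below are an added example, not part of the NetIQ guide: they read captured netstat -an output and match the Sentinel server's address and port exactly, and separately confirm a UDP socket bound on the NetFlow port. The excerpt and the addresses are constructed for the example.

```shell
# Added example (not from the NetIQ guide): sharper checks on `netstat -an`
# output for a NetFlow Collector Manager host. Both helpers read the captured
# netstat text on stdin.

# connected_to_sentinel IP PORT
# Succeed if there is an ESTABLISHED TCP connection whose foreign address is
# exactly IP:PORT (column 5 of netstat -an, state in column 6).
connected_to_sentinel() {
    awk -v peer="$1:$2" '$1 ~ /^tcp/ && $5 == peer && $6 == "ESTABLISHED" { ok = 1 } END { exit ok ? 0 : 1 }'
}

# netflow_listener PORT
# Succeed if a UDP socket is bound on PORT on any address (column 4; the last
# colon-separated element is the port, which also handles ":::3578").
netflow_listener() {
    awk -v port="$1" '$1 ~ /^udp/ { n = split($4, a, ":"); if (a[n] == port) ok = 1 } END { exit ok ? 0 : 1 }'
}

# Constructed netstat -an excerpt: one real connection to 10.0.0.5:8443, one
# decoy whose digits contain 8443, and the NetFlow UDP listener on 3578.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.7:48814          10.0.0.5:8443           ESTABLISHED
tcp        0      0 10.0.0.7:52001          10.0.0.9:18443          ESTABLISHED
udp        0      0 0.0.0.0:3578            0.0.0.0:*'

printf '%s\n' "$NETSTAT_SAMPLE" | connected_to_sentinel 10.0.0.5 8443 && echo "connected to Sentinel"
printf '%s\n' "$NETSTAT_SAMPLE" | connected_to_sentinel 10.0.0.5 443 || echo "no connection on 443"
printf '%s\n' "$NETSTAT_SAMPLE" | netflow_listener 3578 && echo "NetFlow listener bound on 3578"
```

On the real host, run netstat -an | connected_to_sentinel <sentinel_ip> <https_port> and netstat -an | netflow_listener 3578; a missing listener means the exporters' packets are being dropped before Sentinel ever sees them.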
eved by using Storage Area Network (SAN) technology connected to the cluster nodes using a Fibre Channel network. Other systems use Network Attached Storage (NAS), iSCSI, or other technologies that allow for remote mounting of shared storage. The fundamental requirement of the shared storage is that the cluster can cleanly move the storage from a failed cluster node to a new cluster node.

NOTE: For iSCSI, you should use the largest Message Transfer Unit (MTU) supported by your hardware. Larger MTUs benefit storage performance. Sentinel might experience issues if latency and bandwidth to storage are slower than recommended.

There are two basic approaches that Sentinel can use for the shared storage. The first locates all components (application binaries, configuration, and event data) on the shared storage. On failover, the storage is unmounted from the primary node and moved to the backup node, which loads the entire application and configuration from the shared storage. The second approach stores the event data on shared storage, but the application binaries and configuration reside on each cluster node. On failover, only the event data is moved to the backup node.

Each approach has benefits and disadvantages, but the second approach allows the Sentinel installation to use standard FHS-compliant install paths, allows for verification of the RPM packaging, and also allows for warm patching and reconfiguration to minimize downtime. This solution wi
ew resource to the group of managed resources:
   crm resource stop sentinelgrp
   crm configure delete sentinelgrp
   crm configure group sentinelgrp sentinelip sentinelfs sentinelnetfs sentineldb sentinelserver
   crm resource start sentinelgrp
4. Connect to the node currently hosting the resources (use crm status or Hawk) and make sure that the secondary storage is properly mounted (use the mount command).
5. Log in to the Sentinel Web interface.
6. Select Storage, then select Configuration, then select the SAN (locally mounted) option under Secondary storage not configured.
7. Type in the path where the secondary storage is mounted, for example /var/opt/netdata.

The exemplary solution uses simple versions of the required resources, such as the simple Filesystem Resource Agent; customers can choose to use more sophisticated cluster resources, like cLVM (a logical volume version of the filesystem), if they wish.

A.4 Upgrading Sentinel in High Availability

When you upgrade Sentinel in an HA environment, you should first upgrade the passive nodes in the cluster, then upgrade the active cluster node.
  - Section A.4.1, "Prerequisites," on page 160
  - Section A.4.2, "Upgrading a Traditional Sentinel HA Installation," on page 161
  - Section A.4.3, "Upgrading a Sentinel HA Appliance Installation," on page 162

A.4.1 Prerequisites

Download the latest installer from the NetIQ download Web site.
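Both the crm status listing in the Resource Configuration section and the group rebuild above end with the same question: are all members of sentinelgrp Started, on one node, with fencing running and quorum intact? Eyeballing the listing answers it once; the shell helpers below are an added example, not part of the NetIQ guide, that answer it from saved crm status output so the check can be repeated after every change to the group and before any deliberate failover. The status text is constructed after the guide's listing with sentinelnetfs added; the resource names are the guide's, the node names and the split scenario are assumptions.

```shell
# Added example (not from the NetIQ guide): verify sentinelgrp from a saved
# `crm status` listing. Resource lines look like
#   sentinelip (ocf::heartbeat:IPaddr2): Started node01
# so column 1 is the resource, column 3 the state and column 4 the node.

# started_on STATUS_FILE RESOURCE -> print the node RESOURCE is Started on (nothing if it is not)
started_on() {
    awk -v r="$2" '$1 == r && $3 == "Started" { print $4; exit }' "$1"
}

# group_node STATUS_FILE RESOURCE...
# Print the node hosting every listed resource; fail, naming the first
# problem, if any is not Started or if the group is split across nodes.
group_node() {
    f=$1; shift
    node=
    for r in "$@"; do
        n=$(started_on "$f" "$r")
        if [ -z "$n" ]; then echo "$r is not Started" >&2; return 1; fi
        if [ -z "$node" ]; then node=$n
        elif [ "$n" != "$node" ]; then
            echo "$r is on $n but $node hosts the rest of the group" >&2; return 1
        fi
    done
    printf '%s\n' "$node"
}

# has_quorum STATUS_FILE -> succeed if the DC line reports "partition with quorum"
has_quorum() {
    grep -q '^Current DC:.*partition with quorum' "$1"
}

# Members in start order, as created by the crm configure group command above.
SENTINEL_GROUP="sentinelip sentinelfs sentinelnetfs sentineldb sentinelserver"

# Constructed status output for a healthy cluster.
STATUS_OK=$(mktemp)
cat > "$STATUS_OK" <<'EOF'
Last updated: Thu Jul 26 16:34:34 2012
Stack: openais
Current DC: node01 - partition with quorum
2 Nodes configured, 2 expected votes
6 Resources configured.

Online: [ node01 node02 ]

 stonith-sbd    (stonith:external/sbd):    Started node01
 Resource Group: sentinelgrp
     sentinelip     (ocf::heartbeat:IPaddr2):      Started node01
     sentinelfs     (ocf::heartbeat:Filesystem):   Started node01
     sentinelnetfs  (ocf::heartbeat:Filesystem):   Started node01
     sentineldb     (ocf::novell:pgsql):           Started node01
     sentinelserver (ocf::novell:sentinel):        Started node01
EOF

# The same cluster with the database on the other node (a partial failover).
STATUS_SPLIT=$(mktemp)
sed '/^ *sentineldb /s/Started node01/Started node02/' "$STATUS_OK" > "$STATUS_SPLIT"

has_quorum "$STATUS_OK" && echo "quorum: ok"
[ -n "$(started_on "$STATUS_OK" stonith-sbd)" ] && echo "fencing: running"
group_node "$STATUS_OK" $SENTINEL_GROUP && echo "group healthy"
group_node "$STATUS_SPLIT" $SENTINEL_GROUP || echo "group split"
```

In use, save the listing with crm status > /tmp/crm.status and call group_node /tmp/crm.status $SENTINEL_GROUP; the node it prints is the one to connect to in step 4 when checking the secondary storage mount.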
fy the following command to install Sentinel:
   ./install-sentinel
   or
   If you want to install Sentinel on more than one system, you can record your installation options in a file. You can use this file for an unattended Sentinel installation on other systems. To record your installation options, specify the following command:
   ./install-sentinel -r <response_filename>
5. Specify the number for the language you want to use for the installation, then press Enter. The end user license agreement is displayed in the selected language.
6. Press the Spacebar to read through the license agreement.
7. Enter yes or y to accept the license and continue with the installation. The installation might take a few seconds to load the installation packages and prompt for the configuration type.
8. When prompted, specify 1 to proceed with the standard configuration. Installation proceeds with the 90-day evaluation license key included with the installer. This license key activates the full set of product features for a 90-day trial period. At any time during or after the trial period, you can replace the evaluation license with a license key you have purchased.
9. Specify the password for the administrator user admin.
10. Confirm the password again. This password is used by the admin, dbauser, and appuser accounts.
The Sentinel installation finishes and the server starts. It might take a few minutes f
gines ... 83
    12.5.3 Adding a Custom ActiveMQ User for the Collector Manager or Correlation Engine ... 84
13 Appliance Installation ... 87
  13.1 Installing the VMware Appliance ... 87
    13.1.1 Installing Sentinel ... 87
    13.1.2 Installing Collector Managers and Correlation Engines ... 88
    13.1.3 Installing VMware Tools ... 89
  13.2 Installing the Xen Appliance ... 90
    13.2.1 Installing Sentinel ... 90
    13.2.2 Installing Collector Managers and Correlation Engines ... 92
  13.3 Installing the ISO Appliance ... 93
    13.3.1 Prerequisites ... 93
    13.3.2 Installing Sentinel ... 93
    13.3.3 Installing Collector Managers and Correlation Engines ... 94
  13.4 Post-Installation Configuration for the Appliance ... 95
    13.4.1 Configuring WebYaST ... 96
    13.4.2 Creating Partitions ... 96
    13.4.3 Registering for Updates ... 97
    13.4.4 Configuring the Appliance with SMT ... 97
  13.5 Stopping and Starting the Server by Using WebYaST ... 98
14 NetFlow Collector Manager Installation ... 99
  14.1 Installation Checklist ... 99
  14.2 Installing the NetFlow Collector
he Collector Manager or Correlation Engine should connect to Sentinel.
   Communication Channel Port: Specify the Sentinel server communication channel port number. The default port number is 61616.
   Communication Channel User Name: Specify the communication channel user name, which is the Collector Manager or Correlation Engine user name.
   Communication Channel User Password: Specify the communication channel user password.
   The communication channel user credentials are stored in the <install_dir>/etc/opt/novell/sentinel/config/activemqusers.properties file located on the Sentinel server. To verify the credentials, see the following line in the activemqusers.properties file:
     For Collector Manager: collectormanager=<password>
     In this example, collectormanager is the user name and the corresponding value is the password.
     For Correlation Engine: correlationengine=<password>
     In this example, correlationengine is the user name and the corresponding value is the password.
   Install Sentinel appliance to hard drive (for Live DVD image only): Ensure you select this check box to install the appliance on the physical server. If you deselect this check box, the appliance will not be installed on the physical server and will run only in the Live DVD mode.
Click Next.
Accept the certificate when prompted. Before accepting, compare the presented certificate with the Sentinel server certificate in /etc/opt/novell/sentinel/config/sentinel.cer, so that the message bus credentials are not handed to an interposed host.
Complete Step 15 through Step 21 in Section 13.3.2
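The credentials the Collector Manager or Correlation Engine types into the fields above are looked up in activemqusers.properties on the Sentinel server, and the same file is where a custom message bus user for section 12.5.3 is defined. The shell helpers below are an added example, not part of the NetIQ guide: one looks a password up the way the verification step does, one adds an entry for a custom user without overwriting an existing name, and one refuses to proceed if the file, which holds the passwords in clear text, is readable by group or others. The file contents are constructed, the custom user name is an assumption, and the guide's section 12.5.3 remains the procedure for making Sentinel pick a new user up.

```shell
# Added example (not from the NetIQ guide): work with a copy of
# activemqusers.properties (one "user=password" line per message bus user).

# activemq_password FILE USER -> print the password recorded for USER (empty if none)
activemq_password() {
    awk -F= -v u="$2" '
        $1 == u { print substr($0, length(u) + 2); found = 1; exit }
        END { if (!found) print "" }' "$1"
}

# activemq_add_user FILE USER PASSWORD
# Append USER=PASSWORD unless USER already exists. Passwords are limited to
# characters that need no escaping in a Java properties file.
activemq_add_user() {
    if [ -n "$(activemq_password "$1" "$2")" ]; then
        echo "$2 already exists in $1; not overwriting" >&2
        return 1
    fi
    case "$3" in
        *[!A-Za-z0-9_.@%+-]*) echo "password contains characters this helper does not escape" >&2; return 1 ;;
    esac
    printf '%s=%s\n' "$2" "$3" >> "$1"
}

# activemq_file_private FILE -> succeed only if group and other have no access bits
activemq_file_private() {
    perm=$(ls -ld "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# Constructed sample (not a real Sentinel file).
PROPS=$(mktemp)
cat > "$PROPS" <<'EOF'
# constructed sample of /etc/opt/novell/sentinel/config/activemqusers.properties
collectormanager=Cm-Pass-2012
correlationengine=Ce-Pass-2012
EOF
chmod 600 "$PROPS"

echo "collectormanager password: $(activemq_password "$PROPS" collectormanager)"
activemq_add_user "$PROPS" cm-dmz 'Dmz-Cm-Pass-2012' && echo "added cm-dmz"
activemq_add_user "$PROPS" collectormanager 'x' || echo "refused to overwrite collectormanager"
activemq_file_private "$PROPS" && echo "file permissions: private"
```

Giving each remote Collector Manager its own user, as the DMZ example does, means one compromised collector host exposes only its own message bus credential rather than the one shared by every collector.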
95. he Sentinel Web interface by specifying the following URL in your Web browser: https://<IP_Address_Sentinel_server>:8443. The <IP_Address_Sentinel_server> is the IP address or DNS name of the Sentinel server, and 8443 is the default port for the Sentinel server. Log in with the username and password specified during the installation of the Sentinel server. In the toolbar, click Downloads. Click Download Installer under the required installation. Click Save File to save the installer to the desired location. Specify the following command to extract the installation file: tar zxvf <install_filename>. Replace <install_filename> with the actual name of the install file. 6. Change to the directory where you extracted the installer. 7. Specify the following command to install the Collector Manager or the Correlation Engine. For Collector Manager: ./install-cm. For Correlation Engine: ./install-ce. The install script first checks for the available memory and disk space. If the available memory is less than 1.5 GB, the script automatically terminates the installation. Specify the number for the language you want to use for the installation. The end user license agreement is displayed in the selected language. 9. Press the Spacebar to read through the license agreement. Enter yes or y to accept the license agreement and continue wi
96. hine, which is important for handling spikes and other anomalies with maximum system stability. For information about the advantages of installing additional components, see Section 6.1, Advantages of Distributed Deployments, on page 49. IMPORTANT: You must install the additional Collector Manager or the Correlation Engine on separate systems. The Collector Manager or the Correlation Engine must not be on the same system where the Sentinel server is installed. Section 12.5.1, Installation Checklist, on page 83. Section 12.5.2, Installing Collector Managers and Correlation Engines, on page 83. Section 12.5.3, Adding a Custom ActiveMQ User for the Collector Manager or Correlation Engine, on page 84. Installation Checklist: Ensure that you have completed the following tasks before starting the installation. Make sure that your hardware and software meet the minimum requirements; for more information, see Chapter 5, Meeting System Requirements, on page 35. Synchronize time by using the Network Time Protocol (NTP). A Collector Manager requires network connectivity to the message bus port (61616) on the Sentinel server; before you start installing the Collector Manager, make sure that all firewall and network settings allow communication over this port. Installing Collector Managers and Correlation Engines: 1. Launch t
97. ic module provided by SLES 11 SP3 are not yet officially FIPS 140-2 validated, but work is in progress to get the SUSE module FIPS 140-2 validated. Once the validation is available, no necessary changes to Sentinel are anticipated to provide FIPS 140-2 Inside on the SUSE platform. For more information about RHEL 6.2 FIPS 140-2 certification, see Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules. RHEL NSS Packages: Sentinel requires the following 64-bit NSS packages to support FIPS 140-2 mode: nspr-4.9-1.el6.x86_64, nss-sysinit-3.13.3-6.el6.x86_64, nss-util-3.13.3-2.el6.x86_64, nss-softokn-freebl-3.12.9-11.el6.x86_64, nss-softokn-3.12.9-11.el6.x86_64, nss-3.13.3-6.el6.x86_64, nss-tools-3.13.3-6.el6.x86_64. If any of these packages are not installed, you must install them before enabling FIPS 140-2 mode in Sentinel. SLES NSS Packages: Sentinel requires the following 64-bit NSS packages to support FIPS 140-2 mode: libfreebl3-3.13.1-0.2.1, mozilla-nspr-4.8.9-1.2.2.1, mozilla-nss-3.13.1-0.2.1, mozilla-nss-tools-3.13.1-0.2.1. If any of these packages are not installed, you must install them before enabling FIPS 140-2 mode in Sentinel. FIPS-Enabled Components in Sentinel: The following Sentinel components provide FIPS 140-2 support. All Sentinel platform components are updated to support FIPS 140-2 mode. The following Senti
98. If you are using the SLES operating system with kernel version 3.0.101 or later, you must manually load the watchdog driver in the computer. To find the appropriate watchdog driver for your computer hardware, contact your hardware vendor. To load the watchdog driver, perform the following: 1. In the command prompt, run the following command to load the watchdog driver in the current session: /sbin/modprobe -v --ignore-install <watchdog driver name>. 2. Add the following line to the /etc/init.d/boot.local file to ensure that the computer automatically loads the watchdog driver at every boot time: /sbin/modprobe -v --ignore-install <watchdog driver name>. A.4.2 Upgrading a Traditional Sentinel HA Installation: 1. Enable the maintenance mode on the cluster: crm configure property maintenance-mode=true. Maintenance mode helps you to avoid any disturbance to the running cluster resources while you update Sentinel. You can run this command from any cluster node. 2. Verify whether the maintenance mode is active: crm status. The cluster resources should appear in the unmanaged state. 3. Upgrade the passive cluster node: 3a. Stop the cluster stack: rcopenais stop. Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes. 3b. Log in as root to the server where you want to upgrade Sentinel. 3c. Extract the install files from the tar file: tar xf
99. iew the latest Sentinel version. 4h. After the upgrade is complete, restart the cluster stack: rcopenais start. 5. Disable the maintenance mode on the cluster: crm configure property maintenance-mode=false. You can run this command from any cluster node. 6. Verify whether the maintenance mode is inactive: crm status. The cluster resources should appear in the Started state. 7. (Optional) Verify whether the Sentinel upgrade is successful: rcsentinel version. Backup and Recovery: The highly available failover cluster described in this document provides a level of redundancy, so that if the service fails on one node in the cluster, it will automatically fail over and recover on another node in the cluster. When an event like this happens, it is important to bring the node that failed back into an operational state so that the redundancy in the system can be restored and protect in the case of another failure. This section talks about restoring the failed node under a variety of failure conditions. Section A.5.1, Backup, on page 165. Section A.5.2, Recovery, on page 166. Backup: While a highly available failover cluster like the one described in this document provides a layer of redundancy, it is still important to regularly take a traditional backup of the configuration and data, which would not be easy to recover from if lost or corrupted. The section Backing Up and Restoring Data in the NetIQ Sentinel Administratio
100. iguration. The shared storage will be used to hold Sentinel's databases and event data, so it must be sized accordingly for the customer environment based on the expected event rate and data retention policies. A typical implementation might use a fast SAN attached using FibreChannel to all the cluster nodes, with a large RAID array to store the local event data. A separate NAS or iSCSI node might be used for the slower secondary storage. As long as the cluster node can mount the primary storage as a normal block device, it can be used by the solution. The secondary storage can also be mounted as a block device, or could be an NFS or CIFS volume. NOTE: You should configure your shared storage and test mounting it on each cluster node, but the actual mount of the storage will be handled by the cluster configuration. For the exemplary solution, we will use iSCSI Targets hosted by a SUSE Linux VM. The exemplary solution uses iSCSI Targets configured on a SUSE Linux VM. The VM is storage03, as listed in Initial Setup. iSCSI devices can be created using any file or block device, but for simplicity here we will use a file that we create for this purpose. Connect to storage03 and start a console session. Use the dd command to create a blank file of any desired size for Sentinel primary storage: dd if=/dev/zero of=/localdata count=10240000 bs=1024. In this case, we create a 10 GB file filled with zeros copied from the /dev/zero pseudo-device. See the
101. imilar, making sure that the sync happens before subsequent installs. In this case, the installer will detect the presence of the user account and use the existing one. Watch the output of the subsequent unattended installs; a warning will be issued if the user account could not be created with the same user ID. Traditional HA Installation: 1. Connect to each additional cluster node (node02) and open a console window. 2. Execute the following commands: cd /tmp; scp root@node01:/tmp/sentinel_server*.tar.gz .; scp root@node01:/tmp/install.props .; tar xvzf sentinel_server*.tar.gz; ./install-sentinel --no-start --cluster-node --unattended=/tmp/install.props; cd; insserv -r sentinel. Sentinel HA Appliance Installation: 1. Connect to each additional cluster node (node02) and open a console window. 2. Execute the following command: insserv -r sentinel. 3. Stop Sentinel services: rcsentinel stop. 4. Remove the Sentinel directory: rm -rf /var/opt/novell/sentinel. At the end of this process, Sentinel should be installed on all nodes, but it will likely not work correctly on any but the first node until various keys are synchronized, which will happen when we configure the cluster resources. Cluster Installation: You need to install the cluster software only for traditional HA installations. The Sentinel HA appliance includes the cluster software and does not require manual installa
102. in Chapter 5, Meeting System Requirements, on page 35, based on the expected event rate. The disk space and I/O characteristics for the storage nodes must meet the system requirements defined in Chapter 5, Meeting System Requirements, on page 35, based on the expected event rate and data retention policies for primary and secondary storage. If you want to configure the operating system firewalls to restrict access to Sentinel and the cluster, refer to Chapter 8, Ports Used, on page 63, for details of which ports must be available depending on your local configuration and the sources that will be sending event data. The exemplary solution will use the following configuration: (Conditional) For traditional HA installations: Two SUSE Linux 11 SP3 cluster node VMs. The OS install need not install X Windows, but can if Graphical User Interface configuration is desired. The boot scripts can be set to start without X (runlevel 3), which can then be started only when needed. (Conditional) For HA appliance installations: Two HA ISO appliance-based cluster node VMs. For information about installing the HA ISO appliance, see Section 13.3.2, Installing Sentinel, on page 93. The nodes will have two NICs: one for external access and one for iSCSI communications. Configure the external NICs with IP addresses that allow for remote access through SSH or similar. For this example, we will use 172.16.0.1 (node01) and 172.16.0.2 (n
103. ine correlationengine=<password>. In this example, correlationengine is the username and the corresponding value is the password. 13. Click Next. 14. Accept the certificate. 15. Click Next to complete the installation. When the installation is complete, the installer displays a message indicating that this appliance is the Sentinel Collector Manager or the Sentinel Correlation Engine, depending on what you chose to install, along with the IP address. It also displays the Sentinel server user interface IP address. Installing VMware Tools: For Sentinel to work effectively on the VMware server, you need to install VMware Tools. VMware Tools is a suite of utilities that enhances the performance of the virtual machine's operating system. It also improves management of the virtual machine. For more information on installing VMware Tools, see VMware Tools for Linux Guests (https://www.vmware.com/support/ws55/doc/ws_newguest_tools_linux.html#wp1127177). For more information on the VMware documentation, see Workstation User's Manual (http://www.vmware.com/pdf/ws71_manual.pdf). 13.2 Installing the Xen Appliance: This section provides information about installing Sentinel, Collector Manager, and a Correlation Engine on a Xen appliance image. Section 13.2.1, Installing Sentinel, on page 90. Section 13.2.2, Installing Collector Managers and Correlation Engines, on page 92. 13.2.1 Installing Sentin
104. inel_server*.tar.gz; cd sentinel_server*; ./install-sentinel --record-unattended=/tmp/install.props. 4. Run through the standard installation, configuring the product as appropriate. The installation program installs the binaries, databases, and configuration files. The installation program also sets up the login credentials, configuration settings, and the network ports. 5. Start Sentinel and test the basic functions. You can use the standard external cluster node IP to access the product. 6. Shut down Sentinel and dismount the shared storage using the following commands: rcsentinel stop; umount /var/opt/novell. This step removes the autostart scripts so that the cluster can manage the product: cd; insserv -r sentinel. Sentinel HA Appliance Installation: The Sentinel HA appliance includes the Sentinel software that is already installed and configured. To configure the Sentinel software for HA, perform the following steps: 1. Connect to one of the cluster nodes (node01) and open a console window. 2. Navigate to the following directory: cd /opt/novell/sentinel/setup. 3. Record the configuration: 3a. Execute the following command: ./configure.sh --record-unattended=/tmp/install.props --no-start. This step records the configuration in the file install.props, which is required to configure the cluster resources using the install-resources.sh script. 3b. Specify the option to sele
105. installation, you should perform all of the following steps to ensure there are no files or system settings remaining from a previous installation. WARNING: These instructions involve modifying operating system settings and files. If you are not familiar with modifying these system settings and files, please contact your system administrator. Uninstalling the Sentinel Server: Use the following steps to uninstall the Sentinel server: 1. Log in to the Sentinel server as root. NOTE: You cannot uninstall the Sentinel server as a non-root user if the installation was performed as a root user. However, a non-root user can uninstall the Sentinel server if the installation was performed by a non-root user. 2. Access the following directory: /opt/novell/sentinel/setup. 3. Run the following command: ./uninstall-sentinel. 4. When prompted to reconfirm that you want to proceed with the uninstall, press y. The script first stops the service and then removes it completely. C.2.2 Uninstalling the Collector Manager and Correlation Engine: Use the following steps to uninstall the Collector Manager and Correlation Engine: 1. Log in as root to the Collector Manager and Correlation Engine computer. NOTE: You cannot uninstall the remote Collector Manager or remote Correlation Engine as a non-root user if the installation was performed as a root user. However, a non-root user can uninstall if the installation was done as a non-roo
106. Ports Used: Sentinel uses different ports for external communication with other components. For the appliance installation, the ports are opened on the firewall by default. However, for the traditional installation, you must configure the operating system on which you are installing Sentinel to open the ports on the firewall. The following figure illustrates the ports used in Sentinel. Figure 8-1 Ports Used in Sentinel [figure not recoverable; labels visible in the diagram: Sentinel Server, Web console, PostgreSQL, Security Intelligence Database, Audit, Configuration Database, Event Source, NetFlow Collector Manager, ActiveMQ, Syslog, Event Sources, Processes, Additional Collector Manager, Correlation Engine, JMX Monitoring, Control Center, Tools, Solution Designer; port numbers shown include 5432, 27017, 10013, 1099, 2000]. Section 8.1, Sentinel Server Ports, on page 64. Section 8.2, Collector Manager Ports, on page 66. Section 8.3, Correlation Engine Ports, on page 67. Section 8.4, NetFlow Collector Manager Ports, on page 67. 8.1 Sentinel Server Ports: The Sentinel server uses the following ports for internal and external communication. 8.1.1 Local Ports: Sentinel uses the following ports for internal communication with the database and other internal processes. Ports / Description: T
107. ions IP. 6. Select Next, then click OK. 7. Click Network Services > iSCSI Initiator. 8. If prompted, install the required software (open-iscsi RPM) from the SUSE Linux 11 SP3 media. 9. Click Service, select When Booting to ensure the iSCSI service is started on boot. Click Discovered Targets and select Discovery. Specify the iSCSI Target IP address (10.0.0.3), select No Authentication, and then click Next. Select the discovered iSCSI Target with the IP address 10.0.0.3 and then select Log In. Switch to automatic in the Startup drop-down and select No Authentication, then click Next. Switch to the Connected Targets tab to ensure that we are connected to the target. Exit the configuration. This should have mounted the iSCSI Targets as block devices on the cluster node. In the YaST main menu, select System > Partitioner. In the System View, you should see new hard disks (such as /dev/sdb and /dev/sdc) in the list; they will have a type of IET-VIRTUAL-DISK. Tab over to the first one in the list (which should be the primary storage), select that disk, then press Enter. Select Add to add a new partition to the empty disk. Format the disk as a primary ext3 partition, but do not mount it. Ensure that the option Do not mount partition is selected. Select Next, then Finish after reviewing the changes that will b
108. is attempting to exploit a vulnerable system. This is accomplished through: Advisor Feed; Intrusion detection; Vulnerability scanning; Firewalls. Advisor provides a cross-reference between event data signatures and vulnerability scanner data. The Advisor feed contains information about vulnerabilities and threats, as well as a normalization of event signatures and vulnerability plug-ins. For more information on Advisor, see Detecting Vulnerabilities and Exploits in the NetIQ Sentinel Administration Guide. 2.3 Collector Manager: The Collector Manager manages data collection, monitors system status messages, and performs event filtering as needed. The main functions of the Collector Manager include the following: Transforming events; Adding business relevance to events through the mapping service; Routing events; Determining real-time, vulnerability, asset, or non-real-time data; Sending health messages to the Sentinel server. 2.3.1 Collectors: The Collectors normalize and collect the information from the Connectors. Collectors are written in JavaScript, and they define the logic for the following: Receiving raw data from the Connectors; Parsing and normalizing the data; Applying repeatable logic to the data; Translating device-specific data into Sentinel-specific data; Formatting the events; Passing the normalized, parse
109. is located on the Sentinel Server machine. [Table columns: Category / Collectors Used / Description] Demo All-in-One (not intended for production): Oracle Solaris 2011.1r2, Sources 100, EPS 100; Juniper Netscreen 2011.1r1, Sources 4, EPS 3. Medium Distributed Agent-less Data Collection: Each collector had its own syslog server. Oracle Solaris 2011.1r2, Sources 1000, EPS 1500; Microsoft AD and Windows version 2011.1r2, Sources 1000, EPS 1500. Medium Distributed Agent-based Data Collection: Custom Testing Collector (no parsing), Agent Manager Connector, Server 1, Sources 5000, EPS 2500. Large Distributed Agent-less Data Collection, Raw Data Stored: Each of the following Collectors had its own syslog server, parsing at the following EPS rates: Microsoft Active Directory 2011.1r4: RCM 1 2000, RCM 2 2000; Oracle Solaris 2011.1r2: RCM 1 2000, RCM 2 2000; NetIQ Universal Event 2011.1r2: RCM 1 2000; NetIQ Agent Manager 2011.1r3: RCM 1 1000. Large Distributed Agent-less Data Collection, Raw Data Not Stored: Each of the following Collectors had its own syslog server, parsing at the following EPS rates: Microsoft AD and Windows version 2011.1r4
110. itional information, such as host and identity details, to the incoming events from your source devices. This additional information can be used for advanced correlation and reporting. The system supports several built-in maps as well as custom user-defined maps. Maps that are defined in Sentinel are stored in two ways: Built-in maps are stored in the database, updated using APIs in Collector code, and automatically exported to the Mapping service. Custom maps are stored as CSV files and can be updated on the file system or via the Map Data Configuration UI, then loaded by the Mapping service. In both cases, the CSV files are kept on the central Sentinel server, but changes to the maps are distributed to each Collector Manager and applied locally. This distributed processing ensures that mapping activity does not overload the main server. Streaming Maps: The Map Service employs a dynamic update model and streams the maps from one point to another, avoiding the buildup of large static maps in dynamic memory. The value of this streaming capability is particularly relevant in a mission-critical, real-time system such as Sentinel, where there needs to be a steady, predictive, and agile movement of data independent of any transient load on the system. Exploit Detection (Mapping Service): Sentinel provides the ability to cross-reference event data signatures with Vulnerability Scanner data. Users are notified automatically and immediately when an attack
111. its own set of system requirements and supported platforms. See the Connector and Collector documentation on the Sentinel Plug-ins Web site. Virtual Environment: Sentinel is extensively tested and fully supported on a VMware ESX server. When you set up a virtual environment, the virtual machines must have 2 or more CPUs. To achieve performance results comparable to the physical machine testing results on ESX or in any other virtual environment, the virtual environment should provide the same memory, CPUs, disk space, and I/O as the physical machine recommendations. For information about physical machine recommendations, see Chapter 5, Meeting System Requirements, on page 35. 6 Deployment Considerations: Sentinel has a scalable architecture that can grow to handle the load you need to place on it. There are several types of load that you can place on Sentinel. This chapter provides an overview of the most important considerations to make when scaling a Sentinel deployment. A NetIQ Services or NetIQ Partner Services professional can work with you to more thoroughly design the complete system for your unique environment. Section 6.1, Advantages of Distributed Deployments, on page 49. Section 6.2, All-In-One Deployment, on page 51. Section 6.3, One-Tier Distributed Deployment, on page 51. Section 6.4, One-Tier Distrib
112. k connections between hosts, including packets and bytes transmitted, which helps you visualize the behavior of individual hosts or the entire network. The NetFlow Collector Manager functionality includes the following: Collects network flow data (in bytes, flows, and packets) from supported network devices. Aggregates and sends the collected data to the Sentinel server for visualization and analysis of network activities in your environment. For more information about visualizing and analyzing network flow data, see Visualizing and Analyzing Network Flow Data in the NetIQ Sentinel User Guide. Sentinel Data Routing and Storage: Sentinel provides multiple options for routing, storing, and extracting the data collected. By default, Sentinel receives two separate but related data streams from the Collector Managers: the parsed event data and the raw data. The raw data is immediately stored in protected partitions to provide a secure evidence chain. The parsed event data is routed according to rules you define, which can filter it, send it to storage, send it to real-time analytics, and route it to external systems. All event data sent to storage is further matched to user-defined retention policies that determine the partition in which data is placed and define the grooming policy under which the event data is retained and then eventually deleted. Sentinel data storage is based on a three-tier structure: Online (Primary) storage: Optimized for qui
113. ll guide you through an example of the process of installing to a cluster that uses iSCSI shared storage and locates the application binaries and configuration on each cluster node. Service Monitoring: A key component of any highly available environment is a reliable, consistent way to monitor the resource(s) that should be highly available, along with any resource(s) that they depend on. The SLE HAE uses a component called a Resource Agent to perform this monitoring; the Resource Agent's job is to provide the status for each resource, plus, when asked, to start or stop that resource. Resource Agents must provide a reliable status for monitored resources in order to prevent unnecessary downtime. False positives (when a resource is deemed to have failed but would in fact recover on its own) can cause service migration (and related downtime) when it is not actually necessary, and false negatives (when the Resource Agent reports that a resource is functioning when in fact it is not operating properly) can prevent proper use of the service. On the other hand, external monitoring of a service can be quite difficult: a web service port might respond to a simple ping, for example, but may not provide correct data when a real query is issued. In many cases, self-test functionality must be built into the service itself to provide a truly accurate measurement. This solution provides a basi
114. location: /etc/opt/novell/sentinel/config/sentinel.cer. Remote Collector Manager certificate location: /etc/opt/novell/sentinel/config/rcm.cer. NOTE: When using custom certificates that are digitally signed by a certificate authority (CA), the Agent Manager agent must trust the appropriate certificate file. 21.5.2 Database (JDBC) Connector: Follow the procedure below only if you have selected the SSL option when configuring the database connection. To configure the Database Connector to run in FIPS 140-2 mode: 1. Before configuring the Connector, download the certificate from the Database server and save it as a database.cert file into the /etc/opt/novell/sentinel/config directory of the Sentinel server. For more information, refer to the respective database documentation. 2. Import the certificate into the Sentinel FIPS keystore. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database on page 125. 3. Proceed with configuring the Connector. 21.5.3 Sentinel Link Connector: Follow the procedure below only if you have selected the Encrypted (HTTPS) option when configuring the networking settings of the Sentinel Link Event Source Server. To configure the Sentinel Link Connector to run in FIPS 140-2 mode: 1. Add or edit the Sentinel Link Event Source Server. Proceed through the configuration screens until the Securi
115. low Collector Managers, on page 50. 6.1.1 Advantages of Additional Collector Managers: The Sentinel server includes a Collector Manager by default. However, for production environments, distributed Collector Managers provide much better isolation when large volumes of data are received. In this situation, a distributed Collector Manager may become overloaded, but the Sentinel server will remain responsive to user requests. Installing more than one Collector Manager in a distributed network provides several advantages: Improved system performance: Additional Collector Managers can parse and process event data in a distributed environment, which increases the system performance. Additional data security and decreased network bandwidth requirements: If the Collector Managers are co-located with event sources, then filtering, encryption, and data compression can be performed at the source. File caching: Additional Collector Managers can cache large amounts of data while the server is temporarily busy archiving events or processing a spike in events. This feature is an advantage for protocols such as syslog, which do not natively support event caching. You can install additional Collector Managers at suitable locations in your network. These remote Collector Managers run Connectors and Collectors and forward the collected data to the Sentinel server for storage and processing. For informati
116. ly compare. Map events to standard regulations. Analyze the data. Compare events across multiple systems to determine if there are security issues. Send notifications when the data is outside of the norms. Take action on notifications to comply with business policies. Generate reports to prove compliance. After you understand the challenges of securing your IT environment, you need to determine how to secure the enterprise for and from users without treating them like malicious users or burdening them to the point where it is impossible to be productive. Sentinel provides the solution. 1.2 The Solution That Sentinel Provides: Sentinel acts as the central nervous system of enterprise security. It pulls in data from across your entire infrastructure: applications, databases, servers, storage, and security devices. It analyzes and correlates the data, and makes the data actionable, either automatically or manually. Figure 1-2 The Solution That Sentinel Provides [figure not recoverable; labels visible in the diagram: Exchange, Sentinel, Mainframe, Firewall]. The result is that you know what is happening in your IT environment at any given point, and you have the ability to tie the actions taken on resources to the people taking those actions. This allows you to determine user behavior and effectively monitor control. No matter if that person is an insider or not, you can tie together all the actions they take, so that unau
117. mediation. Sentinel provides an automated incident response management system that enables you to document and formalize the process of tracking, escalating, and responding to incidents and policy violations, and provides two-way integration with trouble-ticketing systems. Sentinel enables you to react promptly and resolve incidents efficiently. For more information, see Configuring Incidents in the NetIQ Sentinel User Guide. iTRAC Workflows: iTRAC workflows are designed to provide a simple, flexible solution for automating and tracking an enterprise's incident response processes. iTRAC leverages Sentinel's internal incident system to track security or system problems from identification (through correlation rules or manual identification) through resolution. Workflows can be built using manual and automated steps. Advanced features such as branching, time-based escalation, and local variables are supported. Integration with external scripts and plug-ins allows for flexible interaction with third-party systems. Comprehensive reporting allows administrators to understand and fine-tune the incident response processes. For more information, see Configuring iTRAC Workflows in the NetIQ Sentinel User Guide. Actions and Integrators: Actions, either manually or automatically, execute some type of action in Sentinel, such as sending an email. Actions can be triggered by routing rules
mends setting up a distributed deployment because it isolates data collection components on a separate machine, which is important for handling spikes and other anomalies with maximum system stability. For more information about distributed deployments, see Chapter 6, "Deployment Considerations," on page 49.

The ability of the CPU to perform hyperthreading has been shown to have a significant positive impact on the load the system can handle. Therefore, when deciding on a CPU to purchase, be sure to note whether hyperthreading was enabled in the reference test below and ensure the CPU you choose has as good or better hyperthreading capabilities.

Table columns, left to right: Demo (not intended for production); Medium, All-in-One, Agent-based Data Collection; Medium, Distributed, Agentless Data Collection; Large, Distributed, Agentless Data Collection, Raw Data Not Stored; Large, Distributed, Agentless Data Collection, Raw Data Stored; Extra Large.

Category: Retained Capability. Description: The events per second (EPS) rate processed by real-time components and retained in storage by the system. Values: 100 EPS; 3000 EPS; 2500 EPS; 11000 EPS; 13000 EPS; 13000 EPS.

Category: Operational Capability. Description: The total events per second rate received by the system from event sources. This includes data dropped by the system's intelligent filtering capability before being stored and
Values: 100 EPS; 3000 EPS; 2500 EPS; 11000 EPS; 13000 EPS; 13000 EPS.
ministration information and tasks required to manage a Sentinel deployment.

User Guide: Provides conceptual information about Sentinel. This book also provides an overview of the user interfaces and step-by-step guidance for many tasks.

About NetIQ Corporation

We are a global, enterprise software company, with a focus on the three persistent challenges in your environment: change, complexity and risk, and how we can help you control them.

Our Viewpoint

Adapting to change and managing complexity and risk are nothing new. In fact, of all the challenges you face, these are perhaps the most prominent variables that deny you the control you need to securely measure, monitor, and manage your physical, virtual, and cloud computing environments.

Enabling critical business services, better and faster. We believe that providing as much control as possible to IT organizations is the only way to enable timelier and cost-effective delivery of services. Persistent pressures like change and complexity will only continue to increase as organizations continue to change and the technologies needed to manage them become inherently more complex.

Our Philosophy

Selling intelligent solutions, not just software. In order to provide reliable control, we first make sure we understand the real-world scenarios in which IT organizations like yours operate day in
n Guide describes how to use Sentinel's built-in tools for creating a backup. These tools should be used on the active node in the cluster because the passive node in the cluster will not have the required access to the shared storage device. Other commercially available backup tools could be used instead and may have different requirements on which node they can be used.

A.5.2 Recovery

Transient Failure on page 166
Node Corruption on page 166
Cluster Data Configuration on page 166

Transient Failure

If the failure was a temporary failure and there is no apparent corruption to the application and operating system software and configuration, then simply clearing the temporary failure (for example, rebooting the node) will restore the node to an operational state. The cluster management user interface can be used to fail back the running service to the original cluster node, if desired.

Node Corruption

If the failure caused a corruption in the application or operating system software or configuration that is present on the node's storage system, then the corrupted software will need to be reinstalled. Repeating the steps for adding a node to the cluster described earlier in this document will restore the node to an operational state. The cluster management user interface can be used to fail back the running service to the original cluster node, if desired.

Clu
n page 27.

Event Sources

Sentinel gathers security information and events from many different sources in your IT environment. These sources are called event sources. The event sources can be many different items on your network:

Security Perimeter: Security devices, including hardware and software used to create a security perimeter for your environment, such as firewalls, IDS, and VPNs.
Operating Systems: Events from the different operating systems running in the network.
Referential IT Sources: The software used to maintain and track assets, patches, configuration, and vulnerability.
Application Events: Events generated from the applications installed in the network.
User Access Control: Events generated from applications or devices that allow users access to company resources.

For more information about collecting events from event sources, see "Configuring Agentless Data Collection."

Sentinel Event

Sentinel receives information from devices, normalizes this information into a structure called an event, categorizes the event, and then sends the event for processing. By adding category information (taxonomy) to events, events are easier to compare across systems that report events differently, for example, authentication failures. Events are processed by the real-time display, correlation engine, dashboards, and the back-end server. An event comprises more than 200 fields. Event fields are of different types and of different purp
nce Management Console (WebYaST). Also used by the Sentinel appliance for the update service.
Forwarded to 1289 for Audit connections.
Forwarded to 1514 for syslog messages.
This is the Sentinel Link port that is allowed to connect through the SuSE Firewall.
Ports that can be used when configuring data collection servers, such as syslog. Sentinel does not listen on these ports by default.

Ports | Direction | Required/Optional | Description
TCP 443 | Outbound | Required | Initiates a connection to the NetIQ appliance software update repository on the Internet or a Subscription Management Tool service in your network.
TCP 80 | Outbound | Optional | Initiates a connection to the Subscription Management Tool.

8.3 Correlation Engine Ports

The Correlation Engine uses the following ports to communicate with other components.

8.3.1 Network Ports

For Sentinel Correlation Engine to work properly, ensure that the following ports are open on the firewall:

Ports | Direction | Required/Optional | Description
TCP 1099 and 2000 | Inbound | Optional | Used together by monitoring tools to connect to the Sentinel server process using Java Management Extensions (JMX).
TCP 61616 | Outbound | Required | Initiates a connection to the Sentinel server.

8.3.2 Correlation Engine Appliance Specific Ports

In addition to the above ports, the following ports are open on the Sentinel Correlation Engine appliance:

Ports | Direction | Required/Optional | Description
TCP 22 | Inbound | Required
ne for all Event Source nodes in the Event Source Manager, unless you know that the event source reports in local time and always includes the time zone in the time stamp.

Processing the event source presentation of the time stamp happens in the Collector and on the Collector Manager. The DeviceEventTime and the EventTime are stored as UTC, and the ObserverTZ fields are stored as strings set to local time for the event source. This information is sent from the Collector Manager to the Sentinel server and stored in the event store. The time zone that the Collector Manager and the Sentinel server are in should not affect this process or the stored data. However, when a client views the event in a Web browser, the UTC EventTime is converted to the local time according to the Web browser, so all events are presented to clients in the local time zone. If the users want to see the local time of the source, they can examine the ObserverTZ fields for details.

Modifying the Configuration after Installation

After installing Sentinel, if you want to enter the valid license key, change the password, or modify any of the assigned ports, you can run the configure.sh script to modify them. The script is available in the /opt/novell/sentinel/setup folder.

1. Specify the following command at the command line to run the configure.sh script:
./configure.sh
2. Specify 1 to perform a standard configuration or specif
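The time stamp handling described above, as an added example that is not code from the NetIQ guide: the Collector side converts the source's stamp to UTC for DeviceEventTime and records the source zone as a string in ObserverTZ, and the client side converts the stored UTC value to the browser's zone. The field names are the guide's; the zone, the fixed offsets, the sample stamps and the function names are assumptions made for this example (a fixed UTC-5 offset stands in for America/New_York in January, so DST is not modelled).

```python
"""Added example, not from the NetIQ guide: normalising an event source's time stamp
to UTC for DeviceEventTime while keeping the source zone in ObserverTZ."""
from datetime import datetime, timedelta, timezone

# Constructed: the zone configured for the Event Source node. A fixed offset is used so the
# example runs without a tz database; America/New_York is UTC-5 in January (no DST here).
SOURCE_TZ_NAME = "America/New_York"
SOURCE_TZ = timezone(timedelta(hours=-5), SOURCE_TZ_NAME)


def parse_source_timestamp(stamp, configured_tz):
    """Parse 'YYYY-MM-DD HH:MM:SS' or 'YYYY-MM-DD HH:MM:SS +HH:MM'.

    If the stamp carries its own offset, trust it (the exception the guide makes for
    sources that report local time and always include the zone); otherwise apply the
    zone configured for the Event Source node.
    """
    try:
        return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z")
    except ValueError:
        naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        return naive.replace(tzinfo=configured_tz)


def normalise(raw_stamp, observer_tz_name=SOURCE_TZ_NAME, observer_tz=SOURCE_TZ):
    """Collector Manager side: DeviceEventTime stored as UTC, ObserverTZ stored as a string."""
    local = parse_source_timestamp(raw_stamp, observer_tz)
    return {
        "DeviceEventTime": local.astimezone(timezone.utc),
        "ObserverTZ": observer_tz_name,
    }


def present_to_client(event, client_tz):
    """Client side: the stored UTC value rendered in the browser's local zone."""
    return event["DeviceEventTime"].astimezone(client_tz)


if __name__ == "__main__":
    # Constructed sample stamps: one without a zone, one that includes its offset.
    ev = normalise("2024-01-15 09:30:00")
    ev_with_offset = normalise("2024-01-15 09:30:00 +05:30")
    cet = timezone(timedelta(hours=1), "CET")
    print("stored:", ev["DeviceEventTime"].isoformat(), "ObserverTZ =", ev["ObserverTZ"])
    print("seen from CET:", present_to_client(ev, cet).isoformat())
    print("stamp with offset, stored:", ev_with_offset["DeviceEventTime"].isoformat())
```

The same 09:30 local stamp lands on two different instants depending on whether the source included its offset, which is why the guide tells you to set the zone on the Event Source node unless the source always includes it.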
ne whether they should trigger any of the correlation rules.

Advisor: Advisor, powered by Security Nexus, is an optional data subscription service that provides device-level correlation between real-time events from intrusion detection and prevention systems and from enterprise vulnerability scan results. For more information about Advisor, see "Detecting Vulnerabilities and Exploits" in the NetIQ Sentinel Administration Guide.

Sentinel plug-ins: Sentinel supports a variety of plug-ins to expand and enhance system functionality. Some of these plug-ins are preinstalled. You can download additional plug-ins and updates from the Sentinel Plug-ins Web site. Sentinel plug-ins include the following:

Collectors
Connectors
Correlation rules and actions
Reports
iTRAC workflows
Solution packs

Sentinel has a highly scalable architecture, and if high event rates are expected, you can distribute components across several machines to achieve the best performance for the system. For production environments, NetIQ Corporation recommends setting up a distributed deployment because it isolates data collection components on a separate machine, which is important for handling spikes and other anomalies with maximum system stability. For more information, see Section 6.1, "Advantages of Distributed Deployments," on page 49.

Installation Checklist

Ensur
nector is deployed in the Sentinel server, you must copy the /etc/opt/novell/sentinel/config/sentinel.cer file from the receiver Sentinel machine to the sender Sentinel machine. If the Connector is deployed in a remote Collector Manager, you must copy the /etc/opt/novell/sentinel/config/rem.cer file from the receiver remote Collector Manager machine to the receiver Sentinel machine. Import this certificate into the sender Sentinel FIPS keystore.

NOTE: When using custom certificates that are digitally signed by a certificate authority (CA), you must import the appropriate custom certificate file.

If the Sentinel Link Connector is in non-FIPS mode: Import the custom Sentinel Link Server certificate into the sender Sentinel FIPS keystore.

NOTE: When the Sentinel Link Integrator is in FIPS 140-2 mode and the Sentinel Link Connector is in non-FIPS mode, use the custom server key pair on the connector. Do not use the internal server key pair.

For more information about importing the certificate, see "Importing Certificates into FIPS Keystore Database" on page 125.

2. Proceed with configuring the Integrator instance.

NOTE: In FIPS 140-2 mode, the Sentinel Link Integrator uses the Sentinel server key pair. Importing the Integrator key pair is not required.

21.5.7 LDAP Integrator

To configure the LDAP Integrator to run in FIPS 140-2 mode:

1. Before configuring the Integrator instance, download the certificate from the L
nel plug-ins that support cryptography are updated to support FIPS 140-2 mode:

Agent Manager Connector 2011.1r1 and later
Database (JDBC) Connector 2011.1r2 and later
File Connector 2011.1r1 and later (only if the file event source type is local or NFS)
LDAP Integrator 2011.1r1 and later
Sentinel Link Connector 2011.1r3 and later
Sentinel Link Integrator 2011.1r2 and later
SMTP Integrator 2011.1r1 and later
Syslog Connector 2011.1r2 and later
Windows Event (WMI) Connector 2011.1r2 and later
Check Point (LEA) Connector 2011.1r2 and later

For more information about configuring these Sentinel plug-ins to run in FIPS 140-2 mode, see "Configuring Sentinel Plug-Ins to Run in FIPS 140-2 Mode" on page 119.

The following Sentinel Connectors that support optional cryptography are not yet updated to support FIPS 140-2 mode at the time of release of this document. However, you can continue to collect events using these Connectors. For instructions on using these Connectors with Sentinel in FIPS 140-2 mode, see "Using Non-FIPS Enabled Connectors with Sentinel in FIPS 140-2 Mode" on page 125.

Cisco SDEE Connector 2011.1r1
File Connector 2011.1r1 (the CIFS and SCP functionalities involve cryptography and will not work in FIPS 140-2 mode)
NetIQ Audit Connector 2011.1r1
SNMP Connector 2011.1r1

The following Sentinel Integrators that supp
nformation about whether the PostgreSQL database was upgraded, see the Sentinel Release Notes.
11a. Switch to the novell user: su novell
11b. Browse to the bin folder of PostgreSQL: cd /opt/novell/sentinel/3rdparty/postgresql/bin
11c. Delete all the old PostgreSQL files by using the following command: ./delete_old_cluster.sh

Upgrading the Appliance by Using SMT

In secured environments where the appliance must run without direct Internet access, you can configure the appliance with the Subscription Management Tool (SMT), which allows you to upgrade the appliance to the latest available versions.

1. Ensure that the appliance is configured with SMT. For more information, see Section 13.4.4, "Configuring the Appliance with SMT," on page 97.
2. Log in to the appliance console as the root user.
3. Refresh the repository for upgrade: zypper ref -s
4. Check whether the appliance is enabled for upgrade: zypper lr
5. (Optional) Check the available updates for the appliance: zypper lu
6. (Optional) Check the packages that include the available updates for the appliance: zypper lp -r SMT-http_<smt_server_fqdn>:<package_name>
7. Update the appliance: zypper up -t patch -r SMT-http_<smt_server_fqdn>:<package_name>
8. Restart the appliance: rcsentinel restart

Upgrading Sentinel Plug-Ins

The upgrade installations of Sentinel
ng Delay Time Limit for Events

When Sentinel receives events from event sources, there may be a delay between the time the event was generated and the time Sentinel processes it. Sentinel stores the events with large delays in separate partitions. If many events are delayed over a long period of time, it may be an indicator of an incorrectly configured event source. This might also decrease the Sentinel performance as it attempts to handle the delayed events. Since the delayed events may be the result of a misconfiguration, and therefore may not be desirable to store, Sentinel allows you to configure the acceptable delay limit for the incoming events. The event router drops the events that exceed the delay limit. Specify the delay limit in the following property in the configuration.properties file:

esecurity.router.event.delayacceptthreshold=<time in milliseconds>

You can also have a listing periodically logged to the Sentinel server log file showing the event sources from which events are received that are delayed beyond a specified threshold. To log this information, specify the threshold in the following property in the configuration.properties file:

sentinel.indexedlog.eventdelay.reportthreshold=<time in milliseconds>

Handling Time Zones

Handling time zones can become very complex in a distributed environment. For example, you might have an event source in one time zone, the Collector Manager in another, the back-end Sentinel
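The two thresholds described above, as an added example that is not code from the NetIQ guide: a small Python model of the event router that reads the two property names the guide gives from a constructed configuration.properties fragment, drops events whose delay exceeds esecurity.router.event.delayacceptthreshold, and reports the sources whose delay exceeds sentinel.indexedlog.eventdelay.reportthreshold. The Event class, the source names, the timestamps and the function names are assumptions constructed for this example, not Sentinel's internal structures.

```python
"""Added example, not from the NetIQ guide: a toy model of the event router's
delay-limit behaviour using the two property names the guide documents."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed configuration.properties fragment. Values are milliseconds, as in the guide:
# accept events delayed up to 10 minutes, log sources whose events are delayed over 2 minutes.
CONFIG_PROPERTIES = """\
# constructed sample, not a real appliance file
esecurity.router.event.delayacceptthreshold=600000
sentinel.indexedlog.eventdelay.reportthreshold=120000
"""


def load_thresholds(text):
    """Parse key=value lines (blank lines and # comments ignored) and return
    (delayacceptthreshold, reportthreshold) in milliseconds."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return (int(props["esecurity.router.event.delayacceptthreshold"]),
            int(props["sentinel.indexedlog.eventdelay.reportthreshold"]))


@dataclass(frozen=True)
class Event:                       # constructed stand-in for a normalised event
    source: str
    device_event_time_ms: int      # when the source says the event happened
    received_ms: int               # when the Collector Manager received it


def route(events, accept_ms, report_ms):
    """Return (kept_events, dropped_count, report). report maps each source whose
    events arrived more than report_ms late to the worst delay seen, which is the
    listing the guide says can be logged periodically."""
    kept, dropped = [], 0
    worst = defaultdict(int)
    for ev in events:
        delay = ev.received_ms - ev.device_event_time_ms
        if delay > report_ms:
            worst[ev.source] = max(worst[ev.source], delay)
        if delay > accept_ms:
            dropped += 1           # the router drops events beyond the acceptable delay
            continue
        kept.append(ev)
    return kept, dropped, dict(worst)


# Constructed sample events (ms since epoch); three sources, one badly delayed.
T0 = 1_700_000_000_000
SAMPLE_EVENTS = [
    Event("fw-edge-01", T0, T0 + 1_000),              # 1 s late: normal
    Event("fw-edge-01", T0, T0 + 150_000),            # 2.5 min late: reported, still kept
    Event("legacy-syslog-host", T0, T0 + 900_000),    # 15 min late: reported and dropped
    Event("legacy-syslog-host", T0, T0 + 3_600_000),  # 1 h late: reported and dropped
    Event("ad-dc-02", T0, T0 + 30_000),               # 30 s late: normal
]


def demo():
    accept_ms, report_ms = load_thresholds(CONFIG_PROPERTIES)
    return route(SAMPLE_EVENTS, accept_ms, report_ms)


if __name__ == "__main__":
    kept, dropped, report = demo()
    print(f"kept={len(kept)} dropped={dropped}")
    for src, worst_ms in sorted(report.items()):
        print(f"{src}: worst delay {worst_ms / 60000:.1f} min")
```

A source that keeps showing up in the report with hours of delay is the misconfigured-clock or stalled-forwarder case the guide warns about, and is worth checking before raising the accept threshold.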
ng FIPS 140-2 Mode in an Existing Sentinel Installation" on page 115.
Configure Sentinel plug-ins to run in FIPS 140-2 mode: Section 21.5, "Configuring Sentinel Plug-Ins to Run in FIPS 140-2 Mode," on page 119.
Import certificates into the Sentinel FIPS Keystore: Section 21.6, "Importing Certificates into FIPS Keystore Database," on page 125.

NOTE: NetIQ highly recommends taking a backup of your Sentinel systems before beginning the conversion to FIPS mode. If for some reason the server must be reverted to non-FIPS mode, the only supported method for doing so involves restoring from a backup. For more information about reverting to non-FIPS mode, see "Reverting Sentinel to Non-FIPS Mode" on page 126.

Deployment Scenarios

This section provides information about the deployment scenarios for Sentinel in FIPS 140-2 mode.

Scenario 1: Data Collection in Full FIPS 140-2 Mode

In this scenario, data collection is done only through the Connectors that support FIPS 140-2 mode. We assume that this environment involves a Sentinel server and data is collected through a remote Collector Manager. You may have one or more remote Collector Managers.

(figure: Sentinel Server in FIPS mode, with Agent Manager Connector, Database (JDBC) Connector, Sentinel Link Connector, File Connector (NFS or local), Syslog Connector, Windows Event (WMI) Connector)
ntinel on more than one system, you can record your installation options in a file. You can use this file for an unattended Sentinel installation on other systems. To record your installation options, specify the following command:
./install-sentinel -r <response_filename>
4. Specify the number for the language you want to use for the installation, then press Enter. The end user license agreement is displayed in the selected language.
5. Press the Spacebar to read through the license agreement.
6. Enter yes or y to accept the license agreement and continue with the installation. The installation might take a few seconds to load the installation packages and prompt for the configuration type.
7. Specify 2 to perform a custom configuration of Sentinel.
8. Enter 1 to use the default 90-day evaluation license key, or enter 2 to enter a purchased license key for Sentinel.
9. Specify the password for the administrator user admin and confirm the password again.
10. Specify the password for the database user dbauser and confirm the password again. The dbauser account is the identity used by Sentinel to interact with the database. The password you enter here can be used to perform database maintenance tasks, including resetting the admin password if the admin password is forgotten or lost.
11. Specify the password for the application user appuser and confirm the password again.
12. Change the port assignments f
ny problems.

Correlation adds intelligence to security event management by automating analysis of the incoming event stream to find patterns of interest. Correlation allows you to define rules that identify critical threats and complex attack patterns so that you can prioritize events and initiate effective incident management and response. For more information, see "Correlating Event Data" in the NetIQ Sentinel User Guide.

To monitor events according to the Correlation rules, you must deploy the rules in the Correlation Engine. When an event occurs that satisfies the rule criteria, the Correlation Engine generates a correlation event describing the pattern. For more information, see "Correlation Engine" in the NetIQ Sentinel User Guide.

Security Intelligence

The correlation capability in Sentinel provides the ability to look for known patterns of activity, whether it be for security, compliance, or other reasons. The Security Intelligence capability looks for activity that is out of the ordinary, which may be malicious but does not match any known pattern. The Security Intelligence feature in Sentinel focuses on statistical analysis of time series data to enable analysts to identify and analyze deviations (anomalies), either by an automated statistical engine or by visual representation of the statistical data for manual interpretation. For more information, see "Analyzing Trends in Data" in the NetIQ Sentinel User Guide.

Incident Re
o receive updates as described in Section 13.4.3, "Registering for Updates," on page 97.
4. Click Next to finish the initial setup.

Creating Partitions

As a best practice, ensure that you create separate partitions to store Sentinel data on a different partition than the executables, configuration, and operating system files. The benefits of storing variable data separately include easier backup of sets of files, simpler recovery in case of corruption, and additional robustness if a disk partition fills up. For information about planning your partitions, see Section 6.6, "Planning Partitions for Data Storage," on page 54.

You can add partitions in the appliance and move a directory to the new partition by using the YaST tool. Use the following procedure to create a new partition and move the data files from its directory to the newly created partition:

1. Log in to Sentinel as root.
2. Run the following command to stop Sentinel on the appliance: /etc/init.d/sentinel stop
3. Specify the following command to change to the novell user: su novell
4. Move the contents of the directory at /var/opt/novell/sentinel to a temporary location.
5. Change to the root user.
6. Enter the following command to access the YaST2 Control Center: yast
7. Select System > Partitioner.
8. Read the warning and select Yes to add the new unused partition. For information about creating partitions, see "Using the YaST Partitioner" in the SLES 11 documentation.
ode02. Each node should have sufficient disk for the operating system, Sentinel binaries and configuration data, cluster software, temp space, and so forth. See the SUSE Linux and SLE HAE system requirements and Sentinel application requirements.

One SUSE Linux 11 SP3 VM configured with iSCSI Targets for shared storage. The OS install need not install X Windows, but can if Graphical User Interface configuration is desired. The boot scripts can be set to start without X (runlevel 3), which can then be started only when needed. The system will have two NICs: one for external access and one for iSCSI communications.

Configure the external NIC with an IP address that allows for remote access using SSH or similar. For example, 172.16.0.3 storage03. The system should have sufficient space for the operating system, temp space, a large volume for shared storage to hold Sentinel data, and a small amount of space for an SBD partition. See the SUSE Linux system requirements and Sentinel event data storage requirements.

NOTE: In a production cluster, you can use internal, non-routable IPs on separate NICs (possibly a couple, for redundancy) for internal cluster communications.

A.3.2 Shared Storage Setup

Set up your shared storage and make sure that you can mount it on each cluster node. If you are using FibreChannel and a SAN, this may involve physical connections and other conf
on about installing additional Collector Managers, see Section 12.5, "Installing Collector Managers and Correlation Engines," on page 82.

NOTE: You cannot install more than one Collector Manager on a single system. You can install additional Collector Managers on remote systems and then connect them to the Sentinel server.

Advantages of Additional Correlation Engines

You can deploy multiple Correlation Engines, each on its own server, without the need to replicate configurations or add databases. For environments with large numbers of Correlation rules or extremely high event rates, it can be advantageous to install more than one Correlation Engine and redeploy some rules to the new Correlation Engine. Multiple Correlation Engines provide the ability to scale as the Sentinel system incorporates additional data sources or as event rates increase. For information on installing additional Correlation Engines, see Section 12.5, "Installing Collector Managers and Correlation Engines," on page 82.

NOTE: You cannot install more than one Correlation Engine on a single system. You can install additional Correlation Engines on remote systems and then connect them to the Sentinel server.

Advantages of Additional NetFlow Collector Managers

The NetFlow Collector Manager collects network flow data from network devices. However, you can install additional NetFlow Collector Managers rather than using the NetFlow Collector Manager on the Sentinel
on installs the following components in the Sentinel server:

Sentinel server process: This is the primary component of Sentinel. The Sentinel server process processes requests from other components of Sentinel and enables seamless functionality of the system. The Sentinel server process handles requests such as filtering data, processing search queries, and managing administrative tasks that include user authentication and authorization.
Web server: Sentinel uses Jetty as its Web server to allow secure connection to the Sentinel Web interface.
PostgreSQL database: Sentinel has a built-in database that stores Sentinel configuration information, asset and vulnerability data, identity information, incident and workflow status, and so on.
MongoDB database: Stores the Security Intelligence data.
Collector Manager: Collector Manager provides a flexible data collection point for Sentinel. The Sentinel installer installs a Collector Manager by default during installation.
NetFlow Collector Manager: The NetFlow Collector Manager collects network flow data (NetFlow, IPFIX, and so on) from network devices such as routers, switches, and firewalls. Network flow data describes basic information about all network connections between hosts, including packets and bytes transmitted, which helps you visualize the behavior of individual hosts or the entire network.
Correlation Engine: The Correlation Engine processes events from the real-time event stream to determi
onal) To verify the password, see the following line in the activemqusers.properties file:
For Collector Manager: collectormanager=<password>
In this example, collectormanager is the username and the corresponding value is the password.
For Correlation Engine: correlationengine=<password>
In this example, correlationengine is the username and the corresponding value is the password.
12. Select Next to complete the installation. When the installation is complete, it displays a message that this appliance is the Sentinel Collector Manager or the Correlation Engine, depending on what you chose to install, along with the IP address.

13.3 Installing the ISO Appliance

This section provides information about installing Sentinel, Collector Manager, and Correlation Engine as an ISO appliance.

Section 13.3.1, "Prerequisites," on page 93
Section 13.3.2, "Installing Sentinel," on page 93
Section 13.3.3, "Installing Collector Managers and Correlation Engines," on page 94

13.3.1 Prerequisites

Download the appliance ISO disk image from the support site, unpack the file, and make a DVD.
Ensure that the system (bare metal and Hyper-V) where you want to install the ISO disk image has a minimum memory of 4.5 GB for the installation to complete.
Ensure that the minimum hard disk space is 30 GB for the installer to make the automati
ontact NetIQ Services

(remaining cells of the preceding hardware row, in reading order)
CPU: Not Applicable (Local Embedded CM Only); Xeon(R) CPU E5450 3.00GHz, 4 cores, virtual machine; Not Applicable (Local Embedded CM Only); Contact NetIQ Services
Storage: 50 GB; 20 GB free space
Memory: 4 GB; 24 GB

Remote Collector Manager 2 Hardware

Table columns, left to right: Demo (not intended for production); Medium, All-in-One, Agent-based Data Collection; Medium, Distributed, Agentless Data Collection; Large, Distributed, Agentless Data Collection, Raw Data Not Stored; Large, Distributed, Agentless Data Collection, Raw Data Stored; Extra Large.

CPU: Not Applicable; 8 Core Intel(R) Xeon(R) CPU X5570 2.93GHz, virtual machine; Contact NetIQ Services
Storage: 50 GB
Memory: 8 GB

NetFlow Collector Manager Hardware

CPU: 4 Core Intel(R) Xeon(R) CPU X5570 2.93GHz, virtual machine; Not Applicable; 4 Core Intel(R) Xeon(R) CPU X5570 2.93GHz, virtual machine; Contact NetIQ Services
Storage: 50 GB; 50 GB
Memory: 4 GB; 4 GB

Agent Manager Hardware

CPU: Not Applicable (Agentless collection only); Two Intel Xeon 5140 2.33 GHz, 2 cores per CPU, 4 cores total; Not Applicable (Agentless collection only); Contact NetIQ Services
Storage: 2 x 300 GB SAS 10K RPM, RAID 0, stripe size 128k
Memory: 16 GB

Remote Correlation Engine Hardware

CPU: Not Applicable (Local Embedded CE Only); C
ontact NetIQ Services (Storage and Memory cells of the preceding row)

Table columns, left to right: Demo (not intended for production); Medium, All-in-One, Agent-based Data Collection; Medium, Distributed, Agentless Data Collection; Large, Distributed, Agentless Data Collection, Raw Data Not Stored; Large, Distributed, Agentless Data Collection, Raw Data Stored; Extra Large.

Category: Data Collection, Collector Manager Distribution. Description: The number of event sources and events per second load placed on each collector. The filtered percentage indicates how many normalized events were filtered out immediately after collection without being stored or passed to analytic engines. Note that the non-normalized raw log data that the normalized events are based off of is not affected by filtering and is always stored.

Cell values, in reading order (column assignment only partly recoverable):
Local Embedded CM: Event Sources 101, Filtered 0
Local Embedded CM Not Used; Remote CM 1: Event Sources 2000, 3000 EPS, Filtered 0
Local Embedded CM: Event Sources 5000, Filtered 0
Local Embedded CM Not Used; Remote CM 1: Event Sources 350, 7000 EPS, Filtered 0; Remote CM 2: Event Sources 150, 4000 EPS, Filtered 0, Raw Data Disabled
Local Embedded CM Not Used; Remote CM 1: Event Sources 350, 9000 EPS, Filtered 0; Remote CM 2: Event Sources 150, 4000 EPS, Filtered 0, Raw Data Disabled
Contact NetIQ Services

The Local Embedded CM
or Manager or a Correlation Engine is the same, except that you need to download the appropriate file from the NetIQ Download Web site.

1. Complete Step 1 through Step 14 in Section 13.2.1, "Installing Sentinel," on page 90.
2. On the Network Configuration II screen, select Change and specify the IP address of the virtual machine where you want to install the additional Collector Manager or Correlation Engine.
3. Specify the subnet mask of the specified IP.
4. Select Next. The network connection settings are saved.
5. Set the time and date, then select Next. To change the NTP configuration after installation, use YaST from the appliance command line. You can use WebYaST to change the time and date, but not the NTP configuration. If the time appears out of sync immediately after the install, run the following command to restart NTP: rcntp restart
6. Set the SUSE Enterprise Server root password, then select Next.
7. Specify the hostname/IP address of the Sentinel server to which the Collector Manager or Correlation Engine should connect.
8. Specify the communication server port number. The default message bus port is 61616.
9. Specify the ActiveMQ User Name, which is the Collector Manager or Correlation Engine username.
10. Specify the password for the ActiveMQ User. The ActiveMQ user credentials are stored in the <install_dir>/etc/opt/novell/sentinel/config/activemqusers.properties file located on the Sentinel server.
11. (Opti
or all services to start after installation because the system performs a one-time initialization. Wait until the installation finishes before you log in to the server.

To access the Sentinel Web interface, specify the following URL in your Web browser:
https://<IP_Address_Sentinel_server>:8443
The <IP_Address_Sentinel_server> is the IP address or DNS name of the Sentinel server, and 8443 is the default port for the Sentinel server.

Custom Installation

If you are installing Sentinel with a custom configuration, you can specify the license key, change the password for different users, and specify values for different ports that are used to interact with the internal components.

1. Download the Sentinel installation file from the NetIQ Downloads Web site:
1a. In the Product or Technology field, browse to and select SIEM-Sentinel.
1b. Click Search.
1c. Click the button in the Download column for Sentinel 7.2 Evaluation.
1d. Click proceed to download, then specify your customer name and password.
1e. Click download for the installation version for your platform.
2. Specify at the command line the following command to extract the installation file:
tar zxvf <install_filename>
Replace <install_filename> with the actual name of the install file.
3. Specify the following command in the root of the extracted directory to install Sentinel:
./install-sentinel
or
If you want to use this custom configuration to install Se
141. or the Sentinel services by entering the desired number, then specifying the new port number.
13. After you have changed the ports, specify 7 for done.
14. Enter 1 to authenticate users using only the internal database, or, if you have configured an LDAP directory in your domain, enter 2 to authenticate users by using LDAP directory authentication. The default value is 1.
15. If you want to enable Sentinel in FIPS 140-2 mode, press y.
   15a. Specify a strong password for the keystore database and confirm the password again.
        NOTE: The password must be at least seven characters long. It must contain at least three of the following character classes: digits, ASCII lowercase letters, ASCII uppercase letters, ASCII non-alphanumeric characters, and non-ASCII characters. If an ASCII uppercase letter is the first character, or a digit is the last character, they are not counted.
   15b. If you want to insert external certificates into the keystore database to establish trust, press y and specify the path for the certificate file. Otherwise, press n.
   15c. Complete the FIPS 140-2 mode configuration by following the tasks mentioned in Chapter 21, Operating Sentinel in FIPS 140-2 Mode, on page 117.
The Sentinel installation finishes and the server starts. It might take a few minutes for all services to start after installation because the system performs a one-time initialization. Wait until the installation finishes before you log in to the s
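The keystore password rule in the NOTE above is easy to misread: a capital in the first position and a digit in the last position are ignored when counting classes, so "Password1" has only one counted class even though it looks like three. The following checker, added here as an example and not part of Sentinel, implements the rule as stated so you can vet a candidate password before the installer rejects it. The interpretation that an uncounted first or last character simply contributes nothing to the class total is an assumption.

```python
"""Check a candidate FIPS keystore password against the policy stated above.

Added example, not Sentinel code; the interpretation that an excluded first or
last character simply contributes nothing to the class count is an assumption.
"""
import string

MIN_LENGTH = 7
MIN_CLASSES = 3


def character_class(ch):
    """Map one character to the policy's class name."""
    if ch in string.digits:
        return "digit"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.ascii_uppercase:
        return "upper"
    if ord(ch) > 0x7F:
        return "non-ascii"
    return "ascii-other"          # punctuation, space, control characters


def counted_classes(password):
    """Return the set of classes that count towards the minimum.

    An ASCII uppercase letter in the first position and a digit in the last
    position are skipped, as the NOTE requires.
    """
    classes = set()
    last = len(password) - 1
    for i, ch in enumerate(password):
        if i == 0 and ch in string.ascii_uppercase:
            continue
        if i == last and ch in string.digits:
            continue
        classes.add(character_class(ch))
    return classes


def password_problems(password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = counted_classes(password)
    if len(classes) < MIN_CLASSES:
        problems.append(
            f"only {len(classes)} counted character class(es), "
            f"need {MIN_CLASSES}: {sorted(classes)}"
        )
    return problems


if __name__ == "__main__":
    # Constructed candidates: the second looks varied, but its only capital and
    # its only digit sit in the two positions the policy does not count.
    for candidate in ("Passw0rd!", "Password1", "sentinel!Ω", "Ab1"):
        verdict = password_problems(candidate)
        print(f"{candidate!r}: {'ok' if not verdict else '; '.join(verdict)}")
```

Run it with a candidate of your own before step 15a; a password that passes here still deserves the usual length and randomness you would give any keystore protecting a FIPS trust store.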
142. orming at the same time, on average? Impacts the amount of IOPS for primary and secondary storage. Values: 4 (100M events per search); 1 (150M events per search)
- How many reports will an active user be running at the same time, on average? Impacts the amount of IOPS for primary and secondary storage. Values: 4 (200k events per report); 1 (500k events per report); not tested with search or reporting load; 1 (1B events per search); 1 (600k events per report)
- How many real-time NetFlow monitoring views will be running at the same time, on average? Values: 2 (last 1 hour and last 12 hours); Not Applicable; 2 (last 12 hours and last 24 hours); Contact NetIQ Services

Category | Description | Demo All-in-One (not intended for production) | Medium Distributed Agent-less Data Collection | Medium Distributed Agent-based Data Collection | Large Distributed Agent-less Data Collection, Raw Data Stored | Large Distributed Agent-less Data Collection, Raw Data Not Stored | Extra Large

Analytics
- What percentage of the event data is relevant to correlation rules? Impacts the amount of data the correlation engine will process. Values: 100% out of the box (3 correlations per second); 100% out of the box; 100% out of the box (10 correlations per second); 0 correlations per second
- How many … Impacts the … 116 out of
143. ort SSL are not updated to support FIPS 140-2 mode at the time of release of this document. However, you may continue to use unencrypted connections when these Integrators are used with Sentinel in FIPS 140-2 mode:
   Remedy Integrator 2011.1r1 or later
   SOAP Integrator 2011.1r1 or later
An unencrypted Integrator connection carries ticket data and any credentials in cleartext, so confine it to a trusted network segment.

Any other Sentinel plug-ins that are not listed above do not use cryptography and are not affected by enabling FIPS 140-2 mode in Sentinel. You do not need to perform any additional steps to use them with Sentinel in FIPS 140-2 mode. For more information about the Sentinel plug-ins, see the Sentinel Plug-ins Web site. If you would like to request that one of the plug-ins that has not yet been updated be made available with FIPS support, please submit a request using Bugzilla.

Implementation Checklist

The following table provides an overview of the tasks required to configure Sentinel for operation in FIPS 140-2 mode.

Tasks:
- Plan the deployment. For more information, see Section 7.4, Deployment Scenarios, on page 59.
- Determine whether you need to enable FIPS 140-2 mode during the Sentinel installation or want to enable it in future. To enable Sentinel in FIPS 140-2 mode during the installation, you need to select the Custom or Silent installation method during the installation process: Section 12.2.2, Custom Installation, on page 79; Section 12.3, Performing a Silent Installation, on page 80; Chapter 20, Enabli
144. orts Used 65

   Ports | Direction | Required/Optional | Description
   TCP 80 | Outbound | Optional | Initiates a connection to the Subscription Management Tool.

Collector Manager Ports

The Collector Manager uses the following ports to communicate with other components.

Network Ports

For the Sentinel Collector Manager to work properly, ensure that the following ports are open on the firewall:

   Ports | Direction | Required/Optional | Description
   TCP 1289 | Inbound | Optional | Used for Audit connections.
   UDP 1514 | Inbound | Optional | Used for syslog messages.
   TCP 1443 | Inbound | Optional | Used for SSL-encrypted syslog messages.
   TCP 1468 | Inbound | Optional | Used for syslog messages.
   TCP 1099 and 2000 | Inbound | Optional | Used together by monitoring tools to connect to the Sentinel server process using Java Management Extensions (JMX).
   TCP 61616 | Outbound | Required | Initiates a connection to the Sentinel server.

Collector Manager Appliance-Specific Ports

In addition to the above ports, the following ports are open for the Sentinel Collector Manager appliance:

   Ports | Direction | Required/Optional | Description
   TCP 22 | Inbound | Required | Used for secure shell access to the Sentinel appliance.
   TCP 4984 | Inbound | Required | Used by the Sentinel Applia
   TCP 289 | Inbound | Optional |
   UDP 514 | Inbound | Optional |
   TCP 1290 | Inbound | Optional |
   UDP and TCP 40000-41000 | Inbound | Optional |
145. oses. There are some predefined fields, such as severity, criticality, destination IP, and destination port. There are two sets of configurable fields: Reserved fields are for Sentinel internal use, to allow future expansion, and Customer fields are for customer extensions. Fields can be re-purposed by renaming them.

The source for a field can be either external, which means that it is set explicitly by the device or the corresponding Collector, or referential. The value of a referential field is computed as a function of one or more other fields using the mapping service. For example, a field can be defined to be the building code for the building containing the asset mentioned as the destination IP of an event; such a field can be computed by the mapping service using a customer-defined map, keyed on the destination IP from the event.

   Section 2.2.1, Mapping Service, on page 22
   Section 2.2.2, Streaming Maps, on page 22
   Section 2.2.3, Exploit Detection Mapping Service, on page 22

Mapping Service

The Mapping Service provides a sophisticated mechanism to propagate business relevance data throughout the system. This data can enrich events with referential information that provides context, enabling analysts to make better decisions, write more useful reports, and write well-thought-out correlation rules. You can enrich your event data by using maps to add add
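The building-code example above is the whole idea of a referential field in miniature: an external field (the destination IP written by the Collector) is looked up in a customer-defined map and the result becomes a new field on the event. The script below, added here as an illustration and not the Sentinel Mapping Service itself, shows that computation with a CIDR-keyed map where the most specific network wins. The map contents, the field names DestinationIP and DestinationBuilding, and the events are constructed for the example.

```python
"""Referential-field enrichment via a customer-defined map keyed on destination IP.

Added example of the idea described above, not the Sentinel Mapping Service.
The map contents, field names and CIDR-keyed lookup are constructed for illustration.
"""
import ipaddress

# Constructed sample map: one network per line; the most specific match wins.
BUILDING_MAP_CSV = """\
# network,building_code
10.1.0.0/16,HQ
10.1.20.0/24,HQ-DC1
192.168.5.0/24,BR-LON
"""


def load_map(csv_text):
    """Parse the map into (network, value) pairs, longest prefix first."""
    entries = []
    for raw in csv_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        network, value = [part.strip() for part in line.split(",", 1)]
        entries.append((ipaddress.ip_network(network, strict=False), value))
    entries.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return entries


def lookup(entries, address):
    """Return the value for the most specific network containing address, or None.

    A value that is not an IP address (for example a hostname a Collector left
    in the field) yields None rather than an exception, so one malformed event
    does not stop enrichment of the stream.
    """
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    for network, value in entries:
        if ip in network:
            return value
    return None


def enrich(event, entries, source_field="DestinationIP", target_field="DestinationBuilding"):
    """Compute a referential field from an external field; returns a new event dict."""
    enriched = dict(event)
    enriched[target_field] = lookup(entries, event.get(source_field, ""))
    return enriched


if __name__ == "__main__":
    building_map = load_map(BUILDING_MAP_CSV)
    # Constructed events: a data-centre host, a plain HQ host, an external address.
    for event in ({"DestinationIP": "10.1.20.7", "DestinationPort": 22},
                  {"DestinationIP": "10.1.3.4", "DestinationPort": 445},
                  {"DestinationIP": "203.0.113.9", "DestinationPort": 443}):
        print(enrich(event, building_map))
```

Sorting the map by prefix length once at load time keeps the per-event lookup simple; a production map with thousands of networks would use a prefix tree, but the semantics (longest match, None for unknown or unparsable input) are the ones that matter when you write a correlation rule against the enriched field.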
146. out the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and rest
147. perating Sentinel in FIPS 140-2 Mode 125

21.7 Reverting Sentinel to Non-FIPS Mode

This section provides information about how to revert Sentinel and its components to non-FIPS mode.
   Section 21.7.1, Reverting Sentinel Server to Non-FIPS mode, on page 126
   Section 21.7.2, Reverting Remote Collector Managers or Remote Correlation Engines to Non-FIPS mode, on page 126

21.7.1 Reverting Sentinel Server to Non-FIPS mode

You can revert a Sentinel server running in FIPS 140-2 mode to non-FIPS mode only if you took a backup of your Sentinel server before converting it to run in FIPS 140-2 mode.

NOTE: When you revert a Sentinel server to non-FIPS mode, you lose the events, incident data, and configuration changes made to your Sentinel server after converting it to run in FIPS 140-2 mode. The Sentinel system is restored to the last restoration point of non-FIPS mode. Take a backup of the current system before reverting to non-FIPS mode, for future use.

To revert your Sentinel server to non-FIPS mode:
1. Log in to the Sentinel server as the root user.
2. Switch to the novell user.
3. Browse to the Sentinel bin directory. The default location is /opt/novell/sentinel/bin.
4. Run the following command to revert your Sentinel server to non-FIPS mode, and follow the on-screen instructions:
   ./backup_util.sh -f <backup_file_name>.tar.gz -m restore
   For example, if non-fips2013012419111
148. plication user. If you want to keep the existing password, enter 1, then continue with Step 9. If you want to change the existing password, enter 2, specify the new password, confirm the password, then continue with Step 9.
   The appuser account is an internal identity that the Sentinel Java process uses to establish a connection and interact with the database. The password you enter here is used to perform database tasks.
9. Change the port assignments for the Sentinel services by entering the desired number, then specifying the new port number.
10. After you have changed the ports, specify 7 for done.
11. Enter 1 to authenticate users using only the internal database, or, if you have configured an LDAP directory in your domain, enter 2 to authenticate users by using LDAP directory authentication. The default value is 1.

19 Configuring Out-of-the-Box Plug-Ins

By default, Sentinel comes with several plug-ins. This chapter provides information about how to configure the out-of-the-box plug-ins.
   Section 19.1, Configuring the Solution Packs, on page 113
   Section 19.2, Configuring the Collectors, Connectors, Integrators, and Actions, on page 113

19.1 Configuring the Solution Packs

Sentinel ships with a wide variety of useful out-of-the-box content that you can use immediately to meet many of your analysis
149. port FIPS 140-2 mode and Connectors that do not support FIPS 140-2 mode. We assume that this environment involves a Sentinel server and that data is collected through a remote Collector Manager. You may have one or more remote Collector Managers.

[Figure: Sentinel server in FIPS mode. One Sentinel remote Collector Manager in FIPS mode collects from the Agent Manager, Database (JDBC), Sentinel Link, File, Syslog, Windows Event (WMI), and NFS or Local File Connectors; a second Sentinel remote Collector Manager in non-FIPS mode collects from the Audit, Check Point LEA, File, SDEE, and SNMP Connectors.]

To handle data collection using Connectors that support and those that do not support the FIPS 140-2 mode, you should have two remote Collector Managers: one running in FIPS 140-2 mode for FIPS-supported Connectors, and another running in non-FIPS (normal) mode for Connectors that do not support the FIPS 140-2 mode.

You must perform the following procedure if your environment involves data collection from event sources using Connectors that support FIPS 140-2 mode and Connectors that do not support FIPS 140-2 mode yet:
1. You must have a Sentinel server in FIPS 140-2 mode.
   NOTE: If your Sentinel server (freshly installed or upgraded) is in non-FIPS mode, you must enable FI
150. ppliance for automatic updates, register for updates. For more information, see Section 13.4.3, Registering for Updates, on page 97. If the appliance is not registered, Sentinel displays a yellow warning that indicates that the appliance is not registered.
6. To check if there are any updates, click Updates. The available updates are displayed.
7. Select and apply the updates. The updates might take a few minutes to complete. After the update is successful, the WebYaST login page is displayed.
   Before upgrading the appliance, WebYaST automatically stops the Sentinel service. You must manually restart this service after the upgrade is complete.
8. Restart the Sentinel service by using the Web interface. For more information, see Section 13.5, Stopping and Starting the Server by Using WebYaST, on page 98.
9. Clear your Web browser cache to view the latest Sentinel version.
10. Clear the Java Web Start cache on the client computers to use the latest version of the Sentinel applications. You can clear the Java Web Start cache either by using the javaws -clearcache command or by using the Java Control Panel. For more information, see http://www.java.com/en/download/help/plugin_cache.xml.
11. (Conditional) If the PostgreSQL database has been upgraded to a major version (for example, 8.0 to 9.0, or 9.0 to 9.1), clear the old PostgreSQL files from the PostgreSQL database. For i
151. r sh

(Conditional) To upgrade Collector Manager systems and Correlation Engine systems, see Section 24.3, Upgrading the Collector Manager or the Correlation Engine, on page 135.

24.2 Upgrading Sentinel as a Non-root User

If your organizational policy does not allow you to run the full upgrade of Sentinel as root, you can upgrade Sentinel as another user. In this upgrade, a few steps are performed as the root user, then you proceed to upgrade Sentinel as another user created by the root user.
1. Download the installation files from the NetIQ Downloads Web site.
2. Specify the following command at the command line to extract the install files from the tar file:
   tar zxvf <install_filename>
   Replace <install_filename> with the actual name of the install file.
3. Log in as root to the server where you want to upgrade Sentinel.
4. Extract the squashfs RPM from the Sentinel install files.
5. Install the squashfs on the Sentinel server:
   rpm -Uvh <install_filename>
6. Specify the following command to change to the newly created non-root user novell:
   su novell
7. (Conditional) To do an interactive upgrade:
   7a. Specify the following command:
       ./install-sentinel
       To upgrade Sentinel in a non-default location, specify the --location option along with the command. For example:
       ./install-sentinel --location=/foo
   7b. Continue with Step 9.
8. (Conditional) To do a silent upgrade, specify the following command:
152. rage device that meets the performance and size characteristics documented in Chapter 5, Meeting System Requirements, on page 35. The exemplary solution will use a standard SUSE Linux VM configured with iSCSI Targets as shared storage.
- A minimum of two cluster nodes that meet the resource requirements for running Sentinel in the customer environment. The exemplary solution will use two SUSE Linux VMs.
- A method for the cluster nodes to communicate with the shared storage, such as FibreChannel for a SAN. The exemplary solution will use a dedicated IP address to connect to the iSCSI Target.
- A virtual IP that can be migrated from one node to another node in the cluster, to serve as the external IP address for Sentinel.
- At least one IP address per cluster node for internal cluster communications. The exemplary solution will use a simple unicast IP address, but multicast is preferred for production environments.

A.3 Installation and Configuration

This section provides the steps for installing and configuring Sentinel in an HA environment. Each step describes the general approach, then refers to a demo setup that documents the details of an exemplary cluster solution.

The following diagram represents an active/passive HA architecture:

[Figure: cluster (SLE HAE, vMotion, etc.); event sources (Syslog, LEA, etc.); Sentinel Collector Manager; Sentinel software and config data; virtual IP; Sentinel; Syslog, JDBC, etc.; event dat
153. re you want to install Sentinel as root.
4. Specify the following command:
   ./bin/root_install_prepare
   A list of commands to be executed with root privileges is displayed. If you want the non-root user to install Sentinel in a non-default location, specify the --location option along with the command. For example:
   ./bin/root_install_prepare --location=/foo
   The value that you pass to the --location option (/foo) is prepended to the directory paths. This also creates a novell group and a novell user if they do not already exist.
5. Accept the command list. The displayed commands are executed.
6. Specify the following command to change to the newly created non-root user novell:
   su novell
7. (Conditional) To do an interactive installation:
   7a. Specify the following command:
       ./install-sentinel
       To install Sentinel in a non-default location, specify the --location option along with the command. For example:
       ./install-sentinel --location=/foo
   7b. Continue with Step 9.
8. (Conditional) To do a silent installation:
   8a. Specify the following command:
       ./install-sentinel -u <response_file>
       The installation proceeds with the values stored in the response file.
   8b. Continue with Step 12.
9. Specify the number for the language you want to use for the installation. The end user license agreement is displayed in the selected language.
10. Read the end user license and enter yes or y to accep
154. red to protect your IT environment.
   Section 1.1, Challenges of Securing an IT Environment, on page 15
   Section 1.2, The Solution That Sentinel Provides, on page 16

1.1 Challenges of Securing an IT Environment

Securing your IT environment is a challenge because of its complexity. There are many different applications, databases, mainframes, workstations, and servers, all of which have logs of events. You also have security devices and network infrastructure devices, which all contain logs of what is happening in your IT environment.

[Figure 1.1, What Happens in Your Environment: Network Infrastructure (routers, switches, VPN concentrators); Databases (Oracle, SQL Server, DB2); Security Devices (firewalls, IDSs, IPSs); Applications (SAP, home-grown); Workstations and Servers (Windows, Unix, NetWare); Mainframes (RACF, ACF2, Top Secret)]

The challenges arise because of the following facts:
- There are many devices in your IT environment.
- The logs are in different formats.
- The logs are stored in silos.
- The amount of information generated in the logs is large.
- You can't determine who did what without manually analyzing all of the logs.

To make the information useful, you must be able to perform the following:
- Collect the data.
- Consolidate the data.
- Normalize disparate data into events that you can easi
155. rictions provided in the license agreement.

© 2014 NetIQ Corporation and its affiliates. All Rights Reserved.

For information about NetIQ trademarks, see http://www.netiq.com/company/legal/.

Contents

About this Book and the Library 9
About NetIQ Corporation 11

Part I Understanding Sentinel 13

1 What is Sentinel? 15
   1.1 Challenges of Securing an IT Environment 15
   1.2 The Solution That Sentinel Provides 16

2 How Sentinel Works 19
   2.1 Event Sources 21
   2.2 Sentinel Events 21
       2.2.1 Mapping Service 22
       2.2.2 Streaming Maps 22
       2.2.3 Exploit Detection Mapping Service 22
   2.3 Collector Manager 23
       2.3.1 Collectors 23
       2.3.2 Connectors 23
   2.4 Agent Manager 23
   2.5 NetFlow Collector Manager 24
   2.6 Sentinel Data Routing and Storage 24
   2.7 Correlation 25
   2.8 Security Intelligence 25
   2.9 Incident Remediation 25
   2.10 iTRAC Workflows 25
   2.11 Actions and Integrators
156. rity information from all of the different event sources in your IT environment.
- Normalizes the collected logs, events, and security information into a common format.
- Stores events in a file-based data store with flexible, customizable data retention policies.
- Collects network flow data and helps you monitor network activities in detail.
- Provides the ability to hierarchically link multiple Sentinel systems, including Sentinel Log Manager.
- Allows you to search for events not only on your local Sentinel server, but also on other Sentinel servers distributed across the globe.
- Performs a statistical analysis that allows you to define a baseline and then compares it to what is occurring, to determine if there are unseen problems.
- Correlates a set of similar or comparable events in a given period to determine a pattern.
- Organizes events into incidents for efficient response management and tracking.
- Provides reports based on real-time and historical events.

The following figure illustrates how Sentinel works.

[Figure 2.1, Sentinel Architecture: Sentinel Server (Collector Manager, Event Routing, Correlation Engine, Primary and Secondary Storage, Incident Remediation, Search, Reports, Correlation, Trending and Analysis, iTRAC Workflows, Actions and Integrators); Sentinel Web Console; Data Warehouse; other Sentinel and Sentinel Log Manager systems; Agent Manager]
157. rmance data on a regular basis.
- What percentage of searches will be over data older than the number of days above? Impacts the amount of input/output operations per second (IOPS) for primary or secondary storage. Value: 10
- How far into the past must data be retained? Impacts how much disk space is needed to retain all of the data. If secondary storage is enabled, this impacts the size of secondary storage needed; otherwise, it impacts the size of primary storage needed. Value: 14 days
- Will a secondary storage device be available and connected? Impacts whether all data will be stored in primary storage, or whether secondary storage is available for lower-cost, long-term online storage. Data in secondary storage remains online. Value: No
- Extra Large: Contact NetIQ Services

Category | Description | Demo All-in-One (not intended for production) | Medium Distributed Agent-less Data Collection | Medium Distributed Agent-based Data Collection | Large Distributed Agent-less Data Collection, Raw Data Stored | Large Distributed Agent-less Data Collection, Raw Data Not Stored | Extra Large

User Activity
- How many users will be active at the same time, on average? Impacts the amount of IOPS for primary and secondary storage, and other items.
- How many searches will an active user be perf
158. s, see Using the YaST Partitioner in the SLES documentation and Section 6.6, Planning Partitions for Data Storage, on page 54.
Enter the root password and select Next. The Live Installation Settings screen displays the selected installation settings.
Review the settings, configure the settings if necessary, and then select Install.
Select Install to confirm the installation.
Wait until the installation finishes. It might take a few minutes for all services to start up after installation because the system performs a one-time initialization.
Select OK to reboot the system.
Make a note of the appliance IP address that is shown in the console.
Enter the root username and password at the console to log in to the appliance. The default value for the username is root, and the password is the password you set in Step 18.
Proceed with Section 13.4, Post-Installation Configuration for the Appliance, on page 95.

Installing Collector Managers and Correlation Engines

The procedure to install a Collector Manager or a Correlation Engine is the same, except that you need to download the appropriate ISO appliance file from the NetIQ Download Web site.
1. Complete Step 1 through Step 13 in Section 13.3.2, Installing Sentinel, on page 93.
2. Specify the following configuration for the Collector Manager or the Correlation Engine:
   Sentinel Server Hostname or IP Address: Specify the host name or IP address of the Sentinel server that t
159. s a secure HTTPS connection to download its feed from the Advisor server. The certificate used by the server for secure communication must be added to the Sentinel FIPS keystore database.

To verify successful registration with the Resource Management database:
1. Download the certificate from the Advisor server and save the file as advisor.cer.
2. Import the Advisor server certificate into the Sentinel FIPS keystore. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database on page 125.

Configuring Distributed Search in FIPS 140-2 Mode

This section provides information about configuring distributed search in FIPS 140-2 mode.

Scenario 1: Both the source and the target Sentinel servers are in FIPS 140-2 mode

To allow distributed searches across multiple Sentinel servers running in FIPS 140-2 mode, you need to add the certificates used for secure communication to the FIPS keystore.
1. Log in to the distributed search source computer.
2. Browse to the certificate directory:
   cd <sentinel_install_directory>/config
3. Copy the source certificate, sentinel.cer, to a temporary location on the target computer.
4. Import the source certificate into the target Sentinel FIPS keystore. Anything imported into the FIPS keystore becomes trusted, so confirm the certificate's fingerprint with the source administrator before importing a file that travelled through a temporary location. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database on page 125.
5. Log in to the distributed
160. s authentication data or user creation, and some are general-purpose templates that allow you to customize groups and columns on the report interactively.

Over time, you will develop commonly used filters and reports that make your workflows easier. Sentinel fully supports storing this information and distributing it to people in your organization. For more information, see the NetIQ Sentinel User Guide.

Planning Your Sentinel Installation

This section guides you through planning considerations before installing Sentinel. If you want to install a configuration that is not identified in the sections that follow, or if you have any questions, contact NetIQ Technical Support.
   Chapter 3, Implementation Checklist, on page 31
   Chapter 4, Understanding License Information, on page 33
   Chapter 5, Meeting System Requirements, on page 35
   Chapter 6, Deployment Considerations, on page 49
   Chapter 7, Deployment Considerations for FIPS 140-2 Mode, on page 57
   Chapter 8, Ports Used, on page 63
   Chapter 9, Installation Options, on page 69

3 Implementation Checklist

Use the following checklist to complete planning, installing, and configuring Sentinel.

Tasks:
- Review the product architecture information to
161. search target computer.
6. Browse to the certificate directory:
   cd /etc/opt/novell/sentinel/config
7. Copy the target certificate, sentinel.cer, to a temporary location on the source computer.
8. Import the target system certificate into the source Sentinel FIPS keystore.
9. Restart the Sentinel services on both the source and target computers.

Scenario 2: The source Sentinel server is in non-FIPS mode and the target Sentinel server is in FIPS 140-2 mode

You must export the Web server certificate from the keystore on the source computer to the certificate format, then copy the certificate to the target computer.
1. Log in to the distributed search source computer.
2. Export the Web server certificate from the keystore in certificate (.cer) format:
   <sentinel_install_directory>/jre/bin/keytool -export -alias webserver -keystore <sentinel_install_directory>/config/webserverkeystore.jks -storepass password -file <certificate_name>.cer
   keytool -export writes only the public certificate, never the private key, so the resulting .cer file is safe to copy. If you changed the Web server keystore password from the default shown here, pass your own value to -storepass.
3. Copy the exported distributed search source certificate, <certificate_name>.cer, to a temporary location on the distributed search target computer.
4. Log in to the distributed search target computer.
5. Import the source certificate into the target Sentinel FIPS keystore. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database on page 125.
6. Restart the Sentinel services on the target computer.

Scenario 3: The source Sentinel server is in FIPS mode and the target Sentinel server is in non
162. security level to Medium-high.
2. Make sure that the Tools > Compatibility View option is not selected.
3. Navigate to Tools > Internet Options > Security tab > Custom Level, then scroll down to the Downloads section and select Enable under the Automatic prompting for file downloads option.

System Sizing Information

A Sentinel implementation can vary based on the needs of your environment, so you should consult NetIQ Consulting Services or any of the NetIQ Sentinel partners prior to finalizing the Sentinel architecture.

This section provides sizing information based on the testing performed at NetIQ with the hardware available at the time of testing. It is likely that larger, more powerful hardware configurations exist that can handle a greater load.

All-in-one configurations put all of the processing load on the Sentinel server rather than distributing it to remote Collector Managers and Correlation Engines. While an all-in-one configuration can work well for simple scenarios where only a small set of features are used in limited ways, it does not scale well when a large number of features are used, or are used in an extensive manner. For example, if you use more than the out-of-the-box correlation rules, this puts a greater load on the system and can result in other features on the same server suffering because of the increased resource utilization of the Correlation Engine. For production environments, NetIQ Corporation recom
163. server in another, and the client viewing the data in yet another. When you add concerns such as daylight saving time and the many event sources that don't report what time zone they are set to (such as all syslog sources), there are many possible problems that need to be handled. Sentinel is flexible, so that you can properly represent the time when events actually occur and compare those events to other events from other sources in the same or different time zones.

In general, there are three different scenarios for how event sources report time stamps:
- The event source reports the time in UTC. For example, all standard Windows Event Log events are always reported in UTC.
- The event source reports in local time, but always includes the time zone in the time stamp. For example, any event source that follows RFC 3339 in structuring time stamps includes the time zone as an offset. Other sources report long time zone IDs, such as America/New_York, or short time zone IDs, such as EST, which can present problems because of conflicts and inadequate resolution.
- The event source reports local time but does not indicate the time zone. Unfortunately, the extremely common syslog format follows this model.

For the first scenario, you can always calculate the absolute UTC time that an event occurred (assuming that a time sync protocol is in use), so you can easily compare the timing of that event to any other event source in
164. server or the RHEL 6 server. Sentinel requires the 64-bit versions of the following RPMs: bash, bc, coreutils, gettext, glibc, grep, libgcc, libstdc++, lsof, net-tools, openssl, python-libs, sed, zlib.

12 Traditional Installation

This chapter provides information about the various ways to install Sentinel.
   Section 12.1, Understanding Installation Options, on page 77
   Section 12.2, Performing Interactive Installation, on page 78
   Section 12.3, Performing a Silent Installation, on page 80
   Section 12.4, Installing Sentinel as a Non-root User, on page 81
   Section 12.5, Installing Collector Managers and Correlation Engines, on page 82

12.1 Understanding Installation Options

./install-sentinel --help displays the following options:

   Option | Value | Description
   --location | Directory | Specifies a directory other than the root to install Sentinel.
   -m, --manifest | File name | Specifies a product manifest file to use instead of the default manifest file.
   --no-configure | | Specifies to not configure the product after installation.
   -n, --no-start | | Specifies to not start or restart Sentinel after installation or
   -r, --record-unattended | File name |
   -u, --unattended | File name |
   -h, --help | |
   -l, --log-file | File name |
   --no-banner | |
   -q, --quiet | |
   -v, --verbose | |
165. server through the SSL proxy. However, this is uncommon. By default, remote Collector Managers use the SSL port 61616 to connect to the server.

- TCP 443 / Outbound / Optional / If Advisor is used, the port initiates a connection to the Advisor service over the Internet to the Advisor Updates URL: https://secure-www.novell.com/sentinel/download/advisor

Ports / Direction / Required / Description:

- TCP 8443 / Outbound / Optional / If distributed search is used, the port initiates a connection to other Sentinel systems to perform the distributed search.
- TCP 389 or 636 / Outbound / Optional / If LDAP authentication is used, the port initiates a connection to the LDAP server.
- TCP/UDP 111 and TCP/UDP 2049 / Outbound / Optional / If secondary storage is configured to use NFS.
- TCP 137, 138, 139, 445 / Outbound / Optional / If secondary storage is configured to use CIFS.
- TCP (JDBC, database dependent) / Outbound / Optional / If data synchronization is used, the port initiates a connection to the target database using JDBC. The port that is used is dependent on the target database.
- TCP 25 / Outbound / Optional / Initiates a connection to the email server.
- TCP 1290 / Outbound / Optional / When Sentinel forwards events to another Sentinel system, this port initiates a Sentinel
- UDP 162 / Outbound / Optional
- UDP 514 or TCP 1468 / Outbound / Optional
166. sing in Sentinel. It is important for reporting and auditing purposes, as well as for real-time processing. This section provides information about understanding time in Sentinel, how to configure time, and handling time zones.

- Section 17.1, Understanding Time in Sentinel, on page 107
- Section 17.2, Configuring Time in Sentinel, on page 109
- Section 17.3, Configuring Delay Time Limit for Events, on page 109
- Section 17.4, Handling Time Zones, on page 109

17.1 Understanding Time in Sentinel

Sentinel is a distributed system that is made up of several processes distributed throughout your network. In addition, there can be some delay introduced by the event source. To accommodate this, the Sentinel processes reorder events into a time-ordered stream before processing.

Every event has three time fields:

- Event Time: This is the event time used by all analytical engines, searches, reports, and so on.
- Sentinel Process Time: The time Sentinel collected the data from the device, which is taken from the Collector Manager system time.
- Observer Event Time: The time stamp the device put in the data. The data might not always contain a reliable time stamp and can be quite different than the Sentinel Process Time, for example, when the device delivers data in batches.

The following illustration explains how Sentinel does this.

Figure 17.1 Sentinel Time [figure residue; labels recovered: Active Views, Reports]
167. stall the NetFlow Collector Manager:

./install-netflow

8 Specify the number for the language you want to use for the installation, then press Enter.
9 Press the Spacebar to read through the license agreement.
10 Enter yes or y to accept the license and continue with the installation. The installation might take a few seconds to load the installation packages and prompt for the configuration type.
11 Specify whether you want to proceed with Standard or Custom installation.
12 Specify the hostname or IP address of the Sentinel server that should receive network flow data.
13 (Conditional) If you chose Custom installation, specify the port number of the Sentinel server. The default port number is 8443.
14 Specify the user name and password to authenticate to the Sentinel server.
   NOTE: Ensure that the user credentials you specify have the Send NetFlow data permission or administration privileges. Otherwise, the installation completes but the authentication fails when the NetFlow Collector Manager sends data to the Sentinel server.
15 The installation completes. It might take a few minutes for the NetFlow Collector Manager to establish a connection to the Sentinel server.
16 (Optional) You can determine whether the NetFlow Collector Manager installation is successful by performing one of the following:
   - Verify whether the NetFlow Collector Manager services are running: /etc/init.d/sentinel status
   - Verify wh
168. ster Data Configuration

If data corruption occurs on the shared storage device in a way that the shared storage device can't recover from, this would result in the corruption affecting the entire cluster in a way that cannot be automatically recovered from using the highly available failover cluster described in this document. The section Backing Up and Restoring Data in the NetIQ Sentinel Administration Guide describes how to use Sentinel's built-in tools for restoring from a backup. These tools should be used on the active node in the cluster, because the passive node in the cluster will not have the required access to the shared storage device. Other commercially available backup and restore tools could be used instead and may have different requirements on which node they can be used.

B Troubleshooting the Installation

This section contains some of the issues that might occur during installation, along with the actions to work around the issues.

B.1 Failed Installation Because of an Incorrect Network Configuration

During the first boot, if the installer finds that the network settings are incorrect, an error message is displayed. If the network is unavailable, installing Sentinel on the appliance fails. To resolve this issue, properly configure the network settings. To verify the configuration, use the ifconfig command to return the valid IP address and use the hostname -f
169. t

Contacting Documentation Support

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, click Add Comment at the bottom of any page in the HTML versions of the documentation posted at www.netiq.com/documentation. You can also email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

Contacting the Online User Community

Qmunity, the NetIQ online community, is a collaborative network connecting you to your peers and NetIQ experts. By providing more immediate information, useful links to helpful resources, and access to NetIQ experts, Qmunity helps ensure you are mastering the knowledge you need to realize the full potential of IT investments upon which you rely. For more information, visit http://community.netiq.com.

Understanding Sentinel

This section provides detailed information about what Sentinel is and how Sentinel provides an event management solution for your organization.

- Chapter 1, What is Sentinel, on page 15
- Chapter 2, How Sentinel Works, on page 19

1 What is Sentinel

Sentinel is a security information and event management (SIEM) solution as well as a compliance monitoring solution. Sentinel automatically monitors the most complex IT environments and provides the security requi
170. t delete event data prematurely. For more information about the Sentinel directory structure, see Section 6.6.4, Sentinel Directory Structure, on page 56.

As a best practice, ensure that this data directory is located on a separate disk partition than the executables, configuration, and operating system files. The benefits of storing variable data separately include easier backup of sets of files, simpler recovery in case of corruption, and additional robustness if a disk partition fills up. It also improves the overall performance of systems where smaller file systems are more efficient. For more information, see Disk Partitioning.

6.6.1 Using Partitions in Traditional Installations

On traditional installations, you can modify the disk partition layout of the operating system prior to installing Sentinel. The administrator should create and mount the desired partitions to the appropriate directories, based on the directory structure detailed in Section 6.6.4, Sentinel Directory Structure, on page 56. When you run the installer, Sentinel is installed into the pre-created directories, resulting in an installation that spans multiple partitions.

NOTE: You can use the --location option while running the installer to specify a different top-level location than the default directories to store the file. The value that you pass to the --location
171. t the license and continue with the installation. The installation starts installing all RPM packages. This installation might take a few seconds to complete.
You are prompted to specify the mode of installation:
- If you select to proceed with the standard configuration, continue with Step 8 through Step 10 in Section 12.2.1, Standard Installation, on page 78.
- If you select to proceed with the custom configuration, continue with Step 7 through Step 14 in Section 12.2.2, Custom Installation, on page 79.
Log in as a root user and specify the following command to finish installation:
   ./bin/root_install-finish
The Sentinel installation finishes and the server starts. It might take a few minutes for all services to start after installation because the system performs a one-time initialization. Wait until the installation finishes before you log in to the server.
To access the Sentinel Web interface, specify the following URL in your Web browser: https://<IP_Address_Sentinel_server>:8443
The <IP_Address_Sentinel_server> is the IP address or DNS name of the Sentinel server, and 8443 is the default port for the Sentinel server.

12.5 Installing Collector Managers and Correlation Engines

By default, Sentinel installs a Collector Manager and a Correlation Engine. For production environments, NetIQ Corporation recommends setting up a distributed deployment because it isolates data collection components on a separate mac
172. t user.
2 Go to the following location: /opt/novell/sentinel/setup
3 Run the following command: ./uninstall-sentinel
   The script displays a warning that the Collector Manager or Correlation Engine and all associated data will be completely removed.
4 Enter y to remove the Collector Manager or Correlation Engine. The script first stops the service and then removes it completely. However, the Collector Manager and Correlation Engine icon is still displayed in inactive state in the Web interface.
5 Perform the following additional steps to manually delete the Collector Manager and Correlation Engine in the Web interface:
   Collector Manager:
   1 Access Event Source Management > Live View.
   2 Right-click the Collector Manager you want to delete, then click Delete.
   Correlation Engine:
   1 Log in to the Sentinel Web interface as an administrator.
   2 Expand Correlation, then select the Correlation Engine that you want to delete.
   3 Click the Delete button (garbage can icon).

C.2.3 Uninstalling the NetFlow Collector Manager

Use the following steps to uninstall the NetFlow Collector Manager:
1 Log in to the NetFlow Collector Manager computer.
   NOTE: You must log in with the same user permission that was used to install the NetFlow Collector Manager.
2 Change to the following directory: /opt/novell/sentinel/setup
3 Run the following command: ./uninstall-sentinel
173. ter you have modified the <filename>.xenconfig file, specify the following command to create the VM:
   xm create <file_name>.xenconfig
10 (Optional) To verify if the VM is created, specify the following command: xm list
   The VM appears in the list that is generated. For example, if you have configured name="Sentinel_7.2.0.0_x86_64" in the xenconfig file, then the VM appears with that name.
11 To start the installation, specify the following command: xm console <vm_name>
   Replace <vm_name> with the name specified in the name setting of the xenconfig file, which is also the value returned in Step 7. For example: xm console Sentinel_7.2.0.0_x86_64
12 The installation first checks for the available memory and disk space. If the available memory is less than 2.5 GB, the installation is automatically terminated. If the available memory is more than 2.5 GB but less than 6.7 GB, the installation displays a message that you have less memory than is recommended.
13 Enter y if you want to continue with the installation, or enter n if you do not want to proceed.
14 Select the language of your choice, then click Next.
15 Select the keyboard layout, then click Next.
16 Read and accept the SUSE Linux Enterprise Server (SLES) 11 SP3 Software License Agreement.
17 Read and accept the NetIQ Sentinel End User License Agreement.
18 On the Hostname
174. terprise Server (SLES) 11 SP3 operating system
- SUSE Linux Enterprise Server High Availability Extension (SLES HAE) package
- Sentinel software (including HA rpm)
(Conditional) For traditional HA installations, ensure that the Sentinel installer TAR file and the SUSE Linux High Availability Extension (SLE HAE) ISO image with valid licenses are available.
If you are using the SLES operating system with kernel version 3.0.101 or later, you must manually load the watchdog driver in the computer. To find the appropriate watchdog driver for your computer hardware, contact your hardware vendor. To load the watchdog driver, perform the following:
1 In the command prompt, run the following command to load the watchdog driver in the current session:
   /sbin/modprobe -v --ignore-install <watchdog driver name>
2 Add the following line to the /etc/init.d/boot.local file to ensure that the computer automatically loads the watchdog driver at every boot time:
   /sbin/modprobe -v --ignore-install <watchdog driver name>
Each cluster node that hosts the Sentinel services must meet the requirements specified in Chapter 5, Meeting System Requirements, on page 35.
Ensure that sufficient shared storage is available for the Sentinel data and application.
Ensure that you use a virtual IP address for the services that can be migrated from node to node on failover.
A shared sto
175. th the installation. The installation might take a few seconds to load the installation packages and prompt for the configuration type.
- When prompted, specify 1 to proceed with the standard configuration.
- Enter the default Communication Server Hostname or IP Address of the machine on which Sentinel is installed.
- Specify the ActiveMQ user credentials for the Collector Manager or the Correlation Engine. The ActiveMQ user credentials are stored in the <install_dir>/etc/opt/novell/sentinel/config/activemqusers.properties file located in the Sentinel server.
- Accept the certificate permanently when prompted.
- Enter yes or y to enable FIPS 140-2 mode in Sentinel and continue with the FIPS configuration.
- Continue with the installation as prompted until the installation is complete.

Adding a Custom ActiveMQ User for the Collector Manager or Correlation Engine

Sentinel recommends that you use the default ActiveMQ usernames for the remote Collector Manager and Correlation Engine. However, if you have installed multiple remote Collector Managers and you want to identify them separately, you can create new ActiveMQ users.
1 Log in to the server as the Sentinel user who has access to the installation files.
2 Open the activemqgroups.properties file. This file is located in the <install_dir>/etc/opt/novell/sentinel/config directory.
3 Add the new ActiveMQ usernames, separated by comma, as follows: For Collector Manager, add the new
176. the Windows client, the client must trust the Sentinel server certificate or the remote Collector Manager certificate, depending on where the Connector is deployed. The Sentinel server certificate file is in the /etc/opt/novell/sentinel/config/sentinel.cer location. The remote Collector Manager certificate file is in the /etc/opt/novell/sentinel/config/rcm.cer location.
   NOTE: When using custom certificates that are digitally signed by a certificate authority (CA), the client must trust the appropriate certificate file.
5 If you want to automatically synchronize the event sources or populate the list of event sources using an Active Directory connection, you must import the Active Directory server certificate into the Sentinel FIPS keystore. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database on page 125.

21.5.6 Sentinel Link Integrator

Follow the below procedure only if you have selected the Encrypted (HTTPS) option when configuring the network settings of the Sentinel Link Integrator.

To configure the Sentinel Link Integrator to run in FIPS 140-2 mode:
1 When Sentinel Link Integrator is in FIPS 140-2 mode, server authentication is mandatory. Before configuring the Integrator instance, import the Sentinel Link Server certificate into the Sentinel FIPS keystore.
   - If Sentinel Link Connector is in FIPS 140-2 mode: If the Con
177. the box simple correlation rules (filter/trigger only) will be used / Impacts the CPU utilization of the correlation engine
- How many out-of-the-box complex correlation rules will be used / Impacts the CPU and memory utilization of the correlation engine
- Correlation Engine (CE) Distribution / Local Embedded CE, all rules
- How many sets of Security Intelligence dashboards / The number of event data sets on which anomaly detection will be performed, which impacts the primary storage size and CPU and memory utilization. Column values recovered from the table: 1, Not Applicable; 1, 20% of event stream each; 1, 30% of event stream each; 100% of event stream each
- Extra Large: Contact NetIQ Services

[Table residue: deployment configuration table with columns Category, Demo, All-in-One, Distributed, Distributed Agentless, Extra Large. Cell text recovered, column assignment not recoverable: Description: medium DB, not intended for production; Agent-based Data Collection, Raw Data Stored; Agentless Data Collection, Raw Data Stored; Agentless Data Collection, Raw Data Not Stored. High Availability: Not Used. Notes (Notable functionality disabled or warnings of what happens when exceeding the system load described above): Raw Data Disabled; Increasing Retained EPS will eventually cause instability in this system configuration; Contact NetIQ Services.]

Connector and Collector System Requirements

Each Connector and Collector has
178. the tar file:
   tar zxvf <install_filename>
   Replace <install_filename> with the actual name of the install file.
Specify the following command to install Sentinel in silent mode:
   ./install-sentinel -u <response_file>
   The installation proceeds with the values stored in the response file.
(Conditional) If you chose to enable FIPS 140-2 mode, complete the FIPS 140-2 mode configuration by following the tasks mentioned in Chapter 21, Operating Sentinel in FIPS 140-2 Mode, on page 117.
The Sentinel installation finishes and the server starts. It might take a few minutes for all services to start after installation because the system performs a one-time initialization. Wait until the installation finishes before you log in to the server.

12.4 Installing Sentinel as a Non-root User

If your organizational policy does not allow you to run the full installation of Sentinel as root, you can install Sentinel as another user. In this installation, a few steps are performed as a root user, then you proceed to install Sentinel as another user created by the root user. Finally, the root user completes the installation.
1 Download the installation files from the NetIQ Downloads Web site.
2 Specify the following command at the command line to extract the install files from the tar file:
   tar zxvf <install_filename>
   Replace <install_filename> with the actual name of the install file.
3 Log in as root to the server whe
179. thorized activities become clear before they do damage. Sentinel does this in a cost-effective way by:
- Providing a single solution to address IT controls across multiple regulations
- Closing the knowledge gap between what should happen and what is actually happening in your networked environment
- Demonstrating to auditors and regulators that your organization documents, monitors, and reports on security controls
- Providing out-of-the-box compliance monitoring and reporting programs
- Gaining the visibility and control required to continually assess the success of your organization's compliance and security programs

Sentinel automates log collection, analysis, and the reporting processes to ensure that IT controls are effective in supporting threat detection and audit requirements. Sentinel provides automated monitoring of security events, compliance events, and IT controls, allowing you to take immediate action if there is a security breach or non-compliant event occurring. Sentinel also allows you to easily gather summary information about your environment so you can communicate your overall security posture to key stakeholders.

2 How Sentinel Works

Sentinel continuously manages security information and events throughout your IT environment to provide a complete monitoring solution. Sentinel does the following:
- Gathers logs, events, and secu
180. tinel HA Appliance Installation 162
A.5 Backup and Recovery 165
A.5.1 Backup 165
A.5.2 Recovery 166
B Troubleshooting the Installation 167
B.1 Failed Installation Because of an Incorrect Network Configuration 167
B.2 The UUID Is Not Created for Imaged Collector Managers or Correlation Engine 167
C Uninstalling 169
C.1 Uninstallation Checklist 169
C.2 Uninstalling Sentinel 169
C.2.1 Uninstalling the Sentinel Server 169
C.2.2 Uninstalling the Collector Manager and Correlation Engine 170
C.2.3 Uninstalling the NetFlow Collector Manager 170
C.3 Post-Uninstallation Tasks 171

About this Book and the Library

The Installation and Configuration Guide provides an introduction to NetIQ Sentinel and explains how to install and configure Sentinel.

Intended Audience

This guide is intended for Sentinel administrators and consultants.

Other Information in the Library

The library provides the following information resources:
Administration Guide: Provides ad
181. ting Server Certificates in Remote Collector Managers and Correlation Engines 119
21.5 Configuring Sentinel Plug-Ins to Run in FIPS 140-2 Mode 119
21.5.1 Agent Manager Connector 120
21.5.2 Database (JDBC) Connector 121
21.5.3 Sentinel Link Connector 121
21.5.4 Syslog Connector 122
21.5.5 Windows Event (WMI) Connector 123
21.5.6 Sentinel Link Integrator 123
21.5.7 LDAP Integrator 124
21.5.8 SMTP Integrator 125
21.5.9 Using Non-FIPS Enabled Connectors with Sentinel in FIPS 140-2 Mode 125
21.6 Importing Certificates into FIPS Keystore Database 125
21.7 Reverting Sentinel to Non-FIPS Mode 126
21.7.1 Reverting Sentinel Server to Non-FIPS mode 126
21.7.2 Reverting Remote Collector Managers or Remote Correlation Engines to Non-FIPS Mode 126

Part V Upgrading Sentinel 127
22 Implementation Checklist 129
23 Prerequisite for Versions Prior to Sentinel 7.1.1 131
24 Upgrading Sentinel Traditional Installation 133
24.1 Upgrading Sentinel 133
24.2 Upgrading Sentinel as a Non-root User
182. ting system boots.
- Click Global and then select No Authentication, because the current OCF Resource Agent for iSCSI does not support authentication.
- Click Targets and then click Add to add a new target. The iSCSI Target will auto-generate an ID and then present an empty list of LUNs (drives) that are available.
- Click Add to add a new LUN. Leave the LUN number as 0, then browse in the Path dialog (under Type=fileio) and select the localdata file that you created. If you have a dedicated disk for storage, specify a block device such as /dev/sdc.
- Repeat steps 12 and 13 and add LUN 1 and networkdata this time.
- Leave the other options at their defaults. Click OK and then click Next.
- Click Next again to select the default authentication options, then Finish to exit the configuration. Accept if asked to restart iSCSI.
- Exit YaST.
The above procedure exposes two iSCSI Targets on the server at IP address 10.0.0.3. At each cluster node, ensure that it can mount the local data shared storage device. You must also format the devices once to utilize them.

Configuring iSCSI Initiators

1 Connect to one of the cluster nodes (node01) and start YaST.
2 Select Network Devices > Network Settings.
3 Ensure that the Overview tab is selected.
4 Select the secondary NIC from the displayed list, then tab forward to Edit and press Enter.
5 Click Address, assign a static IP address of 10.0.0.1. This will be the internal iSCSI communicat
183. tion. Install the cluster software on each node and register each cluster node with the cluster manager. Procedures to do so will vary depending on the cluster implementation, but at the end of the process each cluster node should show up in the cluster management console.

For our exemplary solution, we will set up SUSE Linux High Availability Extension and overlay that with Sentinel-specific Resource Agents. If you do not use the OCF Resource Agent to monitor Sentinel, you will likely have to develop a similar monitoring solution for the local cluster environment. The OCF Resource Agent for Sentinel is a simple shell script that runs a variety of checks to verify if Sentinel is functional. If you wish to develop your own, you should examine the existing Resource Agent for examples (the Resource Agent is stored in the Sentinelha.rpm in the Sentinel download package).

There are many different ways in which a SLE HAE cluster can be configured, but we will select options that keep it fairly simple. The first step is to install the core SLE HAE software; the process is fully detailed in the SLE HAE Documentation. For information about installing SLES add-ons, see the Deployment Guide. You must install the SLE HAE on all cluster nodes (node01 and node02 in our example). The add-on will install the core cluster management and communications software, as well as many Resource Agents that are used to monitor cluster resources. Once the cluster software
184. to install the appliance.
4 Specify the following command to extract the compressed appliance image from the machine where the VM Converter is installed:
   tar zxvf <install_file>
   Replace <install_file> with the actual file name.
5 To import the VMware image to the ESX server, use the VMware Converter and follow the on-screen instructions in the installation wizard.
6 Log in to the ESX server machine.
7 Select the imported VMware image of the appliance and click the Power On icon.
8 Specify the host name (IP address) of the Sentinel server that the Collector Manager should connect to.
9 Specify the Communication Server port number. The default message bus port is 61616.
10 Specify the ActiveMQ User Name, which is the Collector Manager or Correlation Engine username. The default username is collectormanager for Collector Manager and correlationengine for Correlation Engine.
11 Specify the password for the ActiveMQ User. The ActiveMQ user credentials are stored in the <install_dir>/etc/opt/novell/sentinel/config/activemqusers.properties file, which is located in the Sentinel server.
12 (Optional) To verify the password, see the following line in the activemqusers.properties:
   For Collector Manager: collectormanager=<password>
   In this example, collectormanager is the username and the corresponding value is the password.
   For Correlation Eng
185. toolbar, then click Applications.
4 Click Launch Control Center to launch the Sentinel Control Center.
5 In the toolbar, click Event Source Management > Live View, then click Tools > Import plugin.
6 Browse to and select the Collector file you downloaded in Step 1, then click Next.
7 Follow the remaining prompts, then click Finish.
To configure the Collector, see the documentation for the specific Collector on the Sentinel Plug-ins Web site.

Installing a Connector

Use the following steps to install a Connector:
1 Download the desired Connector from the Sentinel Plug-ins Web site.
2 Log in to the Sentinel Web interface at https://<IP_address>:8443, where 8443 is the default port for the Sentinel server.
3 Click application in the toolbar, then click Applications.
4 Click Launch Control Center to launch the Sentinel Control Center.
5 In the toolbar, select Event Source Management > Live View, then click Tools > Import plugin.
6 Browse to and select the Connector file you downloaded in Step 1, then click Next.
7 Follow the remaining prompts, then click Finish.
To configure the Connector, see the documentation for the specific Connector on the Sentinel Plug-ins Web site.

Verifying the Installation

You can determine whether the installation is successful by performing either of the following:
186. tributed Deployment

The one-tier deployment adds the ability to monitor Windows machines as well as handle a larger load than the all-in-one deployment. Data collection and correlation can be scaled out by adding Collector Manager, NetFlow Collector Manager, and Correlation Engine machines that off-load processing from the central Sentinel server. In addition to handling the load of events, correlation rules, and network flow data, remote Collector Managers, Correlation Engines, and NetFlow Collector Managers also free up resources on the central Sentinel server to service other requests, such as event storage and searches. As the load gets higher on the system, the central Sentinel server will eventually become a bottleneck, and you need a deployment with more tiers to scale out further. Optionally, you can configure Sentinel to copy event data to a data warehouse, which can be useful to offload custom reporting, analytics, and other processing to another system.

Figure 6.2 One-Tier Distributed Deployment [figure residue; components shown: Sentinel Web Console, Windows Event Collection Services (optional), Collector Managers, Sentinel Server, Event Sources, Agent Managers (optional), Correlation Engines (optional, scale), NetFlow Collector Managers (optional), Data Warehouse (optional)]
187. ttps://<IP_address>:4984, where <IP_address> is the IP address of the passive cluster node. Log in to the Sentinel appliance as an administrator.
3c To check whether there are any updates, click Updates.
3d Select and apply the updates. The updates might take a few minutes to complete. After the update is successful, the WebYaST login page appears.
3e After the upgrade is complete, restart the cluster stack: rcopenais start
   Repeat Step 4 for all passive cluster nodes.
4 Upgrade the active cluster node:
4a Back up your configuration, then create an ESM export. For more information on backing up data, see Backing Up and Restoring Data in the NetIQ Sentinel Administration Guide.
4b Stop the cluster stack: rcopenais stop
   Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.
4c Log in to the Sentinel appliance as an administrator.
4d To upgrade the Sentinel appliance, click Appliance to launch WebYaST.
4e To check whether there are any updates, click Updates.
4f Select and apply the updates. The updates might take a few minutes to complete. After the update is successful, the WebYaST login page appears. Before upgrading the appliance, WebYaST automatically stops the Sentinel service. You must manually restart this service after the upgrade is complete.
4g Clear your Web browser cache to v
188. ty window is displayed. For more information, see the Sentinel Link Connector Guide.
2. Select one of the options from the Client Authentication Type field. The client authentication type determines how strictly the SSL Sentinel Link Event Source Server verifies the identity of Sentinel Link Event Sources (Sentinel Link Integrators) that are attempting to send data.
Open: Allows all the SSL connections coming from the clients (Sentinel Link Integrators). Does not perform any Integrator certificate validation or authentication.
Strict: Validates the Integrator certificate to be a valid X.509 certificate and also checks that the Integrator certificate is trusted by the Event Source Server. For more information, refer to the respective database documentation.
For the Strict option:
If the Sentinel Link Integrator is in FIPS 140-2 mode, you must copy the /etc/opt/novell/sentinel/config/sentinel.cer file from the sender Sentinel machine to the receiver Sentinel machine. Import this certificate into the receiver Sentinel FIPS keystore.
NOTE: When using custom certificates that are digitally signed by a certificate authority (CA), you must import the appropriate custom certificate file.
If the Sentinel Link Integrator is in non-FIPS mode, you must import the custom Integrator certificate into the receiver Sentinel FIPS keystore.
NOTE: If the sender is Sentinel Log Manager in non
189. ual filename.
5. To import the VMware image to the ESX server, use the VMware Converter and follow the on-screen instructions in the installation wizard.
6. Log in to the ESX server machine.
7. Select the imported VMware image of the appliance and click the Power On icon.
8. Select the language of your choice, then click Next.
9. Select the keyboard layout, then click Next.
10. Read and accept the SUSE Linux Enterprise Server (SLES) 11 SP3 Software License Agreement.
11. Read and accept the NetIQ Sentinel End User License Agreement.
12. On the Hostname and Domain Name page, specify the hostname and domain name, then ensure that the Assign Hostname to Loopback IP option is selected.
13. Click Next. The hostname configurations are saved.
14. Do one of the following:
To use the current network connection settings, select Use Following Configuration on the Network Configuration II page, then click Next.
To change the network connection settings, select Change, make the desired changes, then click Next.
The network connection settings are saved.
15. Set the time and date, then click Next.
To change the NTP configuration after installation, use YaST from the appliance command line. You can use WebYaST to change the time and date, but not the NTP configuration.
If the time appears out of sync immediately after the install, run the following command to restart NTP:
190. Enter y to uninstall the Collector Manager. The script first stops the service and then uninstalls it completely.
C.3.4 Post-Uninstallation Tasks
Uninstalling the Sentinel server does not remove the Sentinel Administrator User from the operating system. You must manually remove that user.
After you uninstall Sentinel, certain system settings remain. These settings should be removed before performing a clean installation of Sentinel, particularly if the Sentinel uninstallation encountered errors.
To manually clean up the Sentinel system settings:
1. Log in as root.
2. Ensure that all Sentinel processes are stopped.
3. Remove the contents of /opt/novell/sentinel, or wherever the Sentinel software was installed.
4. Make sure no one is logged in as the Sentinel Administrator operating system user (novell by default), then remove the user, the home directory, and the group:
userdel -r novell
groupdel novell
5. Restart the operating system.
191. up on node02 through YaST. Run /etc/rc.d/openais start on node02.
In some cases the script might fail because the xinetd service does not properly add the new csync2 service. This service is required so that the other node can sync the cluster configuration files down to this node. If you see errors like "csync2 run failed", you may have this problem. To fix this, execute:
kill -HUP $(cat /var/run/xinetd.init.pid)
and then re-run the sleha-join script.
At this point you should be able to run crm_mon on each cluster node and see that the cluster is running properly. Alternatively, you can use hawk (the web console); the default login credentials are hacluster / linux.
There are two additional parameters we need to tweak for this example; whether these will apply to a customer's production cluster will depend on its configuration.
1. Set the global cluster option no-quorum-policy to ignore. We do this because we have only a two-node cluster, so any single node failure would break quorum and shut down the entire cluster.
crm configure property no-quorum-policy=ignore
NOTE: If your cluster has more than two nodes, do not set this option.
2. Set the global cluster option default-resource-stickiness to 1. This will encourage the resource manager to leave resources running in place rather than move them around.
crm configure property default-resource-stickiness=1
Resource Configuration
As mentioned in the Cluster Installation, this sol
192. users along with duplicate entries. The first user in the list is the original user. You should keep the first user and delete the others in the list.
Run the following command to remove duplicate users:
db.system.users.remove({"_id": ObjectId("object_ID")})
Run the following command to verify whether the duplicate users have been removed:
db.system.users.find().pretty()
Switch to database admin user:
use admin
Repeat Step 1 through Step 3 to verify and remove duplicate dbausers in the admin database.
Upgrading Sentinel Traditional Installation
24.1 Upgrading Sentinel
Use the following steps to upgrade the Sentinel server:
1. Make a backup of your configuration, then create an ESM export. For more information on backing up data, see Backing Up and Restoring Data in the NetIQ Sentinel Administration Guide.
2. Download the latest installer from the NetIQ download Web site.
3. Log in as root to the server where you want to upgrade Sentinel.
4. Specify the following command to extract the install files from the tar file:
tar xfz <install_filename>
Replace <install_filename> with the actual name of the install file.
5. Change to the directory where the install file was extracted. Specify the following command to upgrade Sentinel:
./install-sentinel
To proceed with a language of your
193. uted Deployment with High Availability, on page 52
Section 6.5, Two-Tier and Three-Tier Distributed Deployment, on page 53
Section 6.6, Planning Partitions for Data Storage, on page 54
Advantages of Distributed Deployments
By default, the Sentinel server includes the following components:
Collector Manager: Collector Manager provides a flexible data collection point for Sentinel. The Sentinel installer installs a Collector Manager by default during installation.
Correlation Engine: Correlation Engine processes events from the real-time event stream to determine whether they should trigger any of the correlation rules.
NetFlow Collector Manager: The NetFlow Collector Manager collects network flow data (NetFlow, IPFIX, and so on) from network devices such as routers, switches, and firewalls. Network flow data describes basic information about all network connections between hosts, including packets and bytes transmitted, which helps you visualize the behavior of individual hosts or the entire network.
For production environments, NetIQ Corporation recommends distributed deployments because they isolate data collection components on separate machines. This section describes the advantages of distributed deployments:
Section 6.1.1, Advantages of Additional Collector Managers, on page 50
Section 6.1.2, Advantages of Additional Correlation Engines, on page 50
Section 6.1.3, Advantages of Additional NetF
194. ution provides an OCF Resource Agent to monitor the core services under SLE HAE, and you can create alternatives if desired. The software also depends on several other resources, for which Resource Agents are provided by default with SLE HAE. If you do not want to use SLE HAE, you need to monitor these additional resources using some other technology:
A filesystem resource corresponding to the shared storage that the software uses.
An IP address resource corresponding to the virtual IP by which the services will be accessed.
The Postgres database software that stores configuration and event metadata.
There are additional resources, such as MongoDB (used for Security Intelligence) and the ActiveMQ message bus; for now at least, these are monitored as part of the core services.
Exemplary Solution
The exemplary solution uses simple versions of the required resources, such as the simple Filesystem Resource Agent. You can choose to use more sophisticated cluster resources like cLVM (a logical volume version of the filesystem) if required.
The exemplary solution provides a crm script to aid in cluster configuration. The script pulls relevant configuration variables from the unattended setup file generated as part of the Sentinel installation. If you did not generate the setup file, or you wish to change the configuration of the resources, you can edit the script accordingly.
Connect to the original node on which you installed Sentinel (this must be
195. vent (WMI) Connector to run in FIPS 140-2 mode:
1. Add or edit the Windows Event Connector. Proceed through the configuration screens until the Security window is displayed. For more information, see the Windows Event (WMI) Connector Guide.
2. Click Settings.
3. Select one of the options from the Client Authentication Type field. The client authentication type determines how strictly the Windows Event Connector verifies the identity of the client Windows Event Collection Services (WECS) that are attempting to send data.
Open: Allows all the SSL connections coming from the client WECS. Does not perform any client certificate validation or authentication.
Strict: Validates the certificate to be a valid X.509 certificate and also checks that the client WECS certificate is signed by a CA. New sources will need to be explicitly added; this prevents rogue sources from sending data to Sentinel.
For the Strict option, you must import the certificate of the client WECS into the Sentinel FIPS keystore. When Sentinel is running in FIPS 140-2 mode, you cannot import the client certificate using the Event Source Management (ESM) interface. For more information about importing the certificate, see Importing Certificates into FIPS Keystore Database on page 125.
NOTE: In FIPS 140-2 mode, the Windows Event Source Server uses the Sentinel server key pair. Importing the server key pair is not required.
4. If server authentication is enabled in
196. ver you have mounted the shared storage, or only the variable application data on the shared storage. In this exemplary solution we will follow the latter approach and install Sentinel to each cluster node that can host it. The first time Sentinel is installed, we will do a complete installation, including the application binaries, configuration, and all the data stores. Subsequent installations on the other cluster nodes will only install the application and will assume that the actual Sentinel data will be available some time later (e.g., once the shared storage is mounted).
Exemplary Solution
In this exemplary solution we install (for traditional HA installations) or configure (for HA appliance installations) Sentinel to each cluster node, storing only the variable application data on shared storage. This keeps the application binaries and configuration in standard locations, allows us to verify the RPMs, and also allows us to support warm patching in certain scenarios.
First Node Installation
Traditional HA Installation on page 153
Sentinel HA Appliance Installation on page 153
Traditional HA Installation
1. Connect to one of the cluster nodes (node01) and open a console window.
2. Download the Sentinel installer (a tar.gz file) and store it in /tmp on the cluster node.
3. Execute the following commands:
mount /dev/<SHARED1> /var/opt/novell
cd /tmp
tar xvzf sent
197. with an enterprise license before the expiration date.
Enterprise Licenses
When you purchase Sentinel, you receive a license key through the customer portal. Depending on what you purchase, your license key enables certain features, data collection rates, and event sources. There may be additional license terms that are not enforced by the license key, so please read your license agreement carefully. To make changes to your licensing, please contact your account manager.
You can add the enterprise license key during the installation. To add the license key during the evaluation period, see in the NetIQ Sentinel Administration Guide.
Meeting System Requirements
This chapter provides information about the hardware, operating system, and browser requirements for Sentinel. For the latest information about these requirements, see the NetIQ Sentinel Technical Information Website.
Section 5.1, Supported Operating Systems and Platforms, on page 35
Section 5.2, Supported Database Platforms, on page 36
Section 5.3, Supported Browsers, on page 36
Section 5.4, System Sizing Information, on page 37
Section 5.5, Connector and Collector System Requirements, on page 47
Section 5.6, Virtual Environment, on page 47
Supported Operating Systems and Platforms
NetIQ Corporation supports the Sentinel server, Colle
198. y 2 to perform a custom configuration of Sentinel.
3. Press the Spacebar to read through the license agreement.
4. Enter yes or y to accept the license agreement and continue with the installation. The installation might take a few seconds to load the installation packages.
5. Enter 1 to use the default 90-day evaluation license key, or enter 2 to enter a purchased license key for Sentinel.
6. Decide whether you want to keep the existing password for the admin administrator user.
If you want to keep the existing password, enter 1, then continue with Step 7.
If you want to change the existing password, enter 2, specify the new password, confirm the password, then continue with Step 7.
The admin user is the identity used to perform administration tasks through the Sentinel web console, including the creation of other user accounts.
7. Decide whether you want to keep the existing password for the dbauser database user.
If you want to keep the existing password, enter 1, then continue with Step 8.
If you want to change the existing password, enter 2, specify the new password, confirm the password, then continue with Step 8.
The dbauser account is the identity that Sentinel uses to interact with the database. The password you enter here can be used to perform database maintenance tasks, including resetting the admin password if the admin password is forgotten or lost.
8. Decide whether you want to keep the existing password for the appuser ap
199. z <install_filename>
Run the following command in the directory where you extracted the install files:
./install-sentinel --cluster-node
After the upgrade is complete, restart the cluster stack:
rcopenais start
Repeat Step 3 for all passive cluster nodes.
4. Upgrade the active cluster node.
4a. Back up your configuration, then create an ESM export. For more information about backing up data, see Backing Up and Restoring Data in the NetIQ Sentinel Administration Guide.
4b. Stop the cluster stack:
rcopenais stop
Stopping the cluster stack ensures that the cluster resources remain accessible and avoids fencing of nodes.
4c. Log in as root to the server where you want to upgrade Sentinel.
4d. Run the following command to extract the install files from the tar file:
tar xfz <install_filename>
4e. Run the following command in the directory where you extracted the install files:
./install-sentinel
4f. After the upgrade is complete, start the cluster stack:
rcopenais start
5. Disable the maintenance mode on the cluster:
crm configure property maintenance-mode=false
You can run this command from any cluster node.
6. Verify whether the maintenance mode is inactive:
crm status
The cluster resources should appear in the Started state.
7. (Optional) Verify whether the Sentinel upgrade is successful:
rcsentinel version
A.4.3 Upgrading a Sentinel HA Appliance Installation