Novell Sentinel LOG Manager 1 0 0 5

User reviews and opinions

servomapper911 2:24pm on Tuesday, September 28th, 2010 
I own several sets of these speakers. Use them home and work. Small class room. Price is right. The best of all is no extra power cords to work with. Not for Large rooms. But a helluva buy for the dorm. The Bass sound Great! And clear!! Great Bang for my Buck!! Compact Design, Easy To Use.
anwpro 2:12pm on Saturday, August 28th, 2010 
I wanted a set of speakers for a small space and these were perfect. These work fine for any applications I use. I have not tried classical music.
Iyo 10:35am on Sunday, June 20th, 2010 
These speakers kick butt! Best darn speakers I have ever owned! A little bigger than I thought they would be. They look sharp as hell. Amazing sound !!... I needed a good set of speakers for my computer that gave excellent sound quality at a low price, this U.S. based company proved once again buying U. For the price, I was very impressed with these speakers. These speakers are as good a buy for the price tag as any audiophile could possibly expect.
VQsaBLP 2:46am on Thursday, April 29th, 2010 
It reproduces sounds so clear you would think you were in your own studio instead of just using your computer. Compact Design, Easy To Use. These are good speakers if one is interested in listening to music in a small room setting or sitting in somewhat close proximity to the speakers.
abgueye 3:25pm on Sunday, March 14th, 2010 
I owned an Altec Lansing 2.1 speaker before, so I know what to expect. I also owned Edifier USB al-cheapo speaker before tossing it away. When you are dealing with 2.1 speaker systems you inevitably have to listen to many low quality speakers that have annoying.


 

Documents

doc0

Novell Sentinel Log Manager 1.1.0.2 Release Notes

July 28, 2010

Novell
Novell Sentinel Log Manager collects data from a wide variety of devices and applications, including intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, and antivirus event sources. Novell Sentinel Log Manager provides high event-rate processing, long-term data retention, regional data aggregation, and simple searching and reporting functionality for a broad range of applications and devices. You can upgrade Sentinel Log Manager to 1.1.0.2 from Sentinel Log Manager versions 1.0.0.4, 1.0.0.5, 1.1.0.0, or 1.1.0.1. The set of new features and fixed defects depends on the version from which you upgrade.
Section 1, What's New
Section 2, System Requirements
Section 3, Installing Novell Sentinel Log Manager 1.1
Section 4, Upgrading to Novell Sentinel Log Manager 1.1.0.2
Section 5, Verifying Version Numbers After Upgrading
Section 6, Defects Fixed
Section 7, Known Issues
Section 8, Documentation
Section 9, Legal Notices

1 What's New

Section 1.1, What's New in Sentinel Log Manager 1.1.0.2
Section 1.2, What's New in Sentinel Log Manager 1.1.0.1
Section 1.3, What's New in Sentinel Log Manager 1.1
Section 1.4, What's New in Sentinel Log Manager 1.0.0.5

1.1 What's New in Sentinel Log Manager 1.1.0.2
This version includes defect fixes. For more information, see Section 6.1, Defects Fixed in Sentinel Log Manager 1.1.0.2.

1.2 What's New in Sentinel Log Manager 1.1.0.1
This version includes defect fixes. For more information, see Section 6.2, Defects Fixed in Sentinel Log Manager 1.1.0.1.

1.3 What's New in Sentinel Log Manager 1.1
Roles
Distributed Search
Tags
Appliance
Enhancements to LDAP Authentication
Enhancements to Reports
Data Restoration
Upgrading Collectors and Connectors

1.3.1 Roles
Administrators can now create roles that can be assigned to any number of users. Each role can be assigned a different set of permissions, and the users inherit the permissions of the role they belong to. Sentinel Log Manager includes a few default roles with the required permissions. You can modify the permissions or create more roles, based on your requirements. For more information on group permissions, see Configuring Users and Roles (http://www.novell.com/documentation/novelllogmanager11/log_manager_admin/?page=/documentation/novelllogmanager11/log_manager_admin/data/bjxveru.html) in the Novell Sentinel Log Manager 1.1 Administration Guide.

1.3.2 Distributed Search
The Distributed Search feature enables you to search for events not only on your local Sentinel Log Manager server, but also on other Sentinel Log Manager servers distributed across the globe. After you set up the Distributed Search configuration to link multiple servers with the local server (search initiator), you can perform a search on the local server, and optionally instruct the search engine to also perform the search on the linked servers. Corresponding events from all the selected servers are retrieved and displayed in the search results. Each event in the search results displays the server information from which the event is being retrieved. Exporting search results, sending search results to an action, and retrieving raw data events are enhanced to take advantage of this new feature. The reporting engine is also enhanced to use the same underlying search engine so that reports can include data from multiple Sentinel Log Manager servers. For more information on Distributed Search, see Searching and Reporting Events in a Distributed Environment (http://www.novell.com/documentation/novelllogmanager11/log_manager_admin/?page=/documentation/novelllogmanager11/log_manager_admin/data/bp5lx14.html) in the Novell Sentinel Log Manager 1.1 Administration Guide.

1.3.3 Tags
The Tags feature enables you to create and assign one or more searchable tag attributes to Event Source Management (ESM) nodes such as event sources, event source servers, Collector Managers and Collector plug-ins, and also to reports. All the events coming from these ESM nodes are also tagged. By tagging, you can create logical groupings of these ESM nodes, the events themselves, and reports. Events can be searched based on the tags applied to them, and event sources and reports can be filtered based on the tags they have. Sentinel Log Manager includes some default tags; however, you can create new tags based on your requirements. For more information on tags, see Configuring Tags (http://www.novell.com/documentation/novelllogmanager11/log_manager_admin/?page=/documentation/novelllogmanager11/log_manager_admin/data/bp62o80.html) in the Novell Sentinel Log Manager 1.1 Administration Guide.

1.3.4 Appliance
The Sentinel Log Manager appliance is a ready-to-run software appliance that combines a Novell SUSE Linux Enterprise Server (SLES) 11 operating system and Novell Sentinel Log Manager software with an update service. This appliance offers an enhanced browser-based user interface that supports collection, storage, reporting, and searching of log data from a wide variety of devices, applications, and protocols. Sentinel Log Manager 1.1 appliance is available in the following formats:
A VMware appliance image
A Xen appliance image
A hardware appliance Live DVD image that is directly deployable to a hardware server

NOTE: Sentinel Log Manager 1.0 users can migrate their installation to a Sentinel Log Manager 1.1 appliance by following the instructions in Section 6.4, Migrating from 1.0 to 1.1 Appliance (http://www.novell.com/documentation/novelllogmanager11/log_manager_install/?page=/documentation/novelllogmanager11/log_manager_install/data/bq9ckex.html) in the Novell Sentinel Log Manager 1.1 Installation Guide.

For more information about Sentinel Log Manager appliance installation, see Installing the Appliance in the Novell Sentinel Log Manager 1.1 Installation Guide (http://www.novell.com/documentation/novelllogmanager11/log_manager_install/?page=/documentation/novelllogmanager11/log_manager_install/data/bookinfo.html).

1.3.5 Enhancements to LDAP Authentication

A new user interface is provided under the Users tab to configure a Sentinel Log Manager server for LDAP authentication.
LDAP authentication can be performed with or without using anonymous search on the LDAP directory.

For more information on LDAP authentication, see LDAP Authentication (http://www.novell.com/documentation/novelllogmanager11/log_manager_admin/?page=/documentation/novelllogmanager11/log_manager_admin/data/bpfef67.html) in the Novell Sentinel Log Manager 1.1 Administration Guide.

1.3.6 Enhancements to Reports
Reports are enhanced to enable drill down to the events that make up the report. This drill-down option provides the ability to launch a search with the same query and time frame that was used to generate the report, so users can view details of the events used to generate the report. Multiple report definitions and report results can be exported at one time and multiple report definitions can be imported at one time either from a report definition export zip file or a Collector Pack file. For more information on these enhancements, see Reporting (http://www.novell.com/documentation/novelllogmanager11/log_manager_admin/?page=/documentation/novelllogmanager11/log_manager_admin/data/bjxdi87.html) in the Novell Sentinel Log Manager 1.1 Administration Guide. New report templates are added and existing report templates are updated. A few report templates that are not in use are also deleted. For more information on the available report templates, see Sentinel Log Manager Reports (http://www.novell.com/documentation/novelllogmanager11/log_manager_admin/?page=/documentation/novelllogmanager11/log_manager_admin/data/bl5jfoz.html) in the Novell Sentinel Log Manager 1.1 Administration guide.

1.3.7 Data Restoration
The new data restoration feature can restore the old, lost, or deleted event data. You can also perform a search on the restored event data. A new Data Restoration section has been added in the storage > Configuration user interface. You can select specific event partitions to restore event data and configure when the restored event partitions can expire again.
For more information on data restoration, see Restoring Event Data in Configuring Data Storage (http://www.novell.com/documentation/novelllogmanager11/log_manager_admin/?page=/documentation/novelllogmanager11/log_manager_admin/data/) in the Novell Sentinel Log Manager 1.1 Administration guide.

1.3.8 Upgrading Collectors and Connectors
When you install or upgrade to the Sentinel Log Manager 1.1 version, the Collectors and Connectors are upgraded to the most recent version at the time of that release.

1.4 What's New in Sentinel Log Manager 1.0.0.5
This version includes defect fixes. For more information, see Section 6.4, Issues Fixed in Sentinel Log Manager 1.0.0.5 Release.

2 System Requirements

There are no major changes in the system requirements since the Sentinel Log Manager 1.0 release.
NOTE: Sentinel Log Manager is supported only on the SLES 11 platform. Sentinel Log Manager is not supported on SLES 11 SP1 because of known issues while searching event data in the networked storage. For more information, see 666893 in Section 7, Known Issues.

For detailed information on hardware requirements and supported operating systems, browsers, and event sources, see the Novell Sentinel Log Manager 1.1 Installation Guide (http://www.novell.com/documentation/novelllogmanager11/log_manager_install/?page=/documentation/novelllogmanager11/log_manager_install/data/bookinfo.html).

3 Installing Novell Sentinel Log Manager 1.1
To install Novell Sentinel Log Manager 1.1, see the Novell Sentinel Log Manager 1.1 Installation Guide (http://www.novell.com/documentation/novelllogmanager11/log_manager_install/?page=/documentation/novelllogmanager11/log_manager_install/data/bookinfo.html).

4 Upgrading to Novell Sentinel Log Manager 1.1.0.2
To upgrade Novell Sentinel Log Manager to the latest patch, see Upgrading Sentinel Log Manager in the Novell Sentinel Log Manager 1.1 Installation Guide (http://www.novell.com/documentation/novelllogmanager11/log_manager_install/?page=/documentation/novelllogmanager11/log_manager_install/data/bookinfo.html).

5 Verifying Version Numbers After Upgrading
After upgrading Sentinel Log Manager to 1.1.0.2, the components display the following version numbers:

Table 1 Version Numbers After Upgrading

Components                     Version Numbers
Sentinel Log Manager Server    1.1.0.2_783
Collector Manager              1.1.0.0 (No changes in this patch)

6 Defects Fixed

Section 6.1, Defects Fixed in Sentinel Log Manager 1.1.0.2
Section 6.2, Defects Fixed in Sentinel Log Manager 1.1.0.1
Section 5, Defects Fixed in Sentinel Log Manager 1.1
Section 6.4, Issues Fixed in Sentinel Log Manager 1.0.0.5 Release

6.1 Defects Fixed in Sentinel Log Manager 1.1.0.2

Bug Number    Description
622002        The search result in Web UI now displays correct number of events in the correct order. Also, expected events are displayed when the search result is exported.
621236        Added additional checks to the code to protect the files owned by user who owns the Sentinel Log Manager install (usually novell) from access by unauthenticated users.

6.2 Defects Fixed in Sentinel Log Manager 1.1.0.1

Bug Number    Description
617918        Fixed an issue with the EventRouter that was causing duplicate events to be stored sporadically.

6.3 Defects Fixed in Sentinel Log Manager 1.1

524575

The Top 10 report for Intrusion Detection Systems can now be created as the DeviceAttackName field and is now included in the Events fields. The TargetUserName and InitiatorIP fields are now populating values as expected when the password for a user is changed. The InitiatorIP field is now populating values as expected when a user logs in to Sentinel Log Manager. New reports have been created that can be used to perform audits on internal events. You can now perform a wildcard search on events that contain uppercase characters. Additional search queries that you add in the Refine panel now displays appropriate results. The Refine panel now displays the count of events for the CustomerVar22 field, when it is added as an extra field to be displayed. Users with non-standard characters in their passwords can now log in to the Web user interface and ESM interface as expected. The Trust Management report now includes DEASSOC_TRUST events, which are generated when a user account is removed. The Configuration link in the Web user interface is now replaced with a gear icon, which indicates that the links next to it are configuration links. All JavaScript pop-up windows such as Search Tips, Run, and Delete now appear as expected on Internet Explorer 8 in French, Spanish, and Italian languages.

Bug Number    Description
503808        ESM now launches as expected the first time Sentinel Log Manager is installed on a server on which it was never installed before.
545436        Internal audit event fields such as initUserName, initIP, and targetUserNamedetails are now populated with appropriate values and are displayed in the search results.

6.4 Issues Fixed in Sentinel Log Manager 1.0.0.5 Release
This section lists the issues fixed in Novell Sentinel Log Manager 1.0.0.5 release.
Table 2 Issues Fixed in Sentinel Log Manager 1.0.0.5 Release

Tracking Number

581698
The latest version of agent-manager.jar file is bundled with the hot fix 5 to enable legacy collectors to send event data. The latest version of libuuid.jar file is now bundled with the hot fix 5 build, to enable the collector debugger to function properly. The installer now checks for the jre64 directory name. Upgrading on a remote 64 bit Linux Collector Manager now works fine. The All Vendors All Products Top 10 Report is now installed when a user upgrades from versions older than Hot Fix 3. The start_tomcat.sh script now attempts to read the user specified SERVER_IP value from the ipaddress.conf file. If the ipaddress.conf file is not present or if the IP address is not set in the file, then the script determines the IP address automatically. To enable the script to read the SERVER_IP value from the configuration file, create the ipaddress.conf file in the $ESEC_HOME/config directory and specify the IP address in the following format:
SERVER_IP=<ip address value>
For example, SERVER_IP=10.0.0.583775 Users can now download raw data files with double byte characters in their names. Now, when a non-admin user clicks the Get Raw Data link, the following error message is displayed in the resulting page:
Must be an Administrator to download Raw Data
563886 The Collector framework now does not overwrite the event fields other than the rv21-rv25 fields. However, the Sentinel Link collector 6.1r3 still contains a known issue (bug 536119), which causes the Event ID field and the Port fields to be overwritten. Removed the extra / added to the URL so that if you click the Help button from Web UI, the Novell Sentinel Log Manager documentation page opens.

580749

586957 591055, 591059
Clicking details+ in Web UI now expands even for events with empty rv32 field. Issue: Fixed an issue so that after upgrading to Hot fix 4, the data parsed by Collectors is displayed in the generated report.

7 Known Issues

666893
Issue: Installing any version of Sentinel Log Manager 1.1 on SLES 11 SP1 causes an incompatibility issue between the mksquashfs tool version 3.4 used by Sentinel Log Manager to archive compressed data and the squashfs kernel module version shipped with SLES 11 SP1 (version 4.0). The squashfs version 4.0 is not backward compatible and cannot open a squashed file system created with previous versions. This incompatibility results in issues while searching and running reports on the event data in the networked storage. Workaround: None. If you have already upgraded the system to SLES 11 SP1, contact Novell Technical Support (http://support.novell.com/contact/getsupport.html?sourceidint=suplnav4_phonesup) for support.

620681

Issue: In ESM, the Collector nodes are incorrectly being set to the stopped state during a restart of the server. However, this is a sporadic issue. Workaround: After restarting the server, log in to ESM and ensure that Collectors that are supposed to be running are set to the start state.

620100

Issue: Legacy Collectors do not work on remote Collector Managers. Workaround: Modify the ESEC_HOME/config/collector_mgr.xml file in the remote Collector Manager machine.
1. Open the ESEC_HOME/config/collector_mgr.xml file in any editor.
2. Change the following lines:
<property name="workbench.home">.</property>
<property name="properties.file">./config/collector_mgr.properties</property>
<property name="esecurity.home">.</property>
to:
<property name="workbench.home">${user.dir}/.</property>
<property name="properties.file">./config/collector_mgr.properties</property>
<property name="esecurity.home">${user.dir}/.</property>
3. Restart the remote Collector Manager services.

617318

Issue: After you upgrade an earlier version of Sentinel Log Manager to Sentinel Log Manager 1.1, the Save as Report > Visualization drop-down list should include only report templates. However, a few Collector-specific reports might still appear in the Visualization list because they might not be deleted during the upgrade if they were in use prior to the upgrade. Workaround: This happens because the Collector-specific reports that appear in the list were not automatically updated during the upgrade. Download the updated Collector Pack from the Sentinel 6.1 Content Web site (http://support.novell.com/products/sentinel/sentinel61.html) and upload the pack by using the Sentinel Log Manager report upload option.

617663

Issue: On the Collections > Event Source Servers page, when you modify more than one field of an event source and click Save to refresh the page, only one field is updated and the other fields show the old values. Workaround: Change the values for the fields one at a time. Click Save after modifying each field.

617477

Issue: Clicking alt+left on an event field in the search results to add a NOT clause to an empty query does not work as expected because purely NOT criteria queries are not allowed. Workaround: alt+left clicking works as expected if you begin the search with a sev:[0 TO 5] query instead of an empty query. The events that are retrieved are the same for both the queries.

618294

Issue: The Event Summary, Top 10 Report, and Top 10 Dashboard base reports display events with -0- value instead of blank values when the Primary field is null. Workaround: For the Event Summary and Top 10 reports, do not select the Primary fields that have no data (is null). For the Top 10 Dashboard reports, ignore the graphs of the fields that have -0- as the value in the X axis.

617103

Issue: Exceptions are logged in the server_wrapper.log file, when large reports are run with NFS archiving configured. Workaround: Run large reports when the EPS is at its lowest (e.g. at night or on weekends). More disks in the local storage RAID array might also help.

614686

Issue: Search query times out and exceptions are logged while large reports are run on systems that have about 200 million events. Workaround: Avoid running large reports when performing large searches.

613960

Issue: The remote Collector Manager Installshield Wizard displays Sentinel 6.1 instead of Sentinel Log Manager. Workaround: None. This is a user interface issue.

608905

Issue: The Sentinel Log Manager user interface does not prompt to restart Sentinel services after you add a license key and does not perform some operations as expected. Workaround: Restart the Sentinel Log Manager server after adding the license key.

606567

Issue: On the appliance, the platform version is logged every two minutes via a kernel message to syslog at /var/log/messages. Workaround: These messages are sent purposely so that the operating system can inform Sentinel Log Manager what version it is. If these messages cause problems for some reason, disable the wtmpmon script to prevent them from being generated.

593435

Issue: The Sentinel Log Manager server does not function as expected if the Sentinel Log Manager 1.1 installation is relocated to a base directory that has spaces in its path. For example, /home/user/Sentinel Log Manager. Workaround: Ensure that the directory does not include spaces in its path.

560966

Issue: While configuring the File Connector, when you click Browse to add an event source, the file browser does not appear and exceptions are logged in the control center log file. Workaround: Specify or copy/paste the desired file path into the field rather than using the Browse button.

577073

With about 3000 event sources, when the raw data partitioning goes from open > log state, the EPS rate goes down to 0. Workaround: Install additional instances of Sentinel Log Manager so that the total number of event sources per instance is fewer than the recommended device limits as given in the System Requirements. For more information, see System Requirements (http://www.novell.com/documentation/novelllogmanager11/log_manager_install/?page=/documentation/novelllogmanager11/log_manager_install/data/bjx8zq7.html) in the Novell Sentinel Log Manager 1.1 Installation Guide.

617350

Issue: WebYaST reports a DBus.Error.LimitsExceeded error when patch updates are being installed. Workaround: Restart the yastws service:
/etc/init.d/yastws restart
Alternatively, click Reboot in the Control Panel to restart the machine.

607684

Issue: When you boot the machine from an ISO appliance image, i.e. run the ISO as live CD/DVD, if you run patch updates through WebYast > Updates, the system goes to a nonresponsive state. Workaround: Install the Live DVD to the hardware and then run the patch updates.

609187

Issue: On systems that have more than a million events, after you initiate report generation and click Cancel to cancel the report generation, report generation is still in progress and does not cancel. Workaround: None.

593788

Issue: Sentinel Log Manager takes approximately 5 minutes to log in to the Web User Interface the first time after installation. Workaround: None.

510824

Issue: After you click the details++ link for the individual search results, the all details++ and all details-- links do not work as intended for the first 25 events. Workaround: None.

548515

Issue: The sample reports in Sentinel Log Manager show user data such as Full Name, Department, and Workforce ID that are not available in Sentinel Log Manager. Workaround: None.

509549

Issue: In the Search Results page with more than 75,000 events, when you scroll down to view the events, the scroll bar does not stop at the scrolled point and changes its location frequently. Workaround: None.

615572

Issue: Sentinel Log Manager allows you to change the IP address of the target server while editing the target server details and does not display any message saying that the specified IP address is different. Workaround: None.

545436

Issue: When you stop a Collector, the stopcollector internal event is generated twice in the event logs. The second stopcollector event that is generated does not show proper values for initUserName, initIP, and targetUserNamedetails event fields. Workaround: None.

612557

Issue: The SentinelLogManager tag, which is a default tag to tag the internal events, can be deleted. However, the internal events are still tagged with the SentinelLogManager tag, even after the tag is deleted. Workaround: As this is a default tag, do not delete it.

622213

Issue: After upgrading Sentinel Log Manager 1.1.0.1, exceptions are logged in the server0.0.log file. Workaround: You can ignore these exceptions as they do not cause any loss of functionality.

619920

Issue: After upgrading, the dbconfig command does not modify the objcomponent.ConnectionManager.properties file. Workaround: You must manually modify the objcomponent.ConnectionManager.properties file.

623885

Issue: After upgrading, the syslog event source server configured on the remote Collector Manager appears with a red cross mark. Workaround: Restart the remote Collector Manager service.
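
Known issue 666893 above turns on the on-disk format version of the archived squashfs images. The following Python code is an added example, not part of the release notes and not Novell code: it reads the squashfs superblock of each archive file and lists the images whose major version is older than the kernel module's 4.0, so they can be found before an operating system upgrade. The function names and sample file names are hypothetical, the sample headers are constructed, and the offsets used (magic at byte 0, major and minor version at bytes 28 and 30) are those of the standard squashfs superblock.

```python
import os
import struct
import tempfile

# squashfs superblock magic; its byte order gives the endianness of the image.
MAGIC_LE = b"hsqs"
MAGIC_BE = b"sqsh"
# Major version of the squashfs kernel module in SLES 11 SP1, per the release notes (4.0).
KERNEL_MAJOR = 4


def squashfs_version(header):
    """Return (major, minor) from the first 32 bytes of an image, or None."""
    if len(header) < 32:
        return None
    if header[:4] == MAGIC_LE:
        order = "<"
    elif header[:4] == MAGIC_BE:
        order = ">"
    else:
        return None  # not a squashfs image
    # s_major and s_minor are 16-bit fields at byte offsets 28 and 30.
    return struct.unpack_from(order + "HH", header, 28)


def read_version(path):
    """Read only the superblock prefix of a file and return its version."""
    with open(path, "rb") as fh:
        return squashfs_version(fh.read(32))


def find_unmountable(paths, kernel_major=KERNEL_MAJOR):
    """Return {path: (major, minor)} for images older than the kernel module."""
    stale = {}
    for path in paths:
        version = read_version(path)
        if version is not None and version[0] < kernel_major:
            stale[path] = version
    return stale


def make_header(magic, major, minor):
    """Constructed sample: a 32-byte prefix with only magic and version set."""
    order = "<" if magic == MAGIC_LE else ">"
    return magic + bytes(24) + struct.pack(order + "HH", major, minor)


def demo():
    """Write constructed sample files and report the ones a 4.0 module cannot open."""
    samples = {
        "archive_old.sqfs": make_header(MAGIC_LE, 3, 1),
        "archive_old_be.sqfs": make_header(MAGIC_BE, 3, 1),
        "archive_new.sqfs": make_header(MAGIC_LE, 4, 0),
        "not_squashfs.bin": bytes(32),
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        stale = find_unmountable(paths)
        return sorted((os.path.basename(p), v) for p, v in stale.items())


if __name__ == "__main__":
    for name, (major, minor) in demo():
        print(f"{name}: squashfs {major}.{minor} is older than kernel module {KERNEL_MAJOR}.x")
```

Pass the paths of real archive files to find_unmountable to inventory a networked storage location; only the first 32 bytes of each file are read.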

8 Documentation

The updated documentation and release notes are available at the Sentinel Log Manager documentation site (http://www.novell.com/documentation/novelllogmanager11/).

9 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverable. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2010 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).

All third-party trademarks are the property of their respective owners.

doc1

5 Searching
5.1 Running an Event Search
5.1.1 Running a Basic Search
5.1.2 Running an Advanced Search
5.1.3 Search Expression History
5.2 Viewing Search Results
5.2.1 Basic Event View
5.2.2 Event View with Details
5.3 Refining Search Results
5.4 Searching for Events with Empty or Non-Empty Fields
5.4.1 Searching for Events with a Non-Empty Field
5.4.2 Searching For Empty Fields
5.4.3 Disabling the notnull Field Storage
5.5 Exporting Search Results
5.6 Saving a Search Query
5.6.1 Saving a Search Query as a Report Template
5.6.2 Saving a Search Query as a Rule
5.6.3 Saving a Search Query as a Retention Policy
5.7 Sending Search Results to an Action

6 Reporting
6.1 Running Reports
6.2 Viewing the Reports
6.2.1 Viewing the Report Result in PDF Format
6.2.2 Drilling Down into Report Results
6.2.3 Viewing Report Parameters
6.3 Scheduling a Report
6.4 Adding Report Definitions
6.4.1 Extracting Reports from Collector Packs
6.4.2 Adding or Uploading a Report
6.5 Renaming a Report Result
6.6 Marking Report Results as Read or Unread
6.6.1 Marking a Single Report Result as Read or Unread
6.6.2 Marking Multiple Report Results as Read or Unread
6.7 Managing Favorite Reports
6.7.1 Adding Reports as Favorites
6.7.2 Removing Favorite Reports
6.8 Exporting Report Definitions and Report Results
6.8.1 Exporting a Single Report Definition
6.8.2 Exporting Selected Report Definitions
6.8.3 Exporting All Report Definitions
6.8.4 Exporting a Report Result
6.9 Deleting Reports
6.9.1 Deleting a Report Definition
6.9.2 Deleting Multiple Report Definitions
6.9.3 Deleting a Report Result
6.9.4 Deleting Multiple Report Results

7 Searching and Reporting Events in a Distributed Environment
7.1 Overview
7.2 Configuring Servers for Distributed Searching and Reporting
7.2.1 Enabling Distributed Search
7.2.2 Adding a Search Target Server by Using the Administrator Credentials
7.2.3 Adding a Search Target Server by Using the Opt-in Password
7.3 Searching for Events
7.4 Managing the Distributed Search Results
7.5 Viewing the Search Activities
7.6 Running Reports
7.7 Managing the Distributed Setup Configuration
7.7.1 Editing the Search Target Server Details
7.7.2 Disabling or Deleting a Search Target Server
7.7.3 Editing the Search Initiator Server Details
7.7.4 Disabling or Deleting a Search Initiator Server
7.8 Troubleshooting
7.8.1 Permission Denied
7.8.2 Connection Down
7.8.3 Unable to View Raw Data
7.8.4 Problems Adding Search Target
7.8.5 Certain Events Are Only Visible from the Local System
7.8.6 Cannot Run Reports on the Target Servers
7.8.7 Different Users Might Get Different Results
7.8.8 Cannot Set the Admin Role as the Search Proxy Role
7.8.9 Error Logs

3.3 Configuring Data Retention Policies
The data retention policies control when data is deleted from the system. A retention policy contains a filter that is used to identify the events for which the retention policy applies and the minimum and maximum number of days these events should be kept in the system. You can configure one or more data retention policies to control the duration for which specific types of events are retained in Sentinel Log Manager. Except for the Raw Data Retention policy, all of the configured policies apply to the event data. The configured retention policies are displayed in the data retention policy table. By default, the data retention policy table is refreshed every 30 seconds to reflect the changes made by multiple administrators.
Section 3.3.1, Raw Data Retention Policy, on page 42 Section 3.3.2, Event Data Retention Policies, on page 43 Section 3.3.3, Rules for Applying a Retention Policy, on page 45
3.3.1 Raw Data Retention Policy
The Raw Data Retention policy controls the duration for which the raw data is kept in the system before it is deleted. The Raw Data Retention policy cannot be deleted or disabled. However, you can modify the Keep at most and Keep at Least values, which determine the maximum number of days after which the raw data file is deleted and the minimum number of days for which a raw data file is kept. The process to delete raw data files runs every time the server is started, every hour because that is when the raw data files are closed, and whenever the Keep at most value is changed. All the files exceeding the retention time are removed permanently from the local and networked storage locations.
3.3.2 Event Data Retention Policies
The event data retention policies control the duration for which different types of event data are kept in the system before being deleted.
Adding a Data Retention Policy on page 43 Activating or Deactivating a Data Retention Policy on page 44 Modifying a Data Retention Policy on page 44 Deleting a Data Retention Policy on page 45
Adding a Data Retention Policy
1 Log in to Sentinel Log Manager as an administrator.
2 Click the storage link in the upper left corner of the page.
3 Click the Configuration tab.
4 In the Data Retention section, click the Add a policy option located at the top right corner of the policy table.

3.4 Configuring Disk Space Usage
If networked storage is enabled, the event data is copied to the networked storage location after two days, and a local copy remains until space is available. Raw data is moved to the networked storage location after approximately one hour.
1 Log in to Sentinel Log Manager as an administrator.
2 Click the storage link in the upper left corner of the page.
3 Click the Configuration tab. In the Disk Space Usage section, the Local Storage Size field displays the total storage size currently used by Sentinel Log Manager.
4 Specify the local storage utilization value:
Specify a value to start the data storage from local storage when the specified value is reached.
Specify a value to stop the data storage from local storage when the specified value is reached.
These settings are the settings at which Sentinel Log Manager starts (and stops) deleting the duplicate data files that are in local storage. These copies are kept in the local storage until this disk usage threshold is reached in order to speed up searches and reports. When the threshold is reached and files are deleted, the networked storage becomes the sole location for the data. Networked storage size specifies the value of the networked storage space.
5 Specify the maximum archive size to be used as part of the total available archive size.
3.5 Verifying and Downloading Raw Data Files
The raw data files for each event source are compressed and moved to networked storage every hour and the file hash is computed for networked storage files. The file hash is used to check the integrity of the files in the networked storage.
1 Log in to Sentinel Log Manager as an administrator.
2 Click the storage link in the upper left corner of the page.
3 Click the Raw Data tab.
4 In the Raw Data section, select the desired Collector and Connector combination from the Event Source hierarchy drop-down list.
5 The Event Source field displays the list of associated event sources (hostnames or IP addresses). Select the event source from the drop-down list. The table displays the list of local and networked storage raw data files for the selected event source.
6 Click Select All to select all the files in the table.
7 To select a raw data file, select the check box next to the raw data file. The Verify Integrity and Download options are only enabled when you select a file from the table.
8 Click Verify Integrity to verify the integrity of the selected files in the networked storage by comparing the hash values for the selected files in the networked storage. If integrity verification is successful, a green icon is displayed next to the filename in the Integrity Ok? column. If it fails, a red icon is displayed.
The hash is computed and updated in database only for the files in the networked storage, but not for the local raw data files. Because the raw data files are updated until they are moved to networked storage, the hash value cannot be computed or updated for these files. It is not possible to check the integrity of the local raw data files.

Figure 5-1 Search Expression History List
When you enter a text value in Search, the closely matched search expressions appear in the recently used search expression list.
When the text is not entered in Search, the search history displays all the recently used search expressions. The most recent search expression appears at the top of the list.
For each user, a maximum of 250 search expressions is stored. If the number of search expressions exceeds 250, the oldest expressions are deleted from the list.
5.2 Viewing Search Results
Searches return a set of events. You can view the search results in the basic view or in the advanced view. When results are sorted by relevance, only the top 50,000 events can be viewed. When they are sorted by time, all the events in the system are displayed.
Section 5.2.1, Basic Event View, on page 82 Section 5.2.2, Event View with Details, on page 83

5.2.1 Basic Event View

The information in each event is grouped into General Event information, Initiator information, Target information, Observer Information, Reporter information, and Customer values and retention policy information.
To view the raw data information:
1 Launch the Event Source Management (Live View) window.
2 Select the Open Raw Data Tap option to display the Raw Data window. You can view the detailed information in the Raw Data Details section.
NOTE: You must have the necessary permissions to view all data. For more information, see Section 10.1.3, Setting Permissions, on page 161.
Occasionally, the search engine might index events faster than they are inserted into the data directory. If you run a search that returns events that were not added to the data directory, you get a message indicating that some events match the search query, but they are not found in the data directory. If you run the search again later, the events are added to the data directory and the search is shown as successful.
5.2.2 Event View with Details
1 To view details about all events, click the all details link at the top of the search results page. You can expand or collapse the details for all events on a page by using the all details++ or all details-- link.
2 To view details such as the Message, Event ID, and default data retention duration information for any individual event, click the details+ link next to the event. You can expand or collapse the information for the events by clicking the details+ or details- link.

If the report includes time period parameters, choose the date range. All time periods are based on the local time for the browser.
Current Day: Shows events from midnight of the current day until 11:59:00 p.m. of the current day. If the current time is 8:00:00 AM, the report shows 8 hours of data.
Previous Day: Shows events from midnight yesterday until 11:59:00 p.m. yesterday.
Week To Date: Shows events from midnight Sunday of the
Previous Week: Shows events for the last seven days.
Month to Date: Shows events from midnight the first day of the current month until the end of the selected day.
Previous Month: Shows events for a month, from midnight of the first day of the previous month until 11:59:00 p.m. of the last day of the previous month.
Custom Date Range: Shows events for a period whose start and end date are chosen.
Top N: Specify a maximum number of value for the search event.
Primary Event Field: Specify the primary event tag for primary grouping.
Event Field: Specify the secondary event tag.
Minimum Severity: Specify the minimum severity value of the events to be displayed. The default value is 0.
Maximum Severity: Specify the maximum severity value of the events to be displayed. The default value is 5.
8 Specify the e-mail address in the Email Report to field. If you want to mail the report to more than one user, specify the e-mail addresses separated by a comma. To enable mailing reports, configure the mail relay under Rules > Configuration.
9 Click Run. A report results entry is created and mailed to the chosen recipients.

6.2 Viewing the Reports

Novell Sentinel Log Manager users can view the report template and report results that are in the system. The reports are loaded and displayed in the left pane of the page. Click More > Show All Reports to view all reports or click More > Only Show Scheduled Reports to show only the scheduled reports. The report results for each user vary depending on the data security settings configured for the role of that user. All the report results are ordered by the creation time. If there is more than one report, the show more link displays the other report results. In the Report Viewer, the Favorites and Other sections show the number of unread reports with a blue dot next to them. The count next to Favorite and Other shows the number of report definitions under the Favorite and Other sections. A blue dot next to the report result indicates that the report result is unread. For more information, see Marking Report Results as Read or Unread on page 103.

JasperForge iReport: You can modify or write reports by using JasperForge iReport, which is a graphical report designer for JasperReports. iReport is an open source report development tool that is available for download from JasperForge.org (http://jasperforge.org/plugins/project/project_home.php?group_id=83) (as of the time of this publication). New or modified reports can include additional database fields that are not presented in the Sentinel Log Manager interface. They must adhere to the file and format requirements of the report plug-ins. For more information about database fields and file and format requirements for report plug-ins, see the Sentinel SDK Web site (http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel). This section has the following information:
Section 6.4.1, Extracting Reports from Collector Packs, on page 101 Section 6.4.2, Adding or Uploading a Report, on page 102
6.4.1 Extracting Reports from Collector Packs
Collector Packs contain the event source setup instructions, associated scripts, utilities, and the Sentinel Log Manager reports specific to the data of the associated Collector. The Collector Pack Extractor utility allows you to extract the Collector packs. You can use the instructions and scripts to configure the associated event sources. The reports that are extracted from the new Collector can be uploaded to the Sentinel Log Manager. These Collector Packs are available on the Sentinel Plug-ins Web site (http://support.novell.com/products/sentinel/sentinel61.html).


To extract the reports from the Collector Packs:
1 Copy the Collector Packs from where you want to extract the event source setup instructions, associated scripts and utilities, and Sentinel Log Manager reports to a temporary directory.
2 Download the Collector Pack Extractor from the Sentinel Plug-ins Web site (http://support.novell.com/products/sentinel/sentinel61.html). It is available under the Utilities tab.
3 Copy the cpextractor.jar file to the directory where you copied the Collector Packs.
4 Execute the jar file in one of the following ways, depending on your operating system:
On Windows: Double-click the jar file (if the Java environment is properly configured).
On Linux: Run the java -jar cpextractor.jar command.
For each Collector Pack, a new directory is created with the same base name of the Collector. The newly created directory contains the following:
jasperreports: A subdirectory that contains all the extracted Sentinel Log Manager reports.
instructions.txt: (Optional) A text file with the required instructions to configure the event source.
This directory can also contain additional files required for the event source configuration.
5 To proceed with event source configuration, follow the instructions provided in Section 4.4, Configuring Data Collection for Other Event Sources, on page 65.
6 For any additional steps required to configure event source, follow the steps given in the instructions.txt file.
To add a report, see Adding Report Definitions on page 101.

IP Address/DNS Name: IP address or the DNS name of the target server.
Port: Port number of the target server. The default port number is 8443. The target server and search initiator do not need to be on the same port.
User Name: User name to log in to the target server. This must be a user with administrator privileges.
Password: Password associated with the user name.
5 Click Login. The Confirm Certificate page is displayed.
6 Verify the Certificate information, then click Accept. The Add Search Target page is displayed. It lists the various proxy roles on target server.
116 Sentinel Log Manager 1.2 Administration Guide
7 In the Name field, specify a descriptive name that you want to give to the search target. This helps you to easily identify the target server by a name instead of by its IP address or DNS name.
8 Select a search proxy role that you want to assign to the search initiator. When the search initiator makes search requests to the target server, the proxy role's security filter is used when performing the search. Only events that pass the proxy role's security filter are returned to the search initiator server. Only roles that have the Proxy for Authorized Search Initiators permission are listed. This permission is required for the target server to accept and process incoming search requests from the search initiator server.
9 Click OK.
The server information is listed in the Search Targets list.
You can now search events or view event reports from the target server. For more information, see Section 7.3, Searching for Events, on page 121 and Section 7.6, Running Reports, on page 125.
7.2.3 Adding a Search Target Server by Using the Opt-in Password
In organizations where administrative control of Sentinel Log Manager servers is decentralized, it might violate the security policy to share administrator passwords. However, Sentinel Log Manager allows you to share a limited-purpose opt-in password to add target servers, which is more secure than requiring full administrator credentials. If you are not the administrator of the target server, you can set an opt-in password in the search initiator server, then provide the opt-in password to the target server administrators to allow them to opt in to the search initiator server. When a target server opts in to the search initiator, a message is sent to the search initiator server requesting that it be added to the list of target servers maintained by the search initiator server. The request authorizes the search initiator to access event data on the target server. The search initiator requires an opt-in password to verify that the opt-in request has originated from a valid target server. During the opt-in process, the search initiator and the target server exchange the appropriate password, which allows the target server to authenticate the search requests from the search initiator. This procedure is similar to adding a target server, but it is done from the target server instead of the search initiator server.

NERC NETD Network Network Security NISPOM O OS OverEPSLimit PCI SentinelLogManager SOX VPN

Windows: Tag for Windows related data

8.2 Creating a Tag

1 Log in to Sentinel Log Manager.
2 Select Tags in the left-hand pane. The Tag display panel is displayed.
3 Click Create to add a tag. The Create Tag window is displayed.
4 Specify a name for the tag. This is a mandatory field. Tags have the following naming conventions and you are warned if the name you are specifying does not comply with these conventions:
Tag names should not be more than 20 characters.
There should not be any white space as part of the tag name.
Tag name is case-insensitive. You cannot create two tags with identical names except for capitalization. For example, you cannot have two tag names IDM and idm, because both are perceived as same names.
Articles such as a and the cannot be tag names.
5 Specify a description for the tag. This is an optional field. If the tag name is available, a message is displayed. If a tag with the same name already exists, then you are informed of the same so that you can create a tag with a different name.
6 Click Save.


8.3 Managing Tags
You can sort, search, or find tags by using the UI. This section has the following information:
Section 8.3.1, Using the Tag Selector Widget, on page 136 Section 8.3.2, Sorting Tags, on page 136 Section 8.3.3, Adding and Removing Tags from Favorites, on page 136 Section 8.3.4, Viewing and Modifying Tag Description, on page 137
8.3.1 Using the Tag Selector Widget
The tag widgets are a useful feature that allows you to quickly add tags to data collection, object, reports and report templates or search for events with a particular tag.
To tag reports and report templates with a particular tag, click the icon, then select the name of the tag from the dialog box that opens.
To search events with a particular tag, click the icon next to the Search field, then select the tags from the dialog box that opens.

8.3.2 Sorting Tags

You can sort tags either based on their names or based on the number of objects associated with the tags. To sort tags:
1 Log in to Sentinel Log Manager.
2 Select Tags in the left-pane.
3 Select Sort by Name in the drop-down list, to sort the tags in the alphabetical order, based on the tag name.
4 Select Sort by Count in the More drop-down list, to sort based on the number of objects associated with them.
5 Click OK.
8.3.3 Adding and Removing Tags from Favorites
You can add the frequently used tags to the Favorites section so that it is easier to locate them and associate them with objects. When a tag is added to the Favorite section, it is removed from the Other section. To add a tag to the Favorites section:
1 Log in to Sentinel Log Manager.
2 Select Tags in the left-hand pane.
3 To add a tag to the Favorites section, select the tag, then select Add to Favorites from the More drop-down list. The selected tag is displayed in the Favorites section.
4 To delete a tag from the Favorites section, select the tag, then select Remove From Favorites from the More drop-down list.

6 Click Delete to delete the selected rule. If the rule is deleted, a Successfully Deleted Rule message is displayed.
9.1.5 Activating or Deactivating a Rule
New rules are activated by default. If you deactivate a rule, incoming events are no longer evaluated according to that rule. If there are already events in queue for one or more actions, it might take some time to clear the queue after the rule is deactivated. If the On check box beside the rule is selected, it indicates that the rule is activated. If the On check box is not selected, then it indicates that the rule is deactivated.
1 Log in to the Sentinel Log Manager as an administrator.
2 Click rules in the upper left corner of the page.
3 The Rules tab is displayed on the right pane of the page. Existing rules appear on the page.
4 To activate the rule, select the check box next to each rule, in a column headed On. If the rule is activated, a Successfully activated the rule message is displayed.
5 To deactivate the rule, select the check box next to each rule, in a column headed On. If the rule is deactivated, a Successfully deactivated the rule message is displayed.

9.2 Configuring Actions

You can configure actions to deliver an event to one or more actions when it meets the criteria specified by one of the rules. An incoming event is evaluated against each filtering rule in the specified order until a match is found, then the delivery actions associated with that rule are executed. Actions are added, deleted, and modified independent of the rules that use them. However, an action that is associated with one or more rules cannot be deleted. NOTE: Events are processed by the associated actions one at a time. You should therefore consider performance implications when selecting the output action to which events are sent. For example, the Log to File action is the least resource-intensive, so it can be used to test rule criteria to determine the data volume before sending a flood of events to e-mail or syslog. Also, when you set up the Send to e-mail action, you should consider how many events the recipient can effectively handle, and adjust the filtering on the rule accordingly. Event output is in JavaScript Object Notation (JSON) format, which is a lightweight data exchange format. Events consist of field names (such as evt for Event Name) followed by a colon and a value (such as Start), separated by commas. For example:
{"st":"I","evt":"Start","sev":"1","sres":"Collector","res":"CollectorManager","rv99":"0","rv1":"0","repassetid":"0","rv77":"0","agent":"Novell SecureLogin","obsassetid":"0","vul":"0","port":"Novell SecureLogin","msg":"Processing started for Collector Novell SecureLogin (ID D892E9F0-3CA7-102B-B5A1-005056C00005).","dt":"1224204655689","id":"751D97B0-7E13-112B-B933-000C29E8CEDE","src":"D892E9F0-3CA7-102B-B5A2-005056C00004"}
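The guide suggests using the Log to File action to gauge data volume before routing a rule to e-mail or syslog. The following is an added example, not part of the guide or of Sentinel Log Manager, that summarizes such a file. It assumes the file holds one JSON event per line and that dt is a Unix timestamp in milliseconds; the function names and all sample events except the first are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample. The first event is the guide's example (abbreviated);
# the others are made up for this example, including one truncated line.
SAMPLE_LOG = "\n".join([
    '{"st":"I","evt":"Start","sev":"1","sres":"Collector","res":"CollectorManager",'
    '"agent":"Novell SecureLogin","dt":"1224204655689"}',
    '{"evt":"Authentication Failed","sev":"4","dt":"1224204660000"}',
    '{"evt":"Authentication Failed","sev":"4","dt":"1224204661000"}',
    '{"evt":"Stop","sev":"1","dt":"1224204715689"}',
    '{"evt":"Start","sev":',
])


def _to_int(value):
    """Field values arrive as strings; return None when one is missing or bad."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parse_events(text):
    """Return (events, errors); errors is a list of (line number, reason)."""
    events, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append((lineno, exc.msg))
            continue
        if not isinstance(obj, dict) or "evt" not in obj:
            errors.append((lineno, "no evt field"))
            continue
        ms = _to_int(obj.get("dt"))  # assumption: epoch milliseconds
        events.append({
            "evt": obj["evt"],
            "sev": _to_int(obj.get("sev")),
            "time": EPOCH + timedelta(milliseconds=ms) if ms is not None else None,
        })
    return events, errors


def summarize(events):
    """Count events by name and severity and estimate the hourly rate."""
    times = sorted(e["time"] for e in events if e["time"] is not None)
    span = (times[-1] - times[0]).total_seconds() if len(times) > 1 else 0.0
    return {
        "total": len(events),
        "by_evt": Counter(e["evt"] for e in events),
        "by_sev": Counter(e["sev"] for e in events),
        "first": times[0] if times else None,
        "last": times[-1] if times else None,
        # No rate can be estimated from a single timestamp.
        "per_hour": len(events) * 3600 / span if span > 0 else None,
    }


def fits_recipient(summary, max_per_hour):
    """True when the observed rate stays within what a recipient can handle."""
    rate = summary["per_hour"]
    return rate is not None and rate <= max_per_hour


if __name__ == "__main__":
    parsed, rejected = parse_events(SAMPLE_LOG)
    report = summarize(parsed)
    print("events:", report["total"], "rejected lines:", rejected)
    print("by name:", dict(report["by_evt"]))
    print("by severity:", dict(report["by_sev"]))
    print("estimated events/hour:", report["per_hour"])
    print("fits a 100/hour mailbox:", fits_recipient(report, 100))
```

A rule whose estimated rate exceeds what the recipient can handle is a candidate for tighter filtering before the Send to e-mail action is attached.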

Action Name: Specify an action name. Make sure that the action name is unique.
SMTP Server: Specify the hostname or IP address of an available SMTP server.
Port: Specify the port number of an available SMTP server.
Test: (Optional) Click Test to validate the hostname or IP address, port, username, and password fields.
Username: If the SMTP server requires authentication, specify a username.
Password: Specify the password for SMTP server.
Send To: Specify one or more e-mail addresses for recipients, separated by commas.
From: Specify an address from where the e-mail messages are sent.
Subject: Specify the subject line for the e-mail.
9.2.5 Sending the SNMP Traps
All Sentinel Log Manager events that meet the filter criteria for which the Send SNMP Traps action is defined are sent to the specified SNMP addresses. To configure the Send SNMP Traps action, you need the connection information for an SNMP server, including the IP address and the port number.
1 Log in to the Sentinel Log Manager as an administrator.
2 Select rules > Actions, then click Add Action.
3 Select the Send SNMP Trap action type. The SNMP screen appears.
Action Name: Specify an action name. Make sure that the action name is unique.
Destination: Specify the IP address or hostname of the SNMP server you want to send the
Port: Specify the port number for the SNMP server. The default port is 162.
Test: (Optional) Click Test to validate the hostname or IP address and port number.
Community String: Specify the community string (password) to access the SNMP management system. If no community string is specified, the Integrator sets the default value to public.
OID: Specify the desired ASN.1 object ID you want to associate with this message. If no Object ID is specified, the Novell Audit internal OID is used (2.16.840.1.113719.1.347.3.1).
5 Click Save. If the action is configured, a Successfully Added Action message is displayed.
9.2.6 Sending the Events to a Sentinel Link
Sentinel Link provides the ability to hierarchically link multiple Sentinel systems, including Sentinel Log Manager and the two Sentinel SIEM (Security Information Event Management) systems, Novell Sentinel and Novell Sentinel Rapid Deployment (RD) systems. Sentinel Link provides several benefits:
Several Sentinel Log Managers can be linked in a hierarchical manner. Regional or distributed

To allow a user to view system events, select View System Events.
10.1.3 Setting Permissions
You can assign the following permissions to the role:
Manage Reports: When this permission is set on a role, all members of that role can run reports, view, rename and delete report results, add and delete report templates and results. For more information on reports, see Chapter 6, Reporting, on page 95.
Manage Tags: When this permission is set on a role, all members of that role can create, delete and modify tags, and associate tags to different event sources. For more information on tags, see Chapter 8, Configuring Tags, on page 133.
Search Remote Targets: When this permission is set on a role, all members of that role can perform searches on event sources that are in a distributed location. For more information on distributed searching and reporting, see Chapter 7, Searching and Reporting Events in a Distributed Environment, on page 113.
Proxy for Authorized Search Initiators: When this permission is set on a role, the members of this role can accept searches from remote targets.
10.2 Creating Roles and Users
Section 10.2.1, Creating Roles, on page 162 Section 10.2.2, Creating Users, on page 163

10.2.1 Creating Roles

1 Log in to the Sentinel Log Manager as an administrator.
2 Click the users link in the upper left corner of the page. The Users tab is displayed in the right pane of the page.
3 Click Add in the Roles section to create a new role. The New Role creation form is displayed.
4 Specify a name for the role and a brief description about the role. A role name cannot exceed 40 characters.
5 Specify the values to filter events that a user can view. For more information on filters, see Section 10.1.2, Filtering Data, on page 161.
6 Select the permissions that you want to set for the users of the role. For more information, see Section 10.1.3, Setting Permissions, on page 161.
7 Click Save.
8 To create users for this role, continue with Section 10.2.2, Creating Users, on page 163.


Description/Action

Base DN
If Anonymous Search is Yes: The root node in the LDAP directory under which to search for users. This is optional for eDirectory, and mandatory for Active Directory. For eDirectory, if the Base DN is not specified, the entire directory is searched to locate the users.
If Anonymous Search is No: The root node in the LDAP directory that contains the users. This is mandatory if you are using Active Directory and if you set a domain name. For all other cases, this is optional.
The following are examples for specifying the Base DN:
eDirectory: o=novell
Active Directory: cn=users,dc=example,dc=com

Search Attribute
The attribute in LDAP holding the user login name, which is used to search for users. For example: sAMAccountName
This field is available only if you had selected Yes for Anonymous Search.

Domain Name
The name of the Active Directory domain. There is an additional approach applicable only for Active Directory for performing LDAP authentication without using Anonymous search: When you specify the Domain Name, username@domainname (userPrincipalName) is used to authenticate the user before searching for the LDAP user object. For example, test.example.com
This field is applicable only for Active Directory and is available only if you selected No for Anonymous Search.
NOTE: If Base DN is set and Domain Name is not set, the Base DN is appended to the relative user DN to construct the absolute user DN. For example, if the Base DN is set to o=novell and the absolute user DN is cn=sentinel_ldap_user,o=novell, then while creating LDAP user accounts, only the relative user DN (that is, cn=sentinel_ldap_user) can be specified.
5 Click Test Connection to test whether the LDAP connection is successful.
The Test the LDAP Connection page is displayed.
5a Specify the test credentials to connect to the LDAP server:
If Anonymous Search is Yes: Specify the username and password.
If Anonymous Search is No: Specify the user DN and password. The user DN can be relative to the Base DN.
5b Click Test to test the LDAP connection. A message is displayed that indicates whether the connection is successful.
If there is any error, review the configuration details you provided and test the connection again. You can determine the cause of the failure by examining the /var/opt/novell/sentinel_log_mgr/log/server0.0 log file. You must ensure that the test connection is successful before saving the LDAP settings.
6 Click Save to save the LDAP settings. On successful configuration:

The LdapLogin section of the /etc/opt/novell/sentinel_log_mgr/config/auth.login file is updated. For example:
LdapLogin {
 com.sun.security.auth.module.LdapLoginModule required
 java.naming.ldap.factory.socket="com.esecurity.common.communication.ProxyLdapSSLSocketFactory"
 userProvider="ldap://10.0.0.1:636/o=novell"
 userFilter="(&(uid={USERNAME})(objectclass=user))"
 useSSL=true;
};
The LDAP server CA certificate, if provided, is added to a keystore named /etc/opt/novell/sentinel_log_mgr/config/.activemqkeystore.jks
After saving the LDAP settings successfully, you can create LDAP user accounts to enable users to log in to Sentinel Log Manager by using their LDAP directory credentials.
NOTE: You can also configure the Sentinel Log Manager server for LDAP authentication by running the ldap_auth_config.sh script in the /opt/novell/sentinel_log_mgr/setup directory. The script also supports command line options. To view the command line options, run the script as follows:


/opt/novell/sentinel_log_mgr/setup/ldap_auth_config.sh --help
11.4 Creating an LDAP User Account
For information on creating LDAP user accounts, see Section 10.2, Creating Roles and Users, on page 162.
11.5 Configuring Multiple LDAP Servers for Failover
To configure one or more LDAP servers as failover servers for LDAP authentication:
1 Log in to the Sentinel Log Manager server as root user.
2 Switch to novell user.

su - novell

3 Change to the /etc/opt/novell/sentinel_log_mgr/config directory:
cd /etc/opt/novell/sentinel_log_mgr/config/
4 Open the auth.login file for editing.

vi auth.login

5 Update the userProvider in the LdapLogin section to specify multiple LDAP URLs. Separate each URL by a blank space. For example:
userProvider="ldap://primary_server_IP:port/BaseDN ldap://failover_server_IP:port/BaseDN"
NOTE: For Active Directory, ensure that the BaseDN in the LDAP URL is not blank. For more information on specifying multiple LDAP URLs, see the description of the userProvider option in Class LdapLoginModule (http://java.sun.com/javase/6/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/LdapLoginModule.html).
6 Save the changes.
If you are using an SSL connection to the LDAP server and if the LDAP server certificate is not signed by a well-known CA, you must perform the following additional steps:
1 Export the certificate of each failover LDAP server and copy the certificate file to the /etc/opt/novell/sentinel_log_mgr/config directory on the Sentinel Log Manager server. For more information, see Section 11.2.1, Exporting the LDAP Server CA Certificate, on page 170.
2 Ensure that you set the necessary ownership and permissions of the certificate file for each LDAP server.
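A hand-edited userProvider line is easy to get wrong, so the following added example (not Novell's code and not part of the guide) checks an LdapLogin section against the points made above: URLs separated by a blank space, a non-blank BaseDN, and SSL left enabled. The function names and the three sample configurations are constructed for this example; the useSSL behavior follows the LdapLoginModule documentation, where SSL is on unless useSSL is false.

```python
import re
from urllib.parse import urlsplit

SECTION_RE = re.compile(r"LdapLogin\s*\{(.*?)\}\s*;", re.DOTALL)
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*(?:"([^"]*)"|([^\s;]+))')

# Constructed samples modelled on the auth.login example in the guide.
TEMPLATE = '''LdapLogin {
 com.sun.security.auth.module.LdapLoginModule required
 java.naming.ldap.factory.socket="com.esecurity.common.communication.ProxyLdapSSLSocketFactory"
 userProvider="%s"
 userFilter="(&(uid={USERNAME})(objectclass=user))"
 useSSL=%s;
};
'''
GOOD_CONFIG = TEMPLATE % ("ldap://10.0.0.1:636/o=novell ldap://10.0.0.2:636/o=novell", "true")
BAD_CONFIG = TEMPLATE % ("ldap://10.0.0.1:636/o=novell ldap://10.0.0.2:636/", "false")
COMMA_CONFIG = TEMPLATE % ("ldap://10.0.0.1:636/o=novell,ldap://10.0.0.2:636/o=novell", "true")


def parse_ldap_login(text):
    """Return the LdapLogin options as a dict, or None if the section is absent."""
    match = SECTION_RE.search(text)
    if match is None:
        return None
    options = {}
    for key, quoted, bare in OPTION_RE.findall(match.group(1)):
        options[key] = quoted if quoted else bare
    return options


def check_url(url):
    """Return the findings for one userProvider URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return [f"{url}: not an ldap:// or ldaps:// URL"]
    if "://" in parts.path:
        return [f"{url}: several URLs run together; separate them with a blank space"]
    findings = []
    try:
        parts.port  # raises ValueError for a placeholder such as ":port"
    except ValueError:
        findings.append(f"{url}: port is not a number")
    if not parts.hostname:
        findings.append(f"{url}: no server address")
    if not parts.path.strip("/"):
        findings.append(f"{url}: blank BaseDN (must be set for Active Directory)")
    return findings


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    options = parse_ldap_login(text)
    if options is None:
        return ["no LdapLogin section found"]
    findings = []
    urls = options.get("userProvider", "").split()
    if not urls:
        findings.append("userProvider is missing or empty")
    seen = set()
    for url in urls:
        findings.extend(check_url(url))
        if url in seen:
            findings.append(f"{url}: listed twice, so it adds no failover")
        seen.add(url)
    # LdapLoginModule uses SSL by default; only an explicit false turns it off.
    if options.get("useSSL", "true").lower() == "false":
        findings.append("useSSL=false: the bind password crosses the network unencrypted")
    return findings


if __name__ == "__main__":
    for name, config in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG), ("comma", COMMA_CONFIG)):
        print(name, audit(config) or "ok")
```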

 
