Just getting Started with Sentinel 8.4

Good day, 

I'm just starting to work more with Sentinel. I currently have version 8.4 installed in a small home production environment with a few eDirectory servers and Open Enterprise Server 2018, and I would like to get some exposure to Sentinel. I currently have 8.4 running on a SLES 12 SP5 server and can access the logon page, etc. However, I am trying to connect to my eDirectory server and the OES servers to start gathering some logs.

My first thought is: is there an agent that is supposed to be installed on the servers I'm trying to connect to? The environment is all Linux at this time. I did see that the clientless method should be working; however, when I tried to get information from those servers, I was basically getting "No connection detected from the source", so I guess I need to start at square one.

Thank you for any assistance offered.

-DS 

  • Suggested Answer


    Hi,

    For eDirectory you don't need an agent. Configure it to send events to Sentinel via syslog: https://www.netiq.com/documentation/edirectory-92/edir_admin/data/t44e7j6b8ufi.html

    Same for SLES: configure rsyslog for remote forwarding. In /etc/rsyslog.d/remote.conf (https://marketplace.microfocus.com/arcsight/content/suse-linux-enterprise-server):

    # Remote logging using TCP (@@) for reliable delivery; a single @ would be UDP.
    # Remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional.
    # Note the whitespace between the selector (*.*) and the action; rsyslog
    # will not parse the line without it.
    *.* @@sentinel.example.com:1468
    

    And for OES NSS auditing, see https://www.microfocus.com/documentation/open-enterprise-server/2018-SP3/mgmt_nss_vlog_lx/bookinfo.html

    --
    Norbert

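    A small diagnostic to go with the forwarding configuration above. It is an added example, not code from the thread or from the Sentinel product: it builds one RFC 3164 syslog line, frames it the way rsyslog's "@@host:port" action does (newline-terminated on a TCP stream), and either sends it to the Sentinel listener on 1468 or proves the sender against a throwaway loopback listener first. The host name sentinel.example.com and port 1468 are the values given in the thread; the tag "sentinel-test" and the message text are assumptions. If the send fails with a connection error, the "No connection detected from the source" message is a network or firewall problem rather than a collector configuration problem.

```python
import socket
import threading
import time

SENTINEL_SYSLOG_TCP = 1468   # Sentinel's plain syslog TCP listener (stated in the thread)
SENTINEL_SYSLOG_TLS = 1443   # Sentinel's syslog-over-TLS listener (stated in the thread)
FACILITY_USER, SEVERITY_INFO = 1, 6   # RFC 3164 numeric codes; PRI = facility*8 + severity

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def build_syslog_line(hostname, tag, msg, facility=FACILITY_USER,
                      severity=SEVERITY_INFO, when=None):
    """Format one RFC 3164 message: <PRI>Mmm dd hh:mm:ss host tag: msg, newline-terminated.

    Newline framing is what rsyslog's @@ action uses on TCP, so the payload itself
    must not contain a newline or the receiver would split it into two events."""
    if "\n" in msg or "\r" in msg:
        raise ValueError("syslog/TCP is newline-framed; message must be a single line")
    t = time.localtime(when)
    # RFC 3164 pads a single-digit day with a space, not a zero ("Oct  6").
    stamp = (f"{MONTHS[t.tm_mon - 1]} {t.tm_mday:2d} "
             f"{t.tm_hour:02d}:{t.tm_min:02d}:{t.tm_sec:02d}")
    pri = facility * 8 + severity
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}\n"


def send_syslog_tcp(host, port, line, timeout=5.0):
    """Open a TCP connection to the collector and write one framed line.

    Raises OSError (refused, timed out, unreachable), which is the first thing to
    rule out when Sentinel reports no connection from the source."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(line.encode("utf-8"))
    return len(line)


def loopback_selftest(line):
    """Start a throwaway listener on 127.0.0.1 (standing in for the Sentinel
    collector), send `line` to it, and return what arrived. Proves the sender and
    the framing before pointing it at the real server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    received = {}

    def accept_one():
        conn, _ = srv.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):   # read until the frame terminator
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            received["data"] = buf.decode("utf-8")

    th = threading.Thread(target=accept_one, daemon=True)
    th.start()
    send_syslog_tcp("127.0.0.1", port, line)
    th.join(5)
    srv.close()
    return received.get("data")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "sentinel.example.com"
    test_line = build_syslog_line(socket.gethostname(), "sentinel-test",
                                  "test event from rsyslog forwarding check")
    print("loopback selftest ok:", loopback_selftest(test_line) == test_line)
    try:
        send_syslog_tcp(target, SENTINEL_SYSLOG_TCP, test_line)
        print(f"sent to {target}:{SENTINEL_SYSLOG_TCP}; check Event Source Management")
    except OSError as exc:
        print(f"cannot reach {target}:{SENTINEL_SYSLOG_TCP}: {exc}")
```

    Run it on the eDirectory or OES host itself, not on the Sentinel server, so that the path tested is the one rsyslog will use. Port 1443 is left as a constant only; the TLS listener additionally needs the collector's certificate trusted, which this plain-TCP check does not cover.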
  • 0 in reply to   

    Hi,

    Besides configuring rsyslog for remote forwarding, for OES monitoring you can also use our Unix agent (marketplace.microfocus.com/.../suse-linux-enterprise-server). I suggest you use at least Unix agent 7.6.3.

    That said, we recently released Sentinel 8.5, and Unix agent 7.6.4.
    Helpful Resources:
    •    Release Notes:  www.microfocus.com/.../security-agent-for-unix-764.html
    •    Download URL: sld.microfocus.com/.../downloadCenter

    Security Agent for UNIX 7.6.4 includes new certified platforms and software fixes. Many of these improvements were made in direct response to suggestions from our customers.

    Thanks,


    Henk

  • 0   in reply to   

    Good day

    I tried to configure the eDirectory source as per the documentation (https://www.netiq.com/documentation/edirectory-92/edir_admin/data/t44e7j6b8ufi.html): I made the configuration changes to the auditlogconfig.properties file and started the audit manually with the command ndstrace -c "load cefauditds". I did see the event source show up on the Sentinel server; however, I also saw an initialization error about port 1289 being in use. That is the port I used, along with .13, which is my Sentinel server address: log4j.appender.S.Host=localhost and log4j.appender.S.Port=port, currently using TCP, as I figured I could add SSL later.

    So it again appears that Sentinel is seeing the server I configured, but it reports: Error initializing connector server on port 192.1.x.9:1289 (port might be used by other process): TCP listener initSocket.

    Thank you,

    -DS 

  • 0   in reply to 

    Should I plan on upgrading to 8.5? Would it be a better application to work with than 8.4? And would the Unix Security Agent work on SLES 12 SP5?

  • 0   in reply to   

    Port 1289 is used by the old NAudit protocol.

    Sentinel receives Syslog TCP on port 1468 and Syslog TLS on 1443.

    auditlogconfig.properties should look like this:

    # Set the level of the root logger to DEBUG and attach appenders.
    #log4j.rootLogger=info, S, R
    log4j.rootLogger=info, S
    
    # Defines appender S to be a SyslogAppender.
    log4j.appender.S=org.apache.log4j.net.SyslogAppender
    
    # Defines location of Syslog server.
    log4j.appender.S.Host=sentinel.example.com
    log4j.appender.S.Port=1468
    
    # Specify protocol to be used (UDP/TCP/SSL)
    log4j.appender.S.Protocol=TCP
    
    # Specify SSL certificate file for SSL connection.
    # File path should be given with double backslash.
    #log4j.appender.S.SSLCertFile=/etc/opt/novell/mycert.pem
    
    # Minimum log-level allowed in syslog.
    log4j.appender.S.Threshold=INFO
    
    # Defines the type of facility.
    log4j.appender.S.Facility=USER
    
    # Defines caching for SyslogAppender.
    # Inputs should be yes/no
    log4j.appender.S.CacheEnabled=yes
    
    # Cache location directory
    # Directory should be available for creating cache files
    log4j.appender.S.CacheDir=/var/opt/novell/eDirectory/log
    
    # Cache File Size
    # Cache File size should be in the range of 50MB to 4000MB
    # Cache File size should be set as 0MB to enable infinite growth of cache file
    log4j.appender.S.CacheMaxFileSize=500MB
    

  • 0   in reply to   

    Good afternoon, 

    How did you attach (or add) an image to this thread? I haven't yet been able to do so, and I think it would help if I could show you the error I'm seeing.

    In Event Source Management - Live View, I see an icon for the Audit Server; there is a red "x" on top and a green arrow on the bottom. A line connects it to the Audit Event Source, which is my eDirectory server, and that icon has the same thing: a red "x" on top and a green arrow on the bottom.

    I see an error message which shows a similar initialization error: Error initializing connector server on port 1xx.1xx.x.9:1289 (port might be used by other process): TCP listener initSocket. I did unload the process with ndstrace -c "unload cefauditds".

    Please see the below as well.

    Good day,

    First I made the changes to the auditlogconfig.properties file on the eDirectory server that I'm attempting to observe from Sentinel. That server is 1xx.1xx.x.9, and I do have port 1468 specified. I unloaded with ndstrace -c "unload cefauditds" and loaded the process again with ndstrace -c "load cefauditds". When I look at the Event Source Management Live View, I see the Audit Server at the center of the screen. It has a red "x" at the top and a green arrow at the bottom, and it connects with the Audit Event Source 1xx.1xx.x.9, which has an icon showing a similar issue: a red "x" on top and a green arrow on the bottom. The error message states: Error initializing connector server on port 1xx.1xx.x.9:1289 (port might be used by other process): TCP listener initSocket.

    I do have to ask how you were able to copy/insert an image into this thread. I've tried in the past, and it might help if I could show you the error I'm seeing.

  • 0   in reply to   
    I do have to ask how you were able to copy/insert an image into this thread. I've tried in the past, and it might help if I could show you the error I'm seeing.

    I just take a screenshot, copy it to the clipboard and then paste it here (right mouse button, Paste).

  • 0   in reply to   
    First I made the changes to the auditlogconfig.properties file on the eDirectory server

    Have you restarted eDirectory since then?

    In ndsd.log you should see a

    Oct 16 15:25:37  log4cxx: Connection to TCP host established successfully: sentinel.example.com

    followed by


    Oct 16 15:25:38  NetIQ eDirectory CEF Instrumentation module started

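    A checker for the two things discussed in this thread: the auditlogconfig.properties settings Norbert posted above (host, port and protocol of appender S, with 1289 being the legacy NAudit port rather than a Sentinel syslog listener) and the two ndsd.log lines that should appear after eDirectory is restarted. This is an added example, not code from the thread or from NetIQ; the sample configuration and log text inside it are constructed to mirror what the thread shows. The port numbers 1468 (TCP) and 1443 (SSL) come from the thread; the UDP port is not stated there, so UDP is accepted without a port check.

```python
import re

SENTINEL_LISTENERS = {"TCP": 1468, "SSL": 1443}   # from the thread; UDP port not stated
NAUDIT_PORT = 1289                                 # legacy NAudit, not a Sentinel syslog listener
SYSLOG_APPENDER = "org.apache.log4j.net.SyslogAppender"


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' lines, '#' comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_audit_config(text):
    """Return a list of problems with auditlogconfig.properties. An empty list
    means the appender S settings match what the thread says Sentinel expects."""
    p = parse_properties(text)
    problems = []
    attached = [a.strip() for a in p.get("log4j.rootLogger", "").split(",")[1:]]
    if "S" not in attached:
        problems.append("log4j.rootLogger does not attach appender S; nothing is sent")
    if p.get("log4j.appender.S") != SYSLOG_APPENDER:
        problems.append("appender S is not a SyslogAppender")
    host = p.get("log4j.appender.S.Host", "")
    if host in ("", "localhost", "127.0.0.1"):
        problems.append(f"Host is '{host or 'unset'}'; it must be the Sentinel server, "
                        "not the eDirectory host")
    proto = p.get("log4j.appender.S.Protocol", "").upper()
    try:
        port = int(p.get("log4j.appender.S.Port", ""))
    except ValueError:
        port = None
        problems.append("Port is missing or not a number")
    if port == NAUDIT_PORT:
        problems.append("Port 1289 is the old NAudit port; Sentinel syslog listens on "
                        "1468 (TCP) / 1443 (TLS)")
    elif proto in SENTINEL_LISTENERS and port != SENTINEL_LISTENERS[proto]:
        problems.append(f"Protocol {proto} expects port {SENTINEL_LISTENERS[proto]}, "
                        f"found {port}")
    elif proto not in SENTINEL_LISTENERS and proto != "UDP":
        problems.append(f"Protocol '{proto or 'unset'}' is not one of UDP/TCP/SSL")
    if proto == "SSL" and not p.get("log4j.appender.S.SSLCertFile"):
        problems.append("Protocol SSL set but SSLCertFile is unset (still commented out?)")
    return problems


# The two ndsd.log messages quoted in the thread. The protocol word is captured
# so that an SSL/UDP appender is recognised too (an assumption, not shown in the thread).
CONNECTED_RE = re.compile(r"log4cxx: Connection to (\S+) host established successfully: (\S+)")
STARTED_RE = re.compile(r"NetIQ eDirectory CEF Instrumentation module started")


def check_ndsd_log(lines):
    """Scan ndsd.log lines. Returns (host the appender connected to, or None,
    True if the CEF instrumentation module reported that it started)."""
    host, started = None, False
    for line in lines:
        m = CONNECTED_RE.search(line)
        if m:
            host = m.group(2)
        if STARTED_RE.search(line):
            started = True
    return host, started


# Constructed samples: the misconfiguration described in the thread, and Norbert's fix.
BAD_CONFIG = """\
log4j.rootLogger=info, S
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=localhost
log4j.appender.S.Port=1289
log4j.appender.S.Protocol=TCP
"""
GOOD_CONFIG = """\
log4j.rootLogger=info, S
log4j.appender.S=org.apache.log4j.net.SyslogAppender
log4j.appender.S.Host=sentinel.example.com
log4j.appender.S.Port=1468
log4j.appender.S.Protocol=TCP
log4j.appender.S.Threshold=INFO
"""
SAMPLE_NDSD_LOG = """\
Oct 16 15:25:37  log4cxx: Connection to TCP host established successfully: sentinel.example.com
Oct 16 15:25:38  NetIQ eDirectory CEF Instrumentation module started
"""

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_audit_config(cfg) or "ok")
    print(check_ndsd_log(SAMPLE_NDSD_LOG.splitlines()))
```

    To use it on a real server, read /etc/opt/novell/eDirectory/conf/auditlogconfig.properties (or wherever the file lives on your install) into check_audit_config and the tail of ndsd.log into check_ndsd_log; a connected host of None after a restart means the appender never reached the Sentinel listener, which matches the red "x" on the event source.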
  • 0   in reply to   

    Audit event source is 192.168.1.9 and has the red and green as does the Audit server

  • 0   in reply to   

    The error message seems to show that it's not getting a response from the eDirectory server. I saw your prior message; should I restart eDirectory on that server?

    -DS