Installation and Configuration Guide. NetIQ Sentinel 7.0.1


Installation and Configuration Guide NetIQ Sentinel 7.0.1 April 2012

Legal Notices

NetIQ Corporation ("NetIQ") makes no representations or warranties with respect to the contents or use of the online help or other documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. NetIQ reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

NetIQ makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. NetIQ reserves the right to make changes to any and all parts of NetIQ software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. NetIQ assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2012 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

All third-party trademarks are the property of their respective owners.

For more information, please contact NetIQ at: 1233 West Loop South, Houston, Texas 77027 U.S.A. www.netiq.com

Contents

About This Guide 7

Part I Installing 9

1 Meeting System Requirements 11
  1.1 System Requirements and Supported Platforms 11
    1.1.1 Supported Operating Systems and Platforms 11
    1.1.2 Hardware Requirements 12
    1.1.3 Supported Database Platforms 14
    1.1.4 Supported Browsers 14
    1.1.5 Data Storage Requirement Estimation 15
    1.1.6 Disk I/O Utilization Estimation 16
    1.1.7 Network Bandwidth Utilization Estimation 17
    1.1.8 Virtual Environment 17
  1.2 Connector and Collector System Requirements 17
  1.3 Ports Used 17
    1.3.1 Sentinel Server 17
    1.3.2 Collector Manager 19
    1.3.3 Correlation Engine 20
2 Installing Sentinel 21
  2.1 Installation Methods 21
    2.1.1 Standard and Custom Installation 22
    2.1.2 Components Installed 22
  2.2 Before You Begin 22
  2.3 Installation Options 23
  2.4 Interactive Installation 24
    2.4.1 Standard Configuration 24
    2.4.2 Custom Configuration 25
  2.5 Silent Installation 26
  2.6 Installing Sentinel as a Non-root User 27
  2.7 Modifying the Configuration after Installation 28
3 Installing Additional Collector Managers 31
  3.1 Advantages of Additional Collector Managers 31
  3.2 Before You Begin 31
  3.3 Installing an Additional Collector Manager 32
  3.4 Adding a Custom User for a Collector Manager 33
4 Installing Additional Correlation Engines 35
  4.1 Before You Begin 35
  4.2 Installing an Additional Correlation Engine 35
  4.3 Adding a Custom User for the Correlation Engine 36
5 Installing the Appliance 39
  5.1 Before You Begin 39
  5.2 Installing the VMware Appliance 39
    5.2.1 Installing Sentinel 40
    5.2.2 Installing the Collector Manager 41
    5.2.3 Installing the Correlation Engine 42
  5.3 Installing the Xen Appliance 42
    5.3.1 Installing Sentinel 43
    5.3.2 Installing the Collector Manager 44
    5.3.3 Installing the Correlation Engine 45
  5.4 Installing the Appliance on Hardware 46
    5.4.1 Installing Sentinel 46
    5.4.2 Installing the Collector Manager 47
    5.4.3 Installing the Correlation Engine 48
  5.5 Post-Installation Configuration for the Appliance 48
    5.5.1 Installing VMware Tools 49
    5.5.2 Logging in to the Appliance Web Interface 49
  5.6 Configuring WebYaST 49
  5.7 Configuring the Appliance with SMT 49
    5.7.1 Prerequisites 50
    5.7.2 Configuring the Appliance 51
  5.8 Stopping and Starting the Server by Using the Web Interface 51
  5.9 Registering for Updates 51
6 Troubleshooting the Installation 53
  6.1 Failed Installation Because of an Incorrect Network Configuration 53
  6.2 The UUID Is Not Created for Imaged Collector Managers or Correlation Engine 53
7 What's Next 55

Part II Configuring 57

8 Accessing the Sentinel Web Interface 59
9 Adding Additional Sentinel Components 61
  9.1 Installing Collectors and Connectors 61
    9.1.1 Installing a Collector 61
    9.1.2 Installing a Connector 61
  9.2 Adding Additional Collectors and Connectors 62
    9.2.1 Adding Additional Collectors 62
    9.2.2 Adding Additional Connectors 62
10 Managing Data 63
  10.1 Directory Structure 63
  10.2 Storage Consideration 63
    10.2.1 Using Partition in a Stand-alone Installation 64
    10.2.2 Using Partition in an Appliance Installation 64
11 Configuring Out-of-the-box Content 65
12 Configuring Time 67
  12.1 Understanding Time in Sentinel 67
  12.2 Configuring Time in Sentinel 69
  12.3 Handling Time Zones 69
13 License Information 71
  13.1 Understanding Sentinel Licenses 71
    13.1.1 Trial License 71
    13.1.2 Enterprise Licenses 71
  13.2 Adding a License Key 72
    13.2.1 Adding a License Key By Using the Web Interface 72
    13.2.2 Adding a License Key through the Command Line 72
14 Configuring Sentinel for High Availability 73

Part III Upgrading Sentinel 75

15 Upgrading the Sentinel Server 77
16 Upgrading the Sentinel Appliance 79
17 Upgrading the Collector Manager 81
18 Upgrading the Correlation Engine 83
19 Upgrading Sentinel Plug-Ins 85

Part IV Migrating 87

20 Supported Migration Scenarios 89
21 What's Next 91

Part V Uninstalling 93

22 Uninstalling Sentinel 95
  22.1 Uninstalling the Sentinel Server 95
  22.2 Uninstalling the Remote Collector Manager or Correlation Engine 95
23 Post-Uninstallation Tasks 97
  23.1 Removing the Sentinel System Settings 97
    23.1.1 Completing the Uninstallation of the Correlation Engine 97
    23.1.2 Completing the Uninstallation of the Collector Manager 98

About This Guide

This guide provides an introduction to NetIQ Sentinel and explains how to install, migrate, and configure Sentinel.

Audience

This guide is intended for Sentinel administrators and consultants.

Feedback

We want to hear your comments and suggestions about this manual and the other documentation included with this product. Please use the User Comments feature at the bottom of each page of the online documentation.

Documentation Updates

For the most recent version of the NetIQ Sentinel 7.0.1 Installation and Configuration Guide, visit the Sentinel documentation Web site (http://www.novell.com/documentation/sentinel70).

Additional Documentation

Sentinel technical documentation is broken down into several different volumes. They are:

  Sentinel Overview Guide (http://www.novell.com/documentation/sentinel70/s701_overview/data/bookinfo.html)
  Sentinel Quick Start Guide (http://www.novell.com/documentation/sentinel70/s701_quickstart/data/s701_quickstart.html)
  Sentinel Administration Guide (http://www.novell.com/documentation/sentinel70/s701_admin/data/bookinfo.html)
  Sentinel User Guide (http://www.novell.com/documentation/sentinel70/s701_user/data/bookinfo.html)
  Sentinel Link Overview Guide (http://www.novell.com/documentation/sentinel70/sentinel_link_overview/data/bookinfo.html)
  Sentinel Internal Audit Events (http://www.novell.com/documentation/sentinel70/s701_auditevents/data/bookinfo.html)
  Sentinel SDK (http://www.novell.com/developer/develop_to_sentinel.html)

The Sentinel SDK site provides information about building your own plug-ins.

Contacting Novell and NetIQ

Sentinel is now a NetIQ product, but Novell still handles many support functions.

  Novell Web site (http://www.novell.com)
  NetIQ Web site (http://www.netiq.com)
  Technical Support (http://support.novell.com/contact/getsupport.html?sourceidint=suplnav4_phonesup)
  Self Support (http://support.novell.com/support_options.html?sourceidint=suplnav_supportprog)
  Patch download site (http://download.novell.com/index.jsp)
  Sentinel Community Support Forums (http://forums.novell.com/netiq/netiq-productdiscussion-forums/sentinel/)
  Sentinel TIDs (http://support.novell.com/products/sentinel)
  Sentinel Plug-in Web site (http://support.novell.com/products/sentinel/secure/sentinel61.html)
  Notification Email List: Sign up through the Sentinel Plug-in Web site

Contacting Sales Support

For questions about products, pricing, and capabilities, please contact your local partner. If you cannot contact your partner, please contact our Sales Support team.

  Worldwide: NetIQ Office Locations (http://www.netiq.com/about_netiq/officelocations.asp)
  United States and Canada: 888-323-6768
  Email: info@netiq.com
  Web site: www.netiq.com

Part I Installing

Use the following information to install Sentinel:

  Chapter 1, Meeting System Requirements, on page 11
  Chapter 2, Installing Sentinel, on page 21
  Chapter 3, Installing Additional Collector Managers, on page 31
  Chapter 4, Installing Additional Correlation Engines, on page 35
  Chapter 5, Installing the Appliance, on page 39
  Chapter 6, Troubleshooting the Installation, on page 53
  Chapter 7, What's Next, on page 55

1 Meeting System Requirements

The following sections describe the hardware, operating system, browser, supported Connector, and event source compatibility requirements for Sentinel.

  Section 1.1, System Requirements and Supported Platforms, on page 11
  Section 1.2, Connector and Collector System Requirements, on page 17
  Section 1.3, Ports Used, on page 17

1.1 System Requirements and Supported Platforms

NetIQ supports Sentinel on the operating systems described in this section. NetIQ also supports Sentinel on systems with minor updates to these operating systems, such as security patches or hotfixes. However, running Sentinel on systems with major updates to these operating systems is not supported until NetIQ has tested and certified those updates.

  Section 1.1.1, Supported Operating Systems and Platforms, on page 11
  Section 1.1.2, Hardware Requirements, on page 12
  Section 1.1.3, Supported Database Platforms, on page 14
  Section 1.1.4, Supported Browsers, on page 14
  Section 1.1.5, Data Storage Requirement Estimation, on page 15
  Section 1.1.6, Disk I/O Utilization Estimation, on page 16
  Section 1.1.7, Network Bandwidth Utilization Estimation, on page 17
  Section 1.1.8, Virtual Environment, on page 17

1.1.1 Supported Operating Systems and Platforms

The Sentinel server, Collector Manager, and Correlation Engine are supported on the following operating systems and platforms:

  Operating System
    Sentinel is supported on the following operating systems:
      SUSE Linux Enterprise Server (SLES) 11 SP1 64-bit *
      Red Hat Enterprise Linux for Servers (RHEL) 6 64-bit
    * Sentinel 7 is not supported on the Open Enterprise Server installs of SLES.

  Virtual Platform
    NetIQ provides appliances that install a SLES 11 SP1 64-bit server and Sentinel on the following virtual platforms:
      VMware ESX 4.0
      Xen 4.0

  DVD ISO
    NetIQ provides a DVD ISO file that installs SLES 11 SP1 64-bit and Sentinel on:
      Hyper-V Server 2008 R2
      Hardware without an operating system installed

1.1.2 Hardware Requirements

The hardware recommendations for a Sentinel implementation can vary based on the individual implementation, so you should consult NetIQ Consulting Services or any of the NetIQ Sentinel partners prior to finalizing the Sentinel architecture.

  Sentinel Server on page 12
  Collector Manager on page 13
  Correlation Engine on page 13

Sentinel Server

This section lists the hardware recommendations for a production system that holds 90 days of online data. The recommendations assume an average event size of 600 bytes. The local and network storage recommendations include a 20% buffer above the actual storage estimates. NetIQ recommends building in a buffer in case estimates are inaccurate or some of the servers become busier over time.

Use the following hardware recommendations for running the Sentinel server with all of the Sentinel components installed on a single server:

  100 EPS
    CPU: One Intel Xeon X5570 2.93-GHz (4 CPU cores)
    Local Storage (30 days): 2x256 GB, 7.2k RPM drives (Hardware RAID 1 with 256 MB cache)
    Networked Storage (90 days): 2x128 GB
    Memory: Other Installations: 4 GB; DVD ISO Installation: 4.5 GB

  2500 EPS
    CPU: Two Intel Xeon X5470 3.33-GHz (4 core) CPUs (8 cores total)
    Local Storage (30 days): 8x1.2 TB, 7.2k RPM drives (Hardware RAID 10 with 256 MB cache)
    Networked Storage (90 days): 4x1 TB
    Memory: 16 GB

  5000 EPS
    CPU: Two Intel Xeon X5470 3.33-GHz (4 core) CPUs (8 cores total)
    Local Storage (30 days): 16x1.2 TB, 15k RPM drives (Hardware RAID 10 with 512 MB cache) or an equivalent storage area network (SAN)
    Networked Storage (90 days): 8x1 TB
    Memory: 24 GB

NOTE: Sentinel is supported on x86-64-bit Intel Xeon and AMD Opteron processors, but is not supported on pure 64-bit processors like Itanium.

Follow these guidelines for optimal system performance:

  The local storage should have enough space to hold at least 5 days' worth of data, which includes both event data and raw data. For more details on calculating the data storage requirements, see Section 1.1.5, Data Storage Requirement Estimation, on page 15.

  Networked storage contains all 90 days' worth of data, including a fully compressed copy of the event data in local storage. A copy of the event data is kept on local storage for search and reporting performance reasons. The local storage size can be decreased if storage cost is a concern. However, due to decompression overhead, there will be an estimated 70% decrease in searching and reporting performance on data that would otherwise be in local storage.

  You must set up the networked storage location on an external multi-drive SAN or network-attached storage (NAS).

  The recommended steady state volume is 80% of the maximum licensed EPS. NetIQ recommends that you add additional Sentinel instances if this limit is reached.

Collector Manager

Use the following hardware requirements for running the Collector Manager on a separate system from the Sentinel Server in a production environment:

  Category              Minimum                            Recommendation
  CPU                   Intel Xeon L5240 3-GHz (2 core)    One Intel Xeon X5570 2.93-GHz (4 CPU cores)
  Disk Space            10 GB (RAID 1)                     20 GB (RAID 1)
  Memory                1.5 GB                             4 GB
  Estimated Rate (EPS)  500                                2000

Correlation Engine

Use the following system requirements for running the Correlation Engine on a separate system from the Sentinel Server in a production environment:

  Category              Minimum                            Recommendation
  CPU                   Intel Xeon L5240 3-GHz (2 core)    One Intel Xeon X5570 2.93-GHz (4 CPU cores)
  Disk Space            10 GB (no RAID required)           10 GB (no RAID required)
  Memory                1.5 GB                             4 GB
  Estimated Rate (EPS)  500                                2500

1.1.3 Supported Database Platforms

Sentinel includes an embedded file-based storage system and a database, which is all that is necessary to run Sentinel. However, if you use the optional data synchronization feature to copy data to a data warehouse, Sentinel supports using Oracle version 11g R2 or Microsoft SQL Server 2008 R2 as the data warehouse.

1.1.4 Supported Browsers

The Sentinel Web interface is optimized for viewing at 1280 x 1024 or higher resolution in the following supported browsers:

NOTE: To load the Sentinel client applications properly, you must have the Sun Java plug-in installed on your system.

  Platform                Browser
  Windows 7               Firefox 5, 6, 7, 8, 9, and 10
                          Internet Explorer 8 and 9 (for information about Internet Explorer 8, see Prerequisites for Internet Explorer on page 14)
  SLES 11 SP1 and RHEL 6  Firefox 5, 6, 7, 8, 9, and 10 (for more information, see Manually Updating Firefox Version on page 14)

Prerequisites for Internet Explorer

If the Internet Security Level is set to High, a blank page appears after logging in to Sentinel and the file download pop-up might be blocked by the browser. To work around this issue, first set the security level to Medium-high and then change to Custom level as follows:

  1 Navigate to Tools > Internet Options > Security tab and set the security level to Medium-high.
  2 Make sure that the Tools > Compatibility View option is not selected.
  3 Navigate to Tools > Internet Options > Security tab > Custom Level, then scroll down to the Downloads section and select Enable under the Automatic prompting for file downloads option.

Manually Updating Firefox Version

Sentinel supports Firefox versions 5 through 10; however, the SLES 11 SP1 system is packaged with Firefox version 3.6x. Perform the following steps to manually update a SLES 11 SP1 installation to include a supported version of Firefox:

  1 Open YaST.
  2 Select Software > Software Repositories to display the Configured Software Repositories window.
  3 Click Add to open the Media Type window.
  4 Select the Specify URL option, then click Next. This displays the Repository URL window.

  5 Type the Software Repository link (http://download.opensuse.org/repositories/mozilla/sle_11/) in the URL text box, then click Next. The software repository is downloaded.
  6 Click OK to refresh the software repository.
  7 Click Software Management to open the YaST2 window.
  8 Enter Firefox in the Search text box. The list of Firefox packages is displayed.
  9 Select the required packages for the supported version of Firefox you want to install. If you select a package that conflicts with the existing version, a Warning dialog box is displayed. Select the appropriate option, then click the OK Try Again button.
  10 Click Accept.

1.1.5 Data Storage Requirement Estimation

Sentinel is used to retain raw data for a long period of time to comply with legal and other requirements. Sentinel employs compression to help you make efficient use of local and networked storage space. However, storage requirements might become significant over a long period of time.

To overcome cost constraint issues with large storage systems, you can use cost-effective data storage systems to store the data for a long term. Tape-based storage systems are the most common and cost-effective solution. However, tape does not allow random access to the stored data, which is necessary to perform quick searches. Because of this, a hybrid approach to long-term data storage is desirable, where the data you need to search is available on a random-access storage system and data you need to retain, but not search, is kept on a cost-effective alternative, such as tape. For instructions on employing this hybrid approach, see Using Sequential-Access Storage for Long Term Data Storage in the NetIQ Sentinel 7.0.1 Administration Guide.

To determine the amount of random-access storage space required for Sentinel, first estimate how many days of data you need to regularly perform searches or run reports on.

You should have enough hard drive space, either locally on the Sentinel machine or remotely over the Server Message Block (SMB) or CIFS protocol, the network file system (NFS), or a SAN, for Sentinel to use for archiving data. You should also have the following additional hard drive space beyond your minimum requirements:

  To account for data rates that are higher than expected.
  To copy data from tape back into Sentinel in order to perform searching and reporting on historical data.

Use the following formulas to estimate the amount of space required to store data:

  Local event storage (partially compressed):
    {average byte size per event} x {number of days} x {events per second} x 0.00008 = Total GB storage required
    Event sizes typically range from 300-1000 bytes.

  Networked event storage (fully compressed):
    {average byte size per event} x {number of days} x {events per second} x 0.00001 = Total GB storage required

  Raw Data Storage (fully compressed on both local and networked storage):
    {average byte size per raw data record} x {number of days} x {events per second} x 0.000003 = Total GB storage required
    A typical average raw data size for syslog messages is 200 bytes.

  Total local storage size (with networked storage enabled):
    {Local event storage size for desired number of days} + {Raw data storage size for one day} = Total GB storage required
    If networked storage is enabled, event data is copied to networked storage typically after 2 days. For more information, see Configuring Data Storage in the NetIQ Sentinel 7.0.1 Administration Guide.

  Total local storage size (with networked storage disabled):
    {Local event storage size for retention time} + {Raw data storage size for retention time} = Total GB storage required

  Total networked storage size:
    {Networked event storage size for retention time} + {Raw data storage size for retention time} = Total GB storage required

NOTE: The coefficients in each formula represent ((seconds per day) x (GB per byte) x compression ratio). These numbers are only estimates and depend on the size of the event data as well as on the size of compressed data. Partially compressed means that the data is compressed, but the index of the data is not compressed. Fully compressed means that both the event data and index data are compressed. Event data compression rates are typically 10:1. Index compression rates are typically 5:1. The index is used to optimize searching through the data.

You can also use the above formulas to determine how much storage space is required for a long-term data storage system such as tape.

1.1.6 Disk I/O Utilization Estimation

Use the following formulas to estimate the amount of disk utilization on the server at various EPS rates.

  Data written to disk (kilobytes per second):
    (average event size in bytes + average raw data size in bytes) x (events per second) x 0.002 compression coefficient = data written per second to disk

    For example, at 500 EPS, for an average event size of 758 bytes and an average raw data size of 490 bytes in the log file, data written to disk is determined as follows:
    (758 bytes + 490 bytes) x 500 EPS x 0.002 = ~1100 KB

  Number of I/O requests to the disk (transfers per second):
    (average event size in bytes + average raw data size in bytes) x (events per second) x 0.00002 compression coefficient = I/O requests per second to disk

    For example, at 500 EPS, for an average event size of 758 bytes and an average raw data size of 490 bytes in the log file, the number of I/O requests per second to the disk is determined as follows:
    (758 bytes + 490 bytes) x 500 EPS x 0.00002 = ~10 transfers per second

  Number of blocks written per second to the disk:
    (average event size in bytes + average raw data size in bytes) x (events per second) x 0.003 compression coefficient = blocks written per second to disk

    For example, at 500 EPS, for an average event size of 758 bytes and an average raw data size of 490 bytes in the log file, the number of blocks written per second to the disk is determined as follows:
    (758 bytes + 490 bytes) x 500 EPS x 0.003 = ~1800 blocks per second

Data read per second from disk when performing a search (kilobytes per second):

    (average event size in bytes + average raw data size in bytes) x (number of events matching query in millions) x .40 compression coefficient = kilobytes read per second from disk

For example, at 5 million events matching the search query, for an average event size of 758 bytes and an average raw data size of 490 bytes in the log file, data read per second from the disk is determined as follows:

    (758 bytes + 490 bytes) x 5 x .40 = ~500 KB

1.1.7 Network Bandwidth Utilization Estimation

Use the following formula to estimate the network bandwidth utilization between the Sentinel server and a remote Collector Manager at various EPS rates:

    (average event size in bytes + average raw data size in bytes) x (events per second) x .0003 compression coefficient = network bandwidth in Kbps (kilobits per second)

For example, at 500 EPS, for an average event size of 758 bytes and an average raw data size of 490 bytes in the log file, the network bandwidth utilization is determined as follows:

    (758 bytes + 490 bytes) x 500 EPS x .0003 = ~175 Kbps

1.1.8 Virtual Environment

Sentinel is extensively tested and fully supported on a VMware ESX server. When you set up a virtual environment, the virtual machines must have 2 or more CPUs. To achieve performance comparable to the physical-machine test results on ESX or in any other virtual environment, the virtual environment should provide the same memory, CPUs, disk space, and I/O as the physical machine recommendations. For information on physical machine recommendations, see Section 1.1, System Requirements and Supported Platforms, on page 11.

1.2 Connector and Collector System Requirements

Each Connector and Collector has its own set of system requirements and supported platforms. See the Connector and Collector documentation on the Sentinel Plug-ins Web page (http://support.novell.com/products/sentinel/secure/sentinelplugins.html).
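The disk I/O and network formulas of Sections 1.1.6 and 1.1.7, written as a small shell calculator so the estimates can be rerun for your own event sizes and EPS. This is an added example and not part of the NetIQ guide; the function names are the script's own, while the coefficients and the sample inputs (758-byte events, 490-byte raw data, 500 EPS, 5 million search hits) are the guide's. Note that it prints the exact products, which the guide rounds: (758 + 490) x 500 x .002 is 1248 KB/s, quoted above as ~1100 KB, and the search example evaluates to 2496 KB/s rather than the quoted ~500 KB, so treat every figure from these formulas as an order-of-magnitude estimate rather than a capacity guarantee.

```shell
#!/bin/sh
# Added example, not from the NetIQ guide: the section 1.1.6 and 1.1.7
# estimation formulas as shell functions. Arguments are event bytes,
# raw-data bytes, and a rate (EPS, or matching events in millions for the
# search formula). awk does the floating-point arithmetic.

# $1 = awk expression over e (event bytes), r (raw bytes), n (rate);
# $2..$4 = their values. Prints the result with one decimal place.
_calc() {
    awk -v e="$2" -v r="$3" -v n="$4" "BEGIN { printf \"%.1f\", $1 }"
}

disk_write_kbps()  { _calc '(e + r) * n * 0.002'   "$1" "$2" "$3"; }   # KB written per second
disk_iops()        { _calc '(e + r) * n * 0.00002' "$1" "$2" "$3"; }   # I/O requests per second
disk_blocks_ps()   { _calc '(e + r) * n * 0.003'   "$1" "$2" "$3"; }   # blocks written per second
search_read_kbps() { _calc '(e + r) * n * 0.40'    "$1" "$2" "$3"; }   # KB read per second; n = hits in millions
network_kbps()     { _calc '(e + r) * n * 0.0003'  "$1" "$2" "$3"; }   # Kbps between server and remote Collector Manager

# Prints the complete estimate for one sizing scenario.
sizing_report() {   # $1 event bytes, $2 raw bytes, $3 EPS, $4 search hits (millions)
    printf 'Scenario: %s EPS, %s-byte events, %s-byte raw data, %sM search hits\n' "$3" "$1" "$2" "$4"
    printf '  disk write        : %8s KB/s\n'       "$(disk_write_kbps  "$1" "$2" "$3")"
    printf '  disk I/O requests : %8s per second\n' "$(disk_iops        "$1" "$2" "$3")"
    printf '  disk blocks       : %8s per second\n' "$(disk_blocks_ps   "$1" "$2" "$3")"
    printf '  search read       : %8s KB/s\n'       "$(search_read_kbps "$1" "$2" "$4")"
    printf '  network to CM     : %8s Kbps\n'       "$(network_kbps     "$1" "$2" "$3")"
}

# The guide's worked example; substitute your own measured sizes and rates.
sizing_report 758 490 500 5
```

Measure the real average event and raw-data sizes from a few days of your own collected data before relying on the output; the 758 and 490 byte figures are only the guide's illustration.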
1.3 Ports Used

Section 1.3.1, Sentinel Server, on page 17
Section 1.3.2, Collector Manager, on page 19
Section 1.3.3, Correlation Engine, on page 20

1.3.1 Sentinel Server

Local Ports

Sentinel uses the following ports for internal communication with the database and other internal processes:

TCP 5432: Used for the PostgreSQL database. You do not need to open this port by default. However, if you are developing reports by using the Sentinel SDK, then you must open this port. For more information, see the Sentinel Plugin SDK Web site (http://developer.novell.com/wiki/index.php?title=develop_to_sentinel).
TCP 27017: Used for the Security Intelligence configuration database.
TCP 28017: Used for the Web interface for the Security Intelligence database.
TCP 32000: Used for internal communication between the wrapper process and the server process.

Network Ports

Sentinel uses different ports for external communication with other components. For the appliance installation, the ports are opened on the firewall by default. However, for the standard installation, you need to configure the operating system on which you are installing Sentinel in order to open the ports on the firewall. For Sentinel to work properly, ensure that the following ports are open on the firewall:

TCP 1099 and 2000: Used together by monitoring tools to connect to the Sentinel server process using Java Management Extensions (JMX).
TCP 1289: Used for Audit connections.
UDP 1514: Used for syslog messages.
TCP 8443: Used for HTTPS communication.
TCP 1443: Used for SSL encrypted syslog messages.
TCP 61616: Used for communication between Collector Managers and the server.
TCP 10013: Used by the Sentinel Control Center and Solution Designer.
TCP 1468: Used for syslog messages.
TCP 10014: Used by remote Collector Managers to connect to the server through the SSL proxy. However, this is uncommon. By default, remote Collector Managers use the SSL port 61616 to connect to the server.

Sentinel Server Appliance Specific Ports

In addition to the above ports, the following ports are open on the Sentinel server appliance.

TCP 22: Used for secure shell access to the Sentinel appliance.
TCP 54984: Used by the Sentinel Appliance Management Console (WebYaST). Also used by the Sentinel appliance for the update service.
TCP 289: Forwarded to 1289 for Audit connections.
TCP 443: Forwarded to 8443 for HTTPS communication.
UDP 514: Forwarded to 1514 for syslog messages.
TCP 1290: This is the Sentinel Link port that is allowed to connect through the SuSE Firewall.
UDP and TCP 40000-41000: Ports that can be used when configuring data collection servers, such as syslog. Sentinel does not listen on these ports by default.

1.3.2 Collector Manager

Network Ports

For the Sentinel Collector Manager to work properly, ensure that the following ports are open on the firewall:

TCP 1289: Used for Audit connections.
UDP 1514: Used for syslog messages.
TCP 1443: Used for SSL encrypted syslog messages.
TCP 1468: Used for syslog messages.
TCP 1099 and 2000: Used together by monitoring tools to connect to the Sentinel server process using Java Management Extensions (JMX).

Collector Manager Appliance Specific Ports

In addition to the above ports, the following ports are open on the Sentinel Collector Manager appliance.

TCP 22: Used for secure shell access to the Sentinel appliance.
TCP 54984: Used by the Sentinel Appliance Management Console (WebYaST). Also used by the Sentinel appliance for the update service.
TCP 289: Forwarded to 1289 for Audit connections.
UDP 514: Forwarded to 1514 for syslog messages.
TCP 1290: This is the Sentinel Link port that is allowed to connect through the SuSE Firewall.
UDP and TCP 40000-41000: Ports that can be used when configuring data collection servers, such as syslog. Sentinel does not listen on these ports by default.

1.3.3 Correlation Engine

Network Ports

For the Sentinel Correlation Engine to work properly, ensure that the following ports are open on the firewall:

TCP 1099 and 2000: Used together by monitoring tools to connect to the Sentinel server process using Java Management Extensions (JMX).

Correlation Engine Appliance Specific Ports

In addition to the above ports, the following ports are open on the Sentinel Correlation Engine appliance.

TCP 22: Used for secure shell access to the Sentinel appliance.
TCP 54984: Used by the Sentinel Appliance Management Console (WebYaST). Also used by the Sentinel appliance for the update service.
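A host-preparation script for a standard (non-appliance) install that turns the three port tables above into firewall settings and also runs the prerequisite checks listed in Section 2.2, Before You Begin (kernel.shmmax, the 64-bit RPMs, NTP). This is an added example and not part of the NetIQ guide or its installer: the role names server, collector-manager and correlation-engine and every function name are the script's own; the port numbers are the guide's defaults and must be changed if the custom configuration assigns other ports; the package names are copied as the guide prints them. Generating both firewall formats from one list keeps the SLES 11 SuSEfirewall2 settings and the RHEL 6 iptables rules identical, and the server's local-only ports (TCP 5432, 27017, 28017, 32000) are deliberately absent from the list so they stay closed.

```shell
#!/bin/sh
# Added example, not part of the NetIQ guide or its installer: host
# preparation for a standard (non-appliance) install. Turns the port tables
# of section 1.3 into firewall settings and runs the section 2.2 checks.
# Role names and function names are this script's own; port numbers are the
# guide's defaults (adjust them if the custom configuration changed ports).

# External ports per role as "proto/port" entries. The server's local-only
# ports (TCP 5432, 27017, 28017, 32000) are intentionally absent so they stay
# closed; open TCP 5432 only while developing reports with the Sentinel SDK.
# The optional 40000-41000 collection range is likewise left to the deployer.
ports_for_role() {
    case "$1" in
        server)             echo "tcp/1099 tcp/2000 tcp/1289 udp/1514 tcp/8443 tcp/1443 tcp/61616 tcp/10013 tcp/1468 tcp/10014" ;;
        collector-manager)  echo "tcp/1289 udp/1514 tcp/1443 tcp/1468 tcp/1099 tcp/2000" ;;
        correlation-engine) echo "tcp/1099 tcp/2000" ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# Space-separated port numbers of one protocol (tcp|udp) for a role.
ports_by_proto() {
    for entry in $(ports_for_role "$1"); do
        case "$entry" in "$2"/*) printf '%s ' "${entry#*/}" ;; esac
    done | sed 's/ *$//'
}

# SLES 11: the two variables to set in /etc/sysconfig/SuSEfirewall2,
# followed by "rcSuSEfirewall2 restart".
suse_firewall_lines() {
    printf 'FW_SERVICES_EXT_TCP="%s"\n' "$(ports_by_proto "$1" tcp)"
    printf 'FW_SERVICES_EXT_UDP="%s"\n' "$(ports_by_proto "$1" udp)"
}

# RHEL 6: equivalent iptables commands ("service iptables save" persists them).
iptables_rules() {
    for entry in $(ports_for_role "$1"); do
        printf 'iptables -I INPUT -p %s --dport %s -j ACCEPT\n' "${entry%/*}" "${entry#*/}"
    done
}

# Section 2.2: PostgreSQL needs kernel.shmmax >= 1073741824.
SHMMAX_MIN=1073741824
shmmax_ok() {   # $1 = value to test; defaults to the running kernel's value
    v=${1:-$(cat /proc/sys/kernel/shmmax)}
    [ "$v" -ge "$SHMMAX_MIN" ]
}

# Appends the guide's sysctl lines only if /etc/sysctl.conf does not already
# set kernel.shmmax, then applies the file (root required).
ensure_shmmax_persisted() {
    grep -q '^kernel.shmmax=' /etc/sysctl.conf ||
        printf '# for Sentinel Postgresql\nkernel.shmmax=%s\n' "$SHMMAX_MIN" >> /etc/sysctl.conf
    sysctl -p >/dev/null
}

# Section 2.2: required RPMs, names as printed in the guide. Prints each one
# that is not installed as an x86_64 package.
REQUIRED_RPMS="bash bc coreutils glibc grep libgcc libstdc lsof net-tools openssl python-libs sed zlib"
missing_rpms() {
    for p in $REQUIRED_RPMS; do
        rpm -q --qf '%{ARCH}\n' "$p" 2>/dev/null | grep -qx x86_64 || printf '%s\n' "$p"
    done
}

# Runs every check for one role; exit status 0 only when all of them pass.
preflight() {
    rc=0
    shmmax_ok || { echo "FAIL: kernel.shmmax is below $SHMMAX_MIN"; rc=1; }
    m=$(missing_rpms)
    [ -z "$m" ] || { echo "FAIL: missing 64-bit RPMs: $(echo $m)"; rc=1; }
    pgrep -x ntpd >/dev/null || echo "WARN: ntpd is not running; time must be NTP-synchronized"
    echo "Firewall settings for role $1 (SLES 11 SuSEfirewall2):"
    suse_firewall_lines "$1"
    return $rc
}

# Usage: sh sentinel-prep.sh server | collector-manager | correlation-engine
if [ -n "${1:-}" ]; then preflight "$1"; fi
```

Run `sh sentinel-prep.sh server` on the Sentinel server host and `sh sentinel-prep.sh collector-manager` on each remote Collector Manager before starting install-sentinel; a non-zero exit means shmmax or a package still needs fixing. On RHEL 6, `iptables_rules <role> | sh` followed by `service iptables save` applies the same port list.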

2 Installing Sentinel

Sentinel can be installed either as a stand-alone install or as an appliance install. The stand-alone installer installs Sentinel on an existing SUSE Linux Enterprise Server (SLES) 11 SP1 or Red Hat Enterprise Linux (RHEL) 6 operating system. The appliance installer installs both the SLES 11 SP1 64-bit operating system and Sentinel. This section describes the procedure for a stand-alone installation of the Sentinel server on an existing SLES 11 SP1 or RHEL 6 system. For the appliance install, see Chapter 5, Installing the Appliance, on page 39.

Section 2.1, Installation Methods, on page 21
Section 2.2, Before You Begin, on page 22
Section 2.3, Installation Options, on page 23
Section 2.4, Interactive Installation, on page 24
Section 2.5, Silent Installation, on page 26
Section 2.6, Installing Sentinel as a Non-root User, on page 27
Section 2.7, Modifying the Configuration after Installation, on page 28

2.1 Installation Methods

The following methods are available for stand-alone installation:

Interactive: The installation proceeds with user inputs. During installation, you can record the installation options (user inputs or default values) to a file, which can later be used for a silent installation.

Silent: You can use this option if the installation options are pre-recorded. The silent installation refers to the file that has the recorded installation input and performs the installation with the values captured in the file. The silent install is effective when you want to install many replicas of the same configuration in your environment. For more information, see Section 2.5, Silent Installation, on page 26.

Both the interactive and silent installation of Sentinel can be done either as a root user or as a non-root user.

Section 2.1.1, Standard and Custom Installation, on page 22
Section 2.1.2, Components Installed, on page 22

2.1.1 Standard and Custom Installation

When you install Sentinel, the following configurations are available:

Standard: In this configuration, the installation uses default values for the configuration setup. User input is required only for the password. For more information on installing Sentinel with the standard configuration, see Section 2.4.1, Standard Configuration, on page 24.

Custom: In this configuration, the installation prompts you to specify the values for the configuration setup. You can either select the default values or specify the necessary values. For more information on installing Sentinel with a custom configuration, see Section 2.4.2, Custom Configuration, on page 25.

Standard Configuration:
    Installs with the default 90-day evaluation key.
    Allows you to specify the admin password and uses the admin password as the default password for both dbauser and appuser.
    Installs the default ports for all the components.
    Authenticates users with the internal database.

Custom Configuration:
    Allows you to install with the 90-day evaluation key or with a valid license key.
    Allows you to specify the admin password. For dbauser and appuser, you can either specify a new password or use the admin password.
    Allows you to specify ports for the different components.
    Gives the option to authenticate users either with the internal database or with LDAP authentication.

Because the standard configuration gives admin, dbauser, and appuser the same password, anyone who learns the admin password also holds the database credentials; choose the custom configuration if you need distinct passwords for these accounts.

2.1.2 Components Installed

There are multiple components in Sentinel. All of the following components are installed by default:

    Sentinel server
    Correlation Engine
    Collector Manager

Additional Correlation Engines or Collector Managers can be installed on different systems.

2.2 Before You Begin

Verify that you have completed the following tasks before you start the installation:

    Verify that your hardware and software meet the system requirements listed in Section 1.1, System Requirements and Supported Platforms, on page 11.
    If there was a previous installation of Sentinel, ensure that there are no files or system settings remaining from the previous installation. For more information, see Part V, Uninstalling, on page 93.
    For optimal performance, stability, and reliability of the Sentinel server, use the ext3 file system on SLES and the ext4 file system on RHEL. For more information on file systems, see Overview of File Systems in Linux (http://www.novell.com/documentation/sles11/stor_admin/data/filesystems.html) in the Storage Administration Guide.
    Configure the network settings such that the system has a valid IP address and a valid hostname.
    Obtain your license key from the Novell Customer Care Center if you plan to install the licensed version.

    Synchronize time by using the Network Time Protocol (NTP).
    Ensure that the ports listed in Section 1.3, Ports Used, on page 17 are opened in the firewall.
    For optimal performance, the memory settings must be appropriate for the PostgreSQL database: the SHMMAX parameter must be greater than or equal to 1073741824. To set the appropriate value, append the following lines to the /etc/sysctl.conf file (the new value takes effect after you run sysctl -p or reboot):

        # for Sentinel Postgresql
        kernel.shmmax=1073741824

    For a minimal or headless installation, the operating system for the Sentinel server must include at least the Base Server components of the SLES server or the RHEL 6 server. Sentinel requires the 64-bit versions of the following RPMs:

        bash
        bc
        coreutils
        glibc
        grep
        libgcc
        libstdc
        lsof
        net-tools
        openssl
        python-libs
        sed
        zlib

2.3 Installation Options

./install-sentinel --help displays the following options:

    --location Directory
        Specifies a directory other than the root (/) to install Sentinel.
    -m, --manifest File name
        Specifies a product manifest file to use instead of the default manifest file.
    --no-configure
        Specifies to not configure the product after installation.
    -n, --no-start
        Specifies to not start or restart Sentinel after installation or configuration.
    -r, --recordunattended Filename
        Specifies a file to record the parameters that can be used for unattended installation.
    -u, --unattended Filename
        Uses the parameters from the specified file in order to install Sentinel on unattended systems.

    -h, --help
        Displays the options that can be used while installing Sentinel.
    -l, --log-file Filename
        Records log messages to a file.
    --no-banner
        Suppresses the display of the banner message.
    -q, --quiet
        Displays fewer messages.
    -v, --verbose
        Displays all messages during installation.

2.4 Interactive Installation

Section 2.4.1, Standard Configuration, on page 24
Section 2.4.2, Custom Configuration, on page 25

2.4.1 Standard Configuration

1 Download the Sentinel installation file from the Novell Downloads Web page (http://download.novell.com/index.jsp):
    1a In the Product or Technology field, browse to and select SIEM-Sentinel.
    1b Click Search.
    1c Click the button in the Download column for Sentinel 7.0 Evaluation.
    1d Click proceed to download, then specify your customer name and password.
    1e Click download for the installation version for your platform.
2 Specify the following command at the command line to extract the installation file:
        tar zxvf <install_filename>
    Replace <install_filename> with the actual name of the install file.
3 Change to the directory where you extracted the installer:
        cd sentinel_server-7.0.0.0.x86_64
4 Specify the following command to install Sentinel:
        ./install-sentinel
    or
    If you want to install Sentinel on more than one system, you can record your installation options in a file. You can use this file for an unattended Sentinel installation on other systems. To record your installation options, specify the following command:
        ./install-sentinel -r <response_filename>
5 Specify the number for the language you want to use for the installation, then press Enter. The end user license agreement is displayed in the selected language.
6 Press the Spacebar to read through the license agreement.
7 Enter yes or y to accept the license and continue with the installation. The installation might take a few seconds to load the installation packages and prompt for the configuration type.

8 When prompted, specify 1 to proceed with the standard configuration. Installation proceeds with the 90-day evaluation license key included with the installer. This license key activates the full set of product features for a 90-day trial period. At any time during or after the trial period, you can replace the evaluation license with a license key you have purchased.
9 Specify the password for the administrator user admin.
10 Confirm the password again. This password is used by admin, dbauser, and appuser.

The Sentinel installation finishes and the server starts. It might take a few minutes for all services to start after installation because the system performs a one-time initialization. Wait until the installation finishes before you log in to the server.

To access the Sentinel Web interface, specify the following URL in your Web browser: https://<IP_Address_Sentinel_server>:8443. <IP_Address_Sentinel_server> is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.

2.4.2 Custom Configuration

If you are installing Sentinel with a custom configuration, you can specify the license key, change the passwords for the different users, and specify values for the different ports that are used to interact with the internal components.

1 Download the Sentinel installation file from the Novell Downloads Web page (http://download.novell.com/index.jsp):
    1a In the Product or Technology field, browse to and select SIEM-Sentinel.
    1b Click Search.
    1c Click the button in the Download column for Sentinel 7.0 Evaluation.
    1d Click proceed to download, then specify your customer name and password.
    1e Click download for the installation version for your platform.
2 Specify the following command at the command line to extract the installation file:
        tar zxvf <install_filename>
    Replace <install_filename> with the actual name of the install file.
3 Specify the following command in the root of the extracted directory to install Sentinel:
        ./install-sentinel
    or
    If you want to use this custom configuration to install Sentinel on more than one system, you can record your installation options in a file. You can use this file for an unattended Sentinel installation on other systems. To record your installation options, specify the following command:
        ./install-sentinel -r <response_filename>
4 Specify the number for the language you want to use for the installation, then press Enter. The end user license agreement is displayed in the selected language.
5 Press the Spacebar to read through the license agreement.

6 Enter yes or y to accept the license agreement and continue with the installation. The installation might take a few seconds to load the installation packages and prompt for the configuration type.
7 Specify 2 to perform a custom configuration of Sentinel.
8 Enter 1 to use the default 90-day evaluation license key, or enter 2 to enter a purchased license key for Sentinel.
9 Specify the password for the administrator user admin and confirm the password again.
10 Specify the password for the database user dbauser and confirm the password again. The dbauser account is the identity used by Sentinel to interact with the database. The password you enter here can be used to perform database maintenance tasks, including resetting the admin password if the admin password is forgotten or lost.
11 Specify the password for the application user appuser and confirm the password again.
12 Change the port assignments for the Sentinel services by entering the desired number, then specifying the new port number.
13 After you have changed the ports, specify 7 for done.
14 Enter 1 to authenticate users using only the internal database.
    or
    If you have configured an LDAP directory in your domain, enter 2 to authenticate users by using LDAP directory authentication.
    The default value is 1.

The Sentinel installation finishes and the server starts. It might take a few minutes for all services to start after installation because the system performs a one-time initialization. Wait until the installation finishes before you log in to the server.

To access the Sentinel Web interface, specify the following URL in your Web browser: https://<IP_Address_Sentinel_server>:8443. <IP_Address_Sentinel_server> is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.

2.5 Silent Installation

The silent or unattended installation of Sentinel is useful if you need to install more than one Sentinel server in your deployment.
In such a scenario, you can record the installation parameters during the interactive installation and then run the recorded file on all the other servers. You can record the installation parameters while installing Sentinel with the standard configuration or a custom configuration.

To perform a silent installation, ensure that you have recorded the installation parameters to a file. For information on creating the response file, see Section 2.4.1, Standard Configuration, on page 24 or Section 2.4.2, Custom Configuration, on page 25.

1 Download the installation files from the Novell Downloads Web page (http://download.novell.com/index.jsp).
2 Log in as root to the server where you want to install Sentinel.
3 Specify the following command to extract the install files from the tar file:

        tar -zxvf <install_filename>
    Replace <install_filename> with the actual name of the install file.
4 Specify the following command to install Sentinel in silent mode:
        ./install-sentinel -u <response_file>
    The installation proceeds with the values stored in the response file.

The Sentinel installation finishes and the server starts. It might take a few minutes for all services to start after installation because the system performs a one-time initialization. Wait until the installation finishes before you log in to the server.

To access the Sentinel Web interface, specify the following URL in your Web browser: https://<IP_Address_Sentinel_server>:8443. <IP_Address_Sentinel_server> is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.

2.6 Installing Sentinel as a Non-root User

If your organizational policy does not allow you to run the full installation of Sentinel as root, you can install Sentinel as another user. In this installation, a few steps are performed as the root user, then you proceed to install Sentinel as another user created by the root user. Finally, the root user completes the installation.

1 Download the installation files from the Novell Downloads Web page (http://download.novell.com/index.jsp).
2 Specify the following command at the command line to extract the install files from the tar file:
        tar -zxvf <install_filename>
    Replace <install_filename> with the actual name of the install file.
3 Log in as root to the server where you want to install Sentinel.
4 Specify the following command:
        ./bin/root_install_prepare
    A list of commands to be executed with root privileges is displayed. If you want the non-root user to install Sentinel in a non-default location, specify the --location option along with the command. For example:
        ./bin/root_install_prepare --location=/foo
    The value that you pass to the --location option (/foo) is prepended to the directory paths.
    This also creates a novell group and a novell user, if they do not already exist.
5 Accept the command list. The displayed commands are executed.
6 Specify the following command to change to the newly created non-root user novell:
        su novell
7 (Conditional) To do an interactive installation:
    7a Specify the following command:
        ./install-sentinel

    To install Sentinel in a non-default location, specify the --location option along with the command. For example:
        ./install-sentinel --location=/foo
    7b Continue with Step 9.
8 (Conditional) To do a silent installation:
    8a Specify the following command:
        ./install-sentinel -u <response_file>
    The installation proceeds with the values stored in the response file.
    8b Continue with Step 12.
9 Specify the number for the language you want to use for the installation. The end user license agreement is displayed in the selected language.
10 Read the end user license and enter yes or y to accept the license and continue with the installation. The installation starts installing all RPM packages. This installation might take a few seconds to complete.
11 You are prompted to specify the mode of installation. If you select the standard configuration, continue with Step 8 through Step 10 in Section 2.4.1, Standard Configuration, on page 24. If you select the custom configuration, continue with Step 7 through Step 14 in Section 2.4.2, Custom Configuration, on page 25.
12 Log in as the root user and specify the following command to finish the installation:
        ./bin/root_install_finish

The Sentinel installation finishes and the server starts. It might take a few minutes for all services to start after installation because the system performs a one-time initialization. Wait until the installation finishes before you log in to the server.

To access the Sentinel Web interface, specify the following URL in your Web browser: https://<IP_Address_Sentinel_server>:8443. <IP_Address_Sentinel_server> is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.

2.7 Modifying the Configuration after Installation

After installing Sentinel, if you want to enter a valid license key, change a password, or modify any of the assigned ports, you can run the configure.sh script to modify them.
The script is found in the /opt/novell/sentinel/setup folder.

1 Specify the following command at the command line to run the configure.sh script:
        ./configure.sh
2 Specify 1 to perform a standard configuration or specify 2 to perform a custom configuration of Sentinel.
3 Press the Spacebar to read through the license agreement.
4 Enter yes or y to accept the license agreement and continue with the installation.