Oracle Database 6.1r2

Date post: 05-Apr-2018
Upload: iurii-milovanov
  • 8/2/2019 Oracle Database 6.1r2

    1/20

Oracle Database 6.1r2

    SENTINEL COLLECTOR GUIDE

    www.novell.com

    Mar 2011


    Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.

Novell, Inc.
404 Wyman Street, Suite 500
Waltham, MA 02451
U.S.A.
www.novell.com

    Online Documentation

To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).

    Novell Trademarks

For a list of Novell trademarks, see the Novell Trademark and Service Mark List (http://www.novell.com/company/legal/trademarks/tmlist.html).

    Third-Party Materials

    All third-party trademarks are the property of their respective owners.

    2 Oracle Database Sentinel Collector Guide


    Contents

1 About This Guide
  1.1 Audience
  1.2 Feedback
  1.3 Documentation Updates
  1.4 Additional Documentation
  1.5 Documentation Conventions

2 Collector Information
  2.1 Supported Data Sources
  2.2 Connection Methods

3 Configuration
  3.1 Data Source Configuration
    3.1.1 Quickstart Configuration
    3.1.2 Configuration Options
    3.1.3 ESM Component Configuration
    3.1.4 Quickstart Collector Configuration
    3.1.5 Collector Configuration Options
    3.1.6 Oracle Database Collector Pack
  3.2 Integration Testing
    3.2.1 Quickstart Integration Testing
    3.2.2 Integration Testing Details

4 Collector Parsing
  4.1 Collector Data Parsing Examples

5 Revision History
  Release Notes
  Known Issues


    1 About This Guide

This Novell Sentinel Collector Guide will help you, the Sentinel administrator, integrate data collection for Oracle Database* and similar products into Sentinel.

1.1 Audience

This guide is intended to introduce a Sentinel administrator to the process of integrating the associated data source with Sentinel to provide data collection for that source.

    1.2 Feedback

We want to hear your comments and suggestions about this manual and the other documentation included with this product, as well as requests for other Sentinel content. Please submit all comments and suggestions via the web form at

    http://support.novell.com/products/sentinel/secure/survey.html

    1.3 Documentation Updates

For the most recent version of this Sentinel Collector Guide, visit the Sentinel Collector website at:

http://support.novell.com/products/sentinel/index.html

and select the links to your version of Sentinel at the bottom of the web page.

    1.4 Additional Documentation

    For additional documentation about the Sentinel platform, please view the Sentinel Product Documentation:

    http://www.novell.com/documentation/

    1.5 Documentation Conventions

In Novell documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party trademark or a product that Sentinel is integrating with.

When a single pathname can be written with a backslash for some platforms or a forward slash for other platforms, the pathname is presented with a forward slash. Users of platforms that require a backslash, such as Windows*, should use backslashes as required by your software.

Typed commands appear in Courier font. For example:

# useradd -g dba -d /export/home/mysql -m -s /bin/csh mysql


    2 Collector Information

This Collector is designed to provide data collection services for Oracle Database* and related products. The Collector itself parses, normalizes, and enhances data received from a data source; other Event Source Management (ESM) components such as Connectors and Collector Managers perform functions such as remote protocol connections and data mapping (see the Sentinel product documentation for details).

    2.1 Supported Data Sources

The following data sources are supported by this Collector:

Oracle Database 10g, Oracle Database 11g

Other related data sources that produce similar types of data may also work, depending on how close the format of the data they produce is to one of the supported sources. For example, later revisions of software for these data sources, and other products built on them, may function without modification.

Also note that Sentinel Collectors are open source scripts that anyone can modify. This allows you to add support for new data sources or to customize the Collector output to suit the local environment.

The primary function of this Collector is to parse audit events received from the data source and to send that information to the real-time iSCALE Message Bus for processing by Sentinel. This Collector supports standard Oracle Database auditing (the audit trail written to SYS.AUD$ and exposed through the DBA_AUDIT_TRAIL view). It does not support fine-grained auditing (FGA), whose records are kept separately in DBA_FGA_AUDIT_TRAIL.

The Collector is written to support all events in the versions of Oracle Database listed as supported, except records whose ACTION_NAME column is empty.

NOTE: This version of the Collector is written specifically to support Identity integration and is supported for the versions of Oracle Database listed above. Event data from older versions should parse correctly, as the event format has remained quite stable, but Novell recommends upgrading to the latest version to take advantage of the many new features.

    2.2 Connection Methods

This Collector supports gathering data from the data sources listed above using the following connection methods and modes (expressed as Method:Mode):

Database:SQL Query
Database:Stored Procedure
File:Connector Dump

NOTE: The Database:SQL Query mode is the default mode and should be used in most circumstances. The Database:Stored Procedure mode is an optional mode and should be used when the Collector parameter Mode of Retrieval is set to Stored Procedure. The File:Connector Dump mode is provided primarily to support debugging: other Connectors can be configured to send a copy of received raw data to local files (a Connector Dump), which can then be replayed via this mode.

Refer to the documentation included with each Connector for more information on functionality and configuration.


    3 Configuration

To configure proper data collection within Sentinel, you must ensure that all components that generate, deliver, and process data are properly set up. This includes the data source itself, any intervening data aggregation points, the Sentinel ESM components (Event Source, Connector, Collector, and Collector Manager), and any filters within Sentinel itself.

3.1 Data Source Configuration

The Oracle Database* system that is the source of data must be configured to report data of interest and deliver that data to Sentinel's ESM. This section describes the commonly used options and best practices for setting up the source properly.

NOTE: All data sources should be configured to synchronize time with an absolute reference time source using NTP or another time synchronization protocol. Failure to synchronize time can prevent real-time data from being displayed in Active Views, can cause correlation rules to fail to match event sequences that depend on time, and can prevent reports from presenting an accurate picture of enterprise activity. Oracle audit records are timestamped by the database server, so it is the database host's clock that must be synchronized.

    3.1.1 Quickstart Configuration

Before configuring Sentinel to work with Oracle you need to know:

1. The name of the server on which the Oracle database resides.

2. The port on which the database listener accepts inbound connections.

3. A set of user credentials that is allowed to access the Oracle database (specifically, read access to the audit trail views; see below).

NOTE: See the Configuration Options section for alternative methods for gathering event data from Oracle.

Enable Oracle Auditing

NOTE: The use of Oracle Auditing requires knowledge of auditing and its potential impact on the performance of the database. A knowledgeable Oracle DBA should configure the auditing options.

1. Log on to the Oracle database as a user who has the AUDIT SYSTEM privilege.

2. Check for the availability of the user_obj_audit_opts view with the following command at the SQL prompt:

desc user_obj_audit_opts;

3. If the view is available, go to step 5.

4. If the view is not available, run the cataudit.sql script from the ORACLE_HOME/rdbms/admin folder with the following command at the operating system prompt:

sqlplus "/as sysdba" @cataudit.sql

5. After the script has run, all the tables, views, synonyms and triggers related to auditing are created.

6. Set the option audit_trail=db in the file ORACLE_HOME/dbs/init.ora using a text editor. If it is not present, add it to the file under the Security and Auditing section. If your instance starts from a server parameter file (spfile) instead of init.ora, set it from SQL*Plus with ALTER SYSTEM SET audit_trail=db SCOPE=SPFILE; instead. Either way the parameter is static, so the database must be restarted (steps 7 and 8) before it takes effect.

7. At the console enter (substituting the instance identifier of your database):

export ORACLE_SID=<SID>

8. To restart the database:

a) From a console on the database machine execute

sqlplus /nolog

b) At the SQL*Plus prompt, enter

connect as SYSDBA

c) Enter a username and password with SYSDBA privilege.

d) At the SQL*Plus prompt, enter

shutdown immediate

e) At the SQL*Plus prompt, enter

startup

f) From the SQL prompt type

Audit All;

g) If successful, you will see the message "Audit succeeded." Oracle is now configured to audit every statement covered by the ALL shortcut. On a busy database this generates a large volume of records in SYS.AUD$; a DBA may prefer to audit a narrower set of statements (see the note on the AUDIT command at the end of the Configuration Options section).

9. To confirm that auditing is enabled and records are being written, execute the following query. The view is empty until an audited action (for example, a new logon) has occurred; to check the parameter itself, run SHOW PARAMETER audit_trail.

select * from sys.dba_audit_trail;

10. Grant CREATE SESSION and SELECT on v_$session, v_$version and SYS.DBA_AUDIT_TRAIL to the account that Sentinel will use to query the audit trail. Use a dedicated account that holds only these privileges; do not give Sentinel the SYS, SYSTEM or a DBA account. Execute the following statements to grant the privileges:

grant CREATE SESSION to <username>;

grant select on v_$session to <username>;

grant select on v_$version to <username>;

grant select on SYS.DBA_AUDIT_TRAIL to <username>;
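The Quickstart procedure above, consolidated into one SQL*Plus script as an added example. This is not Novell's script and is not taken from the Collector Pack. It assumes the instance starts from an spfile, and the account name SENTINEL_AUDIT, its password and the tablespace name USERS are placeholders to change; the grants are exactly the four from step 10, because the Database:SQL Query mode only needs to read the audit views.

```sql
-- Added example, not Novell's script: the Quickstart setup for the
-- Database:SQL Query mode as one script. Run as SYS (sqlplus / as sysdba).
-- Assumptions: the instance uses an spfile; the account name SENTINEL_AUDIT,
-- its password and the tablespace USERS are placeholders.

-- 1. Make sure standard auditing writes to the database audit trail.
--    audit_trail is a static parameter: the change is picked up only after a
--    restart (SHUTDOWN IMMEDIATE / STARTUP), exactly as in steps 6 to 8 above.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- 2. Choose what to audit. AUDIT ALL is what the guide uses; on a busy database
--    a narrower set such as the commented lines keeps SYS.AUD$ manageable.
AUDIT ALL;
-- AUDIT SESSION;                 -- logon/logoff only
-- AUDIT USER BY ACCESS;          -- CREATE/ALTER/DROP USER, one record per statement

-- 3. A dedicated, read-only account for the Sentinel Database Connector.
--    Never point the connector at SYS, SYSTEM or a DBA account.
CREATE USER sentinel_audit IDENTIFIED BY "ChangeMe_123"
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;               -- it never needs to store anything

GRANT CREATE SESSION                TO sentinel_audit;
GRANT SELECT ON sys.v_$session      TO sentinel_audit;
GRANT SELECT ON sys.v_$version      TO sentinel_audit;
GRANT SELECT ON sys.dba_audit_trail TO sentinel_audit;
-- Deliberately absent: SELECT ANY TABLE, SELECT_CATALOG_ROLE, DBA, any access to sys.aud$.

-- 4. Verify the account holds exactly those privileges and no roles.
SELECT privilege                    FROM dba_sys_privs  WHERE grantee = 'SENTINEL_AUDIT';
SELECT owner, table_name, privilege FROM dba_tab_privs  WHERE grantee = 'SENTINEL_AUDIT';
SELECT granted_role                 FROM dba_role_privs WHERE grantee = 'SENTINEL_AUDIT';

-- 5. After the restart, confirm the parameter took effect and that records arrive.
--    DBA_AUDIT_TRAIL stays empty until something audited happens (e.g. a new logon).
SELECT value FROM v$parameter WHERE name = 'audit_trail';   -- expect DB
SELECT username, os_username, userhost, action_name, returncode, timestamp
  FROM sys.dba_audit_trail
 WHERE timestamp > SYSDATE - 1/24
 ORDER BY timestamp;
```

The last query is a read-only, timestamp-bounded read of the kind the connector issues when polling; the exact statement used by the Collector lives in the Collector script and is not reproduced here. Run the privilege checks in step 4 again after any later grant, since an account that accumulates SELECT ANY TABLE or a DBA role is no longer a read-only audit reader.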

    3.1.2 Configuration Options

    Connection Modes

Novell provides two different methods by which audit data can be captured from Oracle Database:

1. Normal JDBC read of the audit tables: with this method, the Sentinel Collector Manager host initiates a JDBC connection to the database, issues a standard SQL query, and processes the results.

2. Invocation of a stored procedure to read the audit tables: with this method, the Sentinel Collector Manager host initiates a JDBC connection to the database but invokes a stored procedure that must be pre-installed in the database; this stored procedure reads the audit tables and returns records to Sentinel for processing.

NOTE: Using a stored procedure is considered somewhat safer than the direct query, because free-form queries cannot be issued through the collection account: with a definer's-rights procedure the Sentinel account can be limited to CREATE SESSION and EXECUTE on the procedure rather than SELECT on the audit views, so a leaked Sentinel password exposes only the fixed query the procedure implements. Certain compliance regulations are beginning to require the use of stored procedures for most database access on secure systems.


The procedure for implementing the first type of connection was detailed in the previous Quickstart section on configuring the event source. Essentially, the database must be configured to audit events, a user must be granted access to the audit views, and then Sentinel must be configured to use that account to access the audit trail.

Stored Procedure Configuration

To configure the stored procedure to read the audit tables and return records to Sentinel, use the following procedure:

1. Install the stored procedure in the Oracle Database. Novell provides a standard SQL script, included in the associated Collector Pack, for this purpose. Import the Collector Pack and follow the instructions under the Event Source Setup control.

2. Enable Oracle auditing by following steps 1 through 8 of the Enable Oracle Auditing procedure in the Quickstart Configuration section above (check for the audit views, run cataudit.sql if needed, set audit_trail=db, restart the database, and run AUDIT ALL). The steps are identical for both retrieval methods.

3. For performance reasons, create an index on the TIMESTAMP# column of the SYS.AUD$ table (the base table behind the DBA_AUDIT_TRAIL view).

a) From a console on the database machine execute

sqlplus /nolog

b) Connect to the Oracle database as the SYS administrator.

c) Create an index on the TIMESTAMP# column of SYS.AUD$ with the following command:

create index aud$_ix1 on sys.aud$(TIMESTAMP#);

d) After creating the index, check the status of the DBA_AUDIT_TRAIL view with the following command:

select status from dba_objects where owner = 'SYS' and object_name = 'DBA_AUDIT_TRAIL' and object_type = 'VIEW';

If the status is INVALID, recompile the view with the following command:

alter view sys.dba_audit_trail compile;

4. Follow the steps below to grant permissions to the user who will create the stored procedure:

a) From a console on the database machine execute

sqlplus /nolog

b) Connect to the Oracle database as a DBA.

c) Create the user who will own the stored procedure:

    create user identified by "


The specific commands used to configure each version of Oracle vary slightly from version to version; refer to the documentation for the AUDIT command for your specific version. Once you have selected an audit configuration, configure the database to apply that configuration on startup. Audit options set with the AUDIT statement are stored in the data dictionary and survive restarts; what must be made persistent is the audit_trail initialization parameter (init.ora or spfile), without which no records are written at all.
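The stored procedure shipped in the Collector Pack is not reproduced in this guide. The following is an added example, not Novell's script, showing the privilege layout that makes the Database:Stored Procedure mode safer than a direct query: the procedure owner holds the SELECT privilege, and the account Sentinel connects with holds only EXECUTE. The schema AUDIT_READER, the account SENTINEL_SP, the procedure name GET_AUDIT_EVENTS, its parameters and its column list are all assumptions.

```sql
-- Added example, not the Collector Pack script. Assumed names: AUDIT_READER (owner of
-- the procedure), SENTINEL_SP (account used by the Sentinel Database Connector),
-- GET_AUDIT_EVENTS. Run as SYS (sqlplus / as sysdba).

-- 1. Owner schema. The procedure runs with the owner's rights (AUTHID DEFINER, the
--    default) and roles are disabled inside definer's-rights PL/SQL, so the SELECT
--    privilege must be granted to AUDIT_READER directly, not through a role.
CREATE USER audit_reader IDENTIFIED BY "ChangeMe_456" QUOTA 0 ON users;
GRANT CREATE SESSION, CREATE PROCEDURE TO audit_reader;
GRANT SELECT ON sys.dba_audit_trail TO audit_reader;

-- 2. The only query the collection account will ever be able to run against the audit
--    trail: bounded by timestamp (served by the index on SYS.AUD$(TIMESTAMP#) from
--    step 3 above) and capped by a row limit that plays the role of Maximum Rows to
--    Return. ROWNUM rather than FETCH FIRST so it also works on 10g and 11g.
CREATE OR REPLACE PROCEDURE audit_reader.get_audit_events (
    p_since    IN  DATE,
    p_max_rows IN  PLS_INTEGER,
    p_events   OUT SYS_REFCURSOR)
AUTHID DEFINER
AS
BEGIN
    OPEN p_events FOR
        SELECT *
          FROM (SELECT username, os_username, userhost, terminal,
                       action_name, obj_name, returncode, timestamp
                  FROM sys.dba_audit_trail
                 WHERE timestamp > p_since
                 ORDER BY timestamp)
         WHERE ROWNUM <= p_max_rows;
END;
/

-- 3. The Sentinel account: CREATE SESSION and EXECUTE on the procedure. No SELECT on
--    any audit view, so a leaked connector password cannot browse the audit trail.
CREATE USER sentinel_sp IDENTIFIED BY "ChangeMe_789" QUOTA 0 ON users;
GRANT CREATE SESSION TO sentinel_sp;
GRANT EXECUTE ON audit_reader.get_audit_events TO sentinel_sp;

-- 4. Check from the Sentinel account (connect sentinel_sp/<password>): the direct read
--    must fail with ORA-00942 (table or view does not exist), while the procedure
--    call returns rows.
-- SELECT COUNT(*) FROM sys.dba_audit_trail;
-- VARIABLE c REFCURSOR
-- EXEC audit_reader.get_audit_events(SYSDATE - 1, 200, :c)
-- PRINT c
```

Keep the procedure's WHERE clause fixed and its inputs typed (a DATE and an integer, never a string that is concatenated into SQL): that is the property the Configuration Options note relies on when it says free-form queries cannot be issued through this path. The same retrieval method must be used for every Event Source under one Collector, so do not mix this account with the direct-query account from the Quickstart section on a single Collector.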

    3.1.3 ESM Component Configuration

Once the data source (known as an "Observer") and any aggregation points ("Reporters") are configured to properly deliver data to Sentinel, the corresponding ESM components must be configured to gather that data and parse it properly. Sentinel's ESM framework includes software components to represent the data source itself (Event Source), the Connector that captures the data from that source, the Collector that parses and normalizes that data, and the Collector Manager that filters and provides data mapping.

Before beginning the configuration of any of the ESM components, ensure that you have downloaded the latest versions of this Collector and the selected Connector from the Sentinel content page for your version of Sentinel:

    http://support.novell.com/products/sentinel/index.html

    3.1.4 Quickstart Collector Configuration

1. Log in to the Sentinel Control Center as a user with rights to configure event sources.

2. Start the Event Source Management (ESM) Live View from the ESM toolbar menu.

3. In ESM, select the Add button in the Scripts panel.

4. Browse to select the Oracle Database Collector file that you downloaded; click Next.

5. Review the summary details and click Finish to import the plug-in.

6. Repeat this process from step 3, this time selecting the Database Connector file.

7. Select the Connect to Event Source button.

8. Select Oracle from the list of vendors at left, then select Database from the list of supported products at right (or select the specific product you are integrating); click Next.

9. Make sure the Oracle Database Collector is selected as the script to use, then click Next.

10. Select Database from the list of connection methods, then click Next.

11. Click Next again to create a new set of components.

12. Select which Collector Manager you wish to run these components on, then click Next; the Collector Manager you select must have network access to the event source (the database listener port noted in the Quickstart Configuration).

13. Click Next to accept the default Collector properties (parameters).

14. Click Next to accept the default Collector runtime configuration.

15. Click Next to accept the default Connector runtime configuration.

16. Select Oracle as the Database Type from the listed databases in the Connector configuration and upload the JDBC JAR file for the selected database.

17. Provide the connection parameters for your database, including Host Name, Port, Database Name, User Name and Password (use the dedicated account to which you granted access to the audit trail, not a DBA account), then click Next to accept these settings.

18. Click Next to accept the Auto Reconnect configuration settings.

19. Click Next to accept the Start Behavior and Offset settings.

20. Click Next to accept the Connection Mode settings.

21. Click Next to accept the default General settings (see the Connector documentation).


    22. Click Finish. Right-click on the Event Source and select Start.

NOTE: Make sure that for Oracle 10g the JAR file ojdbc14.jar is placed in the location below:

    %ESEC_HOME%\lib\ for Sentinel 6.1 and Sentinel 6.1 RD

    %APP_HOME%\lib\ for Sentinel Log Manager

    3.1.5 Collector Configuration Options

Sentinel Collectors can often be configured in a wide variety of ways to handle the different environmental scenarios that any given customer might face. This section details the pre-defined configuration parameters and also discusses setting up specific features that can be enabled.

Manual Event Source Configuration

The procedure for configuring a new Oracle Database event source was documented in the Quickstart section. If additional databases must be audited, add additional Event Source nodes to ESM by right-clicking on the Database Connector associated with this Collector and selecting Add Event Source.

NOTE: The same retrieval method (SQL Query versus Stored Procedure, see below) must be used for all event sources connected to a single Collector. If you wish to mix retrieval methods, deploy a second copy of this Collector.

You may also fine-tune various operational parameters of the Collector and other nodes by editing the relevant nodes in ESM. For example, in order to use a stored procedure for auditing, you must edit the Event Source node as described above.

Pre-defined Collector Parameters

The following table details the configurable parameters of this Collector, the default settings, and a description of how each parameter modifies the operation of the Collector.

Parameter Name: Execution Mode
Default Value: release
Description: Defines an operational mode for Collector operation.
  release - normal operation
  custom - apply customizations added by the customer
  debug - generate debug trace files during operation

Parameter Name: Resolve IP and Hostname
Default Value: no
Description: Defines whether the Collector will attempt to translate any received IP information into hostnames and vice versa. Given the high data rates handled by the Sentinel environment, interactive DNS lookups are not performed; see the Collector Configuration Options section for details on how to configure this functionality.

Parameter Name: Report Unparsed Events
Default Value: yes
Description: Collectors are normally developed to parse specific known events from event sources.
  no - silently drop events which Sentinel does not support
  yes - generate a generic unparsed event for events which Sentinel does not natively support

Parameter Name: Unparsed Events Severity
Default Value: 1
Description: When generic unparsed events are generated for unsupported events, the selected severity is applied to those events.

Parameter Name: MSSP Customer Name
Default Value: unknown
Description: Name or numeric code for a specific customer in an MSSP environment; all received data is flagged with this value so that data segregation can be maintained.

Parameter Name: Mode of Retrieval
Default Value: SQL Query
Description: The Collector is designed to support both normal queries and a stored procedure to retrieve data from the database.
  SQL Query - use a normal SQL query
  Stored Procedure - use the stored procedure

Parameter Name: Maximum Rows to Return
Default Value: 200
Description: When performing a database query, Sentinel will request up to this many rows from the source database.

    Custom Parameter: Mode of Retrieval

This parameter is provided to allow switching between standard SQL queries and a stored procedure for fetching audit records from Oracle Database. This parameter must be kept in sync with the Connection Mode selected for all Event Source nodes that are children of this Collector node. To switch modes, edit the Collector parameter by right-clicking on the Collector node and selecting Edit, then selecting the Parameters tab. Then also edit each Event Source node by right-clicking on it, selecting Edit, and selecting the Connection Mode (Advanced) tab.

Report Unparsed Events

The Report Unparsed Events parameter determines whether an event for which this Sentinel Collector does not include native support is reported by the Collector or simply ignored. When this parameter is set to yes, unrecognized events are passed through the Collector unparsed; the raw data is placed in the Message field, and the EventName for such events is populated as Oracle Database Event. Certain Connectors that pre-parse event records may insert additional detail. Unparsed events are worth reviewing periodically: an audit record the Collector does not recognize is still an audit record, and the no setting removes it from correlation and reports without any trace.

    Resolve IP and Hostname

Collectors can easily support translation of hostnames to IP addresses and vice versa, but some additional setup is required. We do not support using DNS interactively to perform name resolution, as Collector parsing occurs at a much faster rate than DNS lookups can be performed.

To configure name resolution for 6.1 Collectors:

1. Download the Generic Hostname Resolution Service Collector from the Sentinel 6.1 support site.

2. Install and configure that Collector according to the documentation included (you need to do this on each Collector Manager in your environment).

3. Configure this Collector to set the Resolve IP and Hostname parameter to yes.

Once all the components are restarted, the system will begin resolving names. Note that because of the network delays involved in DNS, resolution is deferred: the first time a new name or IP is seen that does not have a known match, it will not be resolved. The Generic Hostname Resolution Service Collector performs name-to-IP resolution in the background so that the next time that name or IP is seen, it will be resolved.

Resolve IP to Country

The ability to automatically indicate which country an IP address resides in is also included by default with our Collectors. To use this feature:

    1. Download the Generic IP Geolocation Service Collector from the Sentinel 6.1 support site.


2. Install and configure that Collector according to the documentation included (you need to do this on the main Sentinel server in your environment).

Once all the components are restarted, the system will begin looking up IP addresses and converting them to the registered country for that IP subnet.

    MSSP Customer Name

Sentinel provides support for Managed Security Service Providers and other large enterprises by allowing data that enters the Sentinel database to be flagged as belonging to a particular customer or other organizational unit. This is enabled by setting the MSSP Customer Name parameter to an assigned name for each organization. You should ensure that each organization's data is only parsed by Collectors that have been properly configured with the correct ID for that customer.

As mentioned, this feature is used to provide data-segregation capabilities so that multiple customers' data can be stored in a single instance of Sentinel; it can also be used to prevent IP overlap in cases where IP address translation is in use. Identities, Assets, and Vulnerabilities are all stored with associated MSSP Customer IDs, which ensures that data consistency is maintained.

    3.1.6 Oracle Database Collector Pack

    The Oracle Database Collector ships with a set of content in a Collector Pack that provides supporting real-time rulesdata mapping, and reports in an easy-to-deploy control framework. To deploy this Collector Pack for Sentinel and SentineRapid Deployment:

    1. Download the Oracle Database Collector Pack from the Sentinel 6.1 support website.

    2. Open the Solution Manager tool in the Sentinel Control Center.

    3. Import the Collector Pack into the Solution Manager.

    4. Follow the included instructions for implementing and testing each control that you want to deploy in your environment (the full set of instructions can be exported as a PDF or read directly in the Solution Manager interface).

    For Sentinel Log Manager prior to 1.1:

    1. Download the Oracle Database Collector Pack from the Sentinel 6.1 support website.

    2. Download the Collector Pack Extractor utility from the Utilities tab on the same website.

    3. Following the instructions in the Collector Pack Extractor documentation, extract the reports and documentation from the Collector Pack into a temporary directory.

    4. Use the Sentinel Log Manager report upload capability to import each report (unlike the full Solution Management framework in Sentinel, Sentinel Log Manager does not have control-based Solution Management capabilities).

    Sentinel Log Manager 1.1 or higher:

    1. Download the Oracle Database Collector Pack from the Sentinel 6.1 support website.

    2. Use the Sentinel Log Manager Upload Report Definition capability to import the Oracle Database Collector Pack; this will install only the reports from the Collector Pack (unlike the full Solution Management framework in Sentinel, Sentinel Log Manager does not have control-based Solution Management capabilities).

    3.2 Integration Testing

    In order to ensure that data is being properly captured by Sentinel, some integration testing should be performed on the end-to-end system.

    3.2.1 Quickstart Integration Testing


    1. In ESM, right-click on the Event Source node representing your Database and select Raw Data Tap.

    2. Connect to the event source device, and perform LOGIN/LOGOUT operations.

    3. Verify that the data generated appears in the raw data tap.

    4. Close the raw data tap and repeat the activity-generating step; verify that the data is parsed and appears in the Sentinel Control Center in a PUBLIC:ALL Active View.

    3.2.2 Integration Testing Details

    Validating Specific Events

    Oracle Database can be configured in various ways and as a result will generate different sets of data depending on that configuration. In general, the Collector supports only a specific set of configuration options, as detailed in section 3.1.2, Configuration Options. If the data you receive from the event source does not appear to parse correctly, it might be that you have enabled an unparsed option that has modified the output data format. See section 4.1, Collector Data Parsing Examples, below for a sample of what the Collector expects to receive and how it should be parsed, and compare that with a Raw Data Tap if necessary.

    Collector Pack Testing

    This Collector ships with a Collector Pack which includes several controls that will help manage and analyze the data coming from this Collector. Refer to the Collector Pack documentation (which can be exported as a PDF once the Pack is imported into Sentinel) for details regarding the specific controls included in the Pack.

    All Collector Packs include a basic set of reports to show management activity for the Collector Pack itself, as well as basic information about the operation of the Collector. In particular, after you have used the Collector for a while and worked with the controls from the Collector Pack a little bit, check the following:

    1. The Collector Pack Controls\Dashboard Status control contains a report called Collector Pack Status Dashboard. Review the implementation and testing steps contained in the Collector Pack to test this control and ensure that it properly reports data from the Solution Pack framework. You should see an overview of the controls you have deployed, implemented, and tested from this Collector Pack.

    2. The Collector Pack Controls\Implementation Audit Trail control contains a report called Collector Pack Audit Trail. Review the implementation and testing steps contained in the Collector Pack to test this control and ensure that it properly reports data from the Solution Pack framework. You should see an audit trail of who has been working with the controls in this Collector Pack.

    3. The Collector Controls\Event Trends control contains a report called Event Count Trends. Review the implementation and testing steps contained in the Collector Pack to test this control and ensure that it properly reports data from the Collector. You should see graphs showing trends in the events received by the Collector.

    4. The Collector Controls\Collector Management control contains a report called Collector Management. Review the implementation and testing steps contained in the Collector Pack to test this control and ensure that it properly reports data from the Collector. You should see an audit trail of who has been managing (starting and stopping, primarily) this Collector.

    Once you have tested these controls, you can proceed with implementing and testing the other controls in the Collector Pack.

    Troubleshooting

    If you experience difficulty in getting properly-parsed events to flow from your event sources into Sentinel, there are various troubleshooting steps you can take to analyze whether the problem is with the configuration of your event source, the ESM components, or something else. A full description of troubleshooting and debugging steps is available at http://www.novell.com/developer/collector_debug.html


    4 Collector Parsing

    Sentinel Collectors parse data passed to them by Connectors within the ESM architecture. By separating the functions of data capture (the Connector) and data parsing/normalization (the Collector), the development of the Collector is simplified.

    Today two Collector languages are supported by the ESM framework: a proprietary legacy language, and the commonly-used ECMAScript (JavaScript) language. In all cases Collectors are open source: parsing logic is stored in simple text files in a Collector ZIP file. The structure of the Collector code is designed specifically to make it easy for customers and partners to make simple changes and customize the data output for the local environment. Note however that modifications to the generally available [GA] Collectors on the Novell website will render them unsupported: Novell Technical Support [NTS] will fully support unmodified GA Collectors and will support the ESM infrastructure on which custom code can be built, but will not support the custom code itself.

    Novell provides a complete Collector SDK that describes the internal API of the Collectors so that customers and partners can learn to develop their own Collectors for in-house applications and to modify existing Collectors. The SDK is available on the Novell Developer website:

    http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel

    Provided below are illustrative examples of how Sentinel will parse data received from the data source. These examples should be taken as guidelines only; parsing of individual datasets may vary depending on a variety of factors such as the specific contents of the received dataset, specific configuration of the data source, and Collector parameter settings. Some data sources can produce thousands of different types of data, varying in importance from mission-critical to debug-level information. To provide the most value while conserving processing power, Collector development is focused on parsing the highest value data as identified by our customers and partners. Parsing for additional types of received data (custom mode) can easily be added as needed using the guidelines in the Collector SDK.

    A Collector can do a variety of different things with the data it receives, including generating real-time events that are sent to the iSCALE Message Bus, storing Asset, Vulnerability, or Identity data for reference, or causing a variety of other side effects. Most collectors parse or generate real-time events based on the data they receive.

    Events that are fully parsed by Sentinel Collectors will have an event taxonomy applied to them to classify them into general categories. The taxonomy.map file included in the Collector ZIP file lists each event by name or ID that will have taxonomy applied; as a result, that file is also a good guide to which event data is currently supported by this Collector.

    Novell encourages our customers and partners to share suggested enhancements, additions, and any minor issues with parsing logic that are discovered. We provide forums for this purpose at:

    http://forums.novell.com/novell-product-support-forums/sentinel/

    More serious issues should be brought to the attention of NTS.


    4.1 Collector Data Parsing Examples

    Collector Parsing Examples

    esecadm,ESECAPP,testmachine.novell,unknown,2009/07/07 17:05:51.872812,100,LOGON,,Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=52759)),51563,1,1,0,,,,3669,,,,testmachine

    Output Samples

    Each type of dataset received from the data source has different parsing rules applied depending on the exact meaning of the information contained in the dataset.

    Output sample fields: DeviceEventTime, TargetHostName, VendorEventCode, TargetUserName, EventName

    Many of the fields shown above are normalized into the standard Sentinel event schema and/or business relevance schema format; refer to the Sentinel core product documentation and the Collector SDK for details.
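    The following is an added illustration of the parsing described in this section, written in the ECMAScript dialect Collectors use; it is not code from the Oracle Database Collector ZIP. The zero-based field positions, the mapping onto the output fields listed above, and the small taxonomy table are the editor's assumptions chosen to reproduce the sample record, and a record whose field count does not match is deliberately left unparsed, which is the symptom described in section 3.2.2 when an unsupported audit option changes the output format.

```javascript
// Added example, not Collector code from the Oracle Database Collector ZIP.
// The sample record is the one shown in section 4.1, joined onto one line.
const SAMPLE_RECORD =
  'esecadm,ESECAPP,testmachine.novell,unknown,2009/07/07 17:05:51.872812,100,LOGON,,' +
  'Authenticated by: DATABASE; Client address: ' +
  '(ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=52759)),51563,1,1,0,,,,3669,,,,testmachine';

// Number of comma-separated fields the sample record carries (assumption:
// every supported record has this shape; splitting on commas assumes the
// comment field itself contains no commas).
const EXPECTED_FIELD_COUNT = 21;

// Assumed zero-based field positions, derived by inspecting the sample record.
const POS = {
  osUser: 0, dbUser: 1, userHost: 2, timestamp: 4, actionCode: 5,
  actionName: 6, comment: 8, sessionId: 9, returnCode: 12,
};

// Constructed stand-in for taxonomy.map: only event names listed here
// receive a taxonomy category; the real file ships inside the Collector ZIP.
const TAXONOMY = { LOGON: 'Authentication', LOGOFF: 'Authentication' };

// Parse one raw audit record into the normalized output fields named above.
// Returns an object with Unparsed === true when the record shape is unexpected.
function parseRecord(line) {
  const f = line.split(',');
  if (f.length !== EXPECTED_FIELD_COUNT) {
    // Field count drifts when an unparsed audit option alters the output
    // format; keep the raw line so it can be compared with a Raw Data Tap.
    return { EventName: 'Unparsed event', Unparsed: true, raw: line };
  }
  // The client address is embedded in the comment text as (HOST=...)(PORT=...).
  const host = /\(HOST=([^)]+)\)/.exec(f[POS.comment]);
  const port = /\(PORT=(\d+)\)/.exec(f[POS.comment]);
  return {
    DeviceEventTime: f[POS.timestamp],
    TargetHostName: f[POS.userHost],
    VendorEventCode: f[POS.actionCode],
    TargetUserName: f[POS.dbUser],          // assumption: database user, not OS user
    EventName: f[POS.actionName],
    SourceIP: host ? host[1] : null,
    SourcePort: port ? Number(port[1]) : null,
    SessionId: f[POS.sessionId],
    ReturnCode: Number(f[POS.returnCode]),
    Taxonomy: TAXONOMY[f[POS.actionName]] || null,
    Unparsed: false,
  };
}
```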


    5 Revision History

    Release Notes

    6.1r2

    Bug# 609096: Enhanced the Collector to support Stored Procedure to increase the performance.

    Bug# 603962: Documented all the permissions required by the user to be able to collect logs.

    Bug# 635163: Fixed an issue to display database name in the DataContext event tag, rv36.

    Bug# 587688: Modified the Collector SQL Query to sort correctly when number of events are greater than 200.

    Bug# 627068: Fixed an issue to display user as unknown for Logon events in Oracle reports.

    Bug# 649536: Fixed an issue where a critical error was thrown when the Collector is stopped.

    Bug# 573921: Added logic to support falloff on the timing of database queries to prevent excessive resource usage.

    Bug# 582547: Fixed an issue where the DeviceEventTimeString field was not being properly set.

    Bug# 576172: Enhanced reporting of EventName for unrecognized or unsupported events.

    Bug# 550659: Corrected an issue with Custom execution mode which prevented proper initialization of custom code.

    Bug# 649519: Fixed an issue where large JSON files are created on the server.

    Bug# 622912: Modified report queries to optimize performance.

    6.1r1

    Converted the legacy Collector to JavaScript and updated to the 6.1 template.

    Known Issues

    The Collector Management report shipped with the Collector Pack will not display any data on Sentinel versions prior to 6.1 HotFix 1 because of bug# 487178, https://bugzilla.novell.com/show_bug.cgi?id=487178 in the JS Engine.

    The Collector will not capture LOGOFF BY CLEANUP events generated by Oracle 10g due to limitations at the event source. The current implementation of these features does not add a new record to the audit table when they occur; hence capturing them is extremely difficult and expensive.

    The Collector will not capture LOGOFF BY CLEANUP events, as Oracle 11g will not produce LOGOFF BY CLEANUP events.

    This release of the Collector has modified the SQL query that is used to capture data from the database. As a result, the database offset that we previously used as part of the query needs to be updated when this Collector is upgraded.

    1. Stop the Collector, Connector, and Event Source in ESM.

    2. Upgrade the Oracle Database 6.1r2 Collector and start it.

    Any Jasper Report is displayed in English language when Traditional Chinese language is selected. Refer to bug# 622887, https://bugzilla.novell.com/show_bug.cgi?id=622887

    Message was not displaying while importing the Collector Pack controls on RD platform. Refer to bug# 671288, https://bugzilla.novell.com/show_bug.cgi?id=671288


    In the reports Top 10 Dashboard and Event Count Trend of Crystal, color coding for Severity 0 events is set to white instead of gray. Refer to bug# 620878, https://bugzilla.novell.com/show_bug.cgi?id=620878
