Novell® Sentinel™ Log Manager: Secure, Simple and Powerful Log ...


16 Dec 2012 (4 years and 4 months ago)


Technical White Paper
Security Management
Novell® Sentinel™ Log Manager: Secure, Simple and Powerful Log Management
www.novell.com
Novell Sentinel Log Manager: Secure, Simple and Powerful Log Management
Table of contents:
Secure, Simple and Powerful Log Management (p. 2)
Key Features and Differentiators (p. 3)
  Advanced and Flexible Log Data Collection (p. 3)
  Superior Searching and Reporting (p. 3)
  Role-based Access Controls (p. 3)
  Secure, Cost-effective Data Storage (p. 3)
  Simple, Cost-effective Deployment Options (p. 4)
  Intuitive, Dynamic and Easy-to-Use Interface (p. 5)
  Building Block for Complete SIEM (p. 6)
Key Architectural Advantages (p. 6)
  Message Bus (p. 8)
  Data Collection Service (p. 8)
  Data Access Service (p. 11)
  Sentinel Link (p. 11)
  Online Event Storage (p. 11)
  Archive Event Storage (p. 12)
  Configuration Storage (p. 13)
  Event Service (p. 13)
Simplified, Intelligent and Cost-effective Compliance (p. 16)
Secure, Simple and Powerful Log Management
Novell Sentinel Log Manager intelligently collects, aggregates, stores, analyzes and manages all event logs generated from IT systems and applications within an organization.
Today most organizations are required to collect, store and manage log data from all IT systems and applications to effectively manage risk and meet compliance regulations. Log management solutions address data collection and retention needs in a way that allows them to inexpensively collect, store and manage large amounts of log data. The collected event data can be stored and queried to provide organizations a transparent historical account of events that have occurred, assist in forensic efforts and generate reports in response to audits or compliance requirements.

As organizations grow and look to become more agile and competitive, they rely on technology innovations to enable them to run their IT infrastructure efficiently and enable their partners, customers and employees to collaborate with them. As new technologies are deployed, organizations are faced with a myriad of difficulties ranging from technology-related challenges such as interoperability, security and compliance to business challenges such as cost, brand credibility and customer confidence. To add to the complex IT infrastructure environment, the proliferation of security vulnerabilities and the sophistication of the threat environment have made it even more arduous for organizations to manage the security and compliance requirements.

Log management technologies have become a critical foundation for security management and compliance initiatives. With the rise of the expanded enterprise and the increased level of application and system layer activities from a variety of constituents within the enterprise, effectively monitoring and managing millions of IT events has become a significant burden and incredible cost for many organizations. Government and industry regulations such as PCI-DSS, HIPAA, SOX and GLBA also call for increased scrutiny over the management of event data as well as privileged user access, retention and storage policies. Therefore, organizations are increasingly looking for log management solutions that will enable them to efficiently collect and manage event logs to improve their security posture, manage risk and better prepare them to meet compliance regulations in a cost-effective and proactive way.
Novell® Sentinel Log Manager provides organizations with the industry’s most flexible and scalable log management solution. It consists of a software appliance that combines SUSE® Linux Enterprise Server 11 and Sentinel Log Manager with an update service. Sentinel Log Manager leverages powerful Novell technology and an integration framework inherent to Novell Sentinel—consisting of expertise in security information and event management (SIEM) and identity management—to deliver a unique log management solution that addresses not only log collection and management challenges, but delivers this solution with a focus on compliance, risk and security.

Novell Sentinel Log Manager allows organizations to:
- Proactively manage risk and simplify compliance efforts
- Reduce deployment and management costs
- Leverage existing hardware investments
- Establish a scalable and flexible enterprise compliance and security foundation
Key Features and Differentiators
Advanced and Flexible Log Data Collection
Novell Sentinel Log Manager provides organizations with the industry’s most flexible and scalable log management solution. Novell Sentinel Log Manager leverages Novell Sentinel technology for advanced and flexible log data collection, including out-of-the-box syslog support and native collection from other protocols. This makes it an ideal solution for collecting data from a wide variety of systems and applications, such as intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, antivirus event sources and many more. It supports multiple secure communication protocols for data collection to ensure data integrity and also automatically detects log sources. Finally, it offers support for the collection and limited processing of unrecognized log messages. Novell Sentinel Log Manager does all this while providing data collection at a high events-per-second (EPS) rate.
Superior Searching and Reporting
Novell Sentinel Log Manager provides regional data aggregation, as well as simple searching and reporting for a broad range of applications and devices. Its one-click reporting capability utilizes pre-packaged report format templates to easily convert searches into rich, usable reports, including Windows* health checks, high-level compliance status, login failures, account modifications and more. Queries and searches seamlessly span online and archived data—there is no requirement to bring archived data online to search it. It can quickly search structured or unstructured data, and also provides a distributed search capability that enables administrators to search multiple log managers from a single, centralized console. Sentinel Log Manager’s search results contain hyperlinks that allow users to quickly drill down and refine search criteria. It provides out-of-the-box reports and ad hoc indexed searching, including ad hoc forensic searches. Additionally, the Web 2.0-based search tools in Novell Sentinel Log Manager automatically and immediately refresh results as additional results are found.
Role-based Access Controls
Sentinel Log Manager also includes user group permissions to provide organizations granular control over user access to data, reports and searches. It can tag the data coming from assets (i.e., individual endpoints, servers, collectors, connectors and events) to specify who can access information related to those tagged assets. It also allows for a global filter rule that will tag all events with certain characteristics (e.g., an IP address) such that those types of events can only be accessed by certain users or groups. This fine-grained access control enables organizations to limit unneeded access to data, while ensuring users have the access required to do their job.
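An added example (not the product’s own code) of the tag-based access control described above: events inherit tags from the asset they come from and from a global filter rule keyed on a source IP range, and a user sees an event only if every restricted tag on it is granted to one of the user’s groups. The asset table, subnet, groups and users are constructed for the illustration.

```python
import ipaddress

# Constructed events (not real data).
EVENTS = [
    {"id": 1, "host": "hr-db01", "source_ip": "10.10.5.4", "message": "SELECT on payroll"},
    {"id": 2, "host": "web01", "source_ip": "198.51.100.9", "message": "Failed password for admin"},
    {"id": 3, "host": "web01", "source_ip": "10.10.5.12", "message": "GET /index.html"},
]

# Asset tags: every event from a tagged asset inherits its tags (hypothetical table).
ASSET_TAGS = {"hr-db01": {"hr-confidential"}}

# Global filter rule: any event whose source address is in the HR subnet is tagged too.
HR_SUBNET = ipaddress.ip_network("10.10.5.0/24")
GLOBAL_RULES = [
    ("hr-confidential", lambda e: ipaddress.ip_address(e["source_ip"]) in HR_SUBNET),
]

# Group permissions: the restricted tags each group is allowed to read.
GROUP_TAGS = {"hr-auditors": {"hr-confidential"}, "soc": set()}
USER_GROUPS = {"alice": {"hr-auditors", "soc"}, "bob": {"soc"}}


def tag_event(event):
    """Attaches asset tags and global-rule tags to an event."""
    tags = set(ASSET_TAGS.get(event["host"], ()))
    for tag, predicate in GLOBAL_RULES:
        if predicate(event):
            tags.add(tag)
    return {**event, "tags": tags}


def granted_tags(user):
    """Union of the tags granted to all groups the user belongs to (unknown user: none)."""
    groups = USER_GROUPS.get(user, set())
    return set().union(*(GROUP_TAGS.get(g, set()) for g in groups))


def visible_events(user, events):
    """Check in the spirit of the data access service: an event is visible only if
    all of its tags are granted to the user. Untagged events are visible to everyone."""
    allowed = granted_tags(user)
    return [e for e in map(tag_event, events) if e["tags"] <= allowed]


def visible_ids(user, events=EVENTS):
    """Convenience wrapper returning just the IDs a user may see."""
    return [e["id"] for e in visible_events(user, events)]
```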
Secure, Cost-effective Data Storage
Novell Sentinel Log Manager allows organizations the flexibility to utilize their existing standard hardware and storage investments to deliver high-event-rate storage and long-term data retention. It uses automatic 10:1 data compression to maximize storage capacity, and provides data signatures on collected data logs to ensure their integrity. It supports off-the-shelf online data storage, as well as SAN/NAS connectivity for archive capacity expansion. This enables organizations to reduce the cost of log data storage by providing the flexibility to store data on their own hardware. The solution’s customizable retention policies enable administrators to determine how long collected data will remain in local storage before being automatically migrated to archived storage, as well as how long the data will be held in archived storage before being deleted.
Novell Sentinel Log Manager leverages the proven Novell Sentinel data integration framework with its broad set of data collectors for databases, operating systems, directories, firewalls, intrusion detection/prevention systems, antivirus applications, mainframes, Web and application servers, and many more.
Novell Sentinel Log Manager leverages the expertise of Novell in SIEM to deliver log management that simplifies compliance, reduces cost, and provides a compliance and security foundation to build on as needs change and grow.
Simple, Cost-effective Deployment Options
To simplify deployment and lower costs, Novell Sentinel Log Manager provides two deployment options: a traditional software-based installation on SUSE Linux Enterprise Server 11 and a software appliance option. Since both options let organizations use their existing hardware and infrastructure, Novell Sentinel Log Manager provides significant flexibility, reduced overall cost and management capabilities, especially when compared to hardware-based solutions.

While hardware appliance solutions might appear to enable easier deployment, they typically require a connection to a separate collector appliance or data parser appliance, as well as a proprietary archive appliance. In reality, this increases the cost and complexity of the solutions. Hardware appliances also reduce flexibility and scalability. In order to scale, new hardware must be purchased, even if the current hardware is not taxed. For log management, the added cost of hardware appliances does not add any value since they typically do not leverage any specialized hardware. With Sentinel Log Manager, hardware can be right-sized for deployments, limiting the usage of expensive hardware when it isn’t required.

The software appliance option for Novell Sentinel Log Manager consists of a pre-configured version of the product, along with a hardened “just-enough-operating-system” version of SUSE Linux Enterprise Server 11, optimized for use with Sentinel Log Manager. The software appliance is available in a variety of formats including a VMware image, Xen image or self-installing ISO image, which can be installed on any hypervisor or bare metal machine.

The Novell Sentinel Log Manager software appliance allows organizations to take advantage of their existing virtual environment resources without the need to invest in new hardware. Additionally, the Sentinel Log Manager appliance scales to meet an organization’s growing log management needs without having to buy additional hardware. The appliance also includes an update service that automatically provides updates to both the operating system and Sentinel Log Manager, making it nearly maintenance free. Overall, the Sentinel Log Manager software appliance simplifies deployment, reduces administration hassles, lowers total cost of ownership and provides a faster ROI than other solutions.
Figure 1. Storage Management Dashboard
Intuitive, Dynamic and Easy-to-Use Interface
Novell Sentinel Log Manager leverages Ajax-based Web 2.0 technology to deliver an intuitive, simple-to-use and responsive interface, which provides a superior user experience. Through the interface, users can easily view data usage trends and identify potential problems. It also lets users configure data collection; schedule and manage reports; create data retention policies; and configure rules for data filtering and actions, such as e-mailing alerts, sending SNMP traps, writing to a file or even forwarding events to Novell Sentinel for real-time processing. The user interface also provides a dynamic and responsive interface for search and report operations.
In addition to the Web 2.0 thin client interface, Novell Sentinel Log Manager provides an on-demand thick client interface for more advanced operations, such as deploying, configuring and managing data collectors. Using a Java* Swing application, Sentinel Log Manager allows users to load the thick client on the fly from any Web browser, and removes it from memory when the management session ends. As a result, the thick client can be used wherever the user happens to be, providing all the advantages of a powerful, rich client without the need to install a client locally.
Figure 2. Web 2.0 Style User Interface
The data indexing and one-click reporting approach employed by Novell Sentinel Log Manager greatly simplifies an organization’s audit and compliance report generation efforts.
Building Block for Complete SIEM
Along with providing a quick and easy way to initially deal with a large number of compliance and audit concerns, Novell Sentinel Log Manager is also a solid building block for a complete SIEM implementation. Once Novell Sentinel Log Manager is set up to collect data from devices, it can easily forward that data to Sentinel. This allows an organization to leverage an initial investment in log management to reduce the complexity of a SIEM deployment. Most log management products do not provide integration or an easy path to full SIEM. Sentinel Log Manager delivers easy integration with the real-time monitoring capabilities of Novell Sentinel, as well as with Novell Compliance Management and Novell Identity and Access Management solutions. Novell Sentinel Log Manager provides a clear roadmap to full identity-aware security in a way that lets organizations seamlessly add and integrate new capabilities as their security and compliance monitoring needs change.
Key Architectural Advantages
While Novell Sentinel Log Manager is built on the data collection technologies inherent in Novell Sentinel, Sentinel Log Manager is a flexible standalone log management solution. However, it also has the ability to integrate with the real-time capabilities of Novell Sentinel, forwarding to it events from its data collection feeds utilizing a technology feature called Sentinel Link.

Built on a scalable framework, Sentinel Log Manager can meet the needs of the most taxing environments. To ensure secure communications between its different services, Sentinel Log Manager encrypts all its communications across the wire by default.

The following key services and components comprise the Novell Sentinel Log Manager architecture:
- Message bus
- Data collection service
- Data access service
- Sentinel Link
- Online event storage
- Archive event storage
- Configuration storage
- Event service
The fact that Novell Sentinel Log Manager does not use separate sets of data for searching and reporting is what allows it to easily convert any search into a formatted report.
Figure 3. Novell Sentinel Log Manager Architecture
For more information on Novell Sentinel Log Manager, visit: www.novell.com/products/sentinel-log-manager/
Message Bus
Novell Sentinel Log Manager leverages the same message bus architecture used in Novell Sentinel. Based on the Sonic Java Message Service (JMS) architecture, the message bus facilitates communication between all Sentinel Log Manager components as well as communication with Novell Sentinel and other solutions capable of message bus communication, such as Novell Identity Manager.

The design of the message bus architecture is the key to making Novell Sentinel Log Manager a highly scalable system. It enables organizations to scale components of the solution (i.e., collection managers) beyond a single device and run them independently on multiple distributed servers without having to duplicate the entire system and without adding database licenses and costly hardware.

The message bus isolates the different components of Novell Sentinel Log Manager so no single service has to wait for another service to finish before it can begin its work. This delivers significantly quicker response times for queries, reports and other operations compared to competing solutions. It also ensures that there is no single point of failure in the system. A critical piece allowing this higher performance and scalability is the ability of Sentinel Log Manager to make efficient use of multiprocessor systems. The message bus allows the solution to separate out the performance workload of its individual components so that different services can run independently on different processor cores. With individual services running on separate cores, the services don’t have to wait on each other to execute and perform their required functions.
Data Collection Service
The data collection service can run on the local server where Novell Sentinel Log Manager is installed, or it can run remotely as a collector manager on a distributed box, making multi-site deployments easy to set up. The data collection service collects event log data from many types of devices, referential sources, operating systems and applications, and then records correlated event log data for future analysis.

While most log management solutions are heavily dependent on syslog over UDP, the data collection service in Novell Sentinel Log Manager provides out-of-the-box support for syslog as well as native log collection from other protocols. In addition to UDP, it supports syslog over the more secure and reliable TCP and TLS/SSL protocols, which include authentication and custom certificate support. Novell Sentinel Log Manager provides auto-detection of different event source types (e.g., PIX, Linux* and Solaris*) and it has a universal syslog collector for unrecognized syslog events.
A significant strength of Novell Sentinel Log Manager over competing solutions is its extensive and flexible ability to collect and manage data from other log sources in addition to syslog. While Novell Sentinel Log Manager is optimized to collect from syslog sources right out of the box, it also supports the proven Sentinel data integration framework with its broad set of data collectors for databases, operating systems, directories, firewalls, intrusion detection/prevention systems, antivirus applications, mainframes, Web and application servers, and more. In addition to the solution’s out-of-the-box pluggable collectors, organizations can configure, customize or create their own collectors to address specific organization needs.

These interpretive collectors gather the log data from multiple sources and then normalize it into a standard format with common fields that facilitate correlation and reporting efforts. They also parse the data, inserting metatags that add business relevance to the data set in a way that enriches the analysis, visualization and reporting of events to further facilitate an organization’s security and compliance efforts. The collectors also automate the event-filtering process, eliminating irrelevant data at the point of collection, saving bandwidth and disk space.

Furthermore, Novell Sentinel Log Manager provides customers with a scalable solution that is the most suitable for their specific needs. Through its flexible architecture, Sentinel Log Manager provides customers with the option of selecting the number of events per second collected according to their respective environment requirements. Currently, the three main options consist of Sentinel Log Manager 500 EPS, 2500 EPS and 7500 EPS, where the number corresponds to the events per second collected. This is a key feature that allows customers the flexibility to deploy the solution that best fits their environment without overloading or restraining them to one option.
Figure 4. Novell Sentinel Log Manager supports UDP, TCP and SSL
With the exception of a few systems, such as mainframes, the collectors are agent-less. This enables them to gather data remotely without having to install anything on the monitored system or device.
Event Source Management
Novell Sentinel Log Manager provides a centralized event source management framework that facilitates data source integration. This framework enables all aspects of configuring, deploying, managing and monitoring of data collectors for a broad set of systems. It allows organizations to manage and monitor all the connections between Novell Sentinel Log Manager and its event sources.

The framework utilizes the following components and capabilities to take data from source systems, perform transformations and present events for later analysis, visualization and reporting purposes:
- Collectors. Parse and normalize events from various systems
- Taxonomy. Allows data from disparate sources to be categorized consistently
- Filtering. Eliminates irrelevant data at the point of collection, saving bandwidth and disk space
- Business relevance. Offers a way to enrich event data with valuable information from an environment, such as asset attributes
- Normalization. Uses metatags to place all data in a standard, normalized format that allows for powerful and flexible correlation and reporting
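As an added illustration (not code from the paper or the product) of the collector pipeline just listed and of the source auto-detection and universal syslog collector described under Data Collection Service, the Python below detects the source type of constructed syslog lines, normalizes them into common fields with a taxonomy tag, drops unclassified low-severity chatter at the point of collection, and enriches events with hypothetical asset attributes. The regexes, taxonomy strings, severity threshold and asset table are all assumptions.

```python
import re

# Constructed sample syslog lines (not real captures): a Cisco PIX-style
# connection message, a Linux sshd failure, and a line no collector knows.
SAMPLE_LINES = [
    "<166>Jan 10 12:00:01 fw01 %PIX-6-302013: Built outbound TCP connection 12345 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.7/51000 (10.0.0.7/51000)",
    "<38>Jan 10 12:00:02 web01 sshd[2201]: Failed password for invalid user admin "
    "from 198.51.100.9 port 40122 ssh2",
    "<13>Jan 10 12:00:03 printer7 lpd: job 17 queued",
]

# Hypothetical asset attributes used for business-relevance enrichment.
ASSETS = {
    "fw01": {"asset_tag": "dmz-firewall", "criticality": "high"},
    "web01": {"asset_tag": "public-web", "criticality": "high"},
}

# Filtering at the point of collection: unclassified messages at syslog
# severity 5 (notice) or less urgent are dropped (assumed policy).
DROP_UNCLASSIFIED_AT_SEVERITY = 5

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
PIX_RE = re.compile(
    r"%PIX-\d-\d+: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for \w+:(?P<oip>[\d.]+)/(?P<oport>\d+) .* to \w+:(?P<iip>[\d.]+)/(?P<iport>\d+)")
SSHD_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port (?P<sport>\d+)")


def pix_collector(msg):
    """PIX collector: connection-built messages -> normalized network fields."""
    m = PIX_RE.match(msg)
    if not m:
        return None
    outside = (m["oip"], int(m["oport"]))
    inside = (m["iip"], int(m["iport"]))
    # An outbound connection was initiated from the inside, so inside is the source.
    src, dst = (inside, outside) if m["dir"] == "outbound" else (outside, inside)
    return {"taxonomy": "Network:Connection:Built", "protocol": m["proto"],
            "source_ip": src[0], "source_port": src[1],
            "dest_ip": dst[0], "dest_port": dst[1], "outcome": "success"}


def linux_collector(msg):
    """Linux collector: sshd authentication failures -> normalized auth fields."""
    m = SSHD_RE.match(msg)
    if not m:
        return None
    return {"taxonomy": "Auth:Login:Failure", "user": m["user"],
            "source_ip": m["src"], "source_port": int(m["sport"]), "outcome": "failure"}


# Source auto-detection: the first collector whose parser recognizes the message wins.
COLLECTORS = [("pix", pix_collector), ("linux", linux_collector)]


def normalize(line):
    """One syslog line -> normalized event dict, or None if it is filtered out."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    event = {"raw": line, "timestamp": m["ts"], "host": m["host"],
             "facility": pri // 8, "severity": pri % 8, "message": m["msg"],
             "collector": "universal", "taxonomy": "Unclassified"}
    for name, parser in COLLECTORS:
        fields = parser(m["msg"])
        if fields:
            event.update(fields)
            event["collector"] = name
            break
    # The universal collector keeps unrecognized messages unless the filter drops them.
    if event["taxonomy"] == "Unclassified" and event["severity"] >= DROP_UNCLASSIFIED_AT_SEVERITY:
        return None
    event.update(ASSETS.get(event["host"], {}))  # business-relevance enrichment
    return event


def collect(lines):
    """Runs the pipeline over raw lines and returns the events that survive filtering."""
    return [e for e in map(normalize, lines) if e is not None]
```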
Figure 5. Powerful, thick-client event source management
Channels
As part of the data collection service, the message-bus architecture implements an independent, multi-channel environment, which virtually eliminates contention and promotes parallel processing of events. These channels and sub-channels work not only for event data transport, but also offer fine-grain process control for scaling and load balancing the system under varying load conditions.

Data Access Service
The data access service resides on the message bus and performs a variety of housekeeping functions, such as ensuring that logged-in users have the appropriate rights to access or run reports on certain portions of data. It also handles the port configurations needed to allow the solution to listen for data from the various event sources.

Sentinel Link
Sentinel Link provides the ability to hierarchically link multiple Sentinel systems, including Sentinel Log Manager and the two Sentinel SIEM systems, Novell Sentinel and Novell Sentinel Rapid Deployment (RD). Sentinel Link provides several benefits:
- Several Sentinel Log Managers can be linked in a hierarchical manner. Regional or distributed Sentinel Log Manager servers can manage a large volume of data, retaining raw data and event data locally, while also forwarding important events to a central Log Manager for consolidation.
- One or more Sentinel Log Managers can forward important data to either Sentinel or Sentinel RD, which are SIEM systems. These systems provide real-time visualization of data, advanced correlation and actions, workflow management, and integration with identity management systems.
Online Event Storage
All the log data collected by Novell Sentinel Log Manager is initially stored in the solution’s online event store. Unlike competing solutions, the online event store in Sentinel Log Manager utilizes off-the-shelf, standard storage systems. It can use the server’s local disk system, or easily connect to a SAN or NAS to facilitate and expand storage capacity. Additionally, to minimize storage requirements, the solution automatically compresses data at a 10:1 ratio.

The majority of log management vendors utilize proprietary storage systems that not only increase the cost of storage, but also create a number of other problems, including a dependence on the vendor’s reporting and search tools, the inability to analyze archived data without migrating it back into the vendor’s device and difficulty in proving that data has not been modified. Novell Sentinel Log Manager uses standard storage systems, which eliminate these issues by storing the collected log data on standard storage systems and by providing data signatures to ensure log integrity.

The online event store in Novell Sentinel Log Manager has the following main aspects:
- Raw data
- Events
- Event index
- Retention policies
Raw Data
While the collectors enhance collected events by adding additional metadata (event taxonomies and business relevance) that helps further identify and classify events, the solution still stores the events’ raw data in online event storage. The format of the raw data will vary based on the connector and event source, but typically it will contain information about the raw data message, raw data record ID, time the raw data was received, event source, collector and collector manager node ID, a SHA-256 hash of the raw data and more. Novell Sentinel Log Manager stores the raw data in a way that ensures that all logs are intact and unmodified. Storing the data in an untouched format helps organizations meet forensic-related regulatory requirements. Additionally, raw data is compressed to minimize storage space.
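The raw-data record and integrity checks described above, as an added example that is not the product’s own code: each record carries the fields the paper lists (record ID, receive time, event source, collector, collector manager node, SHA-256 of the message), a batch is stored as compressed JSON lines, and a keyed signature over the batch is an assumed scheme, since the paper does not say how its data signatures are produced. The verifier reports both a failed batch signature and any record whose message no longer matches its stored hash.

```python
import gzip
import hashlib
import hmac
import json
import uuid
from datetime import datetime, timezone

# Constructed sample messages (not real captures).
SAMPLE_MESSAGES = [
    "<38>Jan 10 12:00:02 web01 sshd[2201]: Failed password for invalid user admin "
    "from 198.51.100.9 port 40122 ssh2",
    "<86>Jan 10 12:00:05 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/usr/bin/less /var/log/secure",
]

# Hypothetical store-side signing key; a real deployment keeps it in a key store or HSM.
SIGNING_KEY = b"constructed-demo-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_raw_record(message, event_source, collector, node_id, received_at=None):
    """Raw-data record with the fields the paper lists, including a SHA-256 of the message."""
    return {
        "record_id": str(uuid.uuid4()),
        "received_at": received_at or datetime.now(timezone.utc).isoformat(),
        "event_source": event_source,
        "collector": collector,
        "collector_manager_node": node_id,
        "message": message,
        "sha256": sha256_hex(message.encode("utf-8")),
    }


def sign_batch(records) -> str:
    """Keyed signature (HMAC-SHA256) over the ordered record IDs and per-record hashes.
    This scheme is an assumption; the paper does not describe its signature method."""
    mac = hmac.new(SIGNING_KEY, digestmod=hashlib.sha256)
    for r in records:
        mac.update(r["record_id"].encode("utf-8"))
        mac.update(r["sha256"].encode("utf-8"))
    return mac.hexdigest()


def write_batch(records) -> bytes:
    """Stores a batch as gzip-compressed JSON lines; the last line holds the batch signature."""
    lines = [json.dumps(r, sort_keys=True) for r in records]
    lines.append(json.dumps({"batch_signature": sign_batch(records)}))
    return gzip.compress("\n".join(lines).encode("utf-8"))


def verify_batch(blob: bytes):
    """Returns (batch_signature_ok, [record IDs whose message no longer matches its hash])."""
    lines = gzip.decompress(blob).decode("utf-8").split("\n")
    records = [json.loads(line) for line in lines[:-1]]
    stored = json.loads(lines[-1])["batch_signature"]
    bad = [r["record_id"] for r in records
           if sha256_hex(r["message"].encode("utf-8")) != r["sha256"]]
    return hmac.compare_digest(stored, sign_batch(records)), bad


def edit_stored_record(blob: bytes, index: int, new_message: str, fix_hash=False) -> bytes:
    """Demo helper: simulates an after-the-fact edit of one stored record, optionally with
    its per-record hash recomputed, to show which check catches which kind of change."""
    objs = [json.loads(line) for line in gzip.decompress(blob).decode("utf-8").split("\n")]
    objs[index]["message"] = new_message
    if fix_hash:
        objs[index]["sha256"] = sha256_hex(new_message.encode("utf-8"))
    return gzip.compress("\n".join(json.dumps(o, sort_keys=True) for o in objs).encode("utf-8"))
```

A per-record hash alone detects a changed message but not a change that also rewrites the hash; the keyed batch signature is what covers that case, so both checks are needed.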
Events
To enhance the usefulness of collected data, Novell Sentinel Log Manager links rich formatting to the raw data, transforming it into an informative event structure. These event structures consist of taxonomy, normalization and business relevance metadata to make it easier for compliance and security managers to better understand and leverage the collected information. Just like the raw data, these event structures are compressed and stored in the online event store.

Event Index
To facilitate searching and reporting on collected data, the indexing engine in Novell Sentinel Log Manager generates event index tags for all the stored events and stores these as event indices in the online event store. These index tags or indices act as pointers to data so searches can easily retrieve those events with fields that match the supplied search criteria. To ensure that searches execute as quickly as possible, Sentinel Log Manager does not compress event indices.

Retention Policies
Novell Sentinel Log Manager enables administrators to configure data retention policies to determine how long specific events will remain in the online event store before being moved to archive event storage or deleted.
Archive Event Storage
As collected log data ages, it eventually needs to move from the local online event store to long-term archival storage. The archive event store in Novell Sentinel Log Manager utilizes the squashfs compressed file system capability in SUSE Linux Enterprise Server 11 to significantly differentiate itself over competing solutions in two key areas.

First, Novell Sentinel Log Manager and squashfs allow organizations to utilize external data stores that can be mounted using either NFS or CIFS. This means that instead of requiring organizations to invest in expensive archive appliances, they can leverage their existing storage system investments, such as a SAN or NAS.

Second, the solution provides the ability to query or report on data residing in the archive event store. To perform searches on archived data in most other log management solutions, organizations have to first undergo the arduous task of migrating the archived data back to short-term storage before the search can be executed. With the ability in Novell Sentinel Log Manager to mount archive data stores, it can query and report on both online and archived data.

Additionally, Novell Sentinel Log Manager has the intelligence to transparently detect, based on the search criteria, whether it needs to search the online event store or the archive event store. All of these capabilities combine to greatly simplify and speed up an organization’s compliance efforts.
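An added model (not the product’s code) of the behaviour described in the Retention Policies and Archive Event Storage sections: daily partitions move from the online store to the archive and are finally deleted according to a constructed policy, and a search’s date range decides which store or stores must be consulted. The 90-day and 365-day figures, the daily partitioning and the reference date are assumptions.

```python
from datetime import date, timedelta

# Constructed retention policy: days a day's partition stays online before it is
# migrated to the archive, and days the archive keeps it before deletion.
POLICY = {"online_days": 90, "archive_days": 365}

# Constructed reference date so the example is deterministic.
TODAY = date(2012, 12, 16)


def days_ago(n, today=TODAY):
    return today - timedelta(days=n)


def tier_for(received, today=TODAY, policy=POLICY):
    """Where events received on `received` belong as of `today`."""
    age = (today - received).days
    if age < policy["online_days"]:
        return "online"
    if age < policy["online_days"] + policy["archive_days"]:
        return "archive"
    return "expired"


def apply_retention(partitions, today=TODAY, policy=POLICY):
    """Applies the policy to daily partitions (receive day -> current tier).
    Returns the updated mapping and the migrate/delete actions taken, oldest first."""
    updated, actions = {}, []
    for day, current in sorted(partitions.items()):
        target = tier_for(day, today, policy)
        if target == "expired":
            actions.append((day, "delete from " + current))
            continue
        if target != current:
            actions.append((day, "migrate %s -> %s" % (current, target)))
        updated[day] = target
    return updated, actions


def stores_for_search(start, end, today=TODAY, policy=POLICY):
    """Which stores a search over receive days [start, end] must consult.
    Mirrors the transparent online/archive selection the paper describes."""
    if end < start:
        raise ValueError("search range is reversed")
    oldest_online = today - timedelta(days=policy["online_days"] - 1)
    oldest_archived = today - timedelta(days=policy["online_days"] + policy["archive_days"] - 1)
    stores = set()
    if end >= oldest_online:
        stores.add("online")
    if start < oldest_online and end >= oldest_archived:
        stores.add("archive")
    return stores  # empty set: everything in the range has already expired
```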
Configuration Storage
While all raw data logs, event structures and event indices are stored in a flat file format in the solution’s online event store or archive event store, Novell Sentinel Log Manager stores its configuration information, user management information, reports and report templates in a PostgreSQL database.

Event Service
The event service in Novell Sentinel Log Manager handles the solution’s search and reporting capabilities.

Search Services
Novell Sentinel Log Manager provides powerful, full-text search queries against all of the collected event logs, whether they are stored in the online event store or archive event store. Leveraging the powerful, open source Lucene-based search engine and the Ajax Web browser interface in Sentinel Log Manager, users can generate a search from any of the solution’s screens, which will display the results almost immediately in a new window tab. Unlike other solutions that become unresponsive until the search completely finishes (which can be hours or days, depending on the size of the search sample) or only display a limited number of results (requiring users to click through page after page of results), Novell Sentinel Log Manager immediately displays results as they’re found. This immediate responsiveness enables more dynamic interaction between users and the search interface.
Figure 6. Distributed Search
The dynamic aspect of the search interface not only allows a search to be canceled at any time during the query, but also lets users change the criteria of the search on the fly. For example, if users determine that the search results being displayed are too broad, they can click on an event field that matches the type of information they are looking for (e.g., IP address, authentication type, OS type, user type), and the search immediately adds that criterion to the search filter and refreshes the screen to display only the narrowed results. While the search is in progress, or even after it completes, users can continue to refine the search results by clicking on the fields of other events that contain the specific criteria they are looking for.
Additionally, since Novell Sentinel Log Manager stores its events and event indices in a flat file format, Novell has been able to optimize the solution's search engine for flat file searches. This significantly reduces search overhead and increases overall search speed when compared to other log management solutions that rely on database storage for their logged events. The flat file storage of all raw data, events and event indices allows Novell Sentinel to harmonize the operations of both its search service and its reporting service, increasing the value, speed and effectiveness of both.
Users can view event details on any of the
returned search results just by clicking the
details link on the search page. The interface
also provides the ability to view the raw data
associated with a search result event. One of
the most powerful aspects of the search
service in Novell Sentinel Log Manager is the
ability to use and save the results as a basic
report, or quickly transform the results of any
search into a customized formatted report.
Reporting Service
While all of the reports in Novell Sentinel
Log Manager make use of the solution’s
flexible and powerful search capabilities, the
reporting service offers two types of reports.
The first type is a search report, where users
simply enter the criteria to be reported on
and Novell Sentinel Log Manager returns
the results in a straightforward list format.
The list format displayed by a search is often
sufficient for many basic compliance or audit
reporting needs.
The second report type offers a more formal or customized report format. Through the one-click reporting capability in Novell Sentinel Log Manager, search reports can be immediately transformed into a formal report presentation that displays results with the specific fields and parameters needed for the most common compliance and audit reports. Novell Sentinel Log Manager provides a wide variety of formatting templates that can be used to automatically turn the results of any search into the proper format for the different compliance and audit requirements.
Figure 7. One-click reporting on search results
Figure 8. Transparent reports cure compliance and security headaches
Examples of format templates provided by
Novell Sentinel Log Manager include reports
that show attempts to modify trust attributes,
trust provisioning and deprovisioning events,
trust association changes, permission
changes for trusts, account provisioning
and deprovisioning events, attempts to
modify user account attributes, user account
permission changes, attempts to modify
data objects, password changes on users
by administrators, authentication attempts by
users and more. Novell Sentinel Log Manager
also provides the ability to customize existing
or create new formatting templates.
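As an added illustration, and not Novell's code or a description of how Sentinel Log Manager is implemented internally, the following Python sketches the flow described in the search-service and reporting-service passages above: a token index over flat-file style events, a search that streams results as they are found, a drill-down step that adds a clicked field as a filter, and a one-click report template applied to the same result set. The event fields, the template name, and the sample log lines are constructed for the example and are assumptions, not Sentinel data.

```python
"""Toy model of indexed log search with click-to-refine drill-down and
one-click report templates. Added example; not Novell code."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample events (not real log data), already normalized into
# fields the way a collector would; 'raw' keeps the original log line.
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "ts": "2010-06-01T08:00:01", "evt": "auth_attempt", "user": "alice",
     "src_ip": "10.0.0.5", "outcome": "success",
     "raw": "Jun  1 08:00:01 host1 sshd[100]: Accepted password for alice from 10.0.0.5"},
    {"id": "2", "ts": "2010-06-01T08:00:07", "evt": "auth_attempt", "user": "bob",
     "src_ip": "10.0.0.9", "outcome": "failure",
     "raw": "Jun  1 08:00:07 host1 sshd[101]: Failed password for bob from 10.0.0.9"},
    {"id": "3", "ts": "2010-06-01T08:00:12", "evt": "auth_attempt", "user": "bob",
     "src_ip": "10.0.0.9", "outcome": "failure",
     "raw": "Jun  1 08:00:12 host1 sshd[102]: Failed password for bob from 10.0.0.9"},
    {"id": "4", "ts": "2010-06-01T08:01:00", "evt": "password_change", "user": "carol",
     "src_ip": "10.0.0.7", "outcome": "success",
     "raw": "Jun  1 08:01:00 host1 passwd[200]: password changed for carol by admin"},
    {"id": "5", "ts": "2010-06-01T08:02:30", "evt": "auth_attempt", "user": "bob",
     "src_ip": "192.0.2.44", "outcome": "failure",
     "raw": "Jun  1 08:02:30 host2 sshd[103]: Failed password for bob from 192.0.2.44"},
]

TOKEN = re.compile(r"[A-Za-z0-9_.]+")


def build_index(events):
    """Inverted index: lowercase token -> set of event ids. Every field value
    is indexed, so a full-text query hits user names, IPs and raw text alike."""
    index = {}
    for e in events:
        for value in e.values():
            for tok in TOKEN.findall(value.lower()):
                index.setdefault(tok, set()).add(e["id"])
    return index


def search(events, index, query, filters=None):
    """Yield matching events one at a time, so a caller can render each result
    as it arrives or stop early. All query tokens must be present; 'filters'
    are exact field=value constraints added by drill-down."""
    filters = filters or {}
    ids = None
    for tok in TOKEN.findall(query.lower()):
        hits = index.get(tok, set())
        ids = hits if ids is None else ids & hits
    if ids is None:  # an empty query matches every event
        ids = {e["id"] for e in events}
    for e in events:
        if e["id"] in ids and all(e.get(f) == v for f, v in filters.items()):
            yield e


def refine(filters, field, value):
    """'Click on a field': return a new filter set with that constraint added."""
    new = dict(filters)
    new[field] = value
    return new


# Hypothetical report templates: title, columns to show, field to summarize.
TEMPLATES = {
    "auth_attempts_by_user": {
        "title": "Authentication attempts by users",
        "columns": ["ts", "user", "src_ip", "outcome"],
        "summarize": "user",
    },
}


def render_report(results, template_name):
    """One-click report: project the search results onto the template's
    columns and append a per-value count. Returns (lines, counts)."""
    t = TEMPLATES[template_name]
    rows = list(results)
    lines = [t["title"], " | ".join(t["columns"])]
    for r in rows:
        lines.append(" | ".join(r.get(c, "") for c in t["columns"]))
    counts = Counter(r.get(t["summarize"], "") for r in rows)
    for k, n in sorted(counts.items()):
        lines.append(f"{t['summarize']}={k}: {n} event(s)")
    return lines, dict(counts)


if __name__ == "__main__":
    idx = build_index(EVENTS)
    f = {}
    print("broad:", [e["id"] for e in search(EVENTS, idx, "failed password", f)])
    f = refine(f, "src_ip", "10.0.0.9")  # the analyst clicks an IP in a result row
    print("refined:", [e["id"] for e in search(EVENTS, idx, "failed password", f)])
    for line in render_report(search(EVENTS, idx, "failed password", f),
                              "auth_attempts_by_user")[0]:
        print(line)
```

The point of the sketch is the single result set: the same generator output feeds both the streamed search view and the report renderer, which is what makes the "any search to formatted report" step a projection rather than a second query.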
Additionally, the one-click reporting in Novell Sentinel Log Manager can interpret data from a wide variety of different data feeds without hours of customization. Because Novell Sentinel Log Manager does not use separate sets of data for searching and reporting, any search can easily be converted into a formatted report.
In addition to being able to transform an ad hoc search into a formal report, organizations can schedule reports to run at specific times. Scheduled reports can be configured to automatically e-mail their results to specific individuals or groups. All finished reports—whether ad hoc or scheduled, in search format or report template format—can be saved for future reference.
This use of format templates against search
results gives Novell Sentinel Log Manager
a unique and distinct advantage over the
pre-canned reporting templates used by
other solutions. Other solutions’ templates
typically cannot be used without extensive
configuring and customizing of criteria and
fields. Extensive effort is typically required
to get other vendors’ report templates to
work with different data feeds or to generate
useful reports that meet specific compliance
or audit requirements.
In short, the data indexing and one-click
reporting approach employed by Novell
Sentinel Log Manager greatly simplifies an
organization’s audit and compliance report
generation efforts.
Simplified, Intelligent and
Cost-effective Compliance
To facilitate an organization’s ability to comply
with industry or government regulations,
Novell Sentinel Log Manager provides the
ability to intelligently collect, aggregate, store,
analyze and manage the data logs from all
of an organization’s different systems and
applications. It leverages the proven Novell
Sentinel data integration framework with its
broad set of data collectors for databases,
operating systems, directories, firewalls,
intrusion detection/prevention systems,
antivirus applications, mainframes, Web and
application servers and more. The solution
provides data indexing and one-click reporting
to greatly simplify report generation for audit
and compliance efforts. Its ability to mount
archive data stores enables organizations to
seamlessly query and report on both online
and archived data, further simplifying and
expediting compliance efforts.
Novell Sentinel Log Manager gives organizations a flexible and easy-to-use log management solution that provides a clear path to complete, real-time SIEM. Novell Sentinel Log Manager leverages the expertise of Novell in SIEM to deliver a log management solution that simplifies compliance requirements and enables customers to build a strong foundation for proactive risk management and compliance in a flexible and cost-efficient way.

Contact your local Novell
Solutions Provider, or call
Novell at:
1 800 714 3400 U.S./Canada
1 801 861 1349 Worldwide
1 801 861 8473 Facsimile
novell, inc.
404 Wyman Street
Waltham, MA 02451 USA
462-002134-002 | 06/10 | © 2010 Novell, Inc. All rights reserved. Novell, the Novell logo, the N logo and SUSE are registered trademarks,
and Sentinel is a trademark of Novell, Inc. in the United States and other countries.
*All third-party trademarks are the property of their respective owners.