Sentinel 7 - Email Notifications for Log Manager Customers

By configuring Rules and Actions, Sentinel Log Manager 1.x.x notifies security team members (e.g. via email) about any events of interest. The screenshots below show that whenever an SSH authentication failure occurs for the 'root' account, a Rule named “Auth Failure events for root” detects the login failure and runs “Send an email” as its action.

The “Send an email” action is configured as shown in the screenshot.

Since the release of Sentinel 7.3, Log Manager and the full-fledged SIEM are no longer shipped separately; a Unified Installer provisions the customer for whichever product they have purchased.

Here comes the tricky part: Sentinel (SIEM) does not provide the “Rules and Actions” options, but it has a far more advanced tool to achieve the same result, Correlation Rules (which are not available to Log Manager customers). So you will not find the “Rules and Actions” options anywhere in Sentinel 7.3, neither in Log Manager nor in the SIEM.

As Log Manager customers are not entitled to use Correlation Rules, another option for getting notifications is Routing Rules. Routing Rules evaluate and filter all incoming events and deliver the selected events to designated output actions. However, the Send E-mail plug-in is not intended to be used as a routing action, so you will not find Send E-mail in the list of actions available to Routing Rules.

But don't worry, it's NetIQ Sentinel, so we can confidently say “where there's a will, there is a way”. The solution is to customize the “Send E-mail” action plug-in so that it is offered as a Routing Action, and then import the customized plug-in. Below are step-by-step instructions for customizing and importing the Send E-mail plug-in so that it appears as a Routing Action.

  1. Download the Send E-mail action package from the Sentinel Plug-ins page.

  2. Unpack it (it is a .zip package) to a folder.

  3. Navigate to the folder where the plug-in was unpacked and edit the package.xml file.

  4. Find the following line and change its value from 'false' to 'true', i.e. replace

    false

    with

    true


  5. Save the change and compress the folder again as a .zip file.

  6. Then open the SCC (Sentinel Control Center) console in Sentinel.

    1. Log on to the Sentinel WebUI.

    2. Click on 'admin' and select “Applications” from the drop-down menu.

    3. Click on “Launch control center” to open the SCC console.

  7. Navigate to Configuration -> Action Manager -> Manage Plug-ins and import the newly compressed .zip package.

    1. Click on the “Configuration” tab.

    2. Select the “Configuration” menu.

    3. Select “Action Manager” from the Configuration menu.

    4. Click on “Manage Plug-ins”.

    5. Click on the “+” sign to import the modified “Send E-mail” plug-in.

    6. Click Next, then click Browse to select the modified Send E-mail plug-in.

    7. Click on “Finish” to complete the import.

  8. Finally, refresh the Sentinel WebUI page and there it is: Send E-mail in the list of Routing Actions.

    Once you have done the above, feel free to create Routing Rules that send an email whenever an event of interest occurs, just as you did with Sentinel Log Manager 1.x.x via “Rules and Actions”. Here is a step-by-step example.


  9. In the Sentinel WebUI, select “Routing” > “Event Routing Rules”:

    1. Click on “Create”.

    2. Provide a descriptive name, the criteria (filter) and the action to run:

    3. Once done, click the Save button to create and enable the rule.

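
To automate steps 2 to 5 above (unpack the plug-in .zip, flip the boolean element in package.xml from false to true, repack everything else unchanged), here is an added Python example; it is not part of this article and not NetIQ's own tooling. The name of the element to change is not preserved in this copy of the article, so the script takes it as a parameter and uses a clearly marked placeholder by default, and the package it runs on is a constructed stand-in, not the real Send E-mail download.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# ASSUMPTION: the element name below is a placeholder, not the real tag in the
# Send E-mail package.xml; pass the actual name via the `tag` parameter.
FLAG_TAG = "PLACEHOLDER_ROUTING_FLAG"

def flip_flag(package_xml: bytes, tag: str = FLAG_TAG) -> bytes:
    """Set every <tag> element to 'true'; fail loudly if none exists, so a
    wrong tag name cannot yield an unchanged package that still imports."""
    root = ET.fromstring(package_xml)
    hits = list(root.iter(tag))
    if not hits:
        raise ValueError(f"element <{tag}> not found in package.xml")
    for el in hits:
        el.text = "true"
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)

def customize_plugin(zip_bytes: bytes, tag: str = FLAG_TAG) -> bytes:
    """Steps 2-5: unpack the plug-in zip, rewrite package.xml, repack."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info)
            if info.filename.endswith("package.xml"):
                data = flip_flag(data, tag)
            dst.writestr(info, data)  # keep original entry names and dates
    return out.getvalue()

def read_flag(zip_bytes: bytes, tag: str = FLAG_TAG) -> str:
    """Read the flag back out of a packed zip, to verify before importing."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = next(n for n in zf.namelist() if n.endswith("package.xml"))
        root = ET.fromstring(zf.read(name))
    return root.find(f".//{tag}").text

def build_sample_zip() -> bytes:
    """Constructed stand-in for the downloaded plug-in package."""
    xml = f"<Package><Name>Send E-mail</Name><{FLAG_TAG}>false</{FLAG_TAG}></Package>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Send_E-mail/package.xml", xml.encode())
        zf.writestr("Send_E-mail/Send_E-mail.js", b"// dummy action script")
    return buf.getvalue()
```

Run `read_flag` on the repacked archive before importing it in step 7, so that a typo in the tag name is caught on your workstation rather than discovered as a missing Routing Action in the WebUI.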

So far a rule has been created to send email, but the job is not done yet: the “SMTP Integrator Configuration” and the “Creation of Action to Send emails” still have to be done, which is explained in another NetIQ Cool Solutions article: Configuring Sentinel to send Emails when a Correlation Rule fires

Comments
Excellent write-up! I especially like the attention to detail, with annotated screendumps!!
Last update: 2015-05-28 00:10