
Sentinel Log Manager Average EPS


Hi,
We have several SLMs connected to a Sentinel 7.
I need to write a correlation rule that fires whenever the EPS value of
any SLM exceeds a threshold value (say 4000 EPS).
How can I obtain the average EPS value from the SLM?
Something like the REST API "Collection - Get Average EPS" of Sentinel
7.
Thanks,
Hakan


--
hkalyoncu
------------------------------------------------------------------------
hkalyoncu's Profile: https://forums.netiq.com/member.php?userid=3117
View this thread: https://forums.netiq.com/showthread.php?t=46461


Re: Sentinel Log Manager Average EPS

I do not think this capability exists within Log Manager. Correlation
Rules could potentially do it, but not in Log Manager (only in Sentinel).

Why do you need to do this? If these systems are all part of the same
license, why not set them all up as Sentinel 7 since things are EPS-based
anyway?

Good luck.

Re: Sentinel Log Manager Average EPS


ab;223771 Wrote:
> I do not think this capability exists within Log Manager. Correlation
> Rules could potentially do it, but not in Log Manager (only in
> Sentinel).


It is not a requirement. If I can obtain the EPS value of the SLM
externally (that is, using a script and either accessing the REST API
and/or getting the value from the PostgreSQL database) I can easily
generate a log with this data and have Sentinel 7 handle the
rest.

ab;223771 Wrote:
> Why do you need to do this? If these systems are all part of the same
> license, why not set them all up as Sentinel 7 since things are
> EPS-based
> anyway?


Yes, these systems are all part of the same license, but at present there
are thousands of event sources that are already connected to the SLMs
and those SLMs are actively collecting event logs. And we have a
requirement to monitor each SLM for the EPS value.

Is there a straightforward way to upgrade SLM to Sentinel 7, without
losing log data and also without the need to re-do the event source
connections?
Additionally, is it possible to re-connect a CM from SLM to Sentinel 7
without reinstalling the CM?

Thanks.




Re: Sentinel Log Manager Average EPS

> It is not a requirement. If I can obtain the EPS value of the SLM
> externally (that is, using a script and either accessing to the REST API
> and/or getting the value from the Postgresql database) I can easily
> generate a log with this data and make Sentinel 7 to handle the
> remaining.


Perhaps you can use Distributed Search for this. Both Sentinel 7 and Log
Manager support this and can search each other. Set it up so that your
Sentinel 7 system can search a Log Manager box. Once done, go to the
'About' section, then 'Licenses', and then see if it reports the EPS
across all systems properly (it should, I believe, assuming you check the
checkboxes next to each source for which you want the numbers reported).
This is not going to alert you on the fly, but you can run this whenever
you want and it's pretty fast. I've run this report with multiple
Sentinel 7 systems, but not with Log Manager (yet), though I have set up
distributed search between Sentinel 7 and Log Manager in the past; see the
docs for details, but it's a five minute process at most.

> ab;223771 Wrote:
>> Why do you need to do this? If these systems are all part of the same
>> license, why not set them all up as Sentinel 7 since things are
>> EPS-based
>> anyway?

>
> Yes these systems are all part of the same license, but at present there
> are thousands of event sources that are already connected to the SLMs
> and those SLMs are actively collecting event logs. And we have a
> requirement to monitor each SLM for the EPS value.


K... see above.

> Is there a straightforward way to upgrade SLM to Sentinel 7, without
> losing log data and also without the need to re-do the event source
> connections?
> Additionally, is it possible to re-connect a CM from SLM to Sentinel 7
> without reinstalling the CM?


How "straightforward" it is depends on the types of event sources. Can
you reuse an old CM? No, and it wouldn't make sense to try because CMs
don't know anything without the central server (Log Manager or Sentinel 7)
anyway; once you point a CM at a new system (for example, a different Log
Manager environment in your case) it is basically brand new as far as
event sources are concerned.

So how hard could this be? Well, if you are using all
syslog/snmp/Audit-based connections you could probably just reinstall a
Sentinel 7 CM on the same box (assuming you have Linux CMs as you should)
and then point those to the main Sentinel 7 system, and event sources
would auto-start because those types of connections are all "push" vs.
"pull". On the other hand, if you have a bunch of file/JDBC/WMI/WMS
connections it may be more work because those are usually configured
manually. Exporting a CM's configuration via ESM and then importing it
into a new Sentinel 7 CM in the Sentinel 7 version of ESM MAY work, but
it's not something intended to work.

Anyway, I am hoping all of this is unnecessary since once you set up
Distributed Search I hope you'll have what you want, at least on an
as-needed basis.

Good luck.

Re: Sentinel Log Manager Average EPS


ab;223774 Wrote:
> Perhaps you can use Distributed Search for this. Both Sentinel 7 and Log
> Manager support this and can search each other. Set it up so that your
> Sentinel 7 system can search a Log Manager box. Once done, go to the
> 'About' section, then 'Licenses', and then see if it reports the EPS
> across all systems properly (it should, I believe, assuming you check
> the checkboxes next to each source for which you want the numbers
> reported).
> This is not going to alert you on the fly, but you can run this
> whenever you want and it's pretty fast. I've run this report with multiple
> Sentinel 7 systems, but not with Log Manager (yet), though I have set up
> distributed search between Sentinel 7 and Log Manager in the past; see
> the docs for details, but it's a five minute process at most.


We already have distributed search set up. I should check if all EPS
values are shown on the Licenses tab.

Is there a way to automate this reporting (that is, to have a report
definition where EPS values are listed)?
This way, I can periodically send the report by e-mail to a special
e-mail account where a script processes the report and then feeds the
EPS values back to Sentinel 7 as events for correlation.

Thanks.




Re: Sentinel Log Manager Average EPS

Well, there is the Sentinel Core Event Count Trend report which you could
run over a period of time; I know this can be run within a Sentinel 7
system but it looks like it cannot query remote systems; perhaps Log
Manager also has this report available to be run locally, but I do not
know whether that is the case.

You could run the Sentinel Core Event Summary report regularly and parse
that output (both this and the previous one are PDFs, though, so parsing
may be painful other than by a human).

Creating a custom report to grab events in a period of time, or maybe
report on their counts, may be an option but I'm not sure exactly how to
do that other than by getting the events themselves and then counting the
number of rows in the output (CSV) file. Easy, doable right now, but it
will probably create big files to be handled.

You could perhaps setup a Security Intelligence dashboard for all events
(I always have one of these anyway), but that will only show you the
numbers for the local Sentinel 7 system (Security Intelligence does not
query external targets).

Manual options include running the Licensing tools (LMS) against Sentinel
when needed to see what that reports, or manually exporting the report
from Sentinel 7 (which can query external targets), but manual steps are
not fun.

Good luck.
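One way to realise the approach discussed in this reply and by the original poster (count the rows of an exported event CSV, turn the count into EPS per SLM, and feed a threshold breach back to Sentinel 7 as a syslog event for correlation), as an added example that is not code from any participant or from NetIQ. The CSV column name, the syslog line format, the constructed sample data and the existence of a Sentinel collector that parses these lines are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Assumed column that identifies the Log Manager that collected each event;
# the real export layout may use a different name.
SOURCE_COL = "SentinelProcessingComponent"


def make_sample_csv(counts):
    """Constructed sample export: `counts` rows per source, one event per row.
    Only for demonstration; real data comes from the Sentinel CSV report."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow([SOURCE_COL, "Message"])
    for source, n in counts.items():
        for i in range(n):
            w.writerow([source, f"constructed event {i}"])
    return buf.getvalue()


def eps_per_source(csv_text, window_seconds):
    """Count rows per source in the exported CSV and divide by the length
    of the report window (seconds) to get average EPS per SLM."""
    if window_seconds <= 0:
        raise ValueError("window_seconds must be positive")
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[row.get(SOURCE_COL) or "unknown"] += 1
    return {src: n / window_seconds for src, n in counts.items()}


def build_alert_events(eps, threshold=4000.0, host="eps-monitor", when=None):
    """Format one RFC 3164-style syslog line (local0.warning, PRI 132) per
    source whose average EPS exceeds the threshold; sources below it emit
    nothing, so the correlation rule only ever sees breaches."""
    when = when or datetime(2013, 5, 1, 10, 0, 10, tzinfo=timezone.utc)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    pri = 16 * 8 + 4  # facility local0 (16) * 8 + severity warning (4)
    return [
        f"<{pri}>{stamp} {host} slm_eps: source={src} eps={val:.2f} "
        f"threshold={threshold:.0f}"
        for src, val in sorted(eps.items()) if val > threshold
    ]


if __name__ == "__main__":
    sample = make_sample_csv({"slm-a": 45000, "slm-b": 20000})  # 10 s window
    for line in build_alert_events(eps_per_source(sample, 10)):
        print(line)
```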

Re: Sentinel Log Manager Average EPS


ab;223786 Wrote:
> Manual options include running the Licensing tools (LMS) against
> Sentinel
> when needed to see what that reports, or manually exporting the report
> from Sentinel 7 (which can query external targets), but manual steps
> are
> not fun.


When I try the Licenses tab for EPS values I get the following message:
"Targets [10.201.94.32, 10.201.94.38, 10.201.94.44, 10.201.94.36,
10.201.94.48] does not support Operation EPS".
All of those targets are SLM appliance 1.2.0.2.

Do you have any idea on how to make them support Operation EPS?

Thanks.




Re: Sentinel Log Manager Average EPS

K, that must be a new function in Sentinel 7.0. Maybe the next patch of
Log Manager will add that function; if not, the only way will be to make
them run Sentinel 7.0 or do the calculations manually. If I can find out
when Log Manager will have that functionality I'll post back with that
information.

Good luck.