
Technical White Paper: Security Management

Novell® Sentinel™ Log Manager: Secure, Simple and Powerful Log Management


Table of contents:

Secure, Simple and Powerful Log Management
Key Features and Differentiators
  Advanced and Flexible Log Data Collection
  Superior Searching and Reporting
  Role-based Access Controls
  Secure, Cost-effective Data Storage
  Simple, Cost-effective Deployment Options
  Intuitive, Dynamic and Easy-to-Use Interface
  Building Block for Complete SIEM
Key Architectural Advantages
  Message Bus
  Data Collection Service
  Data Access Service
  Sentinel Link
  Online Event Storage
  Archive Event Storage
  Configuration Storage
  Event Service
Simplified, Intelligent and Cost-effective Compliance

Secure, Simple and Powerful Log Management

Novell Sentinel Log Manager intelligently collects, aggregates, stores, analyzes and manages all event logs generated from IT systems and applications within an organization.

Today most organizations are required to collect, store and manage log data from all IT systems and applications to effectively manage risk and meet compliance regulations. Log management solutions address data collection and retention needs in a way that allows them to inexpensively collect, store and manage large amounts of log data. The collected event data can be stored and queried to provide organizations a transparent historical account of events that have occurred, assist in forensic efforts and generate reports in response to audits or compliance requirements.

As organizations grow and look to become more agile and competitive, they rely on technology innovations to enable them to run their IT infrastructure efficiently and enable their partners, customers and employees to collaborate with them. As new technologies are deployed, organizations are faced with a myriad of difficulties ranging from technology-related challenges such as interoperability, security and compliance to business challenges such as cost, brand credibility and customer confidence. To add to the complex IT infrastructure environment, the proliferation of security vulnerabilities and the sophistication of the threat environment have made it even more arduous for organizations to manage security and compliance requirements.

Log management technologies have become a critical foundation for security management and compliance initiatives. With the rise of the expanded enterprise and the increased level of application and system layer activities from a variety of constituents within the enterprise, effectively monitoring and managing millions of IT events has become a significant burden and incredible cost for many organizations. Government and industry regulations such as PCI-DSS, HIPAA, SOX and GLBA also call for increased scrutiny over the management of event data as well as privileged user access, retention and storage policies. Therefore, organizations are increasingly looking for log management solutions that will enable them to efficiently collect and manage event logs to improve their security posture, manage risk and better prepare them to meet compliance regulations in a cost-effective and proactive way.

Novell® Sentinel™ Log Manager provides organizations with the industry’s most flexible and scalable log management solution. It consists of a software appliance that combines SUSE® Linux Enterprise Server 11 and Sentinel Log Manager with an update service. Sentinel Log Manager leverages powerful Novell technology and an integration framework inherent to Novell Sentinel—consisting of expertise in security information and event management (SIEM) and identity management—to deliver a unique log management solution that addresses not only log collection and management challenges, but delivers this solution with a focus on compliance, risk and security.

Novell Sentinel Log Manager allows organizations to:

- Proactively manage risk and simplify compliance efforts
- Reduce deployment and management costs
- Leverage existing hardware investments
- Establish a scalable and flexible enterprise compliance and security foundation


Key Features and Differentiators

Advanced and Flexible Log Data Collection

Novell Sentinel Log Manager provides organizations with the industry’s most flexible and scalable log management solution. Novell Sentinel Log Manager leverages Novell Sentinel technology for advanced and flexible log data collection, including out-of-the-box syslog support and native collection from other protocols. This makes it an ideal solution for collecting data from a wide variety of systems and applications, such as intrusion detection systems, firewalls, operating systems, routers, Web servers, databases, switches, mainframes, antivirus event sources and many more. It supports multiple secure communication protocols for data collection to ensure data integrity and also automatically detects log sources. Finally, it offers support for the collection and limited processing of unrecognized log messages. Novell Sentinel Log Manager does all this while providing data collection at a high events-per-second (EPS) rate.

Superior Searching and Reporting

Novell Sentinel Log Manager provides regional data aggregation, as well as simple searching and reporting for a broad range of applications and devices. Its one-click reporting capability utilizes pre-packaged report format templates to easily convert searches into rich, usable reports, including Windows* health checks, high-level compliance status, login failures, account modifications and more. Queries and searches seamlessly span online and archived data—there is no requirement to bring archived data online to search it. It can quickly search structured or unstructured data, and also provides a distributed search capability that enables administrators to search multiple log managers from a single, centralized console.

Sentinel Log Manager’s search results contain hyperlinks that allow users to quickly drill down and refine search criteria. It provides out-of-the-box reports and ad hoc indexed searching, including ad hoc forensic searches. Additionally, the Web 2.0-based search tools in Novell Sentinel Log Manager automatically and immediately refresh results as additional results are found.

Role-based Access Controls

Sentinel Log Manager also includes user group permissions to provide organizations granular control over user access to data, reports and searches. It can tag the data coming from assets (i.e., individual endpoints, servers, collectors, connectors and events) to specify who can access information related to those tagged assets. It also allows for a global filter rule that will tag all events with certain characteristics (e.g., an IP address) such that those types of events can only be accessed by certain users or groups. This fine-grained access control enables organizations to limit unneeded access to data, while ensuring users have the access required to do their job.
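The tagging model described above can be made concrete. The following is an added example written for this page, not code from the paper or from the product; the rule shapes (asset tags keyed on the collector, a global filter rule keyed on a source-IP range, and groups that may read events carrying their tags) are assumptions that follow the paper's description, and the events and rules are constructed sample data.

```python
import ipaddress

# Constructed sample events (not from the paper): normalized events carrying the
# fields the access rules below key on.
SAMPLE_EVENTS = [
    {"id": 1, "source_ip": "10.1.1.5",   "collector": "pix-fw",     "msg": "deny tcp 10.1.1.5 -> 203.0.113.9"},
    {"id": 2, "source_ip": "10.2.0.7",   "collector": "linux-auth", "msg": "sshd: accepted publickey for ops"},
    {"id": 3, "source_ip": "192.0.2.44", "collector": "db-audit",   "msg": "grant dba to analyst"},
    {"id": 4, "source_ip": "10.1.1.9",   "collector": "linux-auth", "msg": "sshd: failed password for root"},
]

# Asset tags (hypothetical rule shape): every event from a collector inherits its tags.
ASSET_TAGS = {
    "pix-fw": {"network-team"},
    "linux-auth": {"unix-team"},
    "db-audit": {"dba-team", "pci-scope"},
}

# Global filter rules (hypothetical): events whose source_ip falls in the range get the tag.
GLOBAL_FILTERS = [
    (ipaddress.ip_network("10.1.1.0/24"), "datacenter-a"),
    (ipaddress.ip_network("192.0.2.0/24"), "pci-scope"),
]

# Group permissions: a group may read events that carry at least one of its tags.
GROUP_TAGS = {
    "netops": {"network-team", "datacenter-a"},
    "unixadmins": {"unix-team"},
    "pci-auditors": {"pci-scope"},
}


def tag_event(event):
    """Access tags for one event: asset tags from its collector plus every
    global-filter tag whose condition the event matches."""
    tags = set(ASSET_TAGS.get(event["collector"], ()))
    addr = ipaddress.ip_address(event["source_ip"])
    for net, tag in GLOBAL_FILTERS:
        if addr in net:
            tags.add(tag)
    return tags


def visible_events(user_groups, events=SAMPLE_EVENTS):
    """Ids of the events a user may see: those sharing a tag with any of the
    user's groups. Events with no matching tag are denied by default, so an
    unknown group sees nothing rather than everything."""
    allowed = set().union(*(GROUP_TAGS.get(g, set()) for g in user_groups))
    return [e["id"] for e in events if tag_event(e) & allowed]
```

Note that event 4 is readable both by the Unix administrators (through its collector) and by the network team (through the data-centre IP range); the two tagging paths are additive, which is the behaviour to keep in mind when a global filter is widened.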

Secure, Cost-effective Data Storage

Novell Sentinel Log Manager allows organizations the flexibility to utilize their existing standard hardware and storage investments to deliver high-event-rate storage and long-term data retention. It uses automatic 10:1 data compression to maximize storage capacity, and provides data signatures on collected data logs to ensure their integrity. It supports off-the-shelf online data storage, as well as SAN/NAS connectivity for archive capacity expansion. This enables organizations to reduce the cost of log data storage by providing the flexibility to store data on their own hardware. The solution’s customizable retention policies enable administrators to determine how long collected data will remain in local storage before being automatically migrated to archived storage, as well as how long the data will be held in archived storage before being deleted.

Novell Sentinel Log Manager leverages the proven Novell Sentinel data integration framework with its broad set of data collectors for databases, operating systems, directories, firewalls, intrusion detection/prevention systems, antivirus applications, mainframes, Web and application servers, and many more.


Novell Sentinel Log Manager leverages the expertise of Novell in SIEM to deliver log management that simplifies compliance, reduces cost, and provides a compliance and security foundation to build on as needs change and grow.

Simple, Cost-effective Deployment Options

To simplify deployment and lower costs, Novell Sentinel Log Manager provides two deployment options: a traditional software-based installation on SUSE Linux Enterprise Server 11 and a software appliance option. Since both options let organizations use their existing hardware and infrastructure, Novell Sentinel Log Manager provides significant flexibility, reduced overall cost and management capabilities, especially when compared to hardware-based solutions.

While hardware appliance solutions might appear to enable easier deployment, they typically require a connection to a separate collector appliance or data parser appliance, as well as a proprietary archive appliance. In reality, this increases the cost and complexity of the solutions. Hardware appliances also reduce flexibility and scalability. In order to scale, new hardware must be purchased, even if the current hardware is not taxed. For log management, the added cost of hardware appliances does not add any value since they typically do not leverage any specialized hardware. With Sentinel Log Manager, hardware can be right-sized for deployments, limiting the usage of expensive hardware when it isn’t required.

The software appliance option for Novell Sentinel Log Manager consists of a pre-configured version of the product, along with a hardened “just-enough-operating-system” version of SUSE Linux Enterprise Server 11, optimized for use with Sentinel Log Manager. The software appliance is available in a variety of formats including a VMware image, Xen image or self-installing ISO image, which can be installed on any hypervisor or bare metal machine.

The Novell Sentinel Log Manager software appliance allows organizations to take advantage of their existing virtual environment resources without the need to invest in new hardware. Additionally, the Sentinel Log Manager appliance scales to meet an organization’s growing log management needs without having to buy additional hardware. The appliance also includes an update service that automatically provides updates to both the operating system and Sentinel Log Manager, making it nearly maintenance free. Overall, the Sentinel Log Manager software appliance simplifies deployment, reduces administration hassles, lowers total cost of ownership and provides a faster ROI than other solutions.

Figure 1. Storage Management Dashboard


Intuitive, Dynamic and Easy-to-Use Interface

Novell Sentinel Log Manager leverages Ajax-based Web 2.0 technology to deliver an intuitive, simple-to-use and responsive interface, which provides a superior user experience. Through the interface, users can easily view data usage trends and identify potential problems. It also lets users configure data collection; schedule and manage reports; create data retention policies; and configure rules for data filtering and actions, such as e-mailing alerts, sending SNMP traps, writing to a file or even forwarding events to Novell Sentinel for real-time processing. The user interface also provides a dynamic and responsive interface for search and report operations.


In addition to the Web 2.0 thin client interface, Novell Sentinel Log Manager provides an on-demand thick client interface for more advanced operations, such as deploying, configuring and managing data collectors. Using a Java* Swing Application, Sentinel Log Manager allows users to load the thick client on the fly from any Web browser, and removes it from memory when the management session ends. As a result, the thick client can be used wherever the user happens to be, providing all the advantages of a powerful, rich client without the need to install a client locally.

Figure 2. Web 2.0 Style User Interface


The data indexing and one-click reporting approach employed by Novell Sentinel Log Manager greatly simplifies an organization’s audit and compliance report generation efforts.

Building Block for Complete SIEM

Along with providing a quick and easy way to initially deal with a large number of compliance and audit concerns, Novell Sentinel Log Manager is also a solid building block for a complete SIEM implementation. Once Novell Sentinel Log Manager is set up to collect data from devices, it can easily forward that data to Sentinel. This allows an organization to leverage an initial investment in log management to reduce the complexity of a SIEM deployment. Most log management products do not provide integration or an easy path to full SIEM. Sentinel Log Manager delivers easy integration with the real-time monitoring capabilities of Novell Sentinel, as well as with Novell Compliance Management and Novell Identity and Access Management solutions. Novell Sentinel Log Manager provides a clear roadmap to full identity-aware security in a way that lets organizations seamlessly add and integrate new capabilities as their security and compliance monitoring needs change.

Key Architectural Advantages

While Novell Sentinel Log Manager is built on the data collection technologies inherent in Novell Sentinel, Sentinel Log Manager is a flexible standalone log management solution. However, it also has the ability to integrate with the real-time capabilities of Novell Sentinel, forwarding to it events from its data collection feeds utilizing a technology feature called Sentinel Link.

Built on a scalable framework, Sentinel Log Manager can meet the needs of the most taxing environments. To ensure secure communications between its different services, Sentinel Log Manager encrypts all its communications across the wire by default.

The following key services and components comprise the Novell Sentinel Log Manager architecture:

- Message bus
- Data collection service
- Data access service
- Sentinel Link
- Online event storage
- Archive event storage
- Configuration storage
- Event service


The fact that Novell Sentinel Log Manager does not use separate sets of data for searching and reporting is what allows it to easily convert any search into a formatted report.

Figure 3. Novell Sentinel Log Manager Architecture


For more information on Novell Sentinel Log Manager, visit: www.novell.com/products/sentinel-log-manager/


Message Bus

Novell Sentinel Log Manager leverages the same message bus architecture used in Novell Sentinel. Based on the Sonic Java Message Service (JMS) architecture, the message bus facilitates communication between all Sentinel Log Manager components as well as communication with Novell Sentinel and other solutions capable of message bus communication, such as Novell Identity Manager.

The design of the message bus architecture is the key to making Novell Sentinel Log Manager a highly scalable system. It enables organizations to scale components of the solution (i.e., collection managers) beyond a single device and run them independently on multiple distributed servers without having to duplicate the entire system and without adding database licenses and costly hardware.

The message bus isolates the different components of Novell Sentinel Log Manager so that no single service has to wait for another service to finish before it can begin its work. This delivers significantly quicker response times for queries, reports and other operations compared to competing solutions. It also ensures that there is no single point of failure in the system. A critical piece allowing this higher performance and scalability is the ability of Sentinel Log Manager to make efficient use of multiprocessor systems.

The message bus allows the solution to separate out the performance workload of its individual components so that different services can run independently on different processor cores. With individual services running on separate cores, the services don’t have to wait on each other to execute and perform their required functions.

Data Collection Service

The data collection service can run on the local server where Novell Sentinel Log Manager is installed, or it can run remotely as a collector manager on a distributed box, making multi-site deployments easy to set up. The data collection service collects event log data from many types of devices, referential sources, operating systems and applications; and then records correlated event log data for future analysis.

While most log management solutions are heavily dependent on syslog over UDP, the data collection service in Novell Sentinel Log Manager provides out-of-the-box support for syslog as well as native log collection from other protocols. In addition to UDP, it supports syslog over the more secure and reliable TCP and TLS/SSL protocols, which include authentication and custom certificate support. Novell Sentinel Log Manager provides auto-detection of different event source types (i.e., PIX, Linux* and Solaris*) and it has a universal syslog collector for unrecognized syslog events.


A significant strength of Novell Sentinel Log Manager over competing solutions is its extensive and flexible ability to collect and manage data from other log sources in addition to syslog. While Novell Sentinel Log Manager is optimized to collect from syslog sources right out of the box, it also supports the proven Sentinel data integration framework with its broad set of data collectors for databases, operating systems, directories, firewalls, intrusion detection/prevention systems, antivirus applications, mainframes, Web and application servers, and more. In addition to the solution’s out-of-the-box pluggable collectors, organizations can configure, customize or create their own collectors to address specific organization needs.

These interpretive collectors gather the log data from multiple sources and then normalize it into a standard format with common fields that facilitate correlation and reporting efforts. They also parse the data, inserting metatags that add business relevance to the data set in a way that enriches the analysis, visualization and reporting of events to further facilitate an organization’s security and compliance efforts. The collectors also automate the event-filtering process, eliminating irrelevant data at the point of collection, saving bandwidth and disk space.

Furthermore, Novell Sentinel Log Manager provides customers with a scalable solution suited to their specific needs. Through its flexible architecture, Sentinel Log Manager provides customers with the option of selecting the number of events per second collected according to their respective environment requirements. Currently, the three main options consist of Sentinel Log Manager 500 EPS, 2500 EPS and 7500 EPS, where the number corresponds to the events per second collected. This is a key feature that allows customers the flexibility to deploy the solution that best fits their environment without overloading them or restraining them to one option.


Figure 4. Novell Sentinel Log Manager supports UDP, TCP and SSL


With the exception of a few systems, such as mainframes, the collectors are agent-less. This enables them to gather data remotely without having to install anything on the monitored system or device.

Event Source Management

Novell Sentinel Log Manager provides a centralized event source management framework that facilitates data source integration. This framework enables all aspects of configuring, deploying, managing and monitoring of data collectors for a broad set of systems. It allows organizations to manage and monitor all the connections between Novell Sentinel Log Manager and its event sources.

The framework utilizes the following components and capabilities to take data from source systems, perform transformations and present events for later analysis, visualization and reporting purposes:

- Collectors. Parse and normalize events from various systems
- Taxonomy. Allows data from disparate sources to be categorized consistently
- Filtering. Eliminates irrelevant data at the point of collection, saving bandwidth and disk space
- Business relevance. Offers a way to enrich event data with valuable information from an environment, such as asset attributes
- Normalization. Uses metatags to place all data in a standard, normalized format that allows for powerful and flexible correlation and reporting
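The five stages listed above (and the collector behaviour described under Data Collection Service) form one pipeline: parse the wire format, classify, drop noise, enrich from an asset table, emit a normalized event. The following is an added example written for this page to show that pipeline end to end over constructed RFC 3164-style syslog lines; it is not code from the paper or from the product, and the regexes, taxonomy classes, asset table and noise rule are all assumptions chosen for the sample data.

```python
import re

# Constructed sample syslog lines from two source types; the paper shows no sample data.
RAW_LINES = [
    "<38>Mar  4 10:15:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 5522 ssh2",
    "<38>Mar  4 10:15:03 host1 sshd[2201]: Accepted publickey for alice from 10.0.0.8 port 4410 ssh2",
    "<30>Mar  4 10:15:04 host1 cron[877]: (root) CMD (run-parts /etc/cron.hourly)",
    "<166>Mar  4 10:15:05 fw1 %PIX-6-106100: access-list outside denied tcp 198.51.100.9/443 -> 10.0.0.8/22",
]

# Stage 1, collector parsing: PRI, timestamp, host, app[pid] and free-text message.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<msg>.*)$"
)

# Stage 2, taxonomy (hypothetical rules): message pattern -> (class, outcome);
# named groups pull out the user and addresses for normalization.
TAXONOMY = [
    (re.compile(r"^Failed password for (?P<user>\S+) from (?P<src>\S+)"), ("authentication", "failure")),
    (re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"), ("authentication", "success")),
    (re.compile(r"denied tcp (?P<src>[\d.]+)/\d+ -> (?P<dst>[\d.]+)/(?P<dport>\d+)"), ("network", "denied")),
]

# Stage 4, business relevance: constructed asset attributes keyed on host name.
ASSETS = {
    "host1": {"owner": "unix-team", "criticality": "high"},
    "fw1": {"owner": "network-team", "criticality": "high"},
}


def parse_syslog(line):
    """Split one syslog line into its header fields; None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m["ts"],
            "host": m["host"], "app": m["app"], "pid": m["pid"], "msg": m["msg"]}


def is_noise(parsed):
    """Stage 3, filtering at the point of collection (hypothetical rule): routine
    cron housekeeping is dropped before it costs bandwidth or disk."""
    return parsed["app"] == "cron"


def normalize(parsed):
    """Stage 5: common fields for every source, taxonomy metatags, asset enrichment,
    and the original message kept alongside for forensics."""
    event = {"host": parsed["host"], "app": parsed["app"], "severity": parsed["severity"],
             "class": "unknown", "outcome": "unknown",
             "user": None, "src_ip": None, "dst_ip": None, "raw": parsed["msg"]}
    for rx, (cls, outcome) in TAXONOMY:
        m = rx.search(parsed["msg"])
        if m:
            gd = m.groupdict()
            event.update({"class": cls, "outcome": outcome,
                          "user": gd.get("user"), "src_ip": gd.get("src"), "dst_ip": gd.get("dst")})
            break
    event.update(ASSETS.get(parsed["host"], {}))
    return event


def collect(lines=RAW_LINES):
    """Run the whole pipeline; unparseable lines and filtered noise are skipped."""
    events = []
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None or is_noise(parsed):
            continue
        events.append(normalize(parsed))
    return events
```

Unrecognised messages are still kept (class "unknown"), which is the behaviour the paper describes for its universal syslog collector: classification failing should never mean the record is lost.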

Figure 5. Powerful, thick-client event source management


Channels

As part of the data collection service, the message-bus architecture implements an independent, multi-channel environment, which virtually eliminates contention and promotes parallel processing of events. These channels and sub-channels work not only for event data transport, but also offer fine-grain process control for scaling and load balancing the system under varying load conditions.

Data Access Service

The data access service resides on the message bus and performs a variety of housekeeping functions, such as ensuring that logged-in users have the appropriate rights to access or run reports on certain portions of data. It also handles the port configurations needed to allow the solution to listen for data from the various event sources.

Sentinel Link

Sentinel Link provides the ability to hierarchically link multiple Sentinel systems, including Sentinel Log Manager and the two Sentinel SIEM systems, Novell Sentinel and Novell Sentinel Rapid Deployment (RD). Sentinel Link provides several benefits:

- Several Sentinel Log Managers can be linked in a hierarchical manner. Regional or distributed Sentinel Log Manager servers can manage a large volume of data, retaining raw data and event data locally, while also forwarding important events to a central Log Manager for consolidation.
- One or more Sentinel Log Managers can forward important data to either Sentinel or Sentinel RD, which are SIEM systems. These systems provide real-time visualization of data, advanced correlation and actions, workflow management, and integration with identity management systems.

Online Event Storage

All the log data collected by Novell Sentinel Log Manager is initially stored in the solution’s online event store. Unlike competing solutions, the online event store in Sentinel Log Manager utilizes off-the-shelf, standard storage systems. It can use the server’s local disk system, or easily connect to a SAN or NAS to facilitate and expand storage capacity. Additionally, to minimize storage requirements, the solution automatically compresses data at a 10:1 ratio.

The majority of log management vendors utilize proprietary storage systems that not only increase the cost of storage, but also create a number of other problems, including a dependence on the vendor’s reporting and search tools, the inability to analyze archived data without migrating it back into the vendor’s device and difficulty in proving that data has not been modified. Novell Sentinel Log Manager uses standard storage systems, which eliminate these issues by storing the collected log data on standard storage systems and by providing data signatures to ensure log integrity.

There are three main aspects to the online event store in Novell Sentinel Log Manager:

- Raw data
- Events
- Event index
- Retention policies


Raw Data

While the collectors enhance collected events by adding additional metadata (event taxonomies and business relevance) that helps further identify and classify events, the solution still stores the events’ raw data in online event storage. The format of the raw data will vary based on the connector and event source, but typically it will contain information about the raw data message, raw data record ID, time the raw data was received, event source, collector and collector manager node ID, a SHA-256 hash of the raw data and more.

Novell Sentinel Log Manager stores the raw data in a way that ensures that all logs are intact and unmodified. Storing the data in an untouched format helps organizations meet forensic-related regulatory requirements. Additionally, raw data is compressed to minimize storage space.
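The raw-data record described above, together with the "data signatures to ensure log integrity" mentioned under Secure, Cost-effective Data Storage and Online Event Storage, can be illustrated in a few lines. The following is an added example written for this page, not code from the paper or from the product. The record fields are the ones the paper lists; the paper does not say how its signatures are computed, so a keyed HMAC-SHA256 over the canonical record is used here as an assumption, and the key, record values and the tampering scenario are constructed.

```python
import hashlib
import hmac
import json

# Constructed key for the example only; a real deployment keeps it out of source.
SIGNING_KEY = b"example-key-not-for-production"


def canonical(record):
    """Canonical bytes of a record without its signature, so field order cannot
    change the result."""
    body = {k: v for k, v in record.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_raw_record(message, record_id, received_at, event_source, collector, node_id):
    """Raw-data record with the fields the paper lists (message, record id, receive
    time, event source, collector, collector-manager node id, SHA-256 of the raw
    message). The keyed signature over the whole record is the added assumption."""
    record = {
        "record_id": record_id,
        "received_at": received_at,
        "event_source": event_source,
        "collector": collector,
        "node_id": node_id,
        "raw_message": message,
        "sha256": hashlib.sha256(message.encode()).hexdigest(),
    }
    record["signature"] = hmac.new(SIGNING_KEY, canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_record(record):
    """Return (hash_ok, signature_ok). The per-record hash catches accidental
    corruption and naive edits; only the keyed signature catches an editor who
    also recomputed the hash, which is why a hash alone does not prove integrity."""
    hash_ok = hashlib.sha256(record["raw_message"].encode()).hexdigest() == record["sha256"]
    expected = hmac.new(SIGNING_KEY, canonical(record), hashlib.sha256).hexdigest()
    signature_ok = hmac.compare_digest(expected, record.get("signature", ""))
    return hash_ok, signature_ok


def tamper_demo():
    """Constructed record, then two alterations: a plain edit of the message, and
    an edit where the sha256 field is recomputed to match. Returns the three
    (hash_ok, signature_ok) outcomes in that order."""
    rec = make_raw_record("sshd[2201]: Failed password for root from 203.0.113.7",
                          "r-000001", "2010-03-04T10:15:01Z", "host1", "linux-syslog", "cm-node-1")
    intact = verify_record(rec)
    edited = dict(rec, raw_message="sshd[2201]: Accepted password for root from 203.0.113.7")
    naive_edit = verify_record(edited)
    rehashed = dict(edited, sha256=hashlib.sha256(edited["raw_message"].encode()).hexdigest())
    rehashed_edit = verify_record(rehashed)
    return intact, naive_edit, rehashed_edit
```

An auditor reading archived records would run `verify_record` over each one; the third outcome in `tamper_demo` is the case that matters for the "proving that data has not been modified" requirement the paper raises, since a stored hash with no key can be rewritten by whoever rewrote the message.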

Events

To enhance the usefulness of collected data, Novell Sentinel Log Manager links rich formatting to the raw data, transforming it into an informative event structure. These event structures consist of taxonomy, normalization and business relevance metadata to make it easier for compliance and security managers to better understand and leverage the collected information. Just like the raw data, these event structures are compressed and stored in the online event store.

Event Index

To facilitate searching and reporting on collected data, the indexing engine in Novell Sentinel Log Manager generates event index tags for all the stored events and stores these as event indices in the online event store. These index tags or indices act as pointers to data so searches can easily retrieve those events with fields that match the supplied search criteria. To ensure that searches execute as quickly as possible, Sentinel Log Manager does not compress event indices.

Retention Policies

Novell Sentinel Log Manager enables administrators to configure data retention policies to determine how long specific events will remain in the online event store before being moved to archive event storage or deleted.

Archive Event Storage

As collected log data ages, it eventually needs to move from the local online event store to long-term archival storage. The archive event store in Novell Sentinel Log Manager utilizes the squashfs compressed file system capability in SUSE Linux Enterprise Server 11 to significantly differentiate itself over competing solutions in two key areas.

First, Novell Sentinel Log Manager and squashfs allow organizations to utilize external data stores that can be mounted using either NFS or CIFS. This means that instead of requiring organizations to invest in expensive archive appliances, they can leverage their existing storage system investments, such as a SAN or NAS.

Second, the solution provides the ability to query or report on data residing in the archive event store. To perform searches on archived data in most other log management solutions, organizations have to first undergo the arduous task of migrating the archived data back to short-term storage before the search can be executed. With the ability in Novell Sentinel Log Manager to mount archive data stores, it can query and report on both online and archived data.

Additionally, Novell Sentinel Log Manager has the intelligence to transparently detect, based on the search criteria, whether it needs to search the online event store or the archive event store. All of these capabilities combine to greatly simplify and speed up an organization’s compliance efforts.
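The retention policy described under Retention Policies and the store selection described just above are two views of the same age thresholds: the policy decides where an event lives today, and a search over a date range can be routed to exactly the stores that can hold it. The following is an added example written for this page, not code from the paper or from the product; the paper says the thresholds are configurable but gives no values, so the 30-day online and 365-day total windows, the dates and the event list are constructed, and the "expired" marker for a range that reaches past retention is an addition of this example.

```python
from datetime import date


class RetentionPolicy:
    """Age-based retention: an event stays in the online store for online_days,
    then in the archive store until archive_days, after which it is deleted."""

    def __init__(self, online_days, archive_days):
        if archive_days < online_days:
            raise ValueError("archive window must be at least the online window")
        self.online_days = online_days
        self.archive_days = archive_days

    def store_for(self, event_date, today):
        """Store an event of this date belongs in as of 'today'; boundaries are inclusive."""
        age = (today - event_date).days
        if age <= self.online_days:
            return "online"
        if age <= self.archive_days:
            return "archive"
        return "deleted"

    def apply(self, events, today):
        """Partition (event_id, event_date) pairs by store: the work list a
        scheduled migration job would act on."""
        buckets = {"online": [], "archive": [], "deleted": []}
        for event_id, event_date in events:
            buckets[self.store_for(event_date, today)].append(event_id)
        return buckets

    def stores_for_search(self, start, end, today):
        """Decide from the date range in the search criteria which stores must be
        consulted, so archived data is searched in place rather than moved online.
        'expired' flags that part of the range is older than the retention window."""
        oldest_age = (today - start).days
        newest_age = (today - end).days
        stores = set()
        if newest_age <= self.online_days:
            stores.add("online")
        if oldest_age > self.online_days and newest_age <= self.archive_days:
            stores.add("archive")
        if oldest_age > self.archive_days:
            stores.add("expired")
        return stores


# Constructed sample: 30 days online, 365 days total retention, evaluated on a fixed date.
POLICY = RetentionPolicy(online_days=30, archive_days=365)
TODAY = date(2010, 6, 30)
SAMPLE_EVENTS = [
    ("e1", date(2010, 6, 25)),  # 5 days old: online
    ("e2", date(2010, 5, 31)),  # exactly 30 days: still online
    ("e3", date(2010, 5, 1)),   # 60 days: archived
    ("e4", date(2009, 1, 1)),   # 545 days: past retention
]
```

A search whose range comes back as {"expired"} alone tells the user up front that nothing can be returned, which is more useful than an empty result set after a long scan of the archive.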


Configuration Storage

While all raw data logs, event structures and event indices are stored in a flat file format in the solution’s online event store or archive event store, Novell Sentinel Log Manager stores its configuration information, user management information, reports and report templates in a PostgreSQL database.

Event Service

The event service in Novell Sentinel Log Manager handles the solution’s search and reporting capabilities.

Search Services

Novell Sentinel Log Manager provides powerful, full-text search queries against all of the collected event logs, whether they are stored in the online event store or archive event store. Leveraging the powerful, open source Lucene-based search engine and the Ajax Web browser interface in Sentinel Log Manager, users can generate a search from any of the solution’s screens, which will display the results almost immediately in a new window tab. Unlike other solutions that become unresponsive until the search completely finishes (which can be hours or days, depending on the size of the search sample) or only display a limited number of results (requiring users to click through page after page of results), Novell Sentinel Log Manager immediately displays results as they’re found. This immediate responsiveness enables more dynamic interaction between users and the search interface.


Figure 6. Distributed Search


The dynamic aspect of the search interface not only allows a search to be canceled at any time during the query, but also lets users change the criteria of the search on the fly. For example, if users determine that the search results being displayed are too broad, they can click on an event field that matches the type of information they’re looking for (e.g., IP address, authentication type, OS type, user type) and the search will immediately add that criterion to the search filter and refresh the screen to display only the further refined search results. While the search is in progress or even after it completes, users can continue to refine the search results by clicking on the fields of other events that contain the specific criteria they’re looking for.

Additionally, since Novell Sentinel Log Manager stores its events and event indices in a flat file format, Novell has been able to optimize the solution’s search engine for flat file searches. This significantly reduces search overhead and increases overall search speed when compared to other log management solutions that rely on database storage for their logged events. The flat file storage of all raw data, events and event indices allows Novell Sentinel to harmonize the operations of both its search service and reporting service to increase the value, speed and effectiveness of these services.

Users can view event details on any of the returned search results just by clicking the details link on the search page. The interface also provides the ability to view the raw data associated with a search result event. One of the most powerful aspects of the search service in Novell Sentinel Log Manager is the ability to use and save the results as a basic report, or quickly transform the results of any search into a customized formatted report.
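The streaming, click-to-refine search described above, as an added illustration that is not Novell’s code: events are kept as one flat-file line each, a search yields hits one at a time instead of waiting for the full scan, and clicking a field on a returned event adds that field’s value to the filter for the next pass. The event lines, the field=value format and the plain substring match (standing in for a Lucene index) are all constructed assumptions.

```python
"""Constructed illustration of streaming search with click-to-refine filters
over flat-file event records (hypothetical; not Sentinel Log Manager code)."""
import re
from typing import Dict, Iterator, List, Optional

# Constructed sample events, one record per line: field=value pairs,
# with the free-text message quoted at the end.
EVENT_LINES = [
    'ts=2010-06-01T08:00:01 src_ip=10.0.0.5 os=linux user_type=admin auth=ssh msg="session opened for root"',
    'ts=2010-06-01T08:00:07 src_ip=10.0.0.9 os=windows user_type=user auth=kerberos msg="logon succeeded"',
    'ts=2010-06-01T08:01:13 src_ip=10.0.0.5 os=linux user_type=admin auth=ssh msg="password change by admin"',
    'ts=2010-06-01T08:02:40 src_ip=192.0.2.7 os=windows user_type=user auth=ntlm msg="logon failed"',
    'ts=2010-06-01T08:03:02 src_ip=10.0.0.5 os=linux user_type=user auth=ssh msg="session opened for alice"',
]

# key=value, where value is either a quoted string or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Split one flat-file line into its fields; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def search(lines: List[str], text: str,
           filters: Optional[Dict[str, str]] = None) -> Iterator[Dict[str, str]]:
    """Yield matching events as they are found (a generator), so a caller can
    render, cancel or refine before the whole store has been scanned.
    Text match is a case-insensitive substring test, a stand-in for full-text search."""
    filters = filters or {}
    text_lc = text.lower()
    for line in lines:
        if text_lc and text_lc not in line.lower():
            continue
        event = parse_event(line)
        if all(event.get(k) == v for k, v in filters.items()):
            yield event


def refine(filters: Dict[str, str], event: Dict[str, str], field: str) -> Dict[str, str]:
    """Model 'click a field on a result': copy that event's value for the field
    into the filter, which the next search pass applies on top of the text query."""
    narrowed = dict(filters)
    narrowed[field] = event[field]
    return narrowed


def drill_down_demo() -> List[str]:
    """Broad search, then narrow by clicking user_type on the first hit."""
    hits = list(search(EVENT_LINES, "session opened"))      # two hits: root, alice
    filters = refine({}, hits[0], "user_type")               # user_type=admin
    return [e["msg"] for e in search(EVENT_LINES, "session opened", filters)]
```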

Reporting Service

While all of the reports in Novell Sentinel Log Manager make use of the solution’s flexible and powerful search capabilities, the reporting service offers two types of reports. The first type is a search report, where users simply enter the criteria to be reported on and Novell Sentinel Log Manager returns the results in a straightforward list format. The list format displayed by a search is often sufficient for many basic compliance or audit reporting needs.

The second report type offers a more formal or customized report format. Through the one-click reporting capability in Novell Sentinel Log Manager, search reports can be immediately transformed into a formal report presentation that displays results with the specific fields and parameters needed for the most common compliance and audit reports. Novell Sentinel Log Manager provides a wide variety of formatting templates that can be used to automatically turn the results of any search into the proper format for the different compliance and audit requirements.


Figure 7. One-click reporting on search results

Figure 8. Transparent reports cure compliance and security headaches


Examples of format templates provided by Novell Sentinel Log Manager include reports that show attempts to modify trust attributes, trust provisioning and deprovisioning events, trust association changes, permission changes for trusts, account provisioning and deprovisioning events, attempts to modify user account attributes, user account permission changes, attempts to modify data objects, password changes on users by administrators, authentication attempts by users and more. Novell Sentinel Log Manager also provides the ability to customize existing or create new formatting templates.

Additionally, the one-click reporting in Novell Sentinel Log Manager can interpret data from a wide variety of different data feeds without requiring hours of customization. The fact that Novell Sentinel Log Manager does not use separate sets of data for searching and reporting is what allows it to easily convert any search into a formatted report.

In addition to being able to transform an ad hoc search into a formal report, organizations can schedule reports to run at specific times. Scheduled reports can be configured to automatically e-mail their results to specific individuals or groups. All finished reports—whether ad hoc or scheduled, or in search format or report template format—can be saved for future reference.

This use of format templates against search results gives Novell Sentinel Log Manager a unique and distinct advantage over the pre-canned reporting templates used by other solutions. Other solutions’ templates typically cannot be used without extensive configuring and customizing of criteria and fields. Extensive effort is typically required to get other vendors’ report templates to work with different data feeds or to generate useful reports that meet specific compliance or audit requirements.

In short, the data indexing and one-click reporting approach employed by Novell Sentinel Log Manager greatly simplifies an organization’s audit and compliance report generation efforts.

Simplified, Intelligent and Cost-effective Compliance

To facilitate an organization’s ability to comply with industry or government regulations, Novell Sentinel Log Manager provides the ability to intelligently collect, aggregate, store, analyze and manage the data logs from all of an organization’s different systems and applications. It leverages the proven Novell Sentinel data integration framework with its broad set of data collectors for databases, operating systems, directories, firewalls, intrusion detection/prevention systems, antivirus applications, mainframes, Web and application servers and more. The solution provides data indexing and one-click reporting to greatly simplify report generation for audit and compliance efforts. Its ability to mount archive data stores enables organizations to seamlessly query and report on both online and archived data, further simplifying and expediting compliance efforts.

Novell Sentinel Log Manager gives organizations a flexible and easy-to-use log management solution that provides a clear path to complete, real-time SIEM. Novell Sentinel Log Manager leverages the expertise of Novell in SIEM to deliver a log management solution that simplifies compliance requirements, and enables customers to build a strong foundation for proactive risk management and compliance in a flexible and cost-efficient way.


Contact your local Novell Solutions Provider, or call Novell at:

1 800 714 3400 U.S./Canada
1 801 861 1349 Worldwide
1 801 861 8473 Facsimile

Novell, Inc.
404 Wyman Street
Waltham, MA 02451 USA

462-002134-002 | 06/10 | © 2010 Novell, Inc. All rights reserved. Novell, the Novell logo, the N logo and SUSE are registered trademarks, and Sentinel is a trademark of Novell, Inc. in the United States and other countries.

*All third-party trademarks are the property of their respective owners.
