David Corlette
Product Line Lead DCorlette@novell.com
Agenda
Quick Sentinel Intro - Plug-ins
The Sentinel Plug-in SDK
Collector Development
Report Development
Sentinel Overview
[Architecture diagram; labels: Event Source (applications and devices), Event Source Server, Protocol/API connections, Connector (Java code), Integrator]
Sentinel provides a modular, pluggable architecture so that the functionality of the base product can be extended by adding new components. Some of these are user-editable.
Sentinel Plug-ins
Collectors are used to parse data received from endpoint systems via Connectors. They implement JavaScript-based code to extract relevant information from the input and reformat the data into the normalized Sentinel event schema.

Actions are attached to correlation rules and are executed when those rules fire. Written in JavaScript, they can do many different things, but a common use case is to extract data from the event(s) that caused the rule to fire and take action based on that data (alert, forward, etc.).

Reports pull data from the Sentinel database and/or text files (via Lucene) and present that data in flexible reports along with summaries, charts, and so forth. Sentinel uses Jasper as its core reporting engine and related tools (iReport) to do the actual report design.
Sentinel Plug-ins
Solution Packs allow you to package related pieces of content into a structured solution broken down into categories and controls. Various plug-ins (Reports, Actions, Integrators) can be included, as well as other native Sentinel content like workflows, correlation rules, filters, and roles (the native content pieces are created within Sentinel itself). The Solution Pack maintains dependencies and versioning for all content components that are included. A simple drag-and-drop tool (Solution Designer) is used to create the Pack, categories, and controls.
Documentation provided on the Forge wiki
ZIP download and/or SVN repository
Mailing lists and other support resources
Eclipse-based Development
Each Plug-in type is its own project; Ant scripts drive creation and build of plug-ins
Creating a Plug-in involves copying a functional template and inserting metadata
External tools include: Solution Designer, iReport, OpenOffice
Ant Targets
Create New Plug-in: copies the template to create a new plug-in
Build Test Plug-in: creates a quick development build
Build Release Plug-in: creates a full release build
Edit Report: creates a temporary editable Report and starts iReport to work on it
Edit Solution Pack: creates a temporary editable Pack and starts Solution Designer to work on it
Create Solution Pack Placeholder: creates an empty placeholder Report for use in Solution Packs (full Reports are built during the final Solution Pack build)
Extract Jasper Parameters: extracts Report parameters from
JavaScript API
Event, Record, Identity, Account, Vuln, Customer
Collector, Connector, Action, Integrator, EventSource, EventSourceServer
Utility objects: DataMap, KeyMap, Session, SQLQuery, File
String.trim(), String.insert(), String.parseBase64(), String.parseLDAP(), String.parseNVP()
Date (includes full date.js library)
Collector Development
Collector Template
Development Process
1) Create the new Collector Plug-in
2) Research the device and collect sample data
3) Debug the Collector to get code samples
4) Develop a parsing plan
5) Write parsing logic and mappings
6) Test
7) Finalize metadata and documentation
Use the Create New Plug-in target to create the new Plug-in
Collect sample data using the Generic Event Collector
Configure the relevant Connector to the real datasource
Edit the Connector and select Save raw data to file
Attach sample data to the new Collector using Replay mode
Debug to see the input structure, copy to code comments
Parsing Plan
Structured (name-value) or freeform?
Fixed fields?
Event Ids?
Opaque data values to be translated?
Variability:
Is structure always the same or does it vary?
Are there classes of events?
Do field contents vary dramatically?
Optional features:
Multiple possible Connection Methods?
Optional fields or output formats?
Parsing Logic
Input: rec object used as input and as temporary output container
Rec2Evt.map: DataMap that defines the transform of the input Record to the output Event object
protoEvt.map: used to set static fields in the output Event
Explicit set: directly set attributes of the output Event (discouraged)
Special Event object methods (setTaxonomyKey() and set*Time())
Advanced topics
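The following is an added example, not code from the Sentinel SDK or from this presentation: a plain-JavaScript sketch of the parsing approach described under Parsing Plan and Parsing Logic. The Sentinel rec object, Rec2Evt.map, protoEvt.map and String.parseNVP() are only imitated here by ordinary objects and a small parser; the device format, field names and event classes are constructed for the example and are not a real Sentinel mapping.

```javascript
// Added example: a stand-alone sketch of Collector-style parsing in plain
// JavaScript. None of these names are Sentinel's own API; the Sentinel
// rec object, Rec2Evt.map and protoEvt.map are only imitated here.

// Constructed sample input: three name-value-pair lines from a fictional
// device. Line 3 lacks the optional "dst" field and uses a different event id.
const SAMPLE_LINES = [
  'ts=2011-03-01T10:15:00Z id=LOGIN user=alice src=10.0.0.5 dst=10.0.0.9 outcome=success',
  'ts=2011-03-01T10:16:30Z id=LOGIN user=bob src=10.0.0.7 dst=10.0.0.9 outcome=failure msg="bad password"',
  'ts=2011-03-01T10:17:05Z id=CFG_CHANGE user=alice src=10.0.0.5 msg="rule 7 edited"',
];

// Stand-in for String.parseNVP(): split a line into a name -> value object.
// Values may be double-quoted and then contain spaces.
function parseNVP(line) {
  const rec = {};
  const re = /(\w+)=("([^"]*)"|\S+)/g;
  let m;
  while ((m = re.exec(line)) !== null) {
    rec[m[1]] = m[3] !== undefined ? m[3] : m[2];
  }
  return rec;
}

// Stand-in for protoEvt.map: static fields every output event gets (constructed values).
const PROTO_EVT = { Vendor: 'ExampleCo', Product: 'ExampleFW', Protocol: 'tcp' };

// Stand-in for Rec2Evt.map: input record field -> normalized event field.
const REC2EVT = {
  user: 'InitUserName',
  src: 'SourceIP',
  dst: 'TargetIP',
  msg: 'Message',
  id: 'EventName',
};

// "Classes of events" from the parsing plan: per event id, a taxonomy key and
// severity. Both values are constructed for the example; Sentinel's own
// setTaxonomyKey() is imitated by a plain property below.
const EVENT_CLASSES = {
  LOGIN:      { taxonomy: 'AUTH.LOGIN',    severity: 2 },
  CFG_CHANGE: { taxonomy: 'CONFIG.CHANGE', severity: 4 },
};

function recordToEvent(rec) {
  const evt = Object.assign({}, PROTO_EVT);
  for (const [inField, outField] of Object.entries(REC2EVT)) {
    if (rec[inField] !== undefined) evt[outField] = rec[inField];  // optional fields stay absent
  }
  // Device time as an epoch value; if the device sent none, use receipt time.
  evt.EventTime = rec.ts ? Date.parse(rec.ts) : Date.now();
  // Unknown event ids must not break parsing: fall back to a generic class.
  const cls = EVENT_CLASSES[rec.id] || { taxonomy: 'UNKNOWN', severity: 1 };
  evt.TaxonomyKey = cls.taxonomy;
  evt.Severity = cls.severity;
  // Outcome is optional in the input; only set it when the device reported one.
  if (rec.outcome !== undefined) evt.Outcome = rec.outcome.toUpperCase();
  return evt;
}

function parseAll(lines) {
  return lines.map((l) => recordToEvent(parseNVP(l)));
}
```

The point of the map-driven style is that a new optional field or event class is an entry in REC2EVT or EVENT_CLASSES rather than another explicit assignment, which is why the slides discourage setting Event attributes directly.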
Test
Build Test Plug-in:
No prompted questions
Skips documentation and Collector Pack
Quick import into ESM
Debuggable
Build Release Plug-in:
Asks some packaging questions
Builds docs and Pack
Minifies JavaScript template
Template document guides you with themes for each section
plugin.pdf is a simple help document embedded in the Plug-in
Full document is an external PDF
Parameter list can include template or local parameters
Each parameter is defined in a separate XML file
Connection methods are used to describe Connector interaction
Device support is used to drive deployment
Collector Pack: standard set of controls included, can be extended/trimmed
Report Development
Report Template
Includes a basic report with the complete set of relevant files
Covers Sentinel Log Manager (SLM), Sentinel RD, and (new) Identity Manager 4
Localized using standard .properties files
Some custom charting types included
Development Process
1) Create the new Report Plug-in
2) Determine how to fetch the data using either a SQL or Lucene query
3) Decide on grouping and categorization (colors)
4) Lay out report fields
5) Add summary charts and tables
6) Add parameters
7) Test
8) Finalize metadata and documentation
Create, Query
Use the same Create New Plug-in target, but for Reports
Refer to Sentinel documentation (core product docs and the developer wiki under Sentinel Development Topics) for view, field, and schema details
Refer to Sentinel and database documentation for SQL and Lucene query language details
Run test queries from Sentinel or a DB tool
Use Edit Report to invoke iReport on the temporary Report Plug-in
Most reports group data using one of the returned fields; use relevant Sentinel fields such as InitUserDomain, TargetHostName, etc.
In general, reports look at a subset of event types or a single type with multiple outcomes. You can use categorization to color-code events according to those types or outcomes.
Our standard is a two-level row with more important data in the top subrow
Typically include domain/container information along with host, user, or data object info
Review input events to find which critical data should be displayed
Account for extra-long values and nulls
Add Charts
For many reports, quick summary charts, sparklines, and tables can be very useful
For event-based data, reports can run to hundreds of pages; consider a summary table at the top to display the per-grouping counts
Sparklines are great for quick trend analysis
Summary counts and pie charts can go at the top right
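As an added illustration of the grouping, layout and summary-chart advice above (not code from the presentation or the Sentinel SDK): the per-grouping counts a report's summary table or pie chart shows, computed in plain JavaScript over an in-memory event list. In a real Report Plug-in this work is done by the SQL or Lucene query and by Jasper grouping; the field names follow the Sentinel names quoted in the slides, but the events, label width, colours and top-N rule are constructed for the example.

```javascript
// Added example: per-grouping summary counts for a report's top summary
// table and pie chart, written in plain JavaScript. Not Sentinel/Jasper code;
// the sample events and constants below are constructed for the example.

// Constructed sample events using Sentinel-style field names. One event has
// a null InitUserDomain and one an over-long TargetHostName, the two layout
// problems the slides say to account for.
const SAMPLE_EVENTS = [
  { InitUserDomain: 'CORP', InitUserName: 'alice', TargetHostName: 'db01', Outcome: 'SUCCESS' },
  { InitUserDomain: 'CORP', InitUserName: 'bob',   TargetHostName: 'db01', Outcome: 'FAILURE' },
  { InitUserDomain: null,   InitUserName: 'svc',   TargetHostName: 'db02', Outcome: 'SUCCESS' },
  { InitUserDomain: 'LAB',  InitUserName: 'carol',
    TargetHostName: 'very-long-hostname-that-overflows-the-column.example.internal', Outcome: 'FAILURE' },
  { InitUserDomain: 'CORP', InitUserName: 'alice', TargetHostName: 'db02', Outcome: 'SUCCESS' },
];

const MAX_LABEL = 24;  // assumed display-width budget for a grouping label

// Null, undefined and empty values still need a visible label, and over-long
// values are truncated with an ellipsis so the row layout does not break.
function displayLabel(value) {
  if (value === null || value === undefined || value === '') return '(none)';
  const s = String(value);
  return s.length > MAX_LABEL ? s.slice(0, MAX_LABEL - 1) + '\u2026' : s;
}

// Count events per distinct value of `field`, descending by count, ties by label.
function summaryCounts(events, field) {
  const counts = new Map();
  for (const e of events) {
    const label = displayLabel(e[field]);
    counts.set(label, (counts.get(label) || 0) + 1);
  }
  return [...counts.entries()]
    .map(([label, count]) => ({ label, count }))
    .sort((a, b) => (b.count - a.count) || (a.label < b.label ? -1 : a.label > b.label ? 1 : 0));
}

// A pie chart with too many slices is unreadable: keep the top N groupings
// and fold the remainder into a single "Other" slice.
function topNWithOther(rows, n) {
  if (rows.length <= n) return rows;
  const head = rows.slice(0, n);
  const other = rows.slice(n).reduce((sum, r) => sum + r.count, 0);
  return head.concat([{ label: 'Other', count: other }]);
}

// Categorization (step 3 of the process): map an outcome to the colour used
// for its rows and slices; unknown outcomes get a neutral grey.
const OUTCOME_COLOURS = { SUCCESS: '#4caf50', FAILURE: '#f44336' };
function colourFor(outcome) {
  return OUTCOME_COLOURS[outcome] || '#9e9e9e';
}
```

Running summaryCounts(SAMPLE_EVENTS, 'InitUserDomain') gives CORP first with three events, then the null domain shown as "(none)" and LAB with one each; the same function over TargetHostName shows the long hostname cut to the label budget rather than spilling across the row.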
Parameters
Adding parameters to Report Plug-ins is a multi-step process:
1) Define and test normal Jasper/iReport parameters as part of the report development process
2) Run Extract Jasper Parameters to extract the Jasper parameters into Sentinel Plug-in parameters
3) Edit metadata for the Sentinel Plug-in parameters
4) Build the Report Plug-in and test the parameters in the web interface
Testing can be tricky if the data is rarely seen
Can use fake import data to test basic report layout etc.
Docs work the same as for other plug-ins
Include a sample output PDF as TemplateReport.pdf in the dev directory
You can localize the report strings using standard .properties files (TemplateReport.properties, TemplateReport_fr.properties, etc.)
Make sure supported platforms info is correct
Demo
Q&A
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.