Mar 24, 2010
Novell Sentinel, Novell Sentinel Rapid Deployment and Novell Sentinel Log Manager provide many powerful features. These products enable you to collect data from security devices and applications, and automatically monitor your business's security and compliance status. In complex environments with custom applications and unique reporting needs, users will need to create customized content to get the most out of these products. The Novell Sentinel Software Developer Kit is designed to assist you in developing customized content.
This session will explain the Sentinel Software Developer Kit, how to use it, and will provide examples of customizing collectors and reports.
Novell Sentinel ®
Software Development Kit
Developing Novell Sentinel Plug-ins
Product Line Lead
• Quick Sentinel Intro - Plug-ins
• The Sentinel Plug-in SDK
• Collector Development
• Report Development
2 © Novell, Inc. All rights reserved.
Sentinel Overview
Inbound / Outbound and Plug-ins
• Engine layer – backend routing
• Correlation – Custom RuleLG event patterns
• Reporting – Jasper-based Plug-ins
• Script layer – simplified parsing,
• ITRAC Workflow – remediation
• Protocol/API connections – Java code
• Event Source: Applications and devices
[Architecture diagram; labels: Event Source, Connector, Collector, Sentinel Server, Rule, Action]
Sentinel provides a modular, pluggable architecture so that the functionality of the base product can be extended by adding new components. Some of these are user-editable.
Sentinel Plug-ins
Collectors are used to parse data received from endpoint
code to extract relevant information from the input and reformat
the data into the normalized Sentinel event schema.
Actions are attached to correlation rules and are executed when
things, but a common use case is to extract data from the
event(s) which caused the rule to fire and take action based on
that data (alert, forward, etc).
Reports pull data from the Sentinel database and/or text files
(via Lucene) and present that data on flexible reports along with
summaries, charts, and so forth. Sentinel uses Jasper as its core
reporting engine and related tools (iReport) to do the actual
Sentinel Plug-ins
Solution Packs allow you to package related pieces of content into a structured solution broken down into categories and controls. Various plug-ins (Reports, Actions, Integrators) can be included, as well as other native Sentinel content like workflows, correlation rules, filters, and roles (the native content pieces are created within Sentinel itself). The Solution Pack maintains dependencies and versioning for all content components that are included. A simple drag-and-drop tool (Solution Designer) is used to create the Pack, categories, and
Sentinel Plug-in SDK
• Documentation provided on the Forge wiki
• ZIP download and/or SVN repository
• Mailing lists and other support resources
• Each Plug-in type is its own project; Ant scripts drive creation and build of plug-ins
• Creating a Plug-in involves copying a functional template and inserting metadata
• External tools include: Solution Designer, iReport, OpenOffice
• Create New Plug-in: copies the template to create a new plug-in
• Build Test Plug-in: creates a quick “development” build
• Build Release Plug-in: creates a full “release” build
• Edit Report: creates temporary editable Report and starts iReport to work on it
• Edit Solution Pack: creates temporary editable Pack and starts Solution Designer to work on it
• Create Solution Pack Placeholder: creates an empty “placeholder” Report for use in Solution Packs (full Reports are built during final Solution Pack build)
• Extract Jasper Parameters: extracts Report parameters from Jasper file for use in web interface
– Event, Record, Identity, Account, Vuln, Customer
– Collector, Connector, Action, Integrator,
• Utility objects:
– DataMap, KeyMap, Session, SQLQuery, File
• Extension methods for native JS objects:
– String.trim(), String.insert(), String.parseBase64(),
– Date (includes full ‘date.js’ library)
1. Create the new Collector Plug-in
2. Research the device and collect sample data
3. Debug the Collector to get code samples
4. Develop a parsing plan
5. Write parsing logic and mappings
7. Finalize metadata and documentation
Creation, Research, Debug
• Use the ‘Create New Plug-in’ target to create the new
• Collect sample data using the Generic Event Collector
– Configure the relevant Connector to the real datasource
– Edit the Connector and select “Save raw data to file”
• Attach sample data to new Collector using Replay mode
• Debug to see input structure, copy to code comments
• Structure of input data
– Structured (name-value) or freeform? Fixed fields?
– Event Ids?
– Opaque data values to be translated?
– Is structure always the same or does it vary?
– Are there classes of events?
– Do field contents vary dramatically?
• Optional features
– Multiple possible Connection Methods?
– Optional fields or output formats?
– ‘rec’ object used as input and as temporary output container
• Four ways to get data in output event
– Rec2Evt.map: DataMap that defines transform of input Record
to output Event object
– protoEvt.map: Used to set static fields in output Event
– Explicit set: Directly set attributes of output Event (discouraged)
– Special Event object methods (setTaxonomyKey() and
• SQLQuery and Session
– Advanced topics
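The Collector flow described above (parse the input into the ‘rec’ object, then fill the output Event from a Rec2Evt-style map plus protoEvt-style static fields) as an added JavaScript illustration; this is not Sentinel SDK code, the map objects, field names and the sample log line are hypothetical stand-ins constructed for the example, and it also shows the null and extra-long-value handling a parsing plan has to account for:

```javascript
// Added illustration, not Sentinel SDK code: a stand-in for the Collector
// data flow. Map keys and the sample input are constructed for this example.

// Rec2Evt-style map: output Event attribute -> key in the parsed 'rec' object.
const REC2EVT = {
  InitUserName: "user",
  InitIP: "src",
  TargetHostName: "host",
  EventName: "action",
  Message: "msg",
};

// protoEvt-style static fields stamped on every Event this collector emits.
const PROTO_EVT = { Vendor: "ExampleCo", Product: "ExampleFW", Severity: 3 };

// Opaque device result codes translated to readable outcomes (KeyMap-like).
const OUTCOME = { "0": "success", "1": "failure", "2": "denied" };

const MAX_LEN = 255; // cap extra-long values so the schema field is not overrun

// Step 1: parse structured key=value input (values may be quoted) into 'rec'.
function parseRecord(raw) {
  const rec = {};
  const re = /(\w+)=("([^"]*)"|\S+)/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    rec[m[1]] = m[3] !== undefined ? m[3] : m[2];
  }
  return rec;
}

// Step 2: build the output Event; a missing input becomes null, never "undefined".
function buildEvent(rec) {
  const evt = Object.assign({}, PROTO_EVT);
  for (const evtField of Object.keys(REC2EVT)) {
    const v = rec[REC2EVT[evtField]];
    evt[evtField] = v === undefined ? null : String(v).slice(0, MAX_LEN);
  }
  const code = OUTCOME[rec.rc];
  evt.Outcome = code !== undefined ? code : "unknown";
  return evt;
}

// Constructed sample line, of the kind a "Save raw data to file" capture holds.
const SAMPLE =
  'ts=2010-03-24T10:00:00Z user=jdoe src=10.0.0.5 host=fw1 action=login rc=1 msg="bad password"';

function demo() {
  return buildEvent(parseRecord(SAMPLE));
}
```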
• Development builds using ‘Create Test Plug-in’
– No prompted questions
– Skips documentation and Collector Pack
– Quick import into ESM
• Final Release build using ‘Create Release Plug-in’
– Asks some final questions
– Builds docs and Pack
Documentation and Metadata
• Docs are auto-built from single source
– Template doc guides you with themes for each section
– ‘plugin.pdf’ is simple help doc embedded in Plug-in
– Full doc is external PDF
• Plug-in metadata used for deployment, parameters, etc
– Parameter list can include template or local parameters
– Each parameter defined in separate XML file
– Connection methods used to describe Connector interaction
– Device support used to drive deployment
• Collector Pack
– Standard set of controls included, can be extended/trimmed
• Includes basic report with complete set of relevant files
• Covers Sentinel Log Manager (SLM) and Sentinel RD
• Localized using standard .properties files
• Some custom charting types included
1. Create the new Report Plug-in
2. Determine how to fetch the data using either a SQL or Lucene query
3. Decide on grouping and categorization (colors)
4. Lay out report fields
5. Add summary charts and tables
6. Add parameters
8. Finalize metadata and documentation
• Use the same ‘Create New Plug-in’ target but for
• Refer to Sentinel documentation (core product docs and developer wiki under “Sentinel Development Topics”) for view, field, and schema details
• Refer to Sentinel and database documentation for SQL and Lucene query language details
• Run test queries from Sentinel or DB tool
• Use ‘Edit Report’ to invoke iReport on temporary
Grouping and Categorization
• Most reports will group data using one of the returned
fields – use relevant Sentinel fields like InitUserDomain,
• In general, reports look at a subset of event types or a single type with multiple outcomes. You can use categorization to color-code events according to those types or outcomes.
Lay Out Report Fields
• Our standard is a two-level row with more important data in the top subrow
• Typically include domain/container information along with host, user, or data object info
• Review input events to find which critical data should
• Account for extra-long values and nulls
• For many reports, quick summary charts, sparklines, and tables can be very useful
– For event-based data, reports can run to hundreds of pages –
consider a summary table at top to display the per-grouping
– Sparklines are great for quick trend analysis
– Summary counts and pie charts can go at top right
• Some useful custom chart formatters are available
Defining parameters for Report Plug-ins is a multi-step process
1. Define and test normal Jasper/iReport parameters as part of the report development process
2. Run ‘Extract Jasper Parameters’ to extract Jasper parameters into Sentinel Plug-in parameters
3. Edit metadata for Sentinel Plug-in parameters
4. Build Report Plug-in and test parameters in web
Test, Docs, and Metadata
• Testing can be tricky if the data is rarely seen
• Can use fake import data to test basic report layout etc
• Docs work the same as other plug-ins
• Include a sample output PDF as ‘TemplateReport.pdf’ in dev directory
• You can localize the report strings using standard
‘.properties’ files (TemplateReport.properties,
• Make sure supported platforms info is correct
Question and Answer
Unpublished Work of Novell, Inc. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc.
Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope
of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified,
translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc.
Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
This document is not to be construed as a promise by any participating company to develop, deliver, or market a
product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in
making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents
of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. The development, release, and timing of features or functionality described for Novell products
remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to
make changes to its content, at any time, without obligation to notify any person or entity of such revisions or
changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc.
in the United States and other countries. All third-party trademarks are the property of their respective owners.