
How to Develop Content Using the Novell Sentinel Software Development Kit



Novell Sentinel, Novell Sentinel Rapid Deployment and Novell Sentinel Log Manager provide many powerful features. These products enable you to collect data from security devices and applications, and automatically monitor your business's security and compliance status. In complex environments with custom applications and unique reporting needs, users will need to create customized content to get the most out of these products. The Novell Sentinel Software Developer Kit is designed to assist you in developing customized content.

This session will explain the Sentinel Software Developer Kit, how to use it, and will provide examples of customizing collectors and reports.



  1. Novell Sentinel Software Development Kit: Developing Novell Sentinel Plug-ins. David Corlette, Product Line Lead
  2. Agenda
     • Quick Sentinel Intro - Plug-ins
     • The Sentinel Plug-in SDK
     • Collector Development
     • Report Development
     © Novell, Inc. All rights reserved.
  3. Sentinel Overview
  4. Inbound / Outbound and Plug-ins
     • Engine layer – backend routing and processing
     • Correlation – custom RuleLG Sentinel event patterns
     • Reporting – Jasper-based plug-ins
     • Script layer – simplified parsing, JS support
     • ITRAC Workflow – remediation and alerting
     • Protocol/API connections – Connector Java code
     • Event Source: applications and devices
     [Diagram of the plug-in layers; component labels: Correlation Core, Rule, Action, Collector, Workflow, Integrator, Connector, Event Source Server, Event Source]
     Sentinel provides a modular, pluggable architecture so that the functionality of the base product can be extended by adding new components. Some of these are user-editable.
  5. Sentinel Plug-ins
     Collectors are used to parse data received from endpoint systems via Connectors. They implement JavaScript-based code to extract relevant information from the input and reformat the data into the normalized Sentinel event schema.
     Actions are attached to correlation rules and are executed when those rules fire. Written in JavaScript, they can do many different things, but a common use case is to extract data from the event(s) which caused the rule to fire and take action based on that data (alert, forward, etc.).
     Reports pull data from the Sentinel database and/or text files (via Lucene) and present that data in flexible reports along with summaries, charts, and so forth. Sentinel uses Jasper as its core reporting engine and related tools (iReport) to do the actual report design.
  6. Sentinel Plug-ins
     Solution Packs allow you to package related pieces of content into a structured solution broken down into categories and controls. Various plug-ins (Reports, Actions, Integrators) can be included, as well as other native Sentinel content like workflows, correlation rules, filters, and roles (the native content pieces are created within Sentinel itself). The Solution Pack maintains dependencies and versioning for all content components that are included. A simple drag-and-drop tool (Solution Designer) is used to create the Pack, categories, and controls.
  7. Sentinel Plug-in SDK
  8. Sentinel Plug-in SDK
     • Documentation provided on the Forge wiki
     • ZIP download and/or SVN repository
     • Mailing lists and other support resources
  9. Eclipse-based Development
     • Each Plug-in type is its own project; Ant scripts drive creation and build of plug-ins
     • Creating a Plug-in involves copying a functional template and inserting metadata
     • External tools include: Solution Designer, iReport, OpenOffice
  10. Ant Targets
     • Create New Plug-in: copies the template to create a new plug-in
     • Build Test Plug-in: creates a quick “development” build
     • Build Release Plug-in: creates a full “release” build
     • Edit Report: creates a temporary editable Report and starts iReport to work on it
     • Edit Solution Pack: creates a temporary editable Pack and starts Solution Designer to work on it
     • Create Solution Pack Placeholder: creates an empty “placeholder” Report for use in Solution Packs (full Reports are built during the final Solution Pack build)
     • Extract Jasper Parameters: extracts Report parameters from the Jasper file for use in the web interface
  11. JavaScript API
     • JavaScript implementations of Sentinel domain objects:
       – Event, Record, Identity, Account, Vuln, Customer
       – Collector, Connector, Action, Integrator, EventSource, EventSourceServer
     • Utility objects:
       – DataMap, KeyMap, Session, SQLQuery, File
     • Extension methods for native JS objects:
       – String.trim(), String.insert(), String.parseBase64(), String.parseLDAP(), String.parseNVP()
       – Date (includes the full ‘date.js’ library)
  12. Collector Development
  13. Collector Template
  14. Development Process
     1. Create the new Collector Plug-in
     2. Research the device and collect sample data
     3. Debug the Collector to get code samples
     4. Develop a parsing plan
     5. Write parsing logic and mappings
     6. Test
     7. Finalize metadata and documentation
  15. Creation, Research, Debug
     • Use the ‘Create New Plug-in’ target to create the new Plug-in
     • Collect sample data using the Generic Event Collector
       – Configure the relevant Connector to the real data source
       – Edit the Connector and select “Save raw data to file”
     • Attach sample data to the new Collector using Replay mode
     • Debug to see the input structure; copy it into code comments
  16. Parsing Plan
     • Structure of input data
       – Structured (name-value) or freeform? Fixed fields?
       – Event IDs?
       – Opaque data values to be translated?
     • Variability
       – Is the structure always the same, or does it vary?
       – Are there classes of events?
       – Do field contents vary dramatically?
     • Optional features
       – Multiple possible Connection Methods?
       – Optional fields or output formats?
  17. Parsing Logic
     • Input
       – The ‘rec’ object is used as input and as a temporary output container
     • Four ways to get data into the output event
       – DataMap that defines the transform of the input Record to the output Event object
       – A mechanism for setting static fields in the output Event
       – Explicit set: directly set attributes of the output Event (discouraged)
       – Special Event object methods (setTaxonomyKey() and set*Time())
     • SQLQuery and Session – advanced topics
  18. Test
     • Development builds using ‘Create Test Plug-in’
       – No prompted questions
       – Skips documentation and Collector Pack
       – Quick import into ESM
       – Debuggable
     • Final release build using ‘Create Release Plug-in’
       – Asks some final questions
       – Builds docs and Pack
       – Minifies the JavaScript template
  19. Documentation and Metadata
     • Docs are auto-built from a single source
       – Template doc guides you with themes for each section
       – ‘plugin.pdf’ is a simple help doc embedded in the Plug-in
       – Full doc is an external PDF
     • Plug-in metadata is used for deployment, parameters, etc.
       – Parameter list can include template or local parameters
       – Each parameter is defined in a separate XML file
       – Connection methods are used to describe Connector interaction
       – Device support is used to drive deployment
     • Collector Pack
       – Standard set of controls included; can be extended/trimmed
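The following is an added example, not code from the slides or from the Sentinel SDK, that walks through the Parsing Plan and Parsing Logic slides above in plain Node.js: an NVP helper in the spirit of the String.parseNVP() extension method from the JavaScript API slide, a freeform-versus-structured decision, a DataMap-style field whitelist, event classification by device event id, and a time setter. The parseNVP, FREEFORM, FIELD_MAP, TAXONOMY, parseRecord and parseAll names, the log envelope, the event ids and the sample lines are all constructed for this page; the SDK's own String.parseNVP(), DataMap and Event classes may behave differently, and the output field names (InitIP, InitUserName, TargetHostName, ...) are used only as labels. The point the example makes is why the slides discourage explicitly setting output attributes from input: only whitelisted fields reach the event, so a log source that emits Severity=0 or TaxonomyKey=benign cannot steer classification.

```javascript
'use strict';
// Added example (not Sentinel SDK code): a stand-alone Node.js sketch of the
// Collector parsing flow from the slides. parseNVP, FIELD_MAP, TAXONOMY and the
// rec/evt objects are constructed for this page and only imitate the SDK's
// String.parseNVP(), DataMap and Event; the log format and event ids are made up.

// Parse 'k=v k2="quoted value"' into an object. Double-quoted values may contain
// spaces; tokens without '=' are ignored; 'k=' yields an empty string.
function parseNVP(text) {
  const out = {};
  const re = /(\w+)=("([^"]*)"|\S*)/g;
  let m;
  while ((m = re.exec(text)) !== null) {
    out[m[1]] = m[3] !== undefined ? m[3] : m[2];
  }
  return out;
}

// Constructed "freeform" envelope: '<timestamp> <host> <program>: <nvp body>'.
const FREEFORM = /^(\S+)\s+(\S+)\s+([^:\s]+):\s+(.*)$/;

// DataMap-style whitelist: input Record field -> normalized Event field.
// Anything not listed here never reaches the output event.
const FIELD_MAP = {
  src: 'InitIP',
  dst: 'TargetIP',
  user: 'InitUserName',
  host: 'TargetHostName',
  msg: 'Message',
};

// Event classes keyed by the device's (hypothetical) event id.
const TAXONOMY = {
  '1001': { name: 'Login success', key: 'auth.login.success', outcome: 'success' },
  '1002': { name: 'Login failure', key: 'auth.login.failure', outcome: 'failure' },
};

// Turn one raw line into a normalized event, or null if it is unparseable.
function parseRecord(rawLine) {
  const rec = { raw: rawLine, fields: {} };          // stand-in for the SDK 'rec'
  const m = FREEFORM.exec(rawLine.trim());
  if (m) {
    rec.fields.ts = m[1];
    rec.fields.host = m[2];
    rec.fields.program = m[3];
    Object.assign(rec.fields, parseNVP(m[4]));
    if (rec.fields.msg === undefined) rec.fields.msg = m[4]; // keep the raw body
  } else {
    Object.assign(rec.fields, parseNVP(rawLine));
    if (Object.keys(rec.fields).length === 0) return null;   // nothing usable
  }

  const evt = { EventName: 'Unknown', TaxonomyKey: 'unknown' };
  for (const [inKey, outKey] of Object.entries(FIELD_MAP)) {
    const v = rec.fields[inKey];
    if (v !== undefined && v !== '') evt[outKey] = v;         // drop nulls/empties
  }
  const cls = TAXONOMY[rec.fields.evtid];                     // classify by event id
  if (cls) {
    evt.EventName = cls.name;
    evt.TaxonomyKey = cls.key;
    evt.Outcome = cls.outcome;
  }
  if (rec.fields.ts !== undefined) {                          // set*Time() analogue
    const t = Date.parse(rec.fields.ts);
    if (!Number.isNaN(t)) evt.EventTime = new Date(t).toISOString();
  }
  return evt;
}

// Constructed sample input: two freeform lines, one bare NVP line, one line
// that tries to smuggle control fields, and one line with no structure.
const SAMPLE_LINES = [
  '2010-03-22T14:05:11Z fw01 sshd: evtid=1002 user=alice src=10.0.0.5 dst=10.0.0.9 msg="Failed password for alice"',
  '2010-03-22T14:05:13Z fw01 sshd: evtid=1001 user=alice src=10.0.0.5 dst=10.0.0.9',
  'evtid=1001 user=bob src=192.0.2.7 host=app01',
  'evtid=1001 user=mallory src=198.51.100.4 Severity=0 TaxonomyKey=benign EventName=Ignored',
  'garbage line with no structure',
];

function parseAll(lines) {
  return lines.map(parseRecord).filter((e) => e !== null);
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(parseAll(SAMPLE_LINES), null, 2));
}
```

Run it with `node collector_example.js` to see the four normalized events; the unstructured line is dropped rather than emitted as a half-empty event, the line without a timestamp simply has no EventTime, and the smuggled Severity, TaxonomyKey and EventName fields never appear in the output because the whitelist, not the input, decides which attributes are set.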
  20. Report Development
  21. Report Template
     • Includes a basic report with the complete set of relevant files
     • Covers Sentinel Log Manager (SLM) and Sentinel RD
     • Localized using standard .properties files
     • Some custom charting types included
  22. Development Process
     1. Create the new Report Plug-in
     2. Determine how to fetch the data using either a SQL or Lucene query
     3. Decide on grouping and categorization (colors)
     4. Lay out report fields
     5. Add summary charts and tables
     6. Add parameters
     7. Test
     8. Finalize metadata and documentation
  23. Create, Query
     • Use the same ‘Create New Plug-in’ target, but for Reports
     • Refer to Sentinel documentation (core product docs and the developer wiki under “Sentinel Development Topics”) for view, field, and schema details
     • Refer to Sentinel and database documentation for SQL and Lucene query language details
     • Run test queries from Sentinel or a DB tool
     • Use ‘Edit Report’ to invoke iReport on the temporary Report Plug-in
  24. Grouping and Categorization
     • Most reports will group data using one of the returned fields – use relevant Sentinel fields like InitUserDomain, TargetHostName, etc.
     • In general, reports look at a subset of event types or a single type with multiple outcomes. You can use categorization to color-code events according to those types or outcomes.
  25. Lay Out Report Fields
     • Our standard is a two-level row with the more important data in the top subrow
     • Typically include domain/container information along with host, user, or data object info
     • Review input events to find which critical data should be displayed
     • Account for extra-long values and nulls
  26. Add Charts
     • For many reports, quick summary charts, sparklines, and tables can be very useful
       – For event-based data, reports can run to hundreds of pages – consider a summary table at the top to display the per-grouping counts
       – Sparklines are great for quick trend analysis
       – Summary counts and pie charts can go at the top right
     • Some useful custom chart formatters are available
  27. Parameters
     Adding parameters to Report Plug-ins is a multi-step process:
     1. Define and test normal Jasper/iReport parameters as part of the report development process
     2. Run ‘Extract Jasper Parameters’ to extract the Jasper parameters into Sentinel Plug-in parameters
     3. Edit the metadata for the Sentinel Plug-in parameters
     4. Build the Report Plug-in and test the parameters in the web interface
  28. Test, Docs, and Metadata
     • Testing can be tricky if the data is rarely seen
     • Can use fake import data to test basic report layout, etc.
     • Docs work the same as for other plug-ins
     • Include a sample output PDF as ‘TemplateReport.pdf’ in the dev directory
     • You can localize the report strings using standard ‘.properties’ files
     • Make sure the supported platforms info is correct
  29. Demonstration
  30. Question and Answer
  31. Unpublished Work of Novell, Inc. All Rights Reserved.
     This work is an unpublished work and contains confidential, proprietary, and trade secret information of Novell, Inc. Access to this work is restricted to Novell employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
     General Disclaimer
     This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. Novell, Inc. makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for Novell products remains at the sole discretion of Novell. Further, Novell, Inc. reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.