sentinellogmanager day2 3 reports
TRANSCRIPT
-
8/23/2019 SentinelLogManager Day2 3 Reports
Sentinel Log Manager - Reports
Automated Compliance and Security Management
-
Novell, Inc. All rights reserved.
SLM uses Jasper Reports
Open source Java Reporting Library
Also used in Sentinel RD
Templates are provided for different kinds of reports
All Vendor templates
Event Source specific templates are distributed as collector packs
Top-n template
Reports
-
Generate a Report
Templates are run from the report viewer panel on the left-hand side of the web interface
Specify name, language, date range, additional parameters
Backend generates report from template
Blue dot indicates unseen reports
Report is generated in PDF format
Report can be forwarded by email
Runs can be scheduled once, daily, weekly, monthly
-
Managing Reports
Templates can be marked as favorite so you get quick links to them
Templates can be exported for editing
Novell and custom templates can be imported
Reports can be renamed
-
Generate report from an ad hoc query
Tune your query string so that the desired events are displayed
Click Save as Report
Choose Visualization
Your query string is ANDed with query from template
Saved as a new template
Choose Event List
Your query string and date range is stored for later reference
-
Lab Exercise
Generate report from built-in template
All Vendors All Product Authentication by Server
Try All Vendors All Products Top 10 Report with different parameters
Rename report
Create a report from a query
Search for root
Save as report
Use All Vendors All Product Authentication by Server visualization
Add to Favorite
Schedule run once a week with a week's worth of data
-
Custom Reports
-
Reporting
What should be shown by the report?
Who will be the audience?
Content Layout
Access Control
Distribution
Determine necessary data
-
Data
How to obtain the necessary data?
Does the Event Source generate the necessary events?
Can necessary data be provided by augmenting source events via the mapping service?
Are the events parsed (correctly) by Sentinel?
How is the data represented in a normalized Sentinel Event?
-
Sentinel Event Schema
Initiator: The thing that caused the event to occur
Action: The type of activity that is being described by the event
Target: The thing that is affected by the event
Observer: The thing that observed that the event took place.
-
XDAS Taxonomy
Open Group standard for Distributed Audit Service (XDAS)
Taxonomy is a classification that is intended to group events of similar type together to ease reporting and searching
Event taxonomy: Classifies the type of activity that the event describes
Outcome taxonomy: Classifies the type of outcome or result that was caused by the event
Observer taxonomy: Classifies the type of system that generated the event
-
Event Taxonomy
Account Management Events
Trust Management Events
Data Item and Resource Element Management Events
Data Item or Resource Element Content Access Events
Peer Association Management Events
User Session Events
Service and Application Utilization Events
Service or Application Management Events
Exceptional Events
Audit Service Management Events
Workflow Events
Attack Events
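The four schema roles (Initiator, Action, Target, Observer) and the XDAS event and outcome taxonomies from the slides above, applied to constructed sshd log lines in Python. This is an added illustration, not Sentinel's own normalizer or field names; the sshd line format, the mapping of a login attempt to "User Session Events", and the per-server aggregation are assumptions made for the example.

```python
import re
from typing import Optional

# Constructed sample lines in OpenSSH sshd syslog format (not real data).
SAMPLE_LINES = [
    "Aug 23 10:01:02 host1 sshd[1234]: Accepted password for alice from 10.0.0.5 port 50022 ssh2",
    "Aug 23 10:01:09 host1 sshd[1235]: Failed password for invalid user bob from 10.0.0.9 port 50023 ssh2",
    "Aug 23 10:02:00 host1 sshd[1236]: Disconnected from user alice 10.0.0.5 port 50022",
]

# Authentication result lines; the host after the timestamp is the observer.
AUTH_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<observer>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)

def normalize(line: str) -> Optional[dict]:
    """Map one sshd line onto the four schema roles plus XDAS-style taxonomy.
    Returns None for lines that are not authentication results."""
    m = AUTH_RE.match(line)
    if m is None:
        return None
    success = m.group("result") == "Accepted"
    return {
        # Initiator: who or what caused the event (remote account and address).
        "initiator": {"user": m.group("user"), "ip": m.group("ip"), "port": int(m.group("port"))},
        # Action: the type of activity described (an authentication attempt).
        "action": f"authenticate/{m.group('method')}",
        # Target: what is affected (the SSH service on the observed host).
        "target": {"service": "sshd", "host": m.group("observer")},
        # Observer: the system that saw the event take place.
        "observer": m.group("observer"),
        # Event taxonomy: a login attempt falls under User Session Events (assumed mapping).
        "event_taxonomy": "User Session Events",
        # Outcome taxonomy: success or failure of the attempt.
        "outcome_taxonomy": "success" if success else "failure",
        "success": success,
    }

def failed_logins_by_server(lines):
    """Report-style aggregation: failed authentications per target host."""
    counts = {}
    for ev in filter(None, map(normalize, lines)):
        if not ev["success"]:
            host = ev["target"]["host"]
            counts[host] = counts.get(host, 0) + 1
    return counts
```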
-
Best Practices
You need to understand the semantics of source events
You need to understand how source events are represented in Sentinel (Schema and Taxonomy)
Spell out what the report is supposed to show
Start with a mockup of the report
-
Templates
JRXML file is the XML template of a report used by Jasper
Don't edit it with a source code editor; use iReport
Start from scratch or modify existing templates
-
Custom Templates
Prerequisites
Get Sentinel SDK to develop reports
http://developer.novell.com/wiki/index.php/Sentinel-sdk
Uses Ant as the build tool; Eclipse includes Ant.
http://ant.apache.org, http://www.eclipse.org
iReport: open source GUI report designer tool
http://jasperforge.org/projects/ireport
Watch recorded Transfer Training
http://developer.novell.com/wiki/index.php/Reports
-
Report Data Sources
There are potentially two data sources for reports
Event Data stored on the file system indexed by Lucene
> Need to execute Lucene queries to design report
> Most likely the one you will need
> Novell has created extensions to Lucene Queries just for use with JasperReports
Configuration Data stored in PostgreSQL
> Standard SQL can be used to design the report
Currently a report can query only one data source at a time
-
iReport
iReport is an open source tool handy in creating reports
Stand-alone tool that creates templates for Jasper Reports
Graphical user interface based designer
Some limited knowledge of Java is useful but not necessary
Advanced reports will need good developer skills, as in any report development
Novell provides a Lucene plugin for iReport
LUCENE_EVENT driver data source
Works with iReport classic 3.0.0 not the newer ones
-
iReport without Lucene Plugin
iReport may be used to design a report without using the Lucene Query plugin
Allows you to use more recent versions of iReport
Export Lucene Query Results as CSV
Use CSV as data source to design report
Edit jrxml file to embed Lucene Query used to generate CSV
Package report for Log Manager per SDK
Upload report and test
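An added Python illustration of the CSV-driven workflow above, not tooling from the Sentinel SDK or iReport: it reads the header of a CSV export, declares one JRXML field per column so the CSV data source can bind $F{...} expressions, and records the Lucene query that produced the CSV in the template's queryString. The sample CSV, the query text and the queryString language value are constructed placeholders; the real language name for the Lucene driver is whatever the Sentinel SDK documents.

```python
import csv
import io
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed CSV export of a Lucene query result (not real Sentinel data).
SAMPLE_CSV = """EventTime,InitUserName,TargetHostName,EventName,Severity
2019-08-23 10:01:02,alice,host1,Authentication Success,2
2019-08-23 10:01:09,bob,host1,Authentication Failure,4
"""

# Hypothetical Lucene query that produced the CSV; embedded so the template records its origin.
LUCENE_QUERY = 'evt:"Authentication*" AND sev:[2 TO 5]'

def csv_fields(text):
    """Field names come from the CSV header; the CSV data source maps columns to $F{...}."""
    return next(csv.reader(io.StringIO(text)))

def build_jrxml(name, fields, query, query_language="lucene"):
    """Return a minimal JRXML: one <field> per CSV column and a detail band printing each row.
    query_language is a placeholder value (assumption), not a documented Sentinel driver name."""
    width = 555 // len(fields)  # share the A4 portrait printable width between columns
    lines = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        '<jasperReport xmlns="http://jasperreports.sourceforge.net/jasperreports"',
        f'    name="{escape(name)}" pageWidth="595" pageHeight="842" columnWidth="555">',
        f'  <queryString language="{query_language}"><![CDATA[{query}]]></queryString>',
    ]
    lines += [f'  <field name="{escape(f)}" class="java.lang.String"/>' for f in fields]
    lines.append('  <detail><band height="20">')
    for i, f in enumerate(fields):
        lines.append(
            f'    <textField><reportElement x="{i * width}" y="0" width="{width}" height="20"/>'
            f'<textFieldExpression><![CDATA[$F{{{f}}}]]></textFieldExpression></textField>'
        )
    lines.append('  </band></detail>')
    lines.append('</jasperReport>')
    return "\n".join(lines)

def validate_fields(jrxml, fields):
    """Check the template parses as XML and declares every CSV column as a field."""
    root = ET.fromstring(jrxml)
    ns = {"jr": "http://jasperreports.sourceforge.net/jasperreports"}
    declared = {f.get("name") for f in root.findall("jr:field", ns)}
    return declared == set(fields)
```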
-
Lab Exercise
Instructor-led walkthrough of using iReport
Jrxml overview
Reviewing Lucene Queries in relation to JasperReports
-
Advanced Customizations
For the power developer, support exists in Jasper and in iReport
Scriptlets: the power of full Java for complex logic in reports
Localization: multiple language and character set support