Contents |
A critical part of the Sentinel system is the Event schema. Sentinel uses a large event structure with fields to hold a wide variety of event data - the schema is in part inspired by XDAS, but has significant extensions to support SIEM and customization. This section documents the schema and the data contained in the fields.
Sentinel makes every attempt to classify received events into a standardized taxonomy that help organize and group events for simpler correlation and reporting. Until v6.1, we used a legacy taxonomy that we defined internally; with 6.1 we have introduced support for the open standard XDAS taxonomy. At this time, a new version of XDAS is in development, but we plan to support the new standard once it is completed. Note that in order to transition between the legacy and XDAS taxonomies, we currently support both, but there is a one-to-one mapping between the two. Simply find the entry in the table on the Sentinel Taxonomy page, and add that to your taxonomy.map file.
Sentinel presents internal database views that can be queried for reporting. Sentinel DB Views
Event sources are grouped into common device categories to assist in simplifying queries like "show me only firewall data". The list of Device Categories is published here.
Much of the data that is collected and managed by Sentinel is transformed into portable data objects that make it easier to manipulate. Sentinel uses these data objects heavily internally, and limited APIs are presented to customizable plugins for access to those APIs. The major interfaces are published online.
Sentinel plug-ins are simply ZIP files, some with custom extensions, that include code, helpfiles, and other data along with plug-in meta-information.
© 2009 Novell, Inc. All Rights Reserved.
