The code for all Collectors is stored in a plug-in repository on the central Sentinel server when the Collectors are imported. Location: sentinel/data/plugin_repository on the Sentinel server. The runtime configuration for the Collector (when it is configured to run on a particular Collector Manager) is stored separately in the Sentinel database.
When a Collector is actually started in the Collector Manager, the Collector plug-in is deployed to the Collector Manager, the runtime configuration is applied, and the code is started. Any pre-existing instance of the Collector code on that Collector Manager is overwritten. Location: sentinel/data/collector_mgr.cache/collector_instances on each Collector Manager. In order to edit a Collector, you need to use the ESM Debugger Download button, which copies the Collector to the local Collector workspace on the client machine (the machine where you are running Sentinel Control Center).
Use the following information to select how to manage the event source connection, then proceed to Step 10.
You can click Install More Connectors to install additional Connectors. For more information, see Installing a Connector Plug-In to install connectors. Depending on the type of Connector you select, there are additional configuration screens. There are many different types of Connectors. Select a connection method from the list. You can click Install More Scripts to install additional Collector scripts that support your Event Source. For more information on installing a Collector script, see Installing a Collector Plug-In. You can click Add More to import an event source not listed. After the event source is selected, click Next. The event source types for the compatible Collector parsing scripts are listed here. In the toolbar, click Tools > Connect to Event Source. This Add Event Source Server Wizard can also be initiated from within the Add Connector Wizard if a compatible Event Source Server has not yet been added. In the Health Monitor Display frame, the Event Source Server is displayed with a dashed line showing which Collector Manager it is associated with.
(Optional) If you want this server to run, select Run. Specify a name for the Event Source Server. For details, see the specific Connector documentation at the Sentinel Plug-ins Web page. These parameters are unique for each Connector. For example, Syslog Connector, NAudit Connector, and so on. For more information on installing a Connector plug-in, see Installing a Collector Plug-In. Configure the various parameters for the server that is associated with the selected Connector. If you do not have any connectors in the list that support your device, click Install More Connectors. Select a Connector that supports your device, then click Next. Right-click the Collector Manager, then select Add Event Source Server. In some cases a single event source can represent many real sources of event data, such as if multiple devices are writing to a single file. For more information, see Accessing Event Source Management. Unlike other components, this is not a plug-in, but is a container for metadata, including runtime configuration about the event source. The event source represents the actual source of data for Sentinel. The Connector requests only the data from its configured event source (defined in the metadata for the event source) that matches additional filters. The ESS caches the received data, and one or more Connectors connect to the ESS to retrieve a set of data for processing. The ESS represents the daemon or server that listens for these inbound connections. Each instance of a Connector icon in ESM represents the Connector code as well as the runtime configuration of that code. An Event Source Server (ESS) is considered part of a Connector, and is used when the data connection with an event source is inbound rather than outbound.
Each Collector icon in ESM refers to a deployed Collector script as well as the runtime configuration of a set of parameters for that Collector. Connectors are used to provide the protocol-level communication with an event source, using industry standards like Syslog, JDBC, and so forth.
As each Collector Manager process connects to Sentinel, the objects are automatically created in ESM. Collectors instantiate the parsing logic for data from a particular event source. Multiple Collector Manager processes can be installed throughout the enterprise. The Collector Manager display name in the ESM is Sentinel Server. Each icon represents another instance of a Collector Manager process. The Sentinel object is installed automatically through the Sentinel installer. The single Sentinel icon represents the main Sentinel Server that manages all events collected by the Sentinel system. Table 6-1 Components of the ESM Hierarchy