
8.1

Creating an Event Routing Rule

You can create a filter-based event routing rule and then assign one or more configured actions that are executed to handle or output the events that meet the event routing rule criteria.

1 Log in to the Sentinel Web interface as a user in the administrator role.

2 Click Routing in the toolbar.

The Event Routing Rules tab is displayed.

3 Click Create, then use the following information to create a new event routing rule:

Name: Specify a unique name for the event routing rule.

Filter: Select a saved filter to use in creating the event routing rule. This filter determines which events are stored in the event store. For more information, see “Configuring Filters” in the NetIQ Sentinel 7.1 User Guide.

Select tag: (Optional) Select a tag for tagging the filter. The tag makes the filter more specific. For more information, see “Configuring Tags” in the NetIQ Sentinel 7.1 User Guide.

Route to the following services: Select where the information is routed. The options are:

All: Routes the event to all services including Correlation, Security Intelligence, and Anomaly Detection.

Event store only: Routes the event to the event store only.

None (drop): Drops or ignores the events.

Perform the following actions: (Optional) Select an action to be performed on every event that meets the filter criteria. The following default actions are available for event routing rules:

Log to File: For configuration information, see “Configuring the File Integrator” on page 164.

Log to Syslog: For configuration information, see “Configuring the Syslog Integrator” on page 167.

Send Events via Sentinel Link: For configuration information, see “Configuring the Sentinel Link Integrator” on page 164.

Send SNMP Trap: For configuration information, see “Configuring the SNMP Integrator” on page 166.

NOTE: When you associate a JavaScript action with a routing rule, write the rule so that it matches only a small percentage of events. If rules trigger JavaScript actions frequently, the system might backlog the actions framework, which can slow down the EPS and affect the performance of the Sentinel system. If the rule triggers non-JavaScript actions such as Sentinel Link, there is no such limitation.

For the actions to work, you must have configured the Integrator associated with each action for your environment.

The actions listed here are different from the actions displayed in the Event Actions tab in the Sentinel Web interface, and are distinguished by the <EventRouting> attribute in the package.xml file created by the developer.

Adding or Removing Actions: You can add more than one action to perform on the events that meet the filter criteria:

Click to select additional actions to be performed.

Click to remove the selected action for this event routing rule.

4 Click Save to save the event routing rule.

The newly created event routing rule appears at the end of the rules list under the Event Routing Rules tab. By default, this new event routing rule is active.

8.2

Editing an Event Routing Rule

1 Log in to the Sentinel Web interface as a user in the administrator role.

2 Click Routing in the toolbar.

The Event Routing Rules tab is displayed.

The existing event routing rules appear on the page.

3 Click Edit next to the event routing rule to change its definition.

4 Make the changes you want.

5 Click Save to save the changes.

8.3

Ordering Event Routing Rules

When there is more than one event routing rule, the event routing rules can be reordered by dragging them to a new location. Events are evaluated by event routing rules in the specified order until a match is made, so you should order the event routing rules accordingly. More narrowly defined event routing rules and more important event routing rules should be placed at the beginning of the list.

The first routing rule that matches the event based on the filter is processed. For example, if an event passes the filter for two routing rules, only the first rule is applied. The default routing rule cannot be reordered. It always appears at the end.

1 Log in to the Sentinel Web interface as a user in the administrator role.

2 Click Routing in the toolbar.

The Event Routing Rules tab is displayed. Existing event routing rules appear on the page.

3 Mouse over the icon to the left of the event routing rule numbering to enable drag-and-drop. The cursor changes.

4 Drag the event routing rule to the correct place in the ordered list.

When the event routing rules are ordered, a success message is displayed.

8.4

Deleting an Event Routing Rule

1 Log in to the Sentinel Web interface as a user in the administrator role.

2 Click Routing in the toolbar.

The Event Routing Rules tab is displayed. Existing event routing rules appear on the page.

3 Click the Delete link next to the event routing rule to delete an event routing rule definition.

4 Click the Delete button to delete the selected event routing rule. When the event routing rule is deleted, a success message is displayed.

8.5

Activating or Deactivating an Event Routing Rule

New event routing rules are activated by default. If you deactivate an event routing rule, incoming events are no longer evaluated according to that event routing rule. If there are already events in the queue for one or more actions, it might take some time to clear the queue after the event routing rule is deactivated. If the On check box next to the event routing rule is selected, the event routing rule is activated. If the On check box is not selected, the event routing rule is deactivated.

1 Log in to the Sentinel Web interface as a user in the administrator role.

2 Click Routing in the toolbar.

The Event Routing Rules tab is displayed. Existing event routing rules appear on the page.

3 To activate the event routing rule, select the check box next to each event routing rule in the Enabled column.

4 To deactivate the event routing rule, select the check box next to each event routing rule in the Enabled column.
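The evaluation semantics described in Sections 8.1, 8.3 and 8.5 (a rule consists of a filter, a routing target and optional actions; rules are tried in list order and only the first matching rule is applied; the default rule always sits last and cannot be moved; a deactivated rule is skipped) can be modelled in a few lines. The following is an added illustration, not code from NetIQ Sentinel: it assumes filters are plain Python predicates over a dict-shaped event, which is a simplification of Sentinel's saved-filter language, and the event names and rule names are constructed sample values.

```python
"""Model of first-match event routing rule evaluation.

Added example, not NetIQ Sentinel product code. Filters are ordinary Python
predicates (an assumption); Sentinel uses its own saved filters and tags.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, object]

ROUTE_TARGETS = {"All", "Event store only", "None (drop)"}


@dataclass
class RoutingRule:
    name: str
    filter: Callable[[Event], bool]   # which events the rule applies to
    route_to: str                     # one of ROUTE_TARGETS
    actions: List[str] = field(default_factory=list)  # e.g. "Log to Syslog"
    enabled: bool = True              # the "Enabled" check box

    def __post_init__(self) -> None:
        if self.route_to not in ROUTE_TARGETS:
            raise ValueError(f"unknown route target: {self.route_to!r}")


@dataclass
class RoutingResult:
    rule: str
    route_to: str
    actions: List[str]


class EventRouter:
    """Ordered rule list plus an immovable, always-matching default rule."""

    def __init__(self, rules: List[RoutingRule], default_route: str = "All") -> None:
        self.rules = list(rules)
        # The default rule is kept outside the orderable list, so it can
        # never be dragged above another rule and always evaluates last.
        self.default = RoutingRule("Default", lambda _e: True, default_route)

    def _index(self, name: str) -> int:
        for i, rule in enumerate(self.rules):
            if rule.name == name:
                return i
        raise KeyError(f"no orderable rule named {name!r}")  # includes "Default"

    def reorder(self, name: str, new_index: int) -> None:
        """Drag a rule to a new position (the default rule cannot be moved)."""
        rule = self.rules.pop(self._index(name))
        self.rules.insert(new_index, rule)

    def set_enabled(self, name: str, enabled: bool) -> None:
        self.rules[self._index(name)].enabled = enabled

    def route(self, event: Event) -> RoutingResult:
        """Apply only the first enabled rule whose filter matches."""
        for rule in self.rules:
            if rule.enabled and rule.filter(event):
                return RoutingResult(rule.name, rule.route_to, list(rule.actions))
        return RoutingResult(self.default.name, self.default.route_to, [])


def build_demo_router() -> EventRouter:
    """Constructed sample rule set: narrow rules first, broad rule last."""
    name = lambda e: str(e.get("EventName", ""))
    return EventRouter([
        RoutingRule("Drop heartbeats", lambda e: name(e) == "Heartbeat", "None (drop)"),
        RoutingRule("Auth failures to syslog", lambda e: name(e) == "AuthFailure",
                    "All", ["Log to Syslog"]),
        RoutingRule("Other auth events", lambda e: name(e).startswith("Auth"),
                    "Event store only"),
    ])


if __name__ == "__main__":
    router = build_demo_router()
    for ev in ({"EventName": "Heartbeat"}, {"EventName": "AuthFailure"},
               {"EventName": "AuthSuccess"}, {"EventName": "PortScan"}):
        print(ev["EventName"], "->", router.route(ev))
    # Dragging the broad rule to the top silently starves the narrow one:
    router.reorder("Other auth events", 0)
    print("after reorder, AuthFailure ->", router.route({"EventName": "AuthFailure"}))
```

Running the block shows why the guide tells you to put narrower and more important rules first: once the broad "Other auth events" rule is dragged to position 0, an AuthFailure event matches it, is sent to the event store only, and the Log to Syslog action on the narrower rule never fires.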

9

Configuring Actions

An Action is a configured instance of an Action plug-in. Actions are used to execute some type of action in Sentinel, either manually or automatically. Actions can be triggered by routing rules, by manually executing an event or incident operation, and by correlation rules.

Section 9.1, “Overview,” on page 153