SentinelLogManager Day2 3 Reports

8/23/2019 SentinelLogManager Day2 3 Reports

1/20

Sentinel Log Manager - ReportsAutomated Compliance and Security Management


2/20

Novell, Inc. All rights reserved.2

SLM uses Jasper Reports

Open source Java Reporting Library

Also used in Sentinel RD

Templates are provided for different kinds of reports

All Vendor templates

Event Source specific templates are distributed as collector

packs

Top-n template

Reports


3/20


Generate a Report

Templates are run from the report viewer panel on theleft hand side of the web interface

Specify name, language, date range, additional parameters

Backend generates report from template

Blue dot indicates unseen reports

Report is generated in PDF format

Report can be forwarded by email

Runs can be scheduled once, daily, weekly, monthly


4/20


Managing Reports

Templates can be marked as favorite so you get quicklinks to them

Templates can be exported for editing

Novell and custom templates can be imported

Reports can be renamed


5/20


Generate report from an adhoc query

Tune your query string so that desired events aredisplayed

Klick Save as Report

Choose Visualization

Your query string is ANDed with query from template

Saved as a new template

Choose Event List

Your query string and date range is stored for later reference


6/20


Lab Exercise

Generate report from built in template

All Vendors All Product Authentication by Server

Try All Vendors All Products Top 10 Report with differentparameters

Rename report

Create a report from a query

Search for root

Save as report

Use All Vendors All Product Authentication by Servervisualization

Add to Favorite

Schedule run once a week with a week's worth of data


7/20

Custom Reports


8/20


Reporting

What should be shown by the report?

Who will be the audience?

Content Layout

Access Control

Distribution

Determine necessary data


9/20


Data

How to obtain the necessary data?

Does the Event Source generate the necessaryevents?

Can necessary data be provided by augmenting sourceevents via the mapping service?

Are the events parsed (correctly) by Sentinel?

How is the data represented in a normalized SentinelEvent?


10/20


Sentinel Event Schema

Initiator: The thing thatcaused the event to occur

Action: The type ofactivity that is being

described by the event

Target: The thing that isaffected by the event

Observer: The thing that

observed that the eventtook place.


11/20


XDAS Taxonomy

Open Group standard for Distributed Audit Service(XDAS)

Taxonomy is a classification that is intended to groupevents of similar type together to ease reporting and

searching Event taxonomy : Classifies the type of activity that the

event describes

Outcome taxonomy : Classifies the type of outcome or

result that was caused by the event

Observertaxonomy : Classifies the type of system thatgenerated the event


12/20


Event Taxonomy

Account Management Events

Trust Management Events

Data Item and Resource Element Management Events

Data Item or Resource Element Content Access Events

PeerAssociation Management Events User Session Events

Service and Application Utilization Events

Service or Application Management Events

Exceptional Events Audit Service Management Events

Workflow Events

Attack Events


13/20


Best Practices

You need to understand semantics of source events

You need to understand how source events arerepresented in Sentinel (Schema and Taxonomy)

Spell out what the report is supposed to show

Start with a mockup of the report


14/20


Templates

JRXML file is the XML template of a report used byJasper

Don't edit it with a source code editor use iReport

Start from scratch or modify existing templates


15/20


Custom Templates

Prerequisites

Get Sentinel SDK to develop reports

http://developer.novell.com/wiki/index.php/Sentinel-sdk

Uses ant as build tool. Eclipse includes ant.

http://ant.apache.org, http://www.eclipse.org

iReports open source tool GUI report designer

http://jasperforge.org/projects/ireport

Watch recorded Transfer Training

http://developer.novell.com/wiki/index.php/Reports
http://developer.novell.com/wiki/index.php/Sentinel-sdkhttp://ant.apache.org/http://www.eclipse.org/http://jasperforge.org/projects/ireporthttp://developer.novell.com/wiki/index.php/Reportshttp://developer.novell.com/wiki/index.php/Reportshttp://jasperforge.org/projects/ireporthttp://www.eclipse.org/http://ant.apache.org/http://developer.novell.com/wiki/index.php/Sentinel-sdk


16/20


Report Data Sources

There are potentially two data sources for reports

Event Data stored on the file system indexed by Lucene

> Need to execute Lucene queries to design report

> Most likely the one you will need

> Novell has created extensions to Lucene Queries just for use with JasperReports

Configuration Data stored in postgreSQL

> Standard SQL can be used to design the report

Currently a report can query only one data source at atime


17/20


iReport

iReport is an open source tool handy in creatingreports

Stand alone tool that creates templates for Jasper Reports

Graphical user interface based designer

Some limited knowledge of Java is useful but not necessary

Advanced reports will need good developer skills as in anyreport development

Novell provides a Lucene plugin for iReport

LUCENE_EVENT driver data source

Works with iReport classic 3.0.0 not the newer ones


18/20


iReport without Lucene Plugin

iReport may be used to design a report without usingthe Lucene Query plugin

Allows you to use more recent versions of iReport

Export Lucene Query Results as CSV

Use CSV as data source to design report

Edit jrxml file to embed Lucene Query used to generate CSV

Package report for Log Manager per SDK

Upload report and test


19/20


Lab Exercise

Instructor lead walkthrough of using iReport

Jrxml overview

Reviewing Lucene Queries in relation to JasperReports


20/20


Advanced Customizations

For the power developer support exists in Jasper andin iReport

Scriptlets power of full Java for complex logic in reports

Localization multiple language and character set support

SentinelLogManager Day2 3 Reports

Documents

Transcript of SentinelLogManager Day2 3 Reports