Novell provides a free version of its Log Management solution, named Novell Sentinel Log Manager 25. This version is not a trial version. It is a good occasion to discover this Log Management solution and to get to know the features and limits of this product. You only need to register on the Novell website in order to be allowed to download the free version.

From the Novell Download Center, you will be able to download:

  • The latest version of Novell Sentinel Log Manager as an ISO, VMware or Xen image.
  • All Sentinel Collectors, which let you parse the data from a variety of event sources into the normalized Sentinel event structure.
  • All Sentinel Connectors, which provide the connectivity between Sentinel Collectors and event or data sources.
  • Solution Packs, such as “Identity Tracking“, “PCI-DSS“, “SAP” or “Sentinel Core“.
  • Action Plug-ins, which are remediation actions that can be triggered by correlation rules, such as “Generic Event Forwarder“, “Create Remedy Ticket“, etc.
  • Integrators, which provide integration with external third-party products that can be easily called from Action Plug-ins, such as “Remedy“, “SMTP“, “SOAP“, etc.
  • Utilities, which provide additional functionality for Sentinel and/or are commonly used by several other Plug-ins.
  • The documentation, available online or in PDF format.

Supported Platforms & Browsers

Supported Operating Systems for the Novell Sentinel Log Manager installation are:

  • 64-bit SUSE Linux Enterprise Server 11 SP1 for Sentinel Log Manager versions 1.2 and later.

Supported Operating Systems for Collector Managers are:

  • SUSE Linux Enterprise Server 10 SP2 (32-bit and 64-bit)
  • SUSE Linux Enterprise Server 11 (32-bit and 64-bit)
  • SUSE Linux Enterprise Server 11 SP1 (32-bit and 64-bit) for Collector Managers 1.2 and later.
  • Windows Server 2003 (32-bit and 64-bit)
  • Windows Server 2003 SP2 (32-bit and 64-bit)
  • Windows Server 2003 R2 (32-bit and 64-bit)
  • Windows Server 2008 (64-bit)
  • Windows Server 2008 R2 (64-bit)

Supported virtual environments are:

  • VMware ESX/ESXi 3.5/4.0 or higher
  • VMware Player 3 (for demo only)
  • Xen 3.1.1

I have tested this Log Management solution with VMware Fusion 3.

Supported browsers are:

  • Mozilla Firefox 3.6 for Linux
  • Mozilla Firefox 3 for Windows
  • Microsoft Internet Explorer 8

As for hardware requirements, the VMware and Xen appliances are pre-configured with:

  • 4 GB RAM, because SLES is a 64-bit version
  • 48 GB hard disk
  • 1 vCPU

Sentinel Collector Managers

The Collector Managers manage all data collection and data parsing for Novell Sentinel Log Manager. One Collector Manager is installed by default during the Sentinel Log Manager installation. However, you can install multiple Collector Managers in a distributed setup; just keep the 25 EPS limit in mind, since it applies to the whole installation. A Collector Manager communicates with the Novell Sentinel Log Manager server on port 61616/TCP. All installed Collectors and Connectors communicate with the Collector Manager, which forwards the collected data to Novell Sentinel Log Manager for storage and processing.

Sentinel Connectors

Connectors provide the connectivity between Sentinel Collectors and event or data sources. Each Collector communicates through a specific Connector. Examples of Connectors: Novell Audit, Database, File, LEA, IBM Mainframe, Process, Syslog, SNMP, Windows WMI, etc. You can find a complete list of all supported Connectors by registering on the Novell website.

Sentinel Collectors

Collectors are scripts that parse the data from a variety of event sources into the normalized Sentinel event structure, or in some cases collect other forms of data from external data sources. Each Collector must be deployed with a compatible Connector. Novell supports around 100 Collectors, for sources such as Check Point, Cisco, Apache, Microsoft, McAfee, Juniper, etc. All of them are free to use with the 25 EPS version of Novell Sentinel Log Manager. You can find a complete list of all supported Collectors by registering on the Novell website.

Novell Sentinel Log Manager 25 Features, Limitations and Restrictions

Features:

  • Compression rate of 10:1.
  • Unlimited number of Collectors. Allows you to use any Collector without any restriction.
  • Unlimited EPS with a limited Event Store. Events keep being stored even when viewing them is restricted because the Event Store feature has expired or is not licensed.
  • Unlimited Embedded Database. Stores the Sentinel Log Manager configuration data.
  • Unlimited usage of the reporting module.
  • Network storage allowed (NFS, CIFS, locally mounted SAN).

Limits:

  • EPS rate limited to a maximum of 25 after 60 days, unlimited before. So you will have a maximum of 2,160,000 events per day (25 × 86,400).
  • With the VMware or Xen appliance, the 48 GB hard disk represents 480 GB of raw events with a 10:1 compression rate. This storage and compression rate will let you store around 1,717,986,918 events ((480 × 1024 × 1024 × 1024) / 300, i.e. an average event size of 300 bytes). If you are fully using the 25 EPS rate, you will have a maximum retention of 795.36 days.
  • Rules limited to 60 days. You can configure rules to filter events based on one or more of the searchable fields. Each rule can be associated with one or more of the configured actions. After the free license expires, the Rules are no longer executed.
  • Actions limited to 60 days. You can configure actions to deliver an event to one or more destinations when it meets the criteria specified by one of the rules (e.g. Email, Log to file, Log to Syslog, Send to Sentinel Link). After the free license expires, the Actions are no longer executed.
  • Distributed Searches limited to 60 days. Enables you to search events and report event data not only on your local Sentinel Log Manager server, but also on other Sentinel Log Manager servers distributed across the globe. After the free license expires you can still add, modify, and delete the search target configurations. However, only the local event store is used for searches and reports while you are using an expired license. This applies to all distributed searches and reports, even if they were scheduled before the license expired.
  • Event Store limited to 60 days. Enables you to view the details of all the events regardless of the EPS rate. The authorized event rate after the license expires is 25 EPS. Any events received while the system averages more than 25 EPS are stored, but the details of those events are not displayed in the search results or reports. These events are tagged with the OverEPSLimit tag.
  • Sentinel Link limited to 60 days. Provides the ability to hierarchically link multiple Sentinel systems, including Sentinel Log Manager and the two Sentinel Security Information and Event Management (SIEM) systems, Novell Sentinel and Novell Sentinel Rapid Deployment. After the free license expires, events can no longer be sent or received by using Sentinel Link.
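To make the retention figures above easy to recompute for other disk sizes, and to illustrate what the OverEPSLimit behaviour of the Event Store bullet means for a bursty source, here is an added Python example (my own code, not from the article or from Novell). The 10:1 ratio, the 25 EPS cap and the 300-byte average event size come from the article; the 60-second averaging window used to decide the tag is an assumption of this example, not Sentinel's real algorithm.

```python
import math

GIB = 1024 ** 3  # the article computes 480 GB as 480 x 1024^3 bytes

def retention(disk_gb, eps=25, compression=10, avg_event_bytes=300):
    """Events that fit on disk and the days they cover at a sustained EPS.
    Defaults reproduce the article's figures for the 48 GB appliance."""
    raw_bytes = disk_gb * compression * GIB          # 48 GB -> 480 GB raw
    events_stored = raw_bytes // avg_event_bytes     # 1,717,986,918 events
    events_per_day = eps * 86_400                    # 2,160,000 per day
    return events_stored, round(events_stored / events_per_day, 2)

def disk_gb_for(days, eps=25, compression=10, avg_event_bytes=300):
    """Inverse sizing: appliance disk (GB) needed to keep `days` of events."""
    raw_bytes = days * eps * 86_400 * avg_event_bytes
    return math.ceil(raw_bytes / compression / GIB)

def tag_over_eps_limit(timestamps, limit_eps=25, window_s=60):
    """Tag events received while the trailing-window average exceeds the cap.
    Models the article's rule (stored, but hidden from search and reports);
    the 60 s window is an assumption of this example, not Sentinel's
    algorithm. `timestamps` are receive times in seconds, sorted ascending."""
    tagged = []
    start = 0  # index of the oldest event still inside the window
    for i, ts in enumerate(timestamps):
        while timestamps[start] <= ts - window_s:
            start += 1
        avg_eps = (i - start + 1) / window_s
        tagged.append((ts, ["OverEPSLimit"] if avg_eps > limit_eps else []))
    return tagged

def hidden_count(timestamps, **kw):
    """How many events of a stream would be invisible in search results."""
    return sum(1 for _, tags in tag_over_eps_limit(timestamps, **kw) if tags)

if __name__ == "__main__":
    print(retention(48))                    # (1717986918, 795.36)
    print(disk_gb_for(365))                 # 23
    burst = [i / 30 for i in range(1800)]   # constructed: 30 EPS for 60 s
    print(hidden_count(burst))              # 300
```

The burst example shows the practical consequence of the cap: a source that sustains 30 EPS for a minute gets its last 300 events stored but hidden, so a short spike on a single noisy host is enough to lose visibility of events you may need later.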
Novell Sentinel Log Manager 25 is really a good solution for SMB companies which don't require a big EPS throughput. Your Log Management scope may not be complete, but you can select a wide range of sources thanks to the number of available Sentinel Collectors.