The Question#

From the Sentinel forums:

I have managed to configure the IDM Collector, and notice the event has come through the Raw Data Tap.
However, as I go to the Active View, here's the message captured: "Event ID not found in LSC file: undefined".
How can I solve this?

The Answer:

You'll need to customize the Identity Manager collector.  Probably not
surprising to you, the LSC file that Novell ships does not have your own
personal, customized events within it.  Customization of the collector is
possible, but it will require you to do it, probably using the Sentinel
SDK: http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel

Good luck.

Another related post (answer):

... you can get IDM
events for all kinds of things including events that you create yourself
and then modify the collector to handle.  If you went with full Identity
Tracking (part of the Novell Compliance Management Platform) you can tie
in IDM in really neat ways with Sentinel 6.1 and IDM 3.6 so that any
account that was provisioned by IDM (to eDir, IDV, MAD, LDAP, JDBC, SIF,
or whatever; literally anything) is seen as the same identity in Sentinel
so you are not figuring out if jsmith and john.smith and j12345 are all
the same user since Sentinel and IDM together know they are or are not the
same identity and can apply logic based on these data.  Creating your own
events does require customizing the collector to handle them (and the
driver config of course to send them) but it means anything you can match
on in IDM can be an event sent to Sentinel like an intruder lockout or an
account disabled, or a password change, or whatever.  The possibilities
with the framework are potentially endless.

Note: "...does require customizing the collector to handle them (and the driver config of course to send them)..."

So to receive custom events into Sentinel from IDM you must use the Sentinel SDK.

So Novell sells the thing and makes it sound so simple. Just add the "code to the driver and send it to Sentinel." But they fail to mention that you need to get an SDK to allow Sentinel to be able to use the custom events?

Well that is sure a great idea.

Yes, this is a correct understanding.  The difference with Audit is that
events did not really mean anything from a SIEM point of view.  The event
could come in, and you could even run queries against the events in Audit,
but they did not really mean anything.  The Audit side of things still
exists and sends events to Sentinel, but now Sentinel actually gives the data
meaning.  For example, you can have actions do something based upon one
type of event but not another.  Identities can be tied to events so that,
regardless of the username in environments A, B, and C, they are all tied
to Jim Willeke the person.  Data can also be added to events within the
collector so, for example, IP addresses can be resolved to DNS names (and
vice versa), additional severities/priorities can be added, and the
administrator can add just about any other tag they want to in
customer-defined fields.

Until recently you could do much like you used to with Audit, where you
simply defined an entry in the LSC file, and with Audit events I think
there may even be a custom LSC file for custom events (or maybe that's
what's coming soon).  In the aforementioned case where little extra was
needed, it was done by allowing Unsupported Events to come through the
collector.  Like Audit, though, those events were fairly dull in that they
lacked severities based on content and ties to anything else in Sentinel, and
could not really be used for anything except verifying that the new types
of events were indeed coming into the system.  In a full SIEM those events
are worthless, so the feature was removed now that the SDK is available and
customization is the preferred option.

« This page (revision-8) was last changed on 25-May-2011 17:55 by jim