The Question
From the Sentinel forums:
I have managed to configure the IDM Collector and notice the event has come through the Raw Data Tap. However, when I go to the Active View, here is the message captured: "Event ID not found in LSC file: undefined". How can I solve this?
The Answer:
You'll need to customize the Identity Manager collector. Probably not surprising to you, the LSC file that Novell ships does not have your own personal, customized events within it. Customization of the collector is possible, but it will require you to do it, probably using the Sentinel SDK: http://developer.novell.com/wiki/index.php?title=Develop_to_Sentinel Good luck.
Another related post (answer):
... you can get IDM events for all kinds of things including events that you create yourself and then modify the collector to handle. If you went with full Identity Tracking (part of the Novell Compliance Management Platform) you can tie in IDM in really neat ways with Sentinel 6.1 and IDM 3.6 so that any account that was provisioned by IDM (to eDir, IDV, MAD, LDAP, JDBC, SIF, or whatever; literally anything) is seen as the same identity in Sentinel so you are not figuring out if jsmith and john.smith and j12345 are all the same user since Sentinel and IDM together know they are or are not the same identity and can apply logic based on these data. Creating your own events does require customizing the collector to handle them (and the driver config of course to send them) but it means anything you can match on in IDM can be an event sent to Sentinel like an intruder lockout or an account disabled, or a password change, or whatever. The possibilities with the framework are potentially endless.
Note: "...does require customizing the collector to handle them (and the driver config of course to send them)..."
So, to receive custom events into Sentinel from IDM, you must use the Sentinel SDK.
So Novell sells the thing and makes it sound so simple. Just add the "code to the driver and send it to Sentinel." But they fail to mention that you need to get an SDK to allow Sentinel to be able to use the custom events?
Well that is sure a great idea.
Yes, this is a correct understanding. The difference with Audit is that events did not really mean anything from a SIEM point of view. The event could come in, and you could even run queries against the events in Audit, but they did not really mean anything. The Audit side of things still exists and sends events to Sentinel, but now Sentinel actually gives the data meaning. For example, you can have actions do something based upon one type of event but not another. Identities can be tied to events so that, regardless of the username in environments A, B, and C, they are all tied to Jim Willeke the person. Data can also be added to events within the collector so, for example, IP addresses can be resolved to DNS names (and vice versa), additional severities/priorities can be added, and the administrator can add just about any other tag they want in customer-defined fields.

Until recently you could do much like you used to with Audit, where you simply defined an entry in the LSC file, and with Audit events I think there may even be a custom LSC file for custom events (or maybe that's what's coming soon). In the aforementioned case, where little extra was needed, it was done by allowing Unsupported Events to come through the collector. Like Audit, though, those events were fairly dull in that they lacked severities based on content and ties to anything else in Sentinel, and could not really be used for anything except verifying that the new types of events were indeed coming into the system. In a full SIEM those events are worthless, so the feature was removed now that the SDK is available and customization is the preferred option.
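To make the thread's three situations concrete (the stock collector dropping an event it has no schema entry for, the old "Unsupported Events" pass-through that forwards the record with no meaning attached, and a customized collector that assigns severity, taxonomy, identity and DNS enrichment), here is a toy collector written for this page. It is not Sentinel SDK code and does not read the real LSC file format; the schema table, identity table, DNS table, event IDs, field names and raw events are all constructed. JavaScript is used because Sentinel 6.1 collectors built with the SDK are written in it, and the "undefined" in the reported message is what JavaScript prints for a missing value, so the example also models the case where the raw event carries no event-ID field at all.

```javascript
// Added example (not Sentinel SDK code, not the real LSC file format): a toy
// collector that shows what "customizing the collector" buys you. Schema table,
// identity table, DNS table, field names and event IDs are all constructed.

// Schema shipped "out of the box": what the stock collector knows about.
// Event IDs and names are hypothetical.
const SHIPPED_SCHEMA = {
  "0x0030A001": { name: "Password Changed", severity: 2, taxonomy: "Auth/PasswordChange" },
  "0x0030A002": { name: "Account Disabled", severity: 3, taxonomy: "Account/Disable" },
};

// The customization step: the custom event the driver was configured to send.
const CUSTOM_SCHEMA = Object.assign({}, SHIPPED_SCHEMA, {
  "0x0030A010": { name: "Intruder Lockout", severity: 4, taxonomy: "Auth/Lockout" },
});

// Constructed enrichment tables: reverse DNS, and the identity tie-in
// (different account names in different systems resolve to one person).
const DNS = { "10.0.0.5": "idm01.example.internal", "10.0.0.9": "edir02.example.internal" };
const IDENTITIES = {
  "eDir:jsmith": "John Smith", "AD:john.smith": "John Smith", "HR:j12345": "John Smith",
};

// Normalize one raw event against a schema. Returns { event, diagnostic }:
// event is null when the collector drops the record; diagnostic carries the message.
function processEvent(raw, schema, opts) {
  opts = opts || { passUnsupported: false };
  const id = raw.EventID;
  // A raw event with no EventID field at all: this is how "undefined" ends up in the message.
  if (id === undefined) {
    return { event: null, diagnostic: "Event ID not found in LSC file: undefined" };
  }
  const entry = schema[id];
  if (!entry && !opts.passUnsupported) {
    return { event: null, diagnostic: "Event ID not found in LSC file: " + id };
  }
  // Unsupported pass-through keeps the record but with no severity, taxonomy or name.
  const event = {
    id: id,
    name: entry ? entry.name : "Unsupported",
    severity: entry ? entry.severity : 0,
    taxonomy: entry ? entry.taxonomy : null,
    unsupported: !entry,
    account: raw.Account,
    identity: IDENTITIES[raw.System + ":" + raw.Account] || null,
    sourceIP: raw.SourceIP,
    sourceHost: DNS[raw.SourceIP] || null,
  };
  return { event: event, diagnostic: null };
}

// Run a batch through the collector; keep normalized events and diagnostics apart.
function processBatch(rawEvents, schema, opts) {
  const out = { events: [], diagnostics: [] };
  for (const raw of rawEvents) {
    const r = processEvent(raw, schema, opts);
    if (r.event) out.events.push(r.event); else out.diagnostics.push(r.diagnostic);
  }
  return out;
}

// Constructed raw events as they might arrive at the raw data tap (not real IDM output).
const RAW_EVENTS = [
  { EventID: "0x0030A001", System: "eDir", Account: "jsmith",     SourceIP: "10.0.0.9" },
  { EventID: "0x0030A010", System: "AD",   Account: "john.smith", SourceIP: "10.0.0.5" }, // custom event
  { System: "HR", Account: "j12345", SourceIP: "10.0.0.5" },                             // no EventID
];

// Same batch, three configurations:
// 1. stock collector drops the custom event; 2. unsupported pass-through keeps it but
// with no severity or taxonomy; 3. customized schema gives it meaning and ties identity.
const stock      = processBatch(RAW_EVENTS, SHIPPED_SCHEMA);
const passThru   = processBatch(RAW_EVENTS, SHIPPED_SCHEMA, { passUnsupported: true });
const customized = processBatch(RAW_EVENTS, CUSTOM_SCHEMA);

console.log(stock.diagnostics);
// -> [ 'Event ID not found in LSC file: 0x0030A010', 'Event ID not found in LSC file: undefined' ]
console.log(passThru.events[1].name, passThru.events[1].severity);     // Unsupported 0
console.log(customized.events[1].name, customized.events[1].identity); // Intruder Lockout John Smith
```

The record with no EventID is dropped in all three configurations, which is the situation the original poster most likely hit: the driver sent something the collector could not even key into its schema, so customizing the collector (and the driver configuration that emits the event) is the fix, not just adding a line to the shipped schema.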