How to determine if Sentinel Advisor is running.

  • 3040786
  • 29-May-2007
  • 26-Apr-2012

Environment

Sentinel 5.1.3
Sentinel 6.0
Sentinel Advisor 2

Situation

The Advisor component of Novell Sentinel pulls data from a server that carries information about current exploits as detected by various detection systems. Advisor then integrates with the other components of a Sentinel installation to alert administrators as attacks take place in real time. Confirming that Advisor is successfully retrieving the feed data is therefore important to ensuring that real-time detection of attacks will succeed.

Resolution

The attackNormalization.csv file in the $ESEC_HOME/data/map_data directory grows as data from Advisor are pulled into the system. Monitoring this growth (for example, by recording the file size at each check and comparing it with the previous value) helps determine when these pulls take place and confirms that feeds are still being received. The process is not constant and continual, but it should happen fairly regularly. Read access to the file is required for this test.

In the database there is a table that records all of the feeds pulled into the system via Advisor. The following query reads that table:

SELECT * FROM ADV_FEED;

A count of the feeds received can be obtained with the following:

SELECT COUNT(*) FROM ADV_FEED;

The number of rows grows as new feeds are pulled into the local database, so a count that stops increasing over several expected feed intervals indicates that Advisor is no longer retrieving data. Sufficient rights to the table are required for these queries to work.

If entries are not going into either the table or the attackNormalization.csv file when using Advisor 2, check the Advisor log files for errors. Searching for 'SEVERE' entries is likely to yield the best results.
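The following script is an added example, not part of this TID or of Novell's Sentinel distribution. It implements the two checks described above (growth of attackNormalization.csv, and SEVERE entries in the Advisor log) as shell functions that can be run from cron on the Sentinel server. The default value of $ESEC_HOME, the state-file location and the Advisor log path are assumptions; adjust them to the installation. The sample CSV and log content used by the demo at the end are constructed so that the script runs offline.

```sh
#!/bin/sh
# Added example (not Novell's code): detect whether Sentinel Advisor is still
# pulling feeds by (1) comparing the current size of attackNormalization.csv
# with the size recorded at the previous check and (2) counting SEVERE
# entries in the Advisor log. Paths below are assumptions for illustration.

ESEC_HOME="${ESEC_HOME:-/opt/novell/sentinel}"            # assumption
MAP_FILE="$ESEC_HOME/data/map_data/attackNormalization.csv"
STATE_FILE="${STATE_FILE:-/var/tmp/advisor_feed_size}"    # assumption
ADVISOR_LOG="${ADVISOR_LOG:-$ESEC_HOME/log/advisor.log}"  # assumption

# file_size FILE : print the size of FILE in bytes (wc -c is portable;
# tr strips the leading blanks some wc implementations print).
file_size() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    wc -c < "$1" | tr -d ' '
}

# feed_grew FILE STATEFILE : compare the current size of FILE with the size
# saved in STATEFILE, then save the current size for the next run.
# Prints "grew", "unchanged" or "shrank". A missing STATEFILE counts as a
# previous size of 0, so the very first run reports "grew".
feed_grew() {
    cur=$(file_size "$1") || return 1
    prev=0
    [ -r "$2" ] && prev=$(cat "$2")
    printf '%s\n' "$cur" > "$2"
    if [ "$cur" -gt "$prev" ]; then
        echo grew
    elif [ "$cur" -eq "$prev" ]; then
        echo unchanged
    else
        echo shrank      # the file should only grow; a shrink deserves a look
    fi
}

# severe_count LOGFILE : number of lines containing SEVERE in LOGFILE.
# grep -c exits 1 when the count is 0, which is not an error here.
severe_count() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    grep -c 'SEVERE' "$1" || true
}

# --- Demo on constructed sample data so the script runs offline ----------
demo_dir=$(mktemp -d)
sample_csv="$demo_dir/attackNormalization.csv"
sample_state="$demo_dir/feed_size"
sample_log="$demo_dir/advisor.log"

printf 'sample-attack-a,normalized-a\n' > "$sample_csv"   # constructed row
feed_grew "$sample_csv" "$sample_state"                   # prints: grew
feed_grew "$sample_csv" "$sample_state"                   # prints: unchanged
printf 'sample-attack-b,normalized-b\n' >> "$sample_csv"  # constructed row
feed_grew "$sample_csv" "$sample_state"                   # prints: grew

# Constructed log lines, not real Advisor output.
printf 'INFO: feed retrieved\nSEVERE: could not reach feed server\nSEVERE: retry failed\n' > "$sample_log"
severe_count "$sample_log"                                # prints: 2

rm -rf "$demo_dir"
```

For a real check, replace the demo section with `feed_grew "$MAP_FILE" "$STATE_FILE"` and `severe_count "$ADVISOR_LOG"`, run the script from cron at an interval longer than the expected gap between feed pulls, and alert when the result is "unchanged" for several consecutive runs or the SEVERE count rises. The row count from `SELECT COUNT(*) FROM ADV_FEED` can be tracked the same way by saving the previous count in a state file.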