Environment
Novell Sentinel 6.0 Support Pack 2 Correlation Server
Novell Sentinel 6.1 Correlation Server
Situation
By default the Sentinel Correlation Engine creates and publishes a
correlated event each time a correlation rule's conditions are met.
These events do not usually make up a significant share of the data
stored in the database, but depending on how the correlation rules are
written they can: a rule that matches every event passing through
Sentinel roughly doubles the storage requirement compared with running
without correlation rules. If the correlated event itself is not needed
when a rule fires, disabling publication of correlated events is a
valid option.
Resolution
Modify $ESEC_HOME/config/correlation_engine.xml adding the
following directly beneath the <obj-container
name="Correlation_Engine"> tag:
<obj-component id="CorrelatedEventPublisher">
<class>esecurity.ccs.comp.correlation.CorrelatedEventPublishComp</class>
<property name="correlation.event.publish">false</property>
</obj-component>
Restart the Correlation Engine's Sentinel services to apply the change. All Correlation Rules on that machine should no longer generate correlated events.
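The following Python script is an added example, not part of this TID and not Sentinel code: it reports the current value of correlation.event.publish in a correlation_engine.xml file and inserts the component above (or flips an existing value to false) as a text splice, so comments and formatting elsewhere in the file are preserved and running it twice changes nothing. The sample configuration embedded in it is constructed for illustration; the real file contains many more components, and the script assumes the attributes are double-quoted as shown in the Resolution.

```python
"""Added example: check and idempotently apply the correlation.event.publish
setting from this TID to a correlation_engine.xml file."""
import os
import re
import shutil
import sys
import xml.etree.ElementTree as ET

# The component exactly as the Resolution section gives it.
COMPONENT = (
    '<obj-component id="CorrelatedEventPublisher">\n'
    '<class>esecurity.ccs.comp.correlation.CorrelatedEventPublishComp</class>\n'
    '<property name="correlation.event.publish">false</property>\n'
    '</obj-component>'
)
PROPERTY = '<property name="correlation.event.publish">false</property>\n'

# Assumes double-quoted attributes, as in the TID's snippet.
CONTAINER_RE = re.compile(r'<obj-container\s+name="Correlation_Engine"\s*>')
COMPONENT_RE = re.compile(
    r'<obj-component\s+id="CorrelatedEventPublisher"\s*>.*?</obj-component>', re.S)
PROPERTY_RE = re.compile(
    r'(<property\s+name="correlation\.event\.publish"\s*>)[^<]*(</property>)')

# Constructed sample resembling the relevant part of correlation_engine.xml;
# it is not a copy of the real file, which has many more components.
SAMPLE_CONFIG = """<obj-container name="Correlation_Engine">
<!-- other engine components would appear here -->
<obj-component id="ExampleComponent">
<class>example.ExampleComp</class>
</obj-component>
</obj-container>
"""


def publish_setting(xml_text):
    """Return the value of correlation.event.publish on the
    CorrelatedEventPublisher component under the Correlation_Engine
    container ('true' or 'false'), or None if it is not set."""
    root = ET.fromstring(xml_text)
    for container in root.iter('obj-container'):
        if container.get('name') != 'Correlation_Engine':
            continue
        for comp in container.findall('obj-component'):
            if comp.get('id') != 'CorrelatedEventPublisher':
                continue
            prop = comp.find("property[@name='correlation.event.publish']")
            if prop is not None and prop.text:
                return prop.text.strip().lower()
    return None


def disable_publishing(xml_text):
    """Return xml_text with correlated-event publishing disabled.

    Edits are text splices rather than an ElementTree rewrite so that
    comments and formatting elsewhere in the file survive. An already
    disabled config is returned unchanged."""
    current = publish_setting(xml_text)
    if current == 'false':
        return xml_text
    comp = COMPONENT_RE.search(xml_text)
    if comp is None:
        # Component absent: insert it directly beneath the opening container tag.
        container = CONTAINER_RE.search(xml_text)
        if container is None:
            raise ValueError('no <obj-container name="Correlation_Engine"> in config')
        return xml_text[:container.end()] + '\n' + COMPONENT + xml_text[container.end():]
    if current is None:
        # Component present but the property is missing: add it before the close tag.
        close = xml_text.rfind('</obj-component>', comp.start(), comp.end())
        return xml_text[:close] + PROPERTY + xml_text[close:]
    # Component and property present with publishing on: flip just the value.
    fixed = PROPERTY_RE.sub(r'\1false\2', comp.group(0), count=1)
    return xml_text[:comp.start()] + fixed + xml_text[comp.end():]


def main(argv):
    path = argv[1] if len(argv) > 1 else os.path.join(
        os.environ.get('ESEC_HOME', '.'), 'config', 'correlation_engine.xml')
    with open(path, encoding='utf-8') as fh:
        original = fh.read()
    updated = disable_publishing(original)
    if updated == original:
        print('publishing already disabled in', path)
        return 0
    shutil.copy2(path, path + '.bak')  # keep a backup before writing
    with open(path, 'w', encoding='utf-8') as fh:
        fh.write(updated)
    print('disabled correlated event publishing in', path,
          '- restart the Correlation Engine services to apply')
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Run it with the path to the file as its argument (or with ESEC_HOME set); it writes a .bak copy before modifying anything. The Correlation Engine's Sentinel services still have to be restarted afterwards for the change to take effect.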
Additional Information
Note: This suppresses all correlated events, even explicitly created
events, from the entire Correlation Engine machine on which the setting
is implemented. Other Correlation Engines are not affected by this
change.
Note: Performance of the Sentinel system as a whole, and of the Correlation Engine in particular, is not affected. The correlation rule still fires and the correlated event is still created, but with this setting it is not published to the rest of the system.
Note: Statistics for the Correlation Engine are not affected by this change. The count of times a rule and/or its action has fired increments normally, so these counts can still be used to confirm that a correlation rule executes as the events that trigger it are processed.