Environment
Sentinel 7.3
Sentinel Log Manager 1.2
Sentinel Collector Manager 7.3
Situation
With the collectors running on the Sentinel server, data mappings
were defined using the identities collected through the Microsoft
Identities collector. The Sentinel Log Manager (SLM) servers were
forwarding their events to the Sentinel server, through Sentinel
Link. The data mappings were being applied as expected.
For performance reasons, the collectors were moved over to a dedicated collector manager (CM) server. The SLM servers were reconfigured to forward their events to the CM. However, with event collection now happening on the collector manager server, the data mapping information was no longer being inserted. Moving a collector back to the Sentinel server makes the data mappings work again.
Resolution
On the Collector Manager server, perform the following:
1. Edit the configuration.properties file
vi /etc/opt/novell/sentinel/config/configuration.properties
2. Locate the following property: sentinel.router.event.transformation.foreign
3. If it is missing, create the entry.
4. Set the value to true
sentinel.router.event.transformation.foreign=true
5. Save the file.
6. Restart the Sentinel Collector Manager.
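Steps 1 to 5 can also be applied idempotently with a script such as the one below. This is an added example, not part of the original article or any vendor tooling; the function names are hypothetical, and the Collector Manager restart in step 6 is still performed separately.

```shell
#!/bin/sh
# Added example (not vendor code): function names are hypothetical.
PROP='sentinel.router.event.transformation.foreign'

# Print the effective value: the last uncommented "key = value" line wins.
get_foreign_transformation() {
    awk -v key="$PROP" '
        { line = $0; sub(/\r$/, "", line); sub(/^[ \t]+/, "", line) }
        index(line, key) == 1 {
            rest = substr(line, length(key) + 1)
            if (rest ~ /^[ \t]*=/) {
                sub(/^[ \t]*=[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
                val = rest
            }
        }
        END { if (val != "") print val }
    ' "$1"
}

# Set the property to true, creating it if missing. Keeps a .bak copy and
# leaves the file untouched when the value is already true.
set_foreign_transformation() {
    file=$1
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
    if [ "$(get_foreign_transformation "$file")" = "true" ]; then return 0; fi
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    awk -v key="$PROP" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, key) == 1 && substr(line, length(key) + 1) ~ /^[ \t]*=/) {
                if (!done) { print key "=true"; done = 1 }
                next            # collapse duplicate assignments into one
            }
            print
        }
        END { if (!done) print key "=true" }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write through the original inode so owner and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Run against the file named on the command line, if any, e.g.
#   sh script.sh /etc/opt/novell/sentinel/config/configuration.properties
[ $# -eq 0 ] || set_foreign_transformation "$1"
```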
Additional Information
The default sentinel.router.event.transformation.foreign property
has a value of false. This property determines whether events being forwarded from other
systems will be enhanced by the local mapping service. Normally this is
not desired because the events should remain the same as they were on
the original system they were forwarded from, but in certain cases it
may be helpful to enhance the events with the local mapping service
data.
When the custom mappings were defined on the Sentinel server, this property was set to true. Because the mappings were not defined on the CM server, this value remained set to false.