Data mappings not working after moving the collectors to a different Collection Manager

With the collectors running on the Sentinel server, data mappings were defined using the identities collected through the Microsoft Identities collector. The Sentinel Log Manager (SLM) servers were forwarding their events to the Sentinel server, through Sentinel Link. The data mappings were being applied as expected.

For performance reasons, the collectors were moved over to a dedicated collector manager (CM) server. The SLM servers were reconfigured to forward their events to the CM.  However, with event collection now happening on the collector manager server, the data mapping information was no longer being inserted. Moving a collector back to the Sentinel server, data mappings will again work.

On the Collector Manager server, perform the following:

1. Edit the configuration.properties file
    vi /etc/opt/novell/sentinel/config/configuration.properties

2. Locate the following property: sentinel.router.event.transformation.foreign

3. If it missing, create the entry.

4. Set the value to true
    sentinel.router.event.transformation.foreign=true

5. Save the file.

6. Restart the Sentinel Collector Manager.

The default sentinel.router.event.transformation.foreign property has a value of false. This property determines whether events being forwarded from other systems will be enhanced by the local mapping service.  Normally this is not desired because the events should remain the same as they were on the original system they were forwarded from but, in certain cases it may be helpful to enhance the events with the local mapping service data.

When the custom mapping were defined on the Sentinel server, this property was set true. Because the mappings were not defined on the CM server, this value remained set to false.