SenSage AP Glossary

Overview

This article lists the product-specific terms and acronyms that customers and agents need to know for SenSage AP.


Terms

Term

Definition

Active Directory

A Windows-based authentication authority that manages users and user groups; when integrated into an EDW instance, the Active Directory authority authenticates each user's name and password at login.

Administrator

A role that by default gives its user account full permission to access, modify, and delete all Sensage AP objects in the Event Data Warehouse and in the Sensage AP Analyzer.

Ambari

Deployment software that Sensage uses to install the cluster, monitor it, and add more nodes to it.

Analytics

Analytics (also known as IntelliSchema) is a set of tables and views that describe the most common event log schemas in the industry, such as Cisco switch logs, Apache logs, and Microsoft security event logs. These tables and views can be installed in the EDW to give the customer a foundation for collecting these standard logs from their systems.

Analytics packages


The Ignite Enterprise Software Solutions add‐on components that enable the rapid implementation of PTL files, reports, and queries that are tailored to specific industry and organization requirements.
Analytics packages enable event data to be available for analysis in the Sensage AP Analyzer.

Analyzer

An HTML-based SIEM (Security Information and Event Management) user interface used by security analysts; among other functions, it visualizes reporting dashboards, runs reports, schedules operations, and configures alerts.

Anonymous request

Requests from users or systems that do not have user names and passwords in Ignite Enterprise Software Solutions. The system uses the guest user for such requests.

Attribute

In the Collector config.xml and errors.xml files and in rules, an attribute is a setting within an XML element tag. For example, name is an attribute of the Retriever element and fs is its value here:
<Retriever name="fs" ....

Authentication

The security process that validates a user's identity, by default through their user name and password.

Authorization

The security process that, once authenticated, validates a user’s roles and permissions before allowing the identified user to access any object or perform any operation.

Batched events

Events that are collected from log files and other event repositories maintained by network devices and software applications.

Character encoding

A scheme by which human-readable characters are represented in computer systems and transported across computer networks. Simple, single-byte character encoding schemes, such as ASCII or ISO 8859-1, represent each character of their character set with the binary equivalent of its code point. For example, with ASCII character encoding, the letter “A” is represented by a byte that contains the numeric value 65.

Character set

A set of characters and the assigned, numeric code point for each character. For example, the ASCII character set includes the upper‐ and lower‐case letters of the U.S. English alphabet and a few punctuation marks and symbols. A character set does not necessarily equate with a particular character encoding. For example, the Unicode character set can be represented in computers with Unicode character encoding, a fixed, two‐byte encoding scheme, or with UTF‐8, a variable‐width encoding scheme where specific characters are represented by one‐, two‐, three‐, or four‐byte bit patterns.

Clause

A standard portion of a SELECT statement, such as the WHERE, DURING, ORDER_BY, and GROUP BY clauses. Clauses are expected in a particular sequence. Some clauses are required and some are optional.

Clustered instance

An EDW instance that runs on multiple hosts.

Code point

A decimal number assigned to a particular character in a character set. For example, with ASCII character encoding, the letter “A” is assigned the code point 65.

ComboBox

A display field that combines the features of an editable text field and a drop‐down list.

Computer font

A typeface that determines how computer screens and printers display the characters and symbols of a particular character set.

Collector

The Sensage AP component that pulls event‐log data from disparate sources, uses adapters to normalize the data, and loads the data into the EDW.

Before the enterprise can analyze event-log data, the original event-log data must be collected into the system. The system supports batch data collection, in which events are collected from log files and other event repositories maintained by network devices and software applications.

Its core process is responsible for reading the configuration file, maintaining state, starting Retrievers and Loaders, and managing Log Queues.

After it has been loaded, the data is available for queries and reports through the Sensage AP Analyzer in both original and normalized views.

Compliance Reports Package

An Analytics package containing report definitions designed to report on events that must be monitored to maintain compliance with various regulations and standards.

config.dtd

DTD file used to verify and enforce the way elements and attributes are defined in config.xml. It is located in:
/<Sensage AP Home>/etc/collector

config.xml

Configuration file for the Collector. It is located in:
/<Sensage AP Home>/etc/collector

Connector view

An IntelliSchema source‐specific view used to normalize event data at query‐time by enforcing consistent use of column names, data types, and formats, and by consistently presenting disparate event data that indicates the same information.

Coupled instance

An EDW instance that shares the same data store as another instance; used in the upgrade process to enable access to the datadir (the dsroot) from an earlier version of the EDW; also used to create read/write and read-only instances to segregate people who load log entries from people who query them.

Custom interval

The time period of a report query that specifies the start date as well as the end date; see standard interval.

Dashboard

A Sensage AP Analyzer function that organizes and displays reports on one or more pages.

Deployment Manager

The component that manages every node installation, health check, and administrative service operation. It provides a graphical interface for operating the Sensage infrastructure.

Drilldown


A link from a high‐level summary report to detailed reports that decompose the summarized data for individual rows. The link enables users to drill down from rows on the high‐level report to a more detailed report for a given row.

Element

In the Collector's config.xml and errors.xml files and in rules, an element is an XML tag that contains the relevant configuration setting and its attributes.

errors.xml

File that lists errors, settings for email alerts, and paths to activity.log and error.log. It is located in:
/opt/ignitetech/sensage-ap/share/locale/en_QA/collector/errors.xml
/opt/ignitetech/sensage-ap/share/locale/en_US/collector/errors.xml
/opt/ignitetech/sensage-ap/share/locale/fr_FR/collector/errors.xml
/opt/ignitetech/sensage-ap/share/locale/de_DE/collector/errors.xml
/opt/ignitetech/sensage-ap/share/locale/ja_JP/collector/errors.xml
/opt/ignitetech/sensage-ap/share/locale/sl_SI/collector/errors.xml
/opt/ignitetech/sensage-ap/share/locale/qa_QA/collector/errors.xml
/opt/ignitetech/sensage-ap/share/locale/es_ES/collector/errors.xml

Event

Data representing an action that occurred in some environment at a specific time. Events either flow into the Sensage AP system from network devices and software applications or are collected from log files and other repositories maintained by those devices and applications. Events always have a timestamp and never change.

Event Data Warehouse

The Event Data Warehouse (EDW) is a scalable database built for and dedicated to loading, storing, and analyzing event data. Event data from multiple sources is stored in a highly compressed format. Parallel processing enables clustered servers to execute as a single instance, allowing high-speed loading and querying on terabytes of data. This architecture allows users to load and query massive data volumes in a single, logical database instance without partitioning. The EDW uses a proprietary data model that achieves high levels of compression, while still making all data fully available to query.

Event type

A high‐level categorization of event data, such as a login, startup, or shutdown.

Event-type view

An IntelliSchema source‐agnostic view that references multiple connector views to create a view used to report on a single event type. See master view.

Exception report

A report designed to find non-normal or exception conditions. In normal conditions, the report returns 0 rows. If the report ever returns any rows, it has found an exception.

Exception report alert

An alert raised when a scheduled exception report contains one or more rows.

Filter

Text that limits the value of selected data.

Failover

Operational backup mode performed by secondary system components, such as processors, servers, or databases, in the event that the primary system components become non-operational.

Foundation Report Package

An Analytics package that includes report definitions for reporting on event data from Microsoft Windows systems, Unix systems, and the Sensage AP system itself.

Ganglia

A monitoring system used in the Sensage AP Ambari Monitoring interface.

Hierarchical instance

See clustered instance.

Home directory

A directory on a host that you specify during installation in which all the Sensage AP software and application files are located.

Host

In Unix networks, a computer system with one or more network IP addresses. In Windows networks, a host is called a server.

Instance

A set of EDW hosts that collectively manage a distributed data store and the access to that data store; the data store and its running service accept load and query requests.

Instance reference

An EDW instance reference may be specified by its name (my_instance) or by its host and port (host1.myco.com:7002).

Interval

The time period over which a report runs in Sensage AP Console. Intervals are either standard or custom.

IntelliSchema

A set of SQL views that provide an abstraction layer between raw data and normalized event data. Used to create reports based on common event types.

Investigation report

An interactive report that provides detailed information about specific attributes such as the destination IP address, the user ID, or hostname.

Kerberos

A strong authentication protocol based on key cryptography, which Ignite Enterprise Software Solutions uses to process authentication data between the EDW and Active Directory.

Keyword

A word that forms a standard part of a SQL clause, operator, modifier, or is otherwise understood with special significance by the SQL engine.

Loader

A process of the Collector that loads data from a log file into an EDW table after parsing and transforming the log data as specified by a PTL file.

Log adapter

A collection of files, including a PTL file, a Map file, IntelliSchema views, sample data, and documentation which supports loading event‐log entries from a particular log source into the EDW and querying the data from the EDW.

Log entry

An entry recorded in a log file. Generally, log entries include fields of information for the date and time of day that the entry was recorded, the application or device that recorded the entry, and a message about an event that occurred or a situation that was detected. See Event.

Log File

A file that contains log entries and is retrieved and processed by the Collector module.

Log host

A host or server computer that produces the logs from which the Collector gathers data.

Log Queue

A user-specified directory where log files are stored while being downloaded, while waiting to be loaded, or during loading. The log-file naming convention used ensures consistency of state and prevents concurrency or locking issues. By default, log files in the queue are expected to be written with UTF-8 encoding; other character encoding schemes can be specified.

Log source


A system or protocol for recording a log entry.

Match

A regular expression that describes which log files will be run through a preprocessor. For example, "mail" is the same as the /.*mail.*/ regular expression; it is a substring match anywhere in the original log file name.

Master view

An IntelliSchema view that references multiple connector views or event‐type views to create a unified view of a single event type from multiple, heterogeneous information systems.

Netflow Receiver

Used to collect and analyze network flow data, giving network managers a detailed view of application and traffic flow so that appropriate responses can be applied to network-based threats, and so that intelligence about application usage can be gathered for capacity planning.

Node

Another name for a host or a server; a single item in a network.

Normalization

A process used to create consistent representations of event data originally presented in different forms. For example, one event log may record a failed login with the word "failure" while another event log may use the words "login failed", or a numeric code. A normalized version of this data records all such events using a consistent representation, such as "failed login", with a consistent set of columns.

Operator

Conditional, math, or other keywords used to work with expressions, SQL constants, and report filters. These include AND, OR, NOT, EXACT, <, >, =, PREFIX.

Parameterized query

A query that specifies parameters (or macros) to be replaced with values at runtime.

Privileged port

A TCP/IP port number in the range 1‐1023.

PTL File

A file that provides the EDW with instructions for parsing a specific log file format and for mapping the parsed fields to a specific table schema. PTL files have .ptl as their extension and are sometimes pronounced "Pitals" (pea-tals).

Query

One or more statements submitted to the EDW that produce a single result set. A query can include multiple SELECT statements by using UNION ALL, UNION OVER, or subqueries. In the Analyzer, a Sensage AP SQL statement that extracts event-log data from the EDW data store and is a required child of every report.

Query file

A file created by the Application Manager to track information about queries run in Sensage AP Console.

Quiesce

To render quiet (that is, temporarily inactive or disabled).

Receiver

A process within the Collector that listens on a specific port and receives data streams for loading into the EDW.

Report definition

A specification of a query and how to display the result set in a report including the way the data is arranged and whether the data is also graphically displayed and if so, what type of graph or chart.

Report filter

Determines the report data a viewer can see based on a SQL WHERE clause applied to one or more columns. Can be either preset or prompted interactively in parameterized reports.

Report Wizard

A graphical tool that walks you through the process of creating report definitions.

Retriever

A process spawned by the Collector that retrieves log data (either directly or by using a Sender), performs any required preprocessing, and writes the log data to log files in specified Log Queues.

Risk

A condition of an alert that is based on the value of the asset against which it was triggered; the higher the value placed on one asset over another, the higher the risk posed by alerts with the same priority. For example, a failed password attempt on a payroll system probably poses more of a risk than a failed password attempt on an email system.

Role

An authorization object that determines which permissions an identified set of users has.

Sender

A log-specific module or process that sits on a remote system and sends (or pushes) the log data to a location where a Retriever can receive it for entry into the Collector.

SELECT statement

A complete set of instructions to the SQL engine as to how to select desired rows from a given table (either an EDW table or a subquery result set) and transform them into a result set table of rows and columns.

Server

In Windows networks, a computer system running Microsoft Windows Server. In Unix networks, a server is often called a host.

SNMP Bridge

Used to trap and send messages into the syslog‐ng server when parsing and loading data.

SQL aggregate

A function that returns one result per group of row values processed.

SQL expression

A combination of references to column values, SQL constants, functions, aggregates and operators that evaluates to a single value of any data type.

SQL function

Takes SQL expressions as arguments and returns one result per one or more rows processed.

Standard interval

The time period of a report query that specifies a specific interval (such as 1 week or 5 months) as well as the end date; see custom interval.

Streamed events

Events that flow into Sensage AP as they are created, from network devices and software applications that publish the events. See batched events.

System asset

An asset that represents a Sensage AP component, such as a receiver or parser.

Target

An expression plus an optional target name that defines what is to be returned in a result column.

Target list

A set of targets; not the same as an SQL list.

View filter

A report filter that applies to reports after they run.

Virtual machine

Software emulation of a computer operating system.

Workspace

The primary area of Sensage AP Analyzer in which you view and manage data.


Acronyms

Acronym

Definition

CLI

Command‐line interface

DNS

The Domain Name System is the hierarchical and decentralized naming system used to identify computers, services, and other resources reachable through the internet or other internet protocol networks. The resource records contained in the DNS associate domain names with other forms of information.

EDW

Event Data Warehouse. This term came into use to refer to the SLS component in the newer Sensage AP 6.X/20XX.X versions. See the Event Data Warehouse term above.

FQDN

A fully qualified domain name is the complete domain name for a specific computer, or host, on the internet. The FQDN consists of two parts: the hostname and the domain name.

LEA


Log Export API, used by products like CheckPoint FireWall for transporting log files across networks.

LUN

Logical Unit Number. A term used in Storage Area Network (SAN) configuration. A LUN identifies a storage volume within a SAN.

MD5

Message Digest algorithm used in checksum processes.

NSI

Nearline Storage Identifier: A unique text identifier for a nearline storage target.

NSS

Nearline Storage Server: SenSage AP uses NSS to archive data to nearline storage devices.

OAE

Open Access Extensions. Component that provides a representation of the SLS/EDW tables in a standard RDBMS database (Postgres). This component was optional in Sensage AP 5.0.1 as the communication was direct from the SLS to the Analyzer. In 6.X/20XX.X version the Analyzer uses OAE to query the SLS/EDW tables.

PTL

Parse Transform Load. This is the core logic of the log adapter that performs the key parsing and transforming necessary to load the data into SLS/EDW tables. The PTL file is composed of a regular expression, Perl logic and a SQL statement that defines how records are written to the table.

SAN


Storage Area Network. A method of attaching storage devices to an operating system.

SLS

Scalable Log Server. This term was used widely to refer to the clustered custom column-based database component in Sensage AP 5.0.1 version. Please refer to the EDW term above.

SSH

Secure Shell is an interactive program that enables encrypted network connections between computers. One computer can connect to another in order to run programs on the other computer.

SSL

Secure Sockets Layer. A protocol that uses cryptography to provide secure transmission over the Internet.

SWM

A software management tool that allows Sensage application administrators to run specific commands on the server as the root user (usually Sensage Application Admins at AT&T do not have full root-level access).

TLS

Transport Layer Security. A protocol that ensures secure communication over the Internet. TLS is the successor to SSL.

TS

Timestamp
